http-host-header-attacks
Community
Exploit Host header routing and poisoning safely
Category: Education & Research
Tags: penetration testing, ssrf, bypass techniques, virtual host, cache poisoning, host header, routing abuse
Author: DorianGallo
Version: 1.0.0
Installs: 0
System Documentation
What problem does it solve?
It helps you identify and test whether an application trusts the HTTP Host header for URL generation, routing, cache behavior, or access-control decisions. Such trust can lead to password reset poisoning, web cache poisoning, SSRF through Host-based routing, and virtual host bypass.
Core Features & Use Cases
- Password reset poisoning: Inject an attacker-controlled Host so that generated reset links point off-domain and capture tokens.
- Web cache poisoning via Host: Determine whether responses (and the links/scripts embedded in them) reflect the Host header while the cache key excludes it.
- SSRF via Host routing: Check reverse proxies and load balancers that route requests to backend services based on the Host header.
- Virtual host bypass and enumeration: Brute-force and probe alternate vhosts using Host values such as localhost, admin, staging, and internal.
- Bypass techniques for Host validation: Evaluate common normalization mismatches, such as X-Forwarded-Host and Forwarded headers, absolute-URI request lines, duplicate Host headers, port and credential parsing, trailing dots, whitespace or tab injection, and connection-state keep-alive edge cases.
- Framework-specific verification: Focus on how PHP, Django, Rails, and Node derive host information, and on which middleware and proxy settings change that behavior.
Quick Start
Ask the model to produce a Host-header test plan for a target login or password reset flow, including candidate payloads that validate password reset poisoning, cache-link reflection, and the impact of vhost and SSRF routing.
Dependency Matrix
Required Modules
None required
Components
Standard package
💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: http-host-header-attacks Download link: https://github.com/DorianGallo/hack-skills-local/archive/main.zip#http-host-header-attacks Please download this .zip file, extract it, and install it in the .claude/skills/ directory.