Host Header Injection is a web security vulnerability that occurs when an attacker manipulates the Host header in an HTTP request to exploit improper server-side handling or trust of this header.
Impact:
Web Cache Poisoning: Attackers can poison web caches by tricking the server into storing malicious responses.
Server-Side Request Forgery (SSRF): Exploiting internal services by forging requests.
Password Reset Poisoning: Manipulating links in password reset emails to redirect victims to malicious sites.
Information Disclosure: Exposing sensitive data by bypassing protections dependent on the Host header.
Proper validation of the Host header and avoiding reliance on its value for security decisions can mitigate this risk.
Impact:
Web Cache Poisoning: Attackers can poison web caches by tricking the server into storing malicious responses.
Server-Side Request Forgery (SSRF): Exploiting internal services by forging requests.
Password Reset Poisoning: Manipulating links in password reset emails to redirect victims to malicious sites.
Information Disclosure: Exposing sensitive data by bypassing protections dependent on the Host header.
Proper validation of the Host header and avoiding reliance on its value for security decisions can mitigate this risk.
Category
📚
Learning