Bug Bounty Course -- Day 25 of 60
42%

Day 25 Bug Bounty — Host Header Injection Attacks 2026

Mr Elite 18 min read Bug Bounty Course -- Day 25
Day 25 Bug Bounty — Host Header Injection Attacks 2026
🎯 BUG BOUNTY COURSE
FREE

Part of the 60-Day Bug Bounty Mastery Course

Day 25 of 60 · 41.7% complete

✅ Prerequisites — Complete These First

  • Bug Bounty: Day 24: CRLF Injection — the techniques and tools from the previous session are assumed knowledge here.
  • Environment: Kali Linux running (VM or native install). DVWA accessible at localhost if needed.
  • Tools: Burp Suite Community, terminal with root or sudo access.
Password reset links are everywhere. Every account recovery flow generates one — a unique URL emailed to the user to click and reset their password. Here’s what most developers don’t think about: that URL is built server-side using the Host header from the HTTP request. The application assumes the Host header reflects the legitimate domain it’s serving. It doesn’t always. When I modify the Host header on a password reset request to point to a server I control, the password reset email goes to the victim with my domain in the link. They click it. My server receives the reset token. I complete the password reset. Account taken. This attack class is called password reset poisoning, and it’s one of the highest-signal, highest-reward findings in bug bounty hunting. I’ve seen it pay out $1,000 to $10,000 on major programs. Today I’m showing you exactly how it works, how to find it, and how to report it.

🎯 After Day 25

Understand how HTTP Host header injection works and where applications trust it insecurely
Execute password reset poisoning to demonstrate account takeover — the full attack chain
Test X-Forwarded-Host and other proxy override headers that bypass Host validation
Identify web cache poisoning via Host header manipulation
Write a compelling bug bounty report demonstrating the complete HHI → account takeover chain

⏱️ 35 min read · 3 exercises · Day 25 of 60

📋 Day 25 — Host Header Injection

  1. How Host Header Injection Works
  2. Password Reset Poisoning — The Account Takeover Chain
  3. X-Forwarded-Host and Override Header Bypasses
  4. Web Cache Poisoning via Host Header
  5. Finding HHI in Bug Bounty Programs
  6. Reporting — Demonstrating the Full Attack Chain

CRLF injection on Day 24 showed how injecting newlines into HTTP headers breaks response parsing. Today’s vulnerability is different — I’m not injecting into a header value, I’m replacing an entire header the application trusts. The HTTP Host header is supposed to identify which virtual host the request is for. When applications use it to build URLs, generate emails, or route requests, trusting it without validation creates an injection point attackers control completely.

How Host Header Injection Works

The HTTP Host header identifies which domain a request is intended for. In a virtual hosting environment where multiple domains share an IP, it’s how the server knows which application to serve. Legitimate use: you request https://example.com, your browser sends Host: example.com, the server routes to the right application.

The vulnerability emerges when applications use the Host header value to generate output without validating it against an allowlist. The most common patterns: building absolute URLs for password resets, email confirmation links, and invitation emails; constructing redirect URLs; generating canonical URLs for SEO; and building API endpoint URLs. In each case, if I control the Host header, I control part of the generated URL.

HOST HEADER INJECTION — REQUEST STRUCTURE
# Legitimate password reset request
POST /forgot-password HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
email=victim@email.com
# Application generates reset email:
# “Click here: https://example.com/reset?token=abc123”
# Host header injection (attacker’s request)
POST /forgot-password HTTP/1.1
Host: attacker.com
Content-Type: application/x-www-form-urlencoded
email=victim@email.com
# Application generates reset email (VULNERABLE):
# “Click here: https://attacker.com/reset?token=abc123”
# Victim clicks → token sent to attacker.com → account takeover

🛠️ EXERCISE 1 — BROWSER (20 MIN · NO INSTALL)
Research Real Host Header Injection Bug Bounty Reports

⏱️ 20 minutes · Browser — HackerOne + PortSwigger Academy

Before testing, I want you to read real disclosed reports. Understanding how other hunters found, exploited, and reported HHI gives you the mental model you need to spot it yourself on live targets.

Step 1: Read PortSwigger’s Host Header Injection lab descriptions
Go to: portswigger.net/web-security/host-header
Read the “What is the HTTP Host header?” and “What is an HTTP Host header attack?” sections.
What four categories of attacks does PortSwigger identify?
Which category has the highest bug bounty value?

Step 2: Find disclosed HHI reports on HackerOne
Search HackerOne Hacktivity: site:hackerone.com host header injection
Or go to: hackerone.com/hacktivity and search “host header”
Find 3 disclosed reports. For each note:
– Target company
– Payout amount
– Vulnerable endpoint
– Impact demonstrated

Step 3: Read the Acunetix HHI explanation
Search: “acunetix host header injection explained”
What server-side code patterns does Acunetix identify as vulnerable?
Which PHP functions / framework patterns are specifically mentioned?

Step 4: Find real password reset poisoning case studies
Search: “password reset poisoning bug bounty report site:medium.com”
Find a detailed writeup of a password reset poisoning attack.
Walk through their exact methodology — what did they change, what did they receive?

Step 5: Research X-Forwarded-Host bypasses
Search: “X-Forwarded-Host bypass host header injection”
What is the X-Forwarded-Host header’s legitimate use?
Why do some applications trust it over the Host header?
How does this create a bypass for Host header validation?

✅ The disclosed reports research (Step 2) is the most valuable part — real payouts, real vulnerable endpoints, and real impact demonstrations. The pattern you’ll notice: all high-paying HHI reports demonstrate account takeover via password reset poisoning, not just reflected injection. Demonstrating impact is what separates a $200 report from a $2,000 one. The PHP function patterns (Step 3) are directly applicable to identifying vulnerable code in PHP-based bug bounty targets — $_SERVER[‘HTTP_HOST’] used in URL generation without validation is the classic fingerprint.

📸 Screenshot the highest-paying HHI report you found. Share in #bug-bounty.

Password Reset Poisoning — The Account Takeover Chain

Password reset poisoning is the complete account takeover attack chain that makes Host header injection a high/critical severity finding. The attack works in three phases: I send a password reset request for the victim’s account with my domain in the Host header, the application emails the victim a reset link containing my domain, and when the victim clicks the link my server receives the reset token.

The critical prerequisite is that the application builds the reset URL using the Host header rather than a hardcoded domain from configuration. Applications that do this are often legacy systems or custom-built platforms where developers assumed the Host header is always the legitimate domain. In Burp Suite, I test this systematically:

PASSWORD RESET POISONING — BURP SUITE METHODOLOGY
# Step 1: Set up Burp Collaborator
Burp Suite → Collaborator tab → “Copy to clipboard”
Note your Collaborator URL: abc123.burpcollaborator.net
# Step 2: Intercept password reset request in Burp Proxy
Navigate to /forgot-password on target
Enter your own test email (account you control)
In Burp Proxy, intercept BEFORE forwarding
# Step 3: Modify Host header in Intercept
Change: Host: target.com
To: Host: abc123.burpcollaborator.net
Forward the request
# Step 4: Check email and Collaborator
Check the email sent to your test account
VULNERABLE: link contains abc123.burpcollaborator.net
HARDENED: link uses hardcoded domain (target.com)
# Step 5: For report — demonstrate full chain (don’t actually steal accounts)
Show: modified request → poisoned email → Collaborator interaction
Explain: attacker targets victim’s email, victim clicks, attacker captures token

securityelites.com
Password Reset Poisoning — Attack Chain Diagram
STEP 1
Attacker sends POST /forgot-password with victim’s email AND Host: attacker.com
STEP 2
Vulnerable server builds reset URL: “https://attacker.com/reset?token=abc123” and emails to victim
STEP 3
Victim clicks link in email → browser requests https://attacker.com/reset?token=abc123
STEP 4
Attacker receives token abc123 on their server → uses it on legitimate site to set new password → account takeover complete
FIX: Generate reset URLs using hardcoded domain from server config, never from the Host header. Validate Host header against allowlist of permitted domains.

📸 Password reset poisoning attack chain. The attacker never needs to interact with the victim directly — they send one HTTP request and wait for the victim to click a link that arrives in their legitimate inbox. The victim sees a real email from the target company, making this a highly effective phishing-free account takeover. In Burp Suite testing, use your own email as the target to confirm the chain without impacting real users.

X-Forwarded-Host and Override Header Bypasses

Some applications validate the Host header against an allowlist of permitted domains — so injecting an arbitrary Host value fails. But many of these same applications trust proxy override headers like X-Forwarded-Host without the same validation. The logic: “X-Forwarded-Host is set by our trusted reverse proxy, so it must be legitimate.” The problem: HTTP headers are client-controlled, not proxy-controlled. Attackers can set them directly.

My testing order for Host header injection always includes all the override headers. I test them individually because different applications trust different combinations:

HOST HEADER OVERRIDE TESTING — FULL HEADER LIST
# Test each header individually in Burp Repeater
# Attempt 1: Direct Host header modification
POST /forgot-password HTTP/1.1
Host: attacker.burpcollaborator.net
# Attempt 2: X-Forwarded-Host (most common bypass)
POST /forgot-password HTTP/1.1
Host: target.com
X-Forwarded-Host: attacker.burpcollaborator.net
# Attempt 3: X-Host
Host: target.com
X-Host: attacker.burpcollaborator.net
# Attempt 4: Forwarded (RFC 7239)
Host: target.com
Forwarded: host=attacker.burpcollaborator.net
# Attempt 5: X-Forwarded-Server
Host: target.com
X-Forwarded-Server: attacker.burpcollaborator.net
# Attempt 6: Duplicate Host header (parser confusion)
Host: target.com
Host: attacker.burpcollaborator.net
# Attempt 7: Host header with port (some parsers strip port)
Host: target.com:80@attacker.burpcollaborator.net

⚙️ EXERCISE 2 — SETUP LAB (25 MIN · BURP SUITE + PORTSWIGGER LABS)
Complete PortSwigger Host Header Injection Labs

⏱️ 25 minutes · PortSwigger Web Security Academy (free)

PortSwigger’s labs are the best hands-on practice for Host header injection because they provide confirmed-vulnerable applications in a legal sandbox. I want you to work through the password reset poisoning lab step by step and feel exactly what the attack looks like in Burp Suite.

Prerequisites: Burp Suite Community Edition + PortSwigger account (both free)

Step 1: Access the lab
Go to: portswigger.net/web-security/host-header/exploiting/lab-host-header-injection-basic
“Access the lab” → opens in browser with Burp configured as proxy

Step 2: Find the password reset functionality
Navigate to “My account” → “Forgot password”
Submit a password reset for the email: carlos@carlos-montoya.net
Intercept the request in Burp Suite Proxy

Step 3: Modify the Host header
In Intercept, change:
Host: [lab-id].web-security-academy.net
To:
Host: YOUR-EXPLOIT-SERVER-DOMAIN
Forward the intercepted request

Step 4: Check the exploit server logs
In the lab, go to “Go to exploit server” → “Access log”
Look for an incoming GET request containing a password reset token
Note the full URL in the log — this is the poisoned reset link the victim would click

Step 5: Claim the account
Copy the token from the log
Navigate to: https://[lab-domain]/forgot-password?temp-forgot-password-token=[TOKEN]
Set a new password for carlos’s account
Log in as carlos → lab solved ✅

Step 6 (bonus): Try the X-Forwarded-Host lab
portswigger.net/web-security/host-header/exploiting/lab-host-header-injection-basic-password-reset-poisoning-via-middleware
This version validates the Host header but trusts X-Forwarded-Host — apply the bypass technique

✅ Completing the PortSwigger lab gives you the muscle memory of how password reset poisoning feels in Burp — intercepting the request, modifying the Host header, seeing the token arrive in the exploit server logs. The moment you see the reset token appear in your controlled server’s access log is the moment Host header injection becomes concrete rather than theoretical. The X-Forwarded-Host lab (Step 6) is the direct real-world application — most bug bounty targets that validate Host still trust proxy override headers.

📸 Screenshot the exploit server log showing the received reset token. Share in #bug-bounty.

Web Cache Poisoning via Host Header

Web cache poisoning via Host header is rarer but significantly higher severity than password reset poisoning alone. When the application caches responses and the Host header value appears in the cached response, injecting a malicious value into the cache poisons the response for all subsequent users who receive the cached version.

The classic scenario: an application reflects the Host header in an absolute URL in a script import or redirect response. If that response is cached (by a CDN, reverse proxy, or application cache), every user who requests the page in the next cache TTL period receives a response with an attacker-controlled domain in the script source — enabling JavaScript injection at scale.

WEB CACHE POISONING VIA HOST HEADER — TESTING
# Identify cacheable endpoints first
Look for: X-Cache: HIT/MISS headers in responses
Cache-Control: public or max-age headers
CF-Cache-Status: HIT (Cloudflare)
Age: header (indicates cached response)
# Test Host header reflection in response
GET / HTTP/1.1
Host: target.com:1337
# Check response: does 1337 appear in the body or headers?
# If yes: Host header is reflected — test for cache poisoning
# Attempt cache poisoning with unique value
GET / HTTP/1.1
Host: target.com
X-Forwarded-Host: attacker.burpcollaborator.net
# Check: does the response contain attacker.burpcollaborator.net?
# If yes AND response is cached: critical severity
# Verify cache poisoning persisted
Wait 30 seconds, send identical request WITHOUT the malicious header
If attacker.burpcollaborator.net still in response → cache is poisoned
All users receiving this cached response are now affected

Finding HHI in Bug Bounty Programs

My methodology for finding Host header injection on bug bounty targets is systematic rather than random. I prioritise three categories: any endpoint that sends emails with links (password reset, email verification, invitation, subscription confirmation), any endpoint that generates or redirects to absolute URLs, and any endpoint with visible caching headers. These three categories cover the majority of exploitable HHI surfaces.

For testing efficiency, I use Burp Suite’s active scanner to test Host header injection automatically across the target’s endpoints, then manually verify and escalate any findings. The scanner catches the obvious cases; manual testing with override headers catches the bypasses. On older PHP and custom-built platforms, I specifically look for the password reset flow first — it’s the most likely exploitable surface and the highest payout potential.

Reporting — Demonstrating the Full Attack Chain

A Host header injection report that demonstrates only the injection — “I changed the Host header and it was reflected” — gets triaged as Low. A report that demonstrates the complete account takeover chain gets triaged as High or Critical. The difference is the impact demonstration. My report structure for password reset poisoning:

HHI REPORT STRUCTURE — BUG BOUNTY TEMPLATE
# Severity: High (ATO) / Critical (cache poisoning affecting all users)
TITLE: Host Header Injection Enables Password Reset Poisoning → Account Takeover
# Steps to reproduce
1. Go to /forgot-password and request a reset for [test account]
2. Intercept request in Burp Suite
3. Modify Host header: target.com → attacker-controlled-server.com
4. Forward request and check email received
5. Reset link in email: https://attacker-controlled-server.com/reset?token=XXX
# Attack scenario
1. Attacker sends reset request for victim@company.com
2. Server emails victim with attacker’s domain in reset link
3. Victim clicks → token delivered to attacker
4. Attacker uses token to set new password → account taken
# Evidence
– Screenshot: Burp Intercept showing modified Host header
– Screenshot: Email received with poisoned URL
– Screenshot: Collaborator interaction showing token received

⚡ EXERCISE 3 — LAB (20 MIN · BURP SUITE)
Test All Host Header Injection Vectors on a Practice Target

⏱️ 20 minutes · Burp Suite + PortSwigger Labs

This exercise tests the full range of Host header injection vectors — basic injection, override header bypasses, and identifying caching. Use PortSwigger labs for confirmed-vulnerable practice or your own test application.

SETUP: Burp Suite running with a PortSwigger lab open
Use any Host Header Injection lab at: portswigger.net/web-security/host-header

Testing Checklist — work through each:

☐ 1. Basic Host header modification
– Intercept POST /forgot-password
– Change Host to Burp Collaborator domain
– Forward and check email + Collaborator

☐ 2. X-Forwarded-Host bypass
– Keep Host: [legitimate domain]
– Add X-Forwarded-Host: [your collaborator domain]
– Send and check if application uses X-Forwarded-Host value

☐ 3. Duplicate Host header
– Add a second Host header with your collaborator domain
– Observe which one the application uses

☐ 4. Port injection
– Host: target.com:1337
– Does 1337 appear in the response? (reflects to response)

☐ 5. Cache testing on homepage
– Check for X-Cache, Cache-Control, Age headers
– Send request with X-Forwarded-Host: collaborator.domain
– Wait 30 seconds, send same request WITHOUT the header
– Is collaborator.domain still in the response? (cache poisoned)

Document: Which vectors were vulnerable? What was the impact for each?
Write: A 3-sentence impact statement for the highest-severity finding you could demonstrate.

✅ The testing checklist approach is the systematic methodology you should run against every bug bounty target that has a password reset or email generation flow. Most hunters test only the basic Host header modification and miss the X-Forwarded-Host bypass that’s actually present. Covering all 5 vectors in sequence takes under 5 minutes per endpoint and catches the full range of vulnerable configurations. Your 3-sentence impact statement is the core of your bug bounty report — practiced here in lab context, applied directly to live programs.

📸 Screenshot your completed testing checklist with findings marked. Share in #bug-bounty. Tag #Day25

📋 Key Commands & Payloads — Host Header Injection Bug Bounty 2026 — Password R

# Legitimate password reset request
POST /forgot-password HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
# Step 1: Set up Burp Collaborator
Burp Suite → Collaborator tab → “Copy to clipboard”
Note your Collaborator URL: abc123.burpcollaborator.net
# Test each header individually in Burp Repeater
# Attempt 1: Direct Host header modification
POST /forgot-password HTTP/1.1

🏆 Day 25 Complete — Host Header Injection

Password reset poisoning, X-Forwarded-Host bypasses, web cache poisoning, and the full report structure for demonstrating account takeover. HHI is one of the cleaner high-severity findings in bug bounty — the attack chain is demonstrable without touching real user accounts, and the impact is unambiguous. Day 26 moves to Server-Side Template Injection — another code execution pathway hiding inside template engines.


🧠 Quick Check

You’re testing a password reset endpoint. Modifying the Host header to your Burp Collaborator domain returns a 400 Bad Request — the application validates the Host header against an allowlist. What should you try next?




❓ Frequently Asked Questions — Host Header Injection

What is host header injection?
A vulnerability where an application trusts and uses the HTTP Host header without validation, allowing attackers to inject arbitrary values that get embedded in password reset links, cached responses, or absolute URLs — enabling account takeover via password reset poisoning or web cache poisoning at scale.
What is password reset poisoning?
Exploiting host header injection on password reset endpoints. The attacker sends a reset request for the victim’s account with their domain in the Host header. The application emails the victim a reset link containing the attacker’s domain. When the victim clicks it, the reset token goes to the attacker who completes the password change and takes the account.
What headers should I test for host header injection?
Host (direct), X-Forwarded-Host (most common bypass), X-Host, Forwarded (RFC 7239), X-Forwarded-Server, duplicate Host headers, and port-based injection (Host: target.com:1337). Test each individually — different applications trust different headers.
How severe is host header injection in bug bounty?
Password reset poisoning enabling account takeover: typically High–Critical ($500–$5,000+). Web cache poisoning affecting all users: Critical. Host header reflected without further impact: Low–Medium. Demonstrating the full account takeover chain is essential for high severity classification.
What is web cache poisoning via Host header?
When the Host header value is reflected in a cacheable response, injecting a malicious value can poison the cache so all subsequent users receive a response containing attacker-controlled content. This escalates severity from single-account to all-users impact.
Which applications are vulnerable to host header injection?
Applications generating absolute URLs using the Host header for password resets, email links, or redirects; apps behind reverse proxies trusting X-Forwarded-Host; older PHP apps using $_SERVER[‘HTTP_HOST’] directly; and any custom-built platform generating user-facing URLs from request headers. Modern frameworks with ALLOWED_HOSTS configuration are generally resistant but misconfigured deployments remain vulnerable.
← Previous

Day 24: CRLF Injection Bug Bounty

Next →

Day 26: SSTI Bug Bounty — Server-Side Template Injection

📚 Further Reading

  • Day 24 — CRLF Injection Bug Bounty — Yesterday’s header injection technique that breaks HTTP response parsing. CRLF and HHI are often tested together on the same endpoints since both exploit inadequate HTTP header validation.
  • Day 26 — SSTI Bug Bounty 2026 — Tomorrow’s server-side template injection attack class. Like HHI, SSTI exploits trusted user input reaching the wrong processing layer — in SSTI’s case, the template engine rather than URL generation.
  • Web Application Security Hub — The full web app security series covering OWASP Top 10 attack classes, with lab walkthroughs, Burp Suite methodology, and bug bounty reporting templates for each vulnerability class.
  • PortSwigger — HTTP Host Header Attacks — PortSwigger’s authoritative Host Header injection reference with multiple hands-on labs covering password reset poisoning, middleware bypasses, and web cache poisoning. The definitive practice resource for this vulnerability class.
  • OWASP Testing Guide — Host Header Injection — OWASP’s standardised test methodology for Host header injection, covering all test cases, expected vulnerable behaviours, and remediation guidance for developers. Referenced by bug bounty programs in their security requirements.
ME
Mr Elite
Owner, SecurityElites.com
The first time I found password reset poisoning on a live target, I almost talked myself out of reporting it. The validation thought: “They’ll reject this — the Host header modification is so obvious, surely they know.” I submitted anyway. The program triaged it as High, paid out, and the triage note said “good catch, this was in production for 3 years.” What I’ve learned from dozens of HHI findings since: developers build password reset flows thinking about the happy path — user clicks the link, resets their password, done. The adversarial path — what if the link contains someone else’s domain? — almost never gets thought through in the initial implementation. That gap is why I test every password reset flow I encounter, and why I always test the X-Forwarded-Host bypass even when the direct Host modification fails.

host header attack 2026 host header injection bug bounty host header ssrf host header vulnerability password reset poisoning web cache poisoning host header x-forwarded-host injection
Join free to earn XP for reading this article Track your progress, build streaks and compete on the leaderboard.
Join Free
Lokesh N. Singh aka Mr Elite
Lokesh N. Singh aka Mr Elite
Founder, Securityelites · AI Red Team Educator
Founder of Securityelites and creator of the SE-ARTCP credential. Working penetration tester focused on AI red team, prompt injection research, and LLM security education.
Linkedin Twitter
About Lokesh ->

Leave a Comment

Your email address will not be published. Required fields are marked *