search

HTTP Header Exploitation

Request Header payloads (xss, SQLi, etc.)

ko-fiarrow-up-right

Misused or improperly validated headers can lets an attacker:

  • Bypass login flows

  • Steal sessions

  • Hijack OAuth tokens

  • Abuse password reset links

  • Trick backend logic

circle-info

  • Referer: Tells the server which page the request came from

  • Origin: Specifies the domain where the request originated

  • Host: Indicates the target host being requested

hashtag
Basic Payload

X-Forwarded-Host: evil.com"><img src/onerror=prompt(document.cookie)>

X-Forwarded-Host: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z

X-Forwarded-For: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z

Referer: https://site.com/'+(select*from(select(sleep(10)))a)+'

Cookie: 'XOR(if(now()=sysdate(),sleep(10),0))XOR'

User-Agent: "XOR(if(now()=sysdate(),sleep(10),0))XOR"
LogoGitHub - c0dejump/HExHTTP: Header Exploitation HTTPGitHubchevron-right

hashtag
Testing

  1. Change the host header

  1. Duplicating the host header

  1. Add line wrapping

  1. Add host override headers

How to use? In this case im using "X-Forwarded-For : evil.com"

  1. Supply an absolute URL

hashtag
XSS

Blind XX

XSSchevron-right

hashtag
Command Injection

hashtag
SQLi

hashtag
Time Based SQLi

LogoGitHub - danialhalo/SqliSniper: Advanced Time-based Blind SQL Injection fuzzer for HTTP HeadersGitHubchevron-right
Logo#BugBounty —” Database hacked of India’s Popular Sports company”-Bypassing Host Header to SQL…Mediumchevron-right

hashtag
Open Redirect + Referer → Session Leak

Open Redirectionchevron-right

hashtag
Scenario

  • A login page redirects users after authentication.

  • The Referer header is used to determine the “safe” redirect destination.

  • But there’s no validation on it.

hashtag
Exploit Flow

  1. Attacker sends victim to a login link with a crafted Referer like evil.com.

  2. Server blindly trusts the header and sends a redirect to that external domain.

  3. If session tokens or SSO codes are passed along, they’re exposed.

OAuth / Okta Misconfigurationchevron-right

hashtag
Host Header Injection → Password Reset Poisoning

Password Resetchevron-right

hashtag
Scenario

  • A password reset link is emailed to the user.

  • The link is constructed using the Host header.

hashtag
Exploit Flow

  1. Attacker intercepts a password reset request (or initiates it on behalf of a user).

  2. They modify the Host header to their domain: evil.com.

  3. The server builds the reset link like: https://evil.com/reset?token=abcd1234

  4. The user receives this link and clicks it, revealing the reset token to the attacker.

hashtag
CSRF + Origin Header Bypass

CSRFchevron-right

hashtag
Scenario

  • A server uses Origin header to validate POST requests.

  • But it only partially matches or ignores subdomains.

hashtag
Exploit Flow

  1. The server expects Origin: https://example.com.

  2. Attacker sends Origin: https://evil.example.com — which still passes.

  3. CSRF protections are bypassed.

circle-check

Try bypassing Origin and Referer checks with:

  • Similar subdomains

  • Capitalization

  • Multiple headers (e.g., X-Origin, X-Forwarded-Host)

hashtag
Tool

LogoGitHub - c0dejump/HExHTTP: Header Exploitation HTTPGitHubchevron-right

hashtag
Resources

LogoHTTP header hacks: basic and advanced exploit techniques exploredYesWeHackchevron-right
LogoHidden in Headers: The Power of Misused Referer, Origin, and Host HeadersMediumchevron-right

hashtag
Interesting Books

Interesting Bookschevron-right
circle-info

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

hashtag
Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

ko-fiarrow-up-right

buymeacoffeearrow-up-right

PreviousHTTP Verb TamperingNextHTTP Request Smuggling

Last updated