Host Header Injection is a web security vulnerability that occurs when an attacker manipulates the Host header in an HTTP request to exploit improper server-side handling or trust of this header.
Impact:
Web Cache Poisoning: Attackers can poison web caches by tricking the server into storing malicious responses.
Server-Side Request Forgery (SSRF): Exploiting internal services by forging requests.
Password Reset Poisoning: Manipulating links in password reset emails to redirect victims to malicious sites.
Information Disclosure: Exposing sensitive data by bypassing protections dependent on the Host header.
Proper validation of the Host header and avoiding reliance on its value for security decisions can mitigate this risk.
