hunt-host-header (Solid)

Hunt Host Header Injection — password reset poisoning → ATO, web cache poisoning via unkeyed Host/X-Forwarded-Host, routing-based SSRF (Host picks upstream → cloud metadata/internal services), path-override SSRF/ACL-bypass (X-Original-URL/X-Rewrite-URL), OAuth redirect_uri/issuer poisoning, and absolute-URL link poisoning in emails. High to Critical when it reaches ATO or mass cache poisoning. Built on public Host-header research (PortSwigger 'Practical web cache poisoning' + James Kettle, and the classic password-reset-poisoning class). Use on any forgot-password flow, CDN/reverse-proxy-fronted app, OAuth/OIDC endpoint, or absolute-URL-in-email feature.

Category: Data & Documents · 1,912 stars · 279 forks · Updated 3 days ago · License: NOASSERTION


Quality Score: 86/100

| Component     | Weight | Score |
|---------------|--------|-------|
| Stars         | 20%    | 100   |
| Recency       | 20%    | 100   |
| Frontmatter   | 20%    | 70    |
| Documentation | 15%    | 100   |
| Issue Health  | 10%    | 50    |
| License       | 10%    | 100   |
| Description   | 5%     | 100   |

Skill Content

# HUNT-HOST-HEADER — Host Header Injection

## Grounding / Provenance

This skill is built from the public Host-header attack literature, not invented payloads. Cite the *technique source* in your report, never a fabricated ID:

- **Password-reset poisoning class** — the canonical write-up is Skelet's/Detectify-era "Practical HTTP Host header attacks" (the Django `request.get_host()` → password-reset-link case). Many frameworks built the reset URL from the request Host with no `ALLOWED_HOSTS`-style allowlist. Cite the framework + the reflected-Host behaviour you actually observed.
- **Web cache poisoning via unkeyed Host / X-Forwarded-Host** — PortSwigger Research, James Kettle, "Practical Web Cache Poisoning" (2018) and "Web Cache Entanglement" (2020). These define unkeyed-input poisoning, which is the mechanism behind X-Forwarded-Host poisoning.
- **Routing-based SSRF** — PortSwigger Research, "Cracking the lens" / routing-based SSRF (Host header steers the front-end's upstream selection).

When you write the report, name the exact behaviour you reproduced (reflected header, cache HIT on a fresh key, OOB hit from your Collaborator). Do **not** copy a CVE or H1 ID you have not verified — a missing citation is always better than a wrong one.

---

## Crown Jewel Targets

Host header injection that reaches password reset links = Critical (ATO for any user).

**Highest-value chains:**

- **Password reset poisoning → ATO** — server builds the reset link from the reque...
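The password-reset-poisoning mechanism the excerpt describes (a reset link built from the request Host with no allowlist) next to the `ALLOWED_HOSTS`-style fix, as an added example that is not taken from the skill or the Claude-BugHunter repository. The `ALLOWED_HOSTS` set, the `CANONICAL_ORIGIN` value and the sample headers are assumed for illustration.

```python
from urllib.parse import urlunsplit

# Constructed configuration (assumed values, not from the skill).
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}
CANONICAL_ORIGIN = ("https", "app.example.com")  # scheme and host used for absolute URLs


def vulnerable_reset_url(headers: dict, token: str) -> str:
    """The defective pattern the excerpt describes: the link's origin comes
    from request-controlled headers. Whoever controls Host (or X-Forwarded-Host,
    which some frameworks honour when deployed behind a proxy) decides where
    the victim's reset token is sent."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return urlunsplit(("https", host, "/reset", f"token={token}", ""))


def host_is_allowed(headers: dict) -> bool:
    """Allowlist check in the spirit of Django's ALLOWED_HOSTS.

    Strips a port, rejects an empty or unknown Host, and deliberately ignores
    X-Forwarded-Host so a proxy-injected value cannot pass the check."""
    host = headers.get("Host", "").strip().lower()
    hostname = host.rsplit(":", 1)[0] if ":" in host else host
    return bool(hostname) and hostname in ALLOWED_HOSTS


def safe_reset_url(headers: dict, token: str) -> str:
    """Rejects requests whose Host is not allowlisted and never derives the
    link's origin from the request: the canonical origin is configuration,
    so a reflected Host cannot redirect the token."""
    if not host_is_allowed(headers):
        raise ValueError("Host header not in allowlist")
    scheme, host = CANONICAL_ORIGIN
    return urlunsplit((scheme, host, "/reset", f"token={token}", ""))


# Constructed request headers simulating a poisoned forgot-password request.
POISONED = {"Host": "app.example.com", "X-Forwarded-Host": "evil.example"}
SPOOFED_HOST = {"Host": "evil.example:443"}

if __name__ == "__main__":
    print(vulnerable_reset_url(POISONED, "t0k3n"))  # origin is evil.example
    print(safe_reset_url(POISONED, "t0k3n"))        # origin is app.example.com
```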

Details

Author: elementalsouls
Repository: elementalsouls/Claude-BugHunter
Created: 1 month ago
Last Updated: 3 days ago
Language: Python
License: NOASSERTION

Similar Skills

Semantically similar based on skill content — not just same category

hunt-cache-poison (DevOps & Infrastructure · Solid)

Hunting skill for cache poison vulnerabilities. Built from 10 public bug bounty reports including X-Forwarded-Host poisoning, X-HTTP-Method-Override / GCS cache, reflected→stored XSS via cache, classic Omer-Gil Web Cache Deception, Cloudflare Cache Deception Armor bypass, session-token cache deception, Akamai hop-by-hop smuggling → server-side edge poisoning, and Kettle's 2024 path-normalization WCD against Cloudflare/Fastly/GCP. Use when hunting cache poisoning, Web Cache Deception, CDN-fronted apps.

1,912 stars · Updated 3 days ago · elementalsouls
hunt-ato (AI & Automation · Listed)

Hunt account takeover taxonomy — 9 distinct paths to ATO, plus chains. Paths: (1) password reset flaws (host-header injection redirects token, predictable/numeric token, Referer leak, no-expiry/reuse), (2) email change without re-auth, (3) OAuth account-link CSRF, (4) MFA bypass (per hunt-mfa-bypass), (5) session fixation, (6) JWT manipulation (alg:none, RS256→HS256 key confusion, weak HMAC secret, kid injection), (7) password change without step-up (chain with login timing/length oracle), (8) social-recovery / security-question brute-force, (9) SSO subdomain takeover at OAuth redirect_uri. Chains: cookie theft + password oracle + no step-up = persistent ATO; lax redirect_uri = auth-code theft; dangling-CNAME takeover at redirect_uri = ATO. Validate: demonstrate real takeover of test account B from attacker A's session; OOB/Collaborator confirm blind token-leak steps. Use when hunting ATO chains, testing password reset / email change / MFA / OAuth / session / JWT, or chaining primitives toward Critical.

1,912 stars · Updated 3 days ago · elementalsouls
testing-for-host-header-injection (Testing & QA · Featured)

Test web applications for HTTP Host header injection vulnerabilities to identify password reset poisoning, web cache poisoning, SSRF, and virtual host routing manipulation risks.

15,448 stars · Updated 1 week ago · mukul975