💰 I Found Host Header Injection & Got a Quick $1,000 Bounty! (Full Guide) 🚀

TheIndianNetwork
2 min read · 4 days ago

Images by TheIndianNetwork

🚀 How I Found a Host Header Injection Bug & Earned a $1,000 Bounty

During a recent bug bounty hunt, I discovered a Host Header Injection vulnerability that led to account takeover, password reset poisoning, and phishing attacks. Within hours of reporting, I received a $1,000 bounty! 💰🔥

In this guide, I'll break down exactly how I found, exploited, and reported this bug to maximize impact. Let's get started! 🚀

πŸ•΅οΈβ€β™‚οΈ Step 1: Finding a Target with Host Header Dependency

Many websites rely on the Host header to determine their own domain name, for example when building absolute URLs. If the header is not properly validated, an attacker can manipulate it to cause security issues. 🚨

I started by sending a simple request to a login page:

curl -I https://target.com/login

Response:

HTTP/1.1 200 OK
Server: nginx
X-Powered-By: PHP

🚀 Key Finding: The server was handling Host headers dynamically, making it a prime target for Host Header Injection!

🔥 Step 2: Injecting a Malicious Host Header

I modified my request to inject a fake Host:

GET /reset-password HTTP/1.1
Host: attacker.com

If the server does not properly validate the Host header, it could be used to:
✅ Hijack password reset links by sending victims a poisoned email.
✅ Bypass authentication systems that rely on the Host header.
✅ Perform web cache poisoning to inject malicious responses.

⚠️ Step 3: Confirming Password Reset Hijacking

To check if the vulnerability was exploitable, I initiated a password reset on my test account. I received the following email:

To reset your password, click the link below:
https://attacker.com/reset-password?token=123456

🔥 Impact: The reset link was poisoned with my attacker-controlled Host header, allowing me to hijack accounts! 🚀
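To make the root cause of Steps 2 and 3 concrete from the defender's side, here is an added example (not code from the original post or from the target application): a password-reset link builder that trusts the incoming Host header, beside a hardened version that validates Host against an allowlist and builds links only from a configured canonical host. The request objects, the `ALLOWED_HOSTS`/`CANONICAL_HOST` settings and all function names are hypothetical; `target.com`, `attacker.com` and the token `123456` are taken from the post.

```python
"""
Added example, not from the original post: vulnerable vs. hardened
password-reset link generation. Requests are constructed dicts rather
than real framework objects; names and settings are hypothetical.
"""
from urllib.parse import urlencode, urlparse

# Hypothetical deployment config: the only hostnames this app is served on.
ALLOWED_HOSTS = {"target.com", "www.target.com"}
# Hypothetical: the single host that should appear in outbound links.
CANONICAL_HOST = "target.com"


def build_reset_link_vulnerable(request: dict, token: str) -> str:
    """Mirrors the bug described in the post: the link's domain is copied
    straight from whatever Host header the client sent, so a spoofed Host
    ends up in the email the victim receives."""
    host = request["headers"]["Host"]
    return f"https://{host}/reset-password?{urlencode({'token': token})}"


def build_reset_link_hardened(request: dict, token: str) -> str:
    """Reject requests whose Host is not on the allowlist, and never use the
    client-supplied value for URL generation: absolute links are always
    built from the configured canonical host."""
    host = request["headers"].get("Host", "")
    # Compare the bare hostname: drop any port, ignore case.
    hostname = host.split(":", 1)[0].lower()
    if hostname not in ALLOWED_HOSTS:
        raise ValueError(f"untrusted Host header: {host!r}")
    return f"https://{CANONICAL_HOST}/reset-password?{urlencode({'token': token})}"


def reset_link_is_poisoned(link: str) -> bool:
    """Last-line check for the mailer: True if the link points at a host the
    application does not own (i.e. the email would be poisoned)."""
    return urlparse(link).hostname not in ALLOWED_HOSTS


# Constructed sample requests: one legitimate, one with a spoofed Host.
LEGIT = {"headers": {"Host": "target.com"}}
SPOOFED = {"headers": {"Host": "attacker.com"}}

if __name__ == "__main__":
    bad = build_reset_link_vulnerable(SPOOFED, "123456")
    print("vulnerable:", bad, "poisoned:", reset_link_is_poisoned(bad))
    print("hardened:  ", build_reset_link_hardened(LEGIT, "123456"))
    try:
        build_reset_link_hardened(SPOOFED, "123456")
    except ValueError as err:
        print("hardened rejected spoofed request:", err)
```

The hardened builder makes two independent fixes: the allowlist check turns an unexpected Host into a 400-style rejection instead of a reflected value, and taking the link's origin from configuration means that even a proxy-injected header (the Host or X-Forwarded-Host a front end forwards) cannot change where the reset link points. Frameworks such as Django implement the first half as an `ALLOWED_HOSTS` setting; the second half is a matter of never reading the request when you generate links in emails.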

📩 Reporting & Quick $1,000 Bounty

Once I confirmed the impact, I submitted a detailed report outlining:
✅ How the Host header was vulnerable.
✅ How it could be exploited for phishing, cache poisoning, and account takeover.
✅ A proof-of-concept (PoC) with a working attack scenario.

Within 24 hours, the security team responded and awarded me a $1,000 bounty! 💰🔥

πŸ† Lessons Learned

1️⃣ Always test Host header manipulation in password reset & login pages.
2️⃣ Try injecting external domains (attacker.com) to see if they reflect.
3️⃣ Check if email confirmations use unvalidated Host headers.
4️⃣ Look for cache poisoning and authentication bypasses.

🔥 Want More Hacking Tutorials?

πŸ›‘οΈ Subscribe for Cybersecurity Videos: youtube.com/@theindiannetwork
πŸ’Œ Need Ethical Hacking Consultation? Contact: theindiannetwork@protonmail.com


Written by TheIndianNetwork

The Indian Network is a dedicated platform focused on educating and empowering individuals in the fields of cybersecurity, ethical hacking, and digital privacy.
