[Owasp-leaders] Host header injection

Achim achim at owasp.org
Tue Sep 30 22:08:01 UTC 2014


Hi Owen,

TCP is TCP and knows nothing about the Host header in the application layer (HTTP).
You can write anything in the Host header. It depends on the (web) server and its
applications if it's handled correctly.
I.g. the same data validation needs to be done as for any other header too.

Hope this helps.
Achim
 
On 30.09.2014 23:53, Owen Pendlebury wrote:
> Hi all,
> 
> Just wanted to ask your thoughts on host header injection. Because of the
> TCP connection I shouldn't be able to alter the host header and it redirect
> me right?
> 
> Would be interested in hearing your opinions on risk and exploitation of
> this.
> 
> Owen
> OWASP Ireland-Dublin Chapter Lead
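
Added example, not part of the original thread: one way an application can validate the Host header before using it to build a redirect, as the reply above recommends for any header. The allowlist values, function names and the redirect scenario are assumptions made for illustration.

```python
import re

# Assumption: the names and ports this application is meant to serve (constructed values).
ALLOWED_HOSTS = {"app.example.org", "www.example.org"}
ALLOWED_PORTS = {None, 443}

# A DNS name with an optional :port and nothing else
# (no userinfo, path, whitespace or CR/LF).
HOST_RE = re.compile(
    r"(?P<name>[a-z0-9](?:[a-z0-9.-]{0,252}[a-z0-9])?)(?::(?P<port>[0-9]{1,5}))?"
)


def validate_host(raw_values):
    """Return the canonical host name if the Host header is acceptable, else None.

    raw_values: every Host header value received on the request, as a list.
    """
    if len(raw_values) != 1:
        return None  # missing or duplicated Host header
    # fullmatch() anchors both ends, so a trailing newline cannot slip through.
    m = HOST_RE.fullmatch(raw_values[0].lower())
    if m is None:
        return None
    port = int(m.group("port")) if m.group("port") else None
    if m.group("name") not in ALLOWED_HOSTS or port not in ALLOWED_PORTS:
        return None
    return m.group("name")


def redirect_location_unsafe(headers, path):
    # Reflects whatever the client sent: TCP delivers the request to this
    # server, but the Host value itself is untrusted client input.
    return "https://%s%s" % (headers.get("Host", ""), path)


def redirect_location(raw_hosts, path):
    # path is assumed to be chosen by the server, not taken from the request.
    host = validate_host(raw_hosts)
    if host is None:
        raise ValueError("rejected Host header")  # answer with HTTP 400 in a handler
    return "https://%s%s" % (host, path)


if __name__ == "__main__":
    print(redirect_location(["APP.example.org:443"], "/login"))
    print(validate_host(["other.example.net"]))
```

In a deployment the same allowlist is usually also enforced at the web server or reverse proxy, so that unknown Host values never reach the application.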


