Summary
A typical web application uses HyperText Transfer Protocol (HTTP) for communication purposes. There are various attributes in HTTP, termed as Headers (for both Request and Response), that have their significance, and all the attributes in HTTP Headers should be configured securely for communication purposes. Often most of the attributes in HTTP Headers are misconfigured in web servers which makes the entire HTTP communication vulnerable to various cyber-attacks.
HTTP Host headers are among one of the HTTP Header attributes that are misconfigured often and it can cause potential threat which is termed as Host Header Injection. In this literature, the author has shown how to exploit HTTP Host Header, where web servers are misconfigured in such a way that web servers respond to malicious HTTP requests without identifying the origin from which HTTP(S) Request(s) (Host Header) is made. In this literature, the author has also shown how to check incoming traffic on web servers w.r.t the origin or HTTP Host Headers and rejecting the same in case request is not coming from whitelisted origin.