The Burp Suite User Forum will be discontinued on the 1st November 2024.

Burp Suite User Forum


Host header poisoning

Adrian | Last updated: Oct 28, 2024 08:43AM UTC

Why did Burp Scanner discover the Host header poisoning vulnerability on this vulnerable code?

```php
<?php
// Host header is taken verbatim from the incoming request
$host = $_SERVER['HTTP_HOST'];
//echo "The host is: " . $host;
// ...and written straight into the redirect target
header('Location: ' . $host . "/test");
exit();
```

https://imgur.com/3iXlxNi
https://imgur.com/UH8MLVu

Syed, PortSwigger Agent | Last updated: Oct 29, 2024 09:30AM UTC

Hi Adrian,

The value of the Host header is not sanitised here and is used directly in the subsequent Location header, which makes it susceptible to Host header injection. You can verify this by changing the Host header and seeing whether the changed value is reflected in the Location header.

I would recommend doing a false positive analysis to confirm if this indeed can be exploited.
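As an added illustration (not code from either poster), the same redirect with the Host header checked against an allowlist of deployment hostnames before it is used, falling back to a fixed canonical host; the hostnames are assumed values.

```php
<?php
// Added example, not from the thread: validate the Host header instead of
// trusting it verbatim when building the Location header.

// Assumption: the hostnames this application is actually served under.
const ALLOWED_HOSTS = ['app.example.com', 'www.example.com'];
const DEFAULT_HOST  = 'app.example.com';

/**
 * Return a hostname that is safe to embed in a Location header.
 * Falls back to DEFAULT_HOST when the Host header is missing,
 * malformed, or not on the allowlist.
 */
function safeHost(?string $hostHeader): string
{
    if ($hostHeader === null) {
        return DEFAULT_HOST;
    }
    // Drop an optional :port suffix and normalise case before comparing.
    $host = strtolower(preg_replace('/:\d+$/', '', trim($hostHeader)));
    return in_array($host, ALLOWED_HOSTS, true) ? $host : DEFAULT_HOST;
}

function redirectTarget(?string $hostHeader): string
{
    // Emit an absolute URL with a fixed scheme rather than a bare host.
    return 'https://' . safeHost($hostHeader) . '/test';
}

// Vulnerable form from the thread, for comparison:
//   header('Location: ' . $_SERVER['HTTP_HOST'] . '/test');
// Hardened form:
if (PHP_SAPI !== 'cli') {
    header('Location: ' . redirectTarget($_SERVER['HTTP_HOST'] ?? null));
    exit();
}

// Self-check when run from the command line (php this_file.php).
$cases = [
    'app.example.com'      => 'https://app.example.com/test',
    'APP.example.com:8443' => 'https://app.example.com/test',
    'attacker.example'     => 'https://app.example.com/test', // not allowlisted
];
foreach ($cases as $input => $expected) {
    if (redirectTarget($input) !== $expected) {
        fwrite(STDERR, "mismatch for $input\n");
        exit(1);
    }
}
echo "ok\n";
```

With the allowlist in place, a modified Host header no longer appears in the Location header, which is the check Syed describes above.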
