# Host Header Attack

## Introduction

It is common practice for the same web server to host several websites or web applications on the same IP address. This is why the Host header exists: it specifies which website or web application should process an incoming HTTP request, and the web server uses the value of this header to dispatch the request to that website or web application.

## How to Test

### Steps

* Go to the respective site (e.g. <https://demo.testfire.net/>).
* Open Burp Suite Community Edition. Here is the [Blog](https://support.portswigger.net/customer/portal/articles/1783055-configuring-your-browser-to-work-with-burp) on configuring your browser to work with Burp.
* In Burp Suite, go to the Proxy tab and open HTTP history. Then send any request to Repeater by right-clicking on the packet.

![Sent packets to Repeater](/files/-LvOzzlhNF5URSrPGQ4J)

* Change `Host: demo.testfire.net` to `Host: Attacker.com`; the website then points to attacker.com.

![Before changing host header](/files/-LvP2XclqFW1PW_Hm61H)

![After changing the host header](/files/-LvP2aZN_zTGEsAF4f1I)

## Solutions

### PHP

#### Method 1

This is a simple piece of code to verify the Host header. We read the host name from `$_SERVER['HTTP_HOST']`. If `$_SERVER['HTTP_HOST']` is the same as the required host, the request proceeds; if not, the request is answered with an error. The code has to be inserted in the required PHP file.

```
<?php
// Host header exactly as the client sent it.
$host = $_SERVER['HTTP_HOST'];

if ($host === "Host_name") {
    // Make use of the $host variable for your requirements.
} else {
    // Unexpected Host header: reject the request instead of serving it.
    http_response_code(400);
    echo "invalid access error message";
    exit;
}
?>
```

#### Method 2

In this method, we declare the list of domains through which the web page may be accessed, and reject any request whose host is not on that list.

```
<?php
// Allow-list of host names that may serve this application.
$domains = ['abc.example.com', 'foo.bar.com'];

// Strict comparison (third argument) so only exact string matches pass.
if (!in_array($_SERVER['SERVER_NAME'], $domains, true)) {
    http_response_code(400);
    exit('invalid host');
}
```

Note that on Apache with the default `UseCanonicalName Off`, `SERVER_NAME` is derived from the client's Host header, so this check does validate the header; if `UseCanonicalName On` is set, `SERVER_NAME` reflects the configured `ServerName` instead and `$_SERVER['HTTP_HOST']` should be compared.
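As an added example that is not code from the original page, the same allow-list idea in Python, normalizing the Host header before comparing it so that letter case, an explicit port, a trailing dot and malformed values are handled, which the plain equality check above does not do. The allow-list contents and the label rule are assumptions chosen for the example.

```python
import re
# Allow-list constructed for this example (not from the original page). A leading
# dot admits any subdomain of that name, as the Apache regex further down does.
ALLOWED_HOSTS = ["demo.testfire.net", ".example.com"]

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with "-".
# Stricter than the page's regexes: underscores are not valid in host names.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_host(host_header):
    """Split a raw Host header into (hostname, port); None if it is malformed."""
    if not host_header or len(host_header) > 255:
        return None
    value = host_header.strip().lower()
    if value.startswith("["):                      # IPv6 literal, e.g. [::1]:8080
        end = value.find("]")
        if end == -1:
            return None
        hostname, rest = value[:end + 1], value[end + 1:]
    else:
        hostname, sep, rest = value.partition(":")
        rest = sep + rest
    port = None
    if rest:                                       # only ":<digits>" may follow
        if not re.fullmatch(r":[0-9]{1,5}", rest):
            return None
        port = int(rest[1:])
        if not 0 < port < 65536:
            return None
    return hostname.rstrip("."), port


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True only if the Host header names a host on the allow-list."""
    parsed = normalize_host(host_header)
    if parsed is None:
        return False
    hostname, _port = parsed
    if not hostname.startswith("["):
        if not all(_LABEL.match(label) for label in hostname.split(".")):
            return False
    for entry in allowed:
        entry = entry.lower()
        if entry.startswith("."):                  # suffix entry: the apex or any subdomain
            if hostname == entry[1:] or hostname.endswith(entry):
                return True
        elif hostname == entry:
            return True
    return False
```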

### APACHE

#### Method 1

To mitigate Host header attacks, we have to create a VirtualHost entry for each legitimate host name in the httpd.conf configuration file. Note that Apache routes a request whose Host header matches no `ServerName` or `ServerAlias` to the first VirtualHost defined for that address and port, so the first entry should be a default that does not serve the application.

```
# Configures the virtual host listening on all IPs on port 80.
<VirtualHost *:80>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    DocumentRoot /path/to/your/webroot/directory
</VirtualHost>
```

#### Method 2

We can verify the Host header with a regex pattern. If the regex does not match, the request is redirected to a predefined URL. This can be configured in .htaccess or in httpd.conf.

```
# Allows up to three subdomain labels ({0,3}), each 1 to 20 characters long ({1,20});
# adjust to your needs. The dots are escaped so they match only a literal dot, otherwise
# a host such as evildomain.com would also pass. [NC] makes the comparison case-insensitive.
RewriteEngine On
RewriteCond %{HTTP_HOST} !^([a-zA-Z0-9_-]{1,20}\.){0,3}domain\.com$ [NC]
RewriteRule ^(.*)$ https://domain.com/ [R=301,L]
```

### ASP.NET

You can use URL Rewrite rules in IIS to reject requests that carry an unexpected Host header. Perform the steps below:

1. Go to IIS Manager.
2. Click on the site.
3. Double click on “URL Rewrite” (it should be installed).
4. Click “Add Rule(s)” on the right side.
5. Select “Blank rule” in Inbound rules. Click “OK”.
6. Give a name to the rule (eg. Host Header Validation).
7. In the “Match URL” section, enter `(.*)` in the “Pattern” field.
8. In the “Conditions” section, click “Add”.
9. Enter `{HTTP_HOST}` into the “Condition input” field.
10. Select the “Does Not Match the Pattern” option from the “Check if input string” list.
11. Enter `^([a-zA-Z0-9_-]+\.)domain\.com$` into the “Pattern” field (change domain to your actual domain; the dots are escaped so they match only a literal dot).
12. In the “Action” section, select “Abort Request” from the “Action type” list.
13. Click “Apply” on the right side.

![](/files/-M22fvj-5FRXXol168Y6)
