Host Header Attacks — Web Cache Poisoning via Ambigious Requests

2 min readJul 8, 2023


In this example of the portswigger, the lab’s name provices a hint: We will be using caching mechanism and host header attacks.

Firstly, send a request to the “/” endpoint and observe the behavior. Everythings as it expected. Next, let’s proceed to manipulate the host header and analyze the response.

Manipulating the host header

As you can observe, when a malformed Host header is used, it is reflected in the response body with a 504 response code. I attempted various methods such as adding a port or using single quotes, but I was unable to modify the response. Whatever I typed in the Host header was reflected in the response exactly. The next testing approach is duplicating the Host header, which seems OK given the lab’s name. However, it’s crucial to monitor the Age and X-Cache headers for the cache mechanism. These headers can provide valuable insights during the attack.

Duplicated host header.

Host header has been duplicated and reflected on the main page. The next step is like solving a puzzle. Let’s try to close the script tag and execute the XSS payload. Host:”>

Change the Host header to Host:”></script><script>alert(1)</script> and send the request repeatedly until it gets cached.

XSS Payload is cached.
XSS Payload is executed.

The task is to execute alert(document.domain) instead of alert(1). The next step is a piece of cake. Change the alert(1) to alert(document.domain) and the lab is SOLVED.