Host Header Vulnerability

This post has been republished via RSS; it originally appeared at: IIS Support Blog articles.

Browsers send Host Header to inform about the URL client wants to visit. Attackers can temper Host Header to manipulate how the application works. Here is how this attack occurs:


  1. Attacker makes a request with edited Host Header (Example:
  2. Web server receives this Host Header (
  3. If the application is using this Host Header in a link, the malicious site will be displayed. For example, the application may be calling a JS file with Host Header string. In this case, the website will call an address like the one below which points to attacker’s site:
    <script src="">

This type of attack can affect password reset forms and X-Forwarded-Host header as well.



Security scan tools may flag Host Header related findings as a vulnerability. Here are the best practices for preventing attackers using Host Header:

  • Do not use Host Header in the code
  • If you have to use it, validate it in every page
  • Use hostnames in all IIS websites
  • Disable support for X-Forwarded-Host

URL Rewrite rules can be used to find malicious host headers:

  1. Click on the site in IIS  Manager
  2. Go to “URL Rewrite” (it should be installed first)
  3. Click “Add Rule(s)
  4. Select “Blank rule
  5. For “Match URL” section, enter (.) into the “Pattern
  6. In “Conditions” section, click “Add
  7. Enter {HTTP_HOST} into “Condition input
  8. Select “Does Not Match the Pattern” from “Check if input string” list
  9. Enter ^([a-zA-Z0-9-_]+.)$ into “Pattern” field (change domain name with yours)
  10. For the “Action” section, select “Redirect” from the “Action type” list
  11. Enter your domain address ( in the “Redirect URL
  12. Select “Permanent (301)” from the “Redirect type” list
  13. Click “Apply


REMEMBER: these articles are REPUBLISHED. Your best bet to get a reply is to follow the link at the top of the post to the ORIGINAL post! BUT you're more than welcome to start discussions here:

This site uses Akismet to reduce spam. Learn how your comment data is processed.