Back to Host Header

Host Header 10: Absolute URL Poisoning

Goal: make the generated JavaScript asset URL point off-site.

Hints
  • The app uses the supplied host to build a full asset URL.
  • No allowlist exists.
  • This kind of bug can lead to cache poisoning or mixed-content style issues depending on the deployment.
Why this works

Applications that construct absolute URLs from untrusted host data can be tricked into referencing attacker-controlled infrastructure.