Host-Header

Summary For Host Header

https://pbs.twimg.com/media/ET39wJOWoAAfTBb?format=jpg&name=small

Also Check These Things While Testing

  1. Add two Host: headers to the request.
  2. Try these headers:
     X-Original-Url:
     X-Forwarded-Server:
     X-Host:
     X-Forwarded-Host:
     X-Rewrite-Url:
  3. If you come across /api.json in any AEM instance during bug hunting, try web cache poisoning via the following headers: Host:, X-Forwarded-Server:, X-Forwarded-Host:, and/or simply try https://localhost/api.json HTTP/1.1
  4. Also try Host: redacted.com.evil.com
  5. Try Host: evil.com/redacted.com (https://hackerone.com/reports/317476)
  6. Try this too: Host: example.com?.mavenlink.com
  7. Try Host: javascript:alert(1); An XSS payload might result in debugging mode. https://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html
  8. Bypass front server restrictions and access forbidden files and directories through X-Rewrite-Url/X-Original-Url: curl -i -s -k -X 'GET' -H 'Host: <site>' -H 'X-rewrite-url: admin/login' 'https://<site>/'.
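
A server-side check that rejects each request shape in the checklist above, as an added example rather than code from the original page. The allowlist, the `check_request` name and the choice to reject override headers outright (which assumes no trusted proxy sets them) are assumptions.

```python
import re

# Assumed allowlist for illustration: the hostnames this application serves.
ALLOWED_HOSTS = {"redacted.com", "www.redacted.com"}

# Headers from the checklist that can override the host or path.
# Assumption: no trusted proxy in front of the app sets these legitimately.
OVERRIDE_HEADERS = {"x-original-url", "x-rewrite-url", "x-host",
                    "x-forwarded-host", "x-forwarded-server"}

# Accept only hostname[:port]; '/', '?', ';', '(' and schemes fail to match.
HOST_RE = re.compile(r"([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)(?::(\d{1,5}))?")


def check_request(headers, allowed_hosts=ALLOWED_HOSTS):
    """headers: list of (name, value) pairs in wire order (duplicates kept).
    Returns (ok, reason)."""
    names = [name.lower() for name, _ in headers]
    hosts = [value for name, value in headers if name.lower() == "host"]
    if len(hosts) != 1:
        return False, "expected exactly one Host header, got %d" % len(hosts)
    overrides = sorted(OVERRIDE_HEADERS.intersection(names))
    if overrides:
        return False, "override header present: " + ", ".join(overrides)
    match = HOST_RE.fullmatch(hosts[0].strip().lower())
    if match is None:
        return False, "malformed Host value"
    # Exact match, not suffix/prefix/substring: redacted.com.evil.com must fail.
    if match.group(1) not in allowed_hosts:
        return False, "Host not in allowlist"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests mirroring the checklist items.
    samples = [
        [("Host", "redacted.com")],
        [("Host", "redacted.com"), ("Host", "evil.com")],
        [("Host", "redacted.com"), ("X-Rewrite-Url", "admin/login")],
        [("Host", "redacted.com.evil.com")],
        [("Host", "evil.com/redacted.com")],
        [("Host", "example.com?.mavenlink.com")],
        [("Host", "javascript:alert(1);")],
    ]
    for sample in samples:
        print(sample, "->", check_request(sample))
```

If a reverse proxy in front of the application does need to set X-Forwarded-Host, strip client-supplied copies at the edge and drop that header from `OVERRIDE_HEADERS` only for requests arriving from the proxy.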
