Possible cross site scripting via Host header - Vulnerability Database

Possible cross site scripting via Host header

Description

Manual confirmation is required for this alert.

This vulnerability occurs when an application reflects the HTTP Host header value in the response body without proper sanitization, potentially enabling Cross-Site Scripting (XSS) attacks. An attacker can manipulate the Host header to inject malicious JavaScript that executes in the victim's browser context. The scanner has detected that the Host header is reflected in the response and that portions of the Location header can be influenced through user input, indicating a potential XSS vector that requires manual verification to confirm exploitability.

Remediation

Implement the following security measures to prevent Host header XSS vulnerabilities:

1. Validate and Sanitize the Host Header:
Implement a whitelist of allowed host values and reject requests with unexpected Host headers.

// Example: PHP validation
// Compare against a fixed allowlist; the third argument enables strict (===) comparison
$allowed_hosts = ['example.com', 'www.example.com'];
$host = $_SERVER['HTTP_HOST'];
if (!in_array($host, $allowed_hosts, true)) {
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid Host header');
}

2. Encode Output:
Always HTML-encode the Host header value before reflecting it in responses.
// Example: HTML encoding in various languages
// PHP
$safe_host = htmlspecialchars($_SERVER['HTTP_HOST'], ENT_QUOTES, 'UTF-8');

// JavaScript (Node.js)
// Escape the five characters that are significant in HTML text and attribute contexts
const escapeHtml = (unsafe) => {
    return unsafe.replace(/[&<>"']/g, (c) => ({
        '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
    })[c]);
};
// e.g. const safeHost = escapeHtml(req.headers.host); inside an http.Server request handler
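The two remediation steps combined in one Node.js module, as an added example that is not part of this page or Invicti's code: an allowlist check that tolerates a port suffix and case differences but rejects anything outside a hostname's character set, HTML escaping before the host is reflected, and a Location header built from the canonical host rather than the raw header. The allowlist, `handleRequest` and `redirectLocation` are constructed for illustration.

```javascript
// Constructed sample allowlist; in deployment this comes from configuration.
const ALLOWED_HOSTS = new Set(['example.com', 'www.example.com']);

// Return the canonical (lowercase, port-stripped) host if the Host header is
// on the allowlist, otherwise null. Characters outside the reg-name set
// (quotes, angle brackets, '@', whitespace) fail the regex and are rejected.
function validateHost(hostHeader, allowed = ALLOWED_HOSTS) {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0 || hostHeader.length > 255) {
    return null;
  }
  const m = /^([a-z0-9.-]+)(?::(\d{1,5}))?$/i.exec(hostHeader);
  if (m === null) return null;
  const host = m[1].toLowerCase();
  return allowed.has(host) ? host : null;
}

// Minimal HTML escaping for text nodes and double-quoted attribute values.
function escapeHtml(unsafe) {
  return String(unsafe).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Build a Location value for a redirect. The host part comes from the
// allowlist result, never from the raw header; the path must be a single
// leading slash (no "//" or "\" that a browser could treat as scheme-relative).
function redirectLocation(rawHost, path) {
  const host = validateHost(rawHost);
  if (host === null || !/^\/(?![\/\\])[^\r\n]*$/.test(path)) return null;
  return `https://${host}${path}`;
}

// Handle a request given only its Host header: reject unknown hosts with 400,
// otherwise reflect the host into the page body only after escaping it.
function handleRequest(rawHost) {
  const host = validateHost(rawHost);
  if (host === null) {
    return { status: 400, body: 'Invalid Host header' };
  }
  return { status: 200, body: `<p>You are visiting ${escapeHtml(host)}</p>` };
}
```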