hunt-host-header
HUNT-HOST-HEADER — Host Header Injection
Grounding / Provenance
This skill is built from the public Host-header attack literature, not invented payloads. Cite the technique source in your report, never a fabricated ID:
- Password-reset poisoning class — the canonical write-up is Skelet's/Detectify-era "Practical HTTP Host header attacks" (the Django `request.get_host()` → password-reset-link case). Many frameworks built the reset URL from the request Host with no `ALLOWED_HOSTS`-style allowlist. Cite the framework + the reflected-Host behaviour you actually observed.
- Web cache poisoning via unkeyed Host / X-Forwarded-Host — PortSwigger Research, James Kettle, "Practical Web Cache Poisoning" (2018) and "Web Cache Entanglement" (2020). These define unkeyed-input poisoning, which is the mechanism behind X-Forwarded-Host poisoning.
- Routing-based SSRF — PortSwigger Research, "Cracking the lens" / routing-based SSRF (Host header steers the front-end's upstream selection).
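
The missing allowlist named in the password-reset poisoning item, shown as an added example (not code from this skill or from Django): a reset-link builder that trusts the request Host next to one that validates it and builds the link from server-side configuration. The function names, host values and `CANONICAL_ORIGIN` are constructed assumptions; the leading-dot wildcard follows the convention of Django's `ALLOWED_HOSTS`.

```python
from urllib.parse import quote, urlsplit

# Constructed sample configuration (assumptions, not from the page).
ALLOWED_HOSTS = ["app.example.com", ".example.org"]  # leading dot: domain + subdomains
CANONICAL_ORIGIN = "https://app.example.com"         # fixed server-side setting


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Return True only when the Host header names an allowlisted host."""
    # Reject empty values and characters that never belong in host[:port].
    if not host_header or any(c in host_header for c in " \t\r\n/@\\?#"):
        return False
    try:
        parts = urlsplit("//" + host_header)
        hostname = (parts.hostname or "").rstrip(".").lower()
        parts.port  # raises ValueError when the port is not numeric
    except ValueError:
        return False
    for pattern in allowed:
        pattern = pattern.lower()
        if pattern.startswith("."):
            # ".example.org" matches example.org and any subdomain of it.
            if hostname == pattern[1:] or hostname.endswith(pattern):
                return True
        elif hostname == pattern:
            return True
    return False


def reset_link_vulnerable(headers, token):
    """The pattern described above: the link host comes from the request."""
    return f"https://{headers.get('Host', '')}/reset?token={quote(token)}"


def reset_link_hardened(headers, token):
    """Refuse unknown hosts and build the link from server-side config."""
    if not host_is_allowed(headers.get("Host", "")):
        raise ValueError("Host header not in allowlist")
    return f"{CANONICAL_ORIGIN}/reset?token={quote(token)}"


if __name__ == "__main__":
    for host in ("app.example.com", "mail.example.org:8443", "attacker.test"):
        print(host, host_is_allowed(host))
```

The suffix test compares against the pattern with its leading dot, so a look-alike such as `evil-example.org` does not match `.example.org`.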