# HTTP Host header

## Host header override (override headers)

```
X-Forwarded-Host
X-HTTP-Host-Override
Forwarded
X-Host
X-Forwarded-Server
```

## Authentication bypass

Localhost values.

```
localhost
127.0.0.1
2130706433
0x7f000001
0177.0000.0000.0001
127.1
127.000000000000000.1
::1
0:0:0:0:0:0:0:1
[0:0:0:0:0:ffff:127.0.0.1]
0:0:0:0:0:ffff:127.0.0.1
[::ffff:127.0.0.1]
::ffff:127.0.0.1
localtest.me
0.0.0.0
0
```
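The values above are alternate spellings of the same few addresses, so a string blocklist applied to `Host` misses most of them. The following is an added example, not part of the original page, that normalizes each value and compares a blocklist with an allowlist; `ALLOWED_HOSTS`, `app.example.com` and all function names are assumptions.

```python
import ipaddress
import re

ALLOWED_HOSTS = {"app.example.com"}                  # assumed: names this app serves
NAIVE_BLOCKLIST = {"localhost", "127.0.0.1", "::1"}  # the weak check under comparison
PART = re.compile(r"0x[0-9a-f]+|[0-9]+")
PAGE_VALUES = ["localhost", "127.0.0.1", "2130706433", "0x7f000001",  # from the list above
    "0177.0000.0000.0001", "127.1", "127.000000000000000.1", "::1",
    "0:0:0:0:0:0:0:1", "[0:0:0:0:0:ffff:127.0.0.1]", "0:0:0:0:0:ffff:127.0.0.1",
    "[::ffff:127.0.0.1]", "::ffff:127.0.0.1", "localtest.me", "0.0.0.0", "0"]

def parse_legacy_ipv4(text):
    """inet_aton-style parse: 1-4 parts, each decimal, 0x hex or leading-0 octal."""
    parts = text.split(".")
    if len(parts) > 4 or not all(PART.fullmatch(p) for p in parts):
        return None
    try:
        nums = [int(p, 16 if p[:2] == "0x" else 8 if p[0] == "0" else 10) for p in parts]
    except ValueError:                    # e.g. "08" is not valid octal
        return None
    *head, last = nums
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    for i, n in enumerate(head):          # the last part fills all remaining bytes
        last |= n << (8 * (3 - i))
    return ipaddress.IPv4Address(last)

def literal_ip(host):  # IP a Host value denotes as a literal, or None for a name
    h = host.strip().lower()
    if h.startswith("["):
        h = h[1:].split("]")[0]           # bracketed IPv6, optional port dropped
    elif h.count(":") == 1:
        h = h.split(":")[0]               # name-or-IPv4 followed by a port
    try:
        ip = ipaddress.IPv6Address(h)
        return ip if ip.ipv4_mapped is None else ip.ipv4_mapped
    except ValueError:
        return parse_legacy_ipv4(h)

def is_internal_literal(host):
    ip = literal_ip(host)
    return ip is not None and (ip.is_loopback or ip.is_private or ip.is_unspecified)

def host_allowed(host):  # allowlist: only a known-good name passes, whatever the spelling
    h = host.strip().lower()
    return (h.split(":")[0] if h.count(":") == 1 else h).rstrip(".") in ALLOWED_HOSTS

def blocklist_misses():  # values the blocklist lets through that are internal IPs
    return [v for v in PAGE_VALUES if v not in NAIVE_BLOCKLIST and is_internal_literal(v)]
```

`localtest.me` is a name rather than an address literal, so `literal_ip` returns `None` for it; the allowlist is what rejects it.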

Internal IP addresses.

```bash
# 192.168.0.0 - 192.168.255.255
for a in {0..255}; do for b in {0..255}; do echo "192.168.$a.$b"; done; done >> ips.txt
```

## Password reset process

Password reset link poisoning through manipulation of the HTTP `Host` header.

## Payloads

* <https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet>
