Header-Based Open Redirect
Description
It is also called Host Header Injection, because the attacker-controlled value is supplied in the Host header of the HTTP request.
The attacker sends Host: attacker.com
and checks whether the response status code is 301, 307 or 308, all of which indicate a redirection.
Sometimes X-Forwarded-Host: attacker.com
will also produce a redirection to attacker.com.
Example
Let's consider normal HTTP request,
GET / HTTP/1.1
Host: somesite.com
It gives the response headers as,
HTTP/2 200 OK
date: Wed, 13 May 2020 14:18:47 GMT
Now, when I send the same request with Host: attacker.com
in the request headers, like
GET / HTTP/1.1
Host: attacker.com
It gives the response headers as,
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://attacker.com/
Connection: close
Impact
- On its own it does not have much impact, as an attacker cannot set the Host header in a victim's request.
- It may lead to an open redirection with the help of web cache poisoning, if a cache stores the attacker-triggered redirect response and serves it to other users.
Prevention
- Always validate the Host header against the hosts the application is meant to serve before using it in any URL or redirect.
- Maintain a whitelist of allowed hosts, and treat X-Forwarded-Host the same way: accept it only when it is set by your own reverse proxy, and check that value against the whitelist too.
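As an added example (not code from the original write-up), the following Python contrasts the vulnerable pattern described above, where the redirect target is copied from whatever Host or X-Forwarded-Host value the client sent, with a version that applies the two prevention points: normalise the header value and accept it only if it is on a whitelist. The hostnames somesite.com and www.somesite.com, the function names and the 400 response for an unknown host are assumptions made for this example.

```python
import re
from typing import Dict, Optional, Tuple

# Hosts this deployment legitimately serves (constructed values for the example;
# a real deployment would load these from configuration).
ALLOWED_HOSTS = {"somesite.com", "www.somesite.com"}

Response = Tuple[int, Dict[str, str]]


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def vulnerable_redirect(headers: Dict[str, str]) -> Response:
    """The pattern the write-up describes: the redirect target is copied from
    whatever Host (or X-Forwarded-Host) value the client chose to send."""
    host = _header(headers, "X-Forwarded-Host") or _header(headers, "Host") or ""
    return 301, {"Location": f"https://{host}/"}


def normalize_host(raw: str) -> Optional[str]:
    """Lower-case the value, drop an explicit port, and reject anything that is
    not a plain DNS-style hostname (so values carrying '@', '/' or spaces never pass)."""
    host = raw.strip().lower()
    if ":" in host:
        host, _, port = host.rpartition(":")
        if not port.isdigit():
            return None  # bracketed IPv6 literals and other oddities are refused
    if not host or not re.fullmatch(r"[a-z0-9.-]+", host):
        return None
    return host


def safe_redirect(headers: Dict[str, str], trust_forwarded_host: bool = False) -> Response:
    """Hardened version: only a normalised host that is on the whitelist is ever
    reflected into Location. X-Forwarded-Host is ignored unless the caller states
    that a trusted reverse proxy sets it, and even then it must pass the whitelist."""
    candidate = _header(headers, "Host") or ""
    if trust_forwarded_host:
        forwarded = _header(headers, "X-Forwarded-Host")
        if forwarded:
            # Proxies may append values; the first entry is the client-facing host.
            candidate = forwarded.split(",")[0]
    host = normalize_host(candidate)
    if host is None or host not in ALLOWED_HOSTS:
        # Unknown or malformed host: refuse the request instead of redirecting to
        # a client-chosen name. The 400 also makes such probes easy to spot in logs.
        return 400, {}
    return 301, {"Location": f"https://{host}/"}


if __name__ == "__main__":
    probe = {"Host": "attacker.com"}
    print("vulnerable:", vulnerable_redirect(probe))  # reflects attacker.com
    print("hardened:  ", safe_redirect(probe))        # 400, nothing reflected
    print("legitimate:", safe_redirect({"Host": "SomeSite.com:443"}))
```

Note that the whitelist check is an exact match after normalisation, so a value such as somesite.com.attacker.com is refused even though it starts with the legitimate name; prefix or substring checks are a common way for this kind of validation to go wrong.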