In follow-up to #49, there are some outstanding items to be addressed.
Source ref: https://github.com/OWASP/OWASP-Testing-Guide-v5/blob/master/document/4%20Web%20Application%20Security%20Testing/4.8%20Input%20Validation%20Testing/4.8.18%20Testing%20for%20Host%20Header%20Injection%20(OTG-INPVAL-018).md
First paragraph:
A web server commonly hosts several web application on the same IP address
applications
plural (on the first occurrence)
referring to each applications via
application
(singular here)
to the target virtual host of the value supplied in the Host header
to the target virtual host based on the value supplied in the Host header
For the whole second chunk of this paragraph:
"Without proper validation of the header value, the attacker can supply invalid input to cause the web server: to dispatch requests to the first virtual host on the list without proper validation of the HTTP request Host header value, cause a redirect to an attacker-controlled domain, perform web cache poisoning, or manipulate password reset functionality."
Second paragraph:
not to an internal virtual hosts that
host
singular
Third section:
X-Forwarded Host header Bypass
heading should be title caps: Header.
Producing the following client-side output.
Potentially producing client-side output such as:
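As an added illustration of the two behaviours the proposed wording describes (an unvalidated Host value landing in a password-reset link, and the X-Forwarded-Host value bypassing a check that only looks at Host), the following Python is example code written for this issue; it is not from the OWASP guide or from any framework. The host names, the `ALLOWED_HOSTS` allowlist, the `/reset` path and the sample requests are constructed assumptions.

```python
"""Added example (not from the OWASP guide or this issue): how an unvalidated
Host / X-Forwarded-Host value reaches a password-reset link, and how an
allowlist check stops it. Host names, paths and the allowlist are assumptions."""

from urllib.parse import quote

# Assumed allowlist of virtual hosts this application is legitimately served on.
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def _header(headers, name):
    """Case-insensitive lookup over a plain dict (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def reset_link_vulnerable(headers, token):
    """Vulnerable: the link host is whatever the client sent.

    Many deployments prefer X-Forwarded-Host over Host so that an app behind a
    reverse proxy sees its public name. When the app honours that header from
    any client, it also bypasses validation that only looks at Host.
    """
    host = _header(headers, "X-Forwarded-Host") or _header(headers, "Host")
    return f"https://{host}/reset?token={quote(token)}"


def canonical_host(headers, allowed=ALLOWED_HOSTS):
    """Return the request's host if it is on the allowlist, else None.

    Only Host is consulted: X-Forwarded-Host is a proxy hint that should be
    honoured only for connections from a trusted proxy, which this function
    does not assume. The value is lowercased and stripped of an optional port
    before an exact-match comparison, so prefix/suffix tricks such as
    'www.example.com.attacker.example' do not pass.
    """
    host = _header(headers, "Host")
    if not host:
        return None
    host = host.strip().lower()
    # Strip a port suffix (host:port); bracketed IPv6 literals are not expected here.
    if host.count(":") == 1:
        host = host.split(":", 1)[0]
    if host not in allowed:
        return None
    return host


def reset_link_hardened(headers, token, allowed=ALLOWED_HOSTS):
    """Hardened: refuse to build the link at all when Host is not allowlisted.

    Better still is to take the public origin from server-side configuration
    rather than from the request; this shows the minimum check.
    """
    host = canonical_host(headers, allowed)
    if host is None:
        return None
    return f"https://{host}/reset?token={quote(token)}"


if __name__ == "__main__":
    token = "4f2c9a"  # constructed sample token
    # Constructed requests: a plain injected Host, the X-Forwarded-Host bypass
    # where Host itself looks legitimate, and a legitimate request.
    samples = [
        ("injected", {"Host": "attacker.example"}),
        ("bypass", {"Host": "www.example.com", "X-Forwarded-Host": "attacker.example"}),
        ("legit", {"Host": "www.example.com"}),
    ]
    for name, hdrs in samples:
        print(name, "| vulnerable:", reset_link_vulnerable(hdrs, token),
              "| hardened:", reset_link_hardened(hdrs, token))
```

Run as a script to see the vulnerable builder emit an `attacker.example` link for both the injected-Host and the X-Forwarded-Host cases, while the hardened builder returns `None` for the injected Host and keeps `www.example.com` for the bypass attempt because it never reads X-Forwarded-Host.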