loading
loading
Misconfiguration
A host header injection vulnerability checker for batches of URLs.
overview
hinject checks web servers for host header injection by sending each request an X-Forwarded-Host header set to a unique canary hostname, then reading the response. When the canary comes back reflected in the body, the application trusts an attacker-controlled host value, the precondition for web cache poisoning, password-reset link poisoning, and routing to internal virtual hosts.
It reads URLs from a list and tests them concurrently, so you can screen a whole attack surface in one pass instead of crafting requests by hand. The interface is deliberately small: hand it a file of URLs and it prints the hosts that reflect the injected header.
Reach for hinject after you have a set of live URLs and want a fast, single-purpose check rather than a broad templated scan. Place it behind httpx so it only tests hosts that responded, then route the flagged URLs into your reporting stage.
use cases
Pipe a file of live URLs through hinject to find every host that reflects an X-Forwarded-Host value, the sign it trusts an attacker-controlled host.
Treat a reflected canary as evidence that a host is a candidate for web cache poisoning or password-reset link poisoning before you invest in manual exploitation.
Run hinject after httpx so it only tests URLs that responded, which keeps the request count and the noise down.
Schedule hinject behind subdomain discovery and probing so newly exposed hosts get the header-injection check as they appear.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| urls-list | FILE | · | List of URLs to check for host header injection, one per line; streamed to the tool on stdin. |
Showing key inputs. hinject exposes 1 inputs in total.
example
# pipe a URL list into hinject and flag host header injectioncat urls.txt | hinject -v[VULNERABLE] https://staging.example.com/[ NOT VULN ] https://www.example.com/[ NOT VULN ] https://api.example.com/[VULNERABLE] https://dev.example.com/[ FAILED ] https://legacy.example.com/[ NOT VULN ] https://app.example.com/[ NOT VULN ] https://mail.example.com/[VULNERABLE] https://cache.example.com/guidance
Use hinject when you have a list of live URLs and want a focused host header injection check. For broad templated vulnerability coverage, nuclei carries header-injection templates among thousands of others. For deep cache-poisoning research, a dedicated tool digs further.
Template-driven scanner with host header injection checks among thousands. Broader, less focused on this one class.
Maps hostnames behind IPs. Useful before hinject to build the URL list, not a vulnerability check itself.
Probes which hosts are live. Run it first so hinject only tests responding targets.
faq
related
A fast tool to scan for CRLF vulnerabilities, written in Go.
Leak git repositories from misconfigured sites and rebuild their contents.
Find files on web servers that should not be public and can pose a security risk.
A Go subdomain takeover tool that scans subdomains concurrently to find hijackable ones.
A URL list is probed by httpx, then hinject tests the live hosts for host header injection and writes the findings as a queryable output.
Facts on this page come from the live Trickest tool library.