Skip to content

Instantly share code, notes, and snippets.

Last active April 18, 2023 10:27
What would you like to do?
A Host Header Injection issue on the Login page of Plesk Obsidian through 18.0.49 allows attackers to redirect users to malicious websites via a HTTP "Host" request header.
Vulnerability: Host Header Injection
Product: Plesk Obsidian
Version: 18.0.49 and below
Burp Suite
Mozilla Firefox (as a browser)
Scenario: Attacker could redirect users login page to malicious login page by inject a payload directly into the “Host: ” HTTP request header.
1. Access the target website (which Plesk installed) without URL path.
2. Intercept “login.php” request and Modify the “Host: ” HTTP request header value to malicious website. In this case -> and then forward the edited request.
3. The target website will redirect to “” instead of “https:<target>/login.php”.
More step by step screanshot and PoC video:
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment