What it is
Reflected Host header enabling password-reset poisoning, cache poisoning, and malicious link generation.
How attackers abuse it
Weak authentication or session handling lets an attacker log in as someone else, forge a token, or keep a session alive that should have ended. Once they are 'you', everything you can do, they can do.
Attacker playbook
- 1Probe the login, token, or session for weaknesses (guessable tokens, weak signing, no expiry).
- 2Forge or replay a token, or brute-force credentials where there is no lockout.
- 3Take over the account and act with its privileges.
How VibeSec detects and confirms it
VibeSec tests for this with an active scan, which runs only on targets you confirm you own or are authorized to test. We detect and confirm it using VibeSec native. When a payload actually proves the issue, it is reported as a confirmed finding rather than a guess.
VibeSec native
If this is in your report: how to fix it
- Use a vetted auth library; do not roll your own tokens or password hashing.
- Sign and verify tokens properly, set short expiries, and rotate on privilege change.
- Add rate limiting and lockout on login, and enforce strong passwords or MFA.
Check your site for this
Run a scan and see whether this affects you, in plain language with copy-paste fixes.
Scan your site for free