
oksuzkayra/host-header-injector


Host Header Injector

Host Header Injector is a Caido plugin that adds a right-click workflow to Replay and HTTP History. It clones the selected requests, injects the fixed matcher string zwrtqx into Host-related headers, replays every mutation through Caido’s HTTP stack, and raises findings whenever the matcher is reflected back.

Key capabilities

  • Context-menu entry: “Host Header Injector: Inject” appears under Plugins inside Replay and HTTP History request tables.
  • Payload orchestration: rewrites Host, X-Forwarded-Host, X-Original-Host, X-Host, and Forwarded headers with several zwrtqx variations per request.
  • Automatic dispatch: uses Caido’s internal HTTP API so upstream proxy, scopes, and history tracking work exactly like manual replays.
  • Reflection detection: scans response headers and body text for the matcher and reports every hit.
  • Findings integration: creates high-severity “Host Header Injection Detected” findings containing the injected payload and the reflected snippet for easy triage.
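The mutate-and-detect loop described above can be modelled outside Caido. The following is an added example, not the plugin's own code: it does not use the Caido SDK, and the request/response object shapes, the exact payload variants, the `vulnerableServer` and `hardenedServer` stand-ins and the `app.example` hostname are all assumptions chosen so the example runs offline. The two stand-in servers show why the check matters: one builds absolute URLs from whatever `X-Forwarded-Host` or `Host` it receives, the other only ever echoes an allowlisted canonical host.

```javascript
// Added example: standalone model of the plugin's workflow (not the plugin's
// code, no Caido SDK). Request/response shapes and payload variants are assumed.

const MATCHER = "zwrtqx";

// Headers the plugin rewrites, as listed in the README.
const TARGET_HEADERS = ["Host", "X-Forwarded-Host", "X-Original-Host", "X-Host", "Forwarded"];

// Payload variants for one header. The README only says "several variations";
// these three shapes are an assumption. Forwarded uses RFC 7239 "host=" syntax.
function payloadsFor(header, originalHost) {
  const canary = `${MATCHER}.example`;
  if (header === "Forwarded") return [`host=${canary}`];
  return [canary, `${MATCHER}.${originalHost}`, `${originalHost}.${canary}`];
}

// Clone the request once per (header, payload) pair. Header names are stored
// lowercased so Host and X-Forwarded-Host lookups are case-insensitive.
function mutateRequest(request) {
  const originalHost = request.headers.host ?? "";
  const mutations = [];
  for (const header of TARGET_HEADERS) {
    for (const payload of payloadsFor(header, originalHost)) {
      const headers = { ...request.headers, [header.toLowerCase()]: payload };
      mutations.push({ header, payload, request: { ...request, headers } });
    }
  }
  return mutations;
}

// Scan response headers and body for the matcher; one finding per hit, with
// the injected payload and a short evidence snippet around the reflection.
function findReflections(mutation, response) {
  const findings = [];
  const snippetOf = (text, idx) =>
    text.slice(Math.max(0, idx - 20), idx + MATCHER.length + 20);
  const record = (where, text, idx) =>
    findings.push({ where, injectedHeader: mutation.header, payload: mutation.payload, snippet: snippetOf(text, idx) });
  for (const [name, value] of Object.entries(response.headers)) {
    const idx = value.indexOf(MATCHER);
    if (idx !== -1) record(`header:${name}`, value, idx);
  }
  for (let from = 0; ; ) {
    const idx = response.body.indexOf(MATCHER, from);
    if (idx === -1) break;
    record("body", response.body, idx);
    from = idx + MATCHER.length;
  }
  return findings;
}

// Constructed stand-in target: trusts X-Forwarded-Host (then Host) when
// building absolute URLs, the behaviour class the plugin is looking for.
function vulnerableServer(request) {
  const host = request.headers["x-forwarded-host"] ?? request.headers.host;
  return {
    status: 302,
    headers: { location: `https://${host}/login` },
    body: `<a href="https://${host}/reset">Reset password</a>`,
  };
}

// Hardened stand-in: the echoed host is validated against an allowlist and
// forwarded-host headers are ignored, so the canary can never be reflected.
const ALLOWED_HOSTS = new Set(["app.example"]);
function hardenedServer(request) {
  const host = ALLOWED_HOSTS.has(request.headers.host) ? request.headers.host : "app.example";
  return {
    status: 302,
    headers: { location: `https://${host}/login` },
    body: `<a href="https://${host}/reset">Reset password</a>`,
  };
}

// Replay every mutation through a server function and collect all findings.
function runScan(request, server) {
  const findings = [];
  for (const m of mutateRequest(request)) findings.push(...findReflections(m, server(m.request)));
  return findings;
}

// Constructed sample request (assumed shape).
const SAMPLE_REQUEST = { method: "GET", path: "/", headers: { host: "app.example", "user-agent": "demo" } };

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", runScan(SAMPLE_REQUEST, vulnerableServer).length, "findings");
  console.log("hardened:  ", runScan(SAMPLE_REQUEST, hardenedServer).length, "findings");
}
```

Against `vulnerableServer` only the `Host` and `X-Forwarded-Host` mutations reflect, each in both the `Location` header and the body, so twelve findings are raised; against `hardenedServer` every mutation comes back clean. The allowlist in `hardenedServer` is the mitigation: applications should derive absolute URLs from a configured canonical host rather than from request headers.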

Usage

  • Open Replay or HTTP History, select any request rows, and right-click the selection.

(Screenshot: context-menu)

  • Choose Inject from the Plugins section.
  • The plugin clones each request, sends multiple Host header payloads, and shows a toast summary when the run completes.
  • If the matcher zwrtqx is reflected anywhere in the response, a finding is created automatically. Jump to the Findings panel to review the payload and evidence snippet.


About

Caido Host Header Injector Plugin
