Using a custom "host" header value.

Hector Luna

Sep 22, 2023, 11:49:13 AM
to ZAP User Group
I am trying to run a test where I submit a request with a custom "host" header value, but it seems that no matter what I do, it always defaults to something that is similar to the URL I am submitting a request to.

Is there a way to change the value of the host header so that it does not match the URL I am submitting to?

I have a function in my custom HttpRequest - Processor.js that attempts to do this prior to sending the request.

function replaceHostHeader(msg) {
    var header = msg.getRequestHeader();
    
    header.setHeader("host", "attack_value");
    msg.setRequestHeader(header);
}

However, when I look at what it sends, it always uses a host value that matches the URL.

Is there a way to force ZAP to use the value I want to inject into the host header?
The same procedure works well when trying to add/modify other headers.

Thank you!

thc...@gmail.com

Sep 22, 2023, 11:56:35 AM
to zaprox...@googlegroups.com
Hi.

The Host header is a special case; to override it, do:

msg.setUserObject({"host": "attack_value"})


Best regards.

Hector Luna

Sep 22, 2023, 12:03:06 PM
to ZAP User Group
Thank you very much, sir!
That absolutely solves my issue.