While I was thinking about certain ways of summarizing CSRF prevention for OWASP PHP Security Cheat Sheet – mixing taint tracking with different request criteria – I found a certain type of attack against certain high-level web applications and frameworks, which I named it HTTP Host Alteration Attack. Many web appl1ications rely on the HTTP host (accessible via $_SERVER[‘HTTP_HOST’] in PHP) to determine their running environment, e.g development or deployment. For example, if HTTP_HOST is localhost, 127.0.0.1, or 192.168.*.*, the application is …