imagine we have this website

now let’s intercept the request.

notice that we have cache headers.
now let’s try to find out the hidden headers.

now let’s see the hidden headers.

and we got the X-Host header.
now let’s add it to the request.

notice that the header is reflected in a script tag.
now let’s analyze the request.

the Vary header is set to User-Agent, which means that the application caches the response according to the User-Agent of the users.
in order to exploit the victim we need to know their User-Agent.
now let’s try to get their User-Agent.
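The caching behaviour described above, as an added example that is not part of the original walkthrough: a minimal model of how a cache builds its key from `Vary`, plus a check that flags a reflected header left out of that key. The header names come from the walkthrough; the function names, hostnames and response body are constructed for illustration.

```python
# Added example: model of a Vary-based cache key and a check for
# reflected headers that are missing from that key. All sample values are constructed.

def cache_key(method, host, path, req_headers, vary):
    """Key = method + host + path + the request headers listed in Vary."""
    names = sorted(v.strip().lower() for v in vary.split(",") if v.strip())
    lowered = {k.lower(): v for k, v in req_headers.items()}
    return (method, host, path, tuple((n, lowered.get(n, "")) for n in names))

def unkeyed_reflected_headers(req_headers, vary, body):
    """Headers whose value shows up in the response body but not in the cache key."""
    keyed = {v.strip().lower() for v in vary.split(",") if v.strip()} | {"host"}
    return sorted(
        name for name, value in req_headers.items()
        if name.lower() not in keyed and value and value in body
    )

# Constructed sample requests and response body.
REQ_WITH_XHOST = {"User-Agent": "ExampleBrowser/1.0", "X-Host": "assets.example.test"}
REQ_PLAIN = {"User-Agent": "ExampleBrowser/1.0"}
REQ_OTHER_UA = {"User-Agent": "OtherBrowser/2.0"}
BODY = '<script src="//assets.example.test/js/app.js"></script>'

def same_entry(a, b, vary):
    """True when both requests would be served from the same cache entry."""
    return (cache_key("GET", "site.example.test", "/", a, vary)
            == cache_key("GET", "site.example.test", "/", b, vary))

if __name__ == "__main__":
    # Vary: User-Agent only -> X-Host does not affect which entry is served.
    print(same_entry(REQ_WITH_XHOST, REQ_PLAIN, "User-Agent"))
    print(same_entry(REQ_WITH_XHOST, REQ_OTHER_UA, "User-Agent"))
    print(unkeyed_reflected_headers(REQ_WITH_XHOST, "User-Agent", BODY))
    # Mitigation: key on the reflected header (or strip it at the edge).
    print(same_entry(REQ_WITH_XHOST, REQ_PLAIN, "User-Agent, X-Host"))
```

Running the same check against captured request/response pairs from your own application shows which reflected headers need to be added to the cache key or dropped before they reach the origin.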
