Imagine we have this website.

Now let’s intercept the request.

Notice that the cache header is set to hit (which means that the page is cached).
Now let’s fuzz for hidden headers using Param Miner.

Now let’s see the output.

Notice that Param Miner identified the secret header X-Forwarded-Host.
Now let’s add that header to the request.

Notice that the value of X-Forwarded-Host is reflected inside the script tags.
Now let’s try to inject malicious code through it.

Notice that when we send the request, the script will be included from our exploit server.

Now let’s check the lab.

And we solved the lab.
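
The root cause, shown as an added example that is not code from the lab: the page builds a script URL from X-Forwarded-Host while the cache leaves that header out of its key. The simulation below puts that pattern beside a hardened version and checks, with a harmless canary value, whether a later clean request gets the canary from cache. The host name, script path, function names and the cache model are all assumptions made for illustration.

```javascript
// Constructed values: the site's real host and script path are not on the page.
const CANONICAL_HOST = "shop.example";
const ALLOWED_HOSTS = new Set([CANONICAL_HOST]);
const SCRIPT_PATH = "/static/app.js";

// Vulnerable pattern: the script URL is built from a client-supplied header.
function renderVulnerable(headers) {
  const host = headers["x-forwarded-host"] || headers["host"];
  return `<script src="//${host}${SCRIPT_PATH}"></script>`;
}

// Hardened pattern: a forwarded host is used only if it is on the allowlist,
// otherwise the configured canonical host is used.
function renderHardened(headers) {
  const candidate = (headers["x-forwarded-host"] || "").toLowerCase();
  const host = ALLOWED_HOSTS.has(candidate) ? candidate : CANONICAL_HOST;
  return `<script src="//${host}${SCRIPT_PATH}"></script>`;
}

// Toy cache keyed on method + Host + path only, so X-Forwarded-Host is unkeyed.
function makeCache(render) {
  const store = new Map();
  return function handle(req) {
    const key = `${req.method} ${req.headers["host"]}${req.path}`;
    if (store.has(key)) return { body: store.get(key), cache: "hit" };
    const body = render(req.headers);
    store.set(key, body);
    return { body, cache: "miss" };
  };
}

// Regression check: send one request carrying a canary in X-Forwarded-Host,
// then a clean request, and report whether the clean response was served
// from cache with the canary still in it.
function cleanVisitorSeesCanary(render, canary) {
  const handle = makeCache(render);
  const base = { method: "GET", path: "/", headers: { host: CANONICAL_HOST } };
  handle({ ...base, headers: { ...base.headers, "x-forwarded-host": canary } });
  const clean = handle(base);
  return clean.cache === "hit" && clean.body.includes(canary);
}

console.log("vulnerable:", cleanVisitorSeesCanary(renderVulnerable, "canary.invalid"));
console.log("hardened:  ", cleanVisitorSeesCanary(renderHardened, "canary.invalid"));
```

Besides allowlisting the host at the origin, the same check passes if the cache strips X-Forwarded-Host from incoming requests or includes it in the cache key.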