Imagine we have this website.

Now let’s intercept the request.

Now let’s search for hidden headers using Param Miner.

Now let’s look at the discovered header.

As we can see, Param Miner found the X-Forwarded-Scheme header.
Let’s inject it into the request.

Notice that when we added the header to the request, we got a redirect.
Now let’s use Param Miner to search for hidden headers again.

Now let’s look at the hidden headers.

Notice that we got another header, named X-Forwarded-Host.
Now let’s see what we can do with this header.

Notice that we now control the location the application redirects to.
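
To see why this happens and how to close it, here is an added example (not code from the target application) that models the redirect behaviour observed above next to a hardened version. The host name, proxy address, and function names are assumptions made up for illustration.

```python
# Added example: a constructed model, not the target application's code.
ALLOWED_HOSTS = ("shop.example.com",)   # assumption: the site's canonical host first
TRUSTED_PROXIES = {"10.0.0.5"}          # assumption: our own reverse proxy's address


def get_header(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def naive_redirect(headers, path):
    """Models the behaviour seen above: both headers are trusted blindly."""
    scheme = get_header(headers, "X-Forwarded-Scheme")
    if scheme is None or scheme.lower() == "https":
        return None  # no redirect issued
    host = get_header(headers, "X-Forwarded-Host") or get_header(headers, "Host")
    return f"https://{host}{path}"


def hardened_redirect(headers, path, peer_ip):
    """Reads forwarded headers only from our proxy and never echoes an unknown host."""
    if peer_ip not in TRUSTED_PROXIES:
        return None  # forwarded headers from any other peer are ignored
    scheme = get_header(headers, "X-Forwarded-Scheme")
    if scheme is None or scheme.lower() == "https":
        return None
    host = (get_header(headers, "X-Forwarded-Host") or "").lower()
    if host not in ALLOWED_HOSTS:
        host = ALLOWED_HOSTS[0]  # fall back to the canonical host
    return f"https://{host}{path}"


# Constructed sample request (not captured traffic).
injected = {
    "Host": "shop.example.com",
    "X-Forwarded-Scheme": "http",
    "X-Forwarded-Host": "untrusted.example",
}

if __name__ == "__main__":
    print(naive_redirect(injected, "/cart"))
    print(hardened_redirect(injected, "/cart", "10.0.0.5"))
```

The allowlist check matters even for requests arriving from the trusted proxy, because a proxy that does not strip or overwrite client-supplied X-Forwarded-* headers passes them straight through.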