Web cache poisoning via ambiguous requests
We fire up Burp Suite, set up our proxy, then explore the site for a bit in order to collect some info. The request to the main page looks like this:
We notice in the response that it’s loading a JavaScript resource from https://0a4f008b04b8bab18151b12b0006000a.h1-web-security-academy.net/resoures/js/tracking.js
Let’s try to edit the Host header in our request. We’ll see if the response reflects our change:
Unfortunately, this doesn’t work out as expected. We get back a 504 HTTP error. Now let’s try creating an ambiguous request by duplicating the Host header in our request. Here’s what it looks like:
Now that we’re able to trick the target into loading a resource from an arbitrary server, let’s craft a quick HTTP endpoint on a server we control.
Now we can send the request multiple times and check whether it works:
And we solved the challenge.
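The lab works because the front end accepts a request with two Host headers and the cache and back end disagree on which one counts. As an added example (not part of the original walkthrough or the lab), here is a Python check a front end could run to refuse such requests before they reach the cache; the function names and the sample hosts `shop.example` and `other.example` are assumptions made for illustration.

```python
# Added example: refuse requests whose Host header is ambiguous before they
# reach a cache. RFC 7230 section 5.4 requires a 400 for a missing, repeated
# or invalid Host header. All sample requests are constructed.
import re

# host[:port] with a hostname, IPv4 literal or bracketed IPv6 literal
HOST_RE = re.compile(r"(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(:\d{1,5})?")


def host_problems(raw: bytes) -> list:
    """Return the reasons a raw HTTP/1.1 request must be rejected ([] = ok)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    header_lines = head.split("\r\n")[1:]  # skip the request line
    problems, hosts = [], []
    for line in header_lines:
        name, sep, value = line.partition(":")
        # Folded lines or names with spaces parse differently across servers,
        # so they are rejected instead of being guessed at.
        if not sep or not name or name != name.strip():
            problems.append("malformed header line: %r" % line)
            continue
        if name.lower() == "host":
            hosts.append(value.strip())
    if not hosts:
        problems.append("missing Host header")
    elif len(hosts) > 1:
        problems.append("multiple Host headers: %r" % hosts)
    for h in hosts:
        if not HOST_RE.fullmatch(h):
            problems.append("invalid Host value: %r" % h)
    return problems


def status_for(raw: bytes) -> int:
    """400 for an ambiguous request, 200 otherwise (stand-in for forwarding)."""
    return 400 if host_problems(raw) else 200


# Constructed samples: one normal request, one with the Host header repeated.
NORMAL = b"GET / HTTP/1.1\r\nHost: shop.example\r\nAccept: */*\r\n\r\n"
DUPLICATE = (b"GET / HTTP/1.1\r\nHost: shop.example\r\n"
             b"Host: other.example\r\n\r\n")

if __name__ == "__main__":
    for sample in (NORMAL, DUPLICATE):
        print(status_for(sample), host_problems(sample))
```

Rejecting at the edge only helps if every hop parses headers the same way, so the same rule belongs on the cache and the origin as well.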
Hope you found this walkthrough easy to understand and follow.
Greetings from Sayonara