`X-Forwarded-For` to indicate to the client that it should load the script from there:
`X-Cache` in the response could be very useful, as it may have the value `miss` when the request wasn't served from the cache and the value `hit` when it was. The header `Cache-Control` is also interesting to know whether a resource is being cached and when it will be cached again:

`Cache-Control: public, max-age=1800`

Another interesting header is `Vary`. This header is often used to indicate additional headers that are treated as part of the cache key even if they are normally unkeyed. Therefore, if the attacker knows the `User-Agent` of the victim he is targeting, he can poison the cache for the users using that specific `User-Agent`. One more header related to the cache is `Age`. It gives the time in seconds the object has been in the proxy cache.
`X-Forwarded-For` is being reflected in the response unsanitized. You can send a basic XSS payload and poison the cache so that everybody who accesses the page will be XSSed:
`X-Forwarded-Host` to a domain controlled by you and
`http`. If the server is forwarding all the HTTP requests to HTTPS and is using the header `X-Forwarded-Scheme` as the domain name for the redirect, you can control where the page is pointed by the redirect.
`X-Host` header is being used as the domain name to load a JS resource, but the `Vary` header in the response is indicating `User-Agent`. Then you need to find a way to exfiltrate the User-Agent of the victim and poison the cache using that user agent:
`.png`, etc. are usually configured to be saved in the cache. Therefore, if you access www.example.com/profile.php/nonexistent.js, the cache will probably store the response because it sees the `.js` extension. But if the application is replying with the sensitive user contents served at www.example.com/profile.php, you can steal those contents from other users.
`text/html` content-type instead of a `text/css` MIME type (which is the expected one for a .css file).
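As an added example (not part of the original page), the following Python helpers read the headers discussed above (`X-Cache`, `Cache-Control`, `Age`, `Vary`) to tell whether a response is being held by a shared cache, and for the cache-deception case compare a path's extension against the returned `Content-Type`; the header dictionaries and the extension-to-MIME table are constructed for illustration.

```python
import os
from urllib.parse import urlsplit

# Extensions caches commonly treat as static, and the MIME types legitimate for them.
STATIC_TYPES = {".js": {"application/javascript", "text/javascript"},
                ".css": {"text/css"}, ".png": {"image/png"}}

def parse_cache_control(value):
    """Split 'public, max-age=1800' into {'public': None, 'max-age': '1800'}."""
    out = {}
    for part in value.split(","):
        name, _, arg = part.strip().lower().partition("=")
        if name:
            out[name.strip()] = arg.strip(' "') if arg else None
    return out

def analyze_cache_headers(headers):
    """Summarise what a response's headers say about shared caching."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    raw_max = cc.get("max-age")
    max_age = int(raw_max) if raw_max and raw_max.isdigit() else None
    age = int(h["age"]) if h.get("age", "").isdigit() else None
    x_cache = h.get("x-cache", "").lower()  # usually HIT/MISS plus the proxy name
    return {
        "cache_status": "hit" if "hit" in x_cache else "miss" if "miss" in x_cache else "unknown",
        "max_age": max_age,
        "age": age,
        # seconds the cached copy has left, when both values are present
        "ttl_left": max_age - age if max_age is not None and age is not None else max_age,
        # a shared cache may store it only if nothing forbids it and a lifetime is set
        "shared_cacheable": "no-store" not in cc and "private" not in cc and bool(max_age),
        # headers added to the cache key (e.g. User-Agent), lower-cased for comparison
        "vary": [v.strip().lower() for v in h.get("vary", "").split(",") if v.strip()],
    }

def cache_deception_risk(path, headers):
    """Flag a static-looking path whose body type does not match its extension."""
    h = {k.lower(): v for k, v in headers.items()}
    ext = os.path.splitext(urlsplit(path).path)[1].lower()
    actual = h.get("content-type", "").split(";")[0].strip().lower()
    expected = STATIC_TYPES.get(ext)
    info = analyze_cache_headers(headers)
    return {
        # e.g. /profile.php/nonexistent.js answered with text/html
        "mismatch": expected is not None and actual not in expected,
        # the cache already served it, or the headers let a shared cache keep it
        "observed_cached": info["cache_status"] == "hit" or info["shared_cacheable"],
    }
```

A `mismatch` together with `observed_cached` on a path that returns user-specific content is the cache-deception misconfiguration to fix on the cache layer (key on Content-Type or honour the origin's `Cache-Control`, not the URL extension).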