
Bugforge MesaNet

Difficulty: hard · CTF challenge
Tags: Web Cache Poisoning, XSS, Header Injection, Stored XSS, CSRF, Bot Exploitation, Exfiltration

MesaNet is a Black Mesa Transit rail broadcast panel running on Bugforge's lab infrastructure. The application caches API responses and reflects the value of a custom request header directly into HTML, which creates a chained attack path: poison the cache with a script injected via that header, then lure a bot into viewing the poisoned page so that it exfiltrates its private notes (and the flag) to an attacker-controlled webhook.

Phase: enumeration (step 2 of 7)

Step 2 · Analyze the /api/rail/display response headers

Objective: Inspect the HTTP response from the newly discovered /api/rail/display endpoint and identify any unusual or application-specific headers that could be exploitable.

Context: You have found two endpoints: /api/rail/current (the default broadcast feed) and /api/rail/display. Send a manual GET request to /api/rail/display and examine both request and response headers carefully in Burp Suite.

Progressive hints


Hint 1 — directional nudge

Look beyond the standard HTTP headers in the response — the application may be returning custom or non-standard headers that hint at server-side behavior.

Hint 2 — technique / vuln class

Pay attention to caching-related headers (Cache-Control, X-Cache, X-Cache-Age) and any application-specific headers. A custom header whose value appears in the response body is a strong signal.

Hint 3 — near solution

Note the Cache-Control: public, max-age=60 header (the response is cacheable by shared caches for 60 seconds), the X-Cache: MISS/HIT header (MISS on the first request, HIT on repeats within that window, meaning the cached copy is what every other client is served), and especially the X-Rail-Skin header in the response. Send the request again with your own X-Rail-Skin value and check whether that value is reflected anywhere in the HTML response body.
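Added example (not part of the original lab and not Bugforge's code): a small Python checker for exactly what this step asks you to look at. It parses a raw HTTP response, lists the non-standard headers, reads the cache window and X-Cache status, and checks whether a canary value sent in X-Rail-Skin is reflected into the body. The sample response is constructed from the header names in the hints; the canary value, the body markup and the baseline list of "standard" headers are assumptions. `probe()` is a live variant for when you point the script at the lab URL.

```python
import re
import sys
import urllib.error
import urllib.request

# Assumed probe value sent in the X-Rail-Skin request header; pick something
# unlikely to appear in the page on its own.
CANARY = "hintru7x9q"

# Constructed sample response (not a capture from the lab): it carries the
# headers named in the hints and a body that reflects the canary into an attribute.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Cache-Control: public, max-age=60\r\n"
    "X-Cache: MISS\r\n"
    "X-Rail-Skin: " + CANARY + "\r\n"
    "\r\n"
    '<html><body class="skin-' + CANARY + '"><h1>Black Mesa Transit</h1></body></html>'
)

# Headers you expect on an ordinary HTTP response; anything else deserves a
# second look. Assumed baseline, not the full registry of header names.
STANDARD_HEADERS = {
    "content-type", "content-length", "date", "server", "connection",
    "cache-control", "expires", "etag", "last-modified", "vary", "age",
    "set-cookie", "content-encoding", "transfer-encoding", "keep-alive",
}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_line, {lower-name: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    headers = {}
    for line in header_block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status_line, headers, body


def reflection_snippets(body, value, width=20):
    """Every place `value` appears in the body, with surrounding context, so you
    can see whether it lands in an attribute, a text node or a script block."""
    return [body[max(0, m.start() - width): m.end() + width]
            for m in re.finditer(re.escape(value), body)]


def analyze(raw, canary):
    """Summarise the Step 2 checks: cacheability, cache status, custom headers,
    and whether the canary sent in X-Rail-Skin is reflected into the HTML."""
    _, headers, body = parse_response(raw)
    cache_control = headers.get("cache-control", "")
    max_age = re.search(r"max-age=(\d+)", cache_control)
    return {
        "public_cache": "public" in cache_control.lower(),
        "max_age": int(max_age.group(1)) if max_age else None,
        "x_cache": headers.get("x-cache"),
        "custom_headers": sorted(h for h in headers if h not in STANDARD_HEADERS),
        "reflected": canary in body,
        "reflections": reflection_snippets(body, canary),
    }


def probe(url, header_name="X-Rail-Skin", canary=CANARY):
    """Live variant: send the canary in the custom header and analyse the reply.
    Non-2xx replies are read as well, since they may still be cached and reflect."""
    req = urllib.request.Request(url, headers={header_name: canary})
    try:
        resp = urllib.request.urlopen(req, timeout=10)
        status, reason = resp.status, resp.reason
    except urllib.error.HTTPError as err:
        resp, status, reason = err, err.code, err.reason
    head = "HTTP/1.1 %d %s\r\n" % (status, reason)
    head += "".join("%s: %s\r\n" % (k, v) for k, v in resp.headers.items())
    body = resp.read().decode("utf-8", "replace")
    resp.close()
    return analyze(head + "\r\n" + body, canary)


if __name__ == "__main__":
    # With a URL argument the script probes the live endpoint; without one it
    # runs the constructed sample so the output shape can be seen offline.
    result = probe(sys.argv[1]) if len(sys.argv) > 1 else analyze(SAMPLE_RESPONSE, CANARY)
    for key, value in result.items():
        print("%-15s %s" % (key, value))
```

Run it twice against the live endpoint with the same canary: the first reply should show X-Cache: MISS and the second, inside the 60-second window, X-Cache: HIT while still carrying your value in the body. That HIT is the point of the step, because it proves the reflected value is stored in the shared cache rather than computed per request.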
