MesaNet is a Black Mesa Transit rail broadcast panel running on Bugforge's lab infrastructure. The application caches API responses and reflects a custom header value directly into HTML, creating a chained attack path: poison the cache with a script injected via a custom header, then trick a bot into viewing the poisoned page — causing it to exfiltrate its private notes (and the flag) to an attacker-controlled webhook.
Objective: Verify that the value of the X-Rail-Skin request header is reflected in the HTML response, and determine the exact HTML context in which it appears.
Context: The /api/rail/display endpoint reflects the X-Rail-Skin header value in the response HTML. You need to confirm this reflection is controllable and understand the exact tag structure so you can plan an escape.
Send a modified request to /api/rail/display with a custom, recognizable value in the X-Rail-Skin header and check where it lands in the response.
The value is injected inside an HTML <link> tag attribute (href). Think about what characters you need to inject to break out of the attribute and the tag itself.
Send the header X-Rail-Skin: <svg onload=alert(1)> and observe that it is reflected both in the X-Rail-Skin response header and in the HTML body. Because the value sits inside the href attribute, the script will not run until you first close that attribute and the <link> tag: try injecting a value like /css/default.css"> followed by your script.
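The fix for this class of reflection, as an added example that is not the lab's own code: map the header to an allowlisted stylesheet and escape for the attribute context, mark the response as varying on the header so a shared cache cannot serve one client's value to everyone, and keep a simple check that tells you when a test value has broken out of the tag. The <link> shape follows the hint above; the skin names are constructed assumptions.

```python
import html
import re
from typing import Optional

# Constructed assumption: the lab's real skin names are not on the hint page.
ALLOWED_SKINS = {"default", "dark", "high-contrast"}


def render_link_vulnerable(skin_header: str) -> str:
    """'Before' form, as the hint describes: the raw header value is
    concatenated straight into the href attribute."""
    return '<link rel="stylesheet" href="' + skin_header + '">'


def render_link_hardened(skin_header: str) -> str:
    """Map the header to a known stylesheet, then escape for the attribute.

    The allowlist means an unknown value never reaches the markup at all;
    the escaping is defence in depth if the mapping is loosened later.
    """
    name = skin_header if skin_header in ALLOWED_SKINS else "default"
    href = html.escape(f"/css/{name}.css", quote=True)
    return f'<link rel="stylesheet" href="{href}">'


def response_headers(skin_header: Optional[str]) -> dict:
    """Cache hygiene: a response whose body depends on X-Rail-Skin must
    say so, otherwise a cache keyed only on the URL stores one client's
    rendering and hands it to every later visitor."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    if skin_header is not None:
        headers["Vary"] = "X-Rail-Skin"
    return headers


def tag_count(rendered: str) -> int:
    """Reflection-test check: count element starts in the rendered markup.

    A single <link> yields exactly one; anything more means the supplied
    value escaped the attribute and opened a new tag.
    """
    return len(re.findall(r"<[a-zA-Z]", rendered))
```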