MesaNet is a Black Mesa Transit rail broadcast panel running on Bugforge's lab infrastructure. The application caches API responses and reflects the value of a custom request header directly into its HTML response, creating a chained attack path: poison the cache with a script injected via that custom header, then lure the challenge bot into viewing the poisoned page, so that the script exfiltrates the bot's private notes (and the flag) to an attacker-controlled webhook.
Objective: Send the crafted X-Rail-Skin payload to /api/rail/display and confirm the response is stored in the cache (X-Cache: HIT), giving you a 60-second window of poisoned content.
Context: The /api/rail/display endpoint has a 60-second public cache (Cache-Control: public, max-age=60). When you send the malicious X-Rail-Skin header and the cache key matches, the poisoned response will be served to any subsequent visitor — including the automated bot — for up to 60 seconds.
Send your XSS payload in the X-Rail-Skin header to /api/rail/display and inspect the X-Cache response header on the reply.
You are looking for the X-Cache header to change from MISS to HIT, confirming the server has cached your poisoned response. You may need to send the request twice — once to populate the cache, once to confirm the HIT.
Send the GET request with your malicious X-Rail-Skin header twice in quick succession. On the second (or any subsequent) response, verify that X-Cache reads HIT and that X-Cache-Expires shows the remaining TTL (e.g., 59 seconds). The HTML body should now contain your injected script.
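As an added illustration (not code from the challenge or from Bugforge), the toy cache below models the two defects the hints rely on: the cache key ignores X-Rail-Skin, and the header value is reflected unescaped. The endpoint path, header names and the 60-second TTL come from the page; the render function, the ToyCache class, the header-less "visitor" and the MARKER probe string are assumptions. Toggling the two flags shows the defender's fixes side by side: keying the cache on the header (the Vary approach) stops the poisoned entry from being served to other clients, and escaping the reflected value neutralises the injected markup even when it is shared.

```python
import html

TTL = 60  # seconds; matches Cache-Control: public, max-age=60 on the endpoint

def render_display(skin: str, escape_output: bool) -> str:
    """Build the rail display HTML; escaping the reflected header is one fix."""
    value = html.escape(skin, quote=True) if escape_output else skin
    return f'<div class="rail" data-skin="{value}">Black Mesa Transit</div>'

class ToyCache:
    """Minimal public cache with a TTL; 'now' is passed in so runs are deterministic."""
    def __init__(self, vary_on_skin: bool, escape_output: bool):
        self.vary_on_skin = vary_on_skin      # include X-Rail-Skin in the cache key?
        self.escape_output = escape_output    # HTML-escape the reflected value?
        self.store = {}                       # cache key -> (body, expiry_time)

    def handle(self, path: str, headers: dict, now: float) -> dict:
        skin = headers.get("X-Rail-Skin", "default")
        # Vulnerable keying: the reflected header is not part of the key,
        # so one client's response is reused for everyone hitting the path.
        key = (path, skin) if self.vary_on_skin else (path,)
        entry = self.store.get(key)
        if entry is not None and entry[1] > now:
            return {"X-Cache": "HIT", "X-Cache-Expires": int(entry[1] - now), "body": entry[0]}
        body = render_display(skin, self.escape_output)
        self.store[key] = (body, now + TTL)
        return {"X-Cache": "MISS", "X-Cache-Expires": TTL, "body": body}

MARKER = "<i>marker</i>"  # constructed harmless probe string, not an exploit payload

def simulate(vary_on_skin: bool, escape_output: bool) -> dict:
    """One client sends the header twice, then a header-less visitor (the bot) arrives."""
    cache = ToyCache(vary_on_skin, escape_output)
    hdrs = {"X-Rail-Skin": MARKER}
    first = cache.handle("/api/rail/display", hdrs, now=0)      # populates the cache
    second = cache.handle("/api/rail/display", hdrs, now=1)     # expect HIT, TTL 59
    visitor = cache.handle("/api/rail/display", {}, now=2)      # sends no custom header
    later = cache.handle("/api/rail/display", {}, now=TTL + 1)  # after the 60 s window
    return {"first": first, "second": second, "visitor": visitor, "later": later}

def visitor_got_raw_marker(result: dict) -> bool:
    """Detection check: did the header-less visitor receive the unescaped markup?"""
    return MARKER in result["visitor"]["body"]
```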