MesaNet is a Black Mesa Transit rail broadcast panel running on Bugforge's lab infrastructure. The application caches API responses and reflects a custom header value directly into HTML, creating a chained attack path: poison the cache with a script injected via a custom header, then trick a bot into viewing the poisoned page — causing it to exfiltrate its private notes (and the flag) to an attacker-controlled webhook.
Objective: Send the crafted X-Rail-Skin payload to /api/rail/display and confirm the response is stored in the cache (X-Cache: HIT), giving you a 60-second window of poisoned content.
Context: The /api/rail/display endpoint has a 60-second public cache (Cache-Control: public, max-age=60). When you send the malicious X-Rail-Skin header and the cache key matches, the poisoned response will be served to any subsequent visitor — including the automated bot — for up to 60 seconds.
Send your XSS payload in the X-Rail-Skin header to /api/rail/display and inspect the X-Cache response header on the reply.
You are looking for the X-Cache header to change from MISS to HIT, confirming the server has cached your poisoned response. You may need to send the request twice — once to populate the cache, once to confirm the HIT.
Send the GET request with your malicious X-Rail-Skin header twice in quick succession. On the second (or subsequent) response, verify X-Cache: HIT and X-Cache-Expires shows remaining TTL (e.g., 59 seconds). The HTML body should now contain your injected script.
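As an added illustration that is not MesaNet's code, the following constructed Python model shows why the X-Cache: HIT matters and what the origin would change to close the hole: a handler that reflects X-Rail-Skin into HTML behind a public 60-second cache whose key ignores that header, beside a hardened variant that HTML-escapes the value and declares Vary: X-Rail-Skin so a shared cache keeps one client's skin from being served to everyone. Function and class names (render_display, RailCache, poisoning_demo) are hypothetical.

```python
import html

DEFAULT_SKIN = "classic"  # constructed default used when no header is sent


def render_display(headers, hardened=False):
    """Model of GET /api/rail/display: returns (response_headers, body).

    hardened=False mirrors the lab: the raw header value lands in the HTML and
    the response is publicly cacheable with no Vary, so the cache key is the
    path alone. hardened=True escapes the value and adds Vary so caches keep
    a separate variant per header value (the default page for clients that
    send no header). A CSP is added as defence in depth against any reflection
    that slips through.
    """
    skin = headers.get("X-Rail-Skin", DEFAULT_SKIN)
    if hardened:
        skin = html.escape(skin, quote=True)
    body = f'<div class="rail-panel" data-skin="{skin}">{skin}</div>'
    resp = {"Cache-Control": "public, max-age=60"}
    if hardened:
        resp["Vary"] = "X-Rail-Skin"
        resp["Content-Security-Policy"] = "default-src 'self'"
    return resp, body


class RailCache:
    """Minimal shared cache: one entry per path, variants selected by Vary."""

    def __init__(self):
        self.entries = {}  # path -> {"vary": [header names], "variants": {}}

    def _variant_key(self, headers, vary):
        return tuple(headers.get(h, "") for h in vary)

    def fetch(self, path, headers, hardened=False):
        entry = self.entries.get(path)
        if entry is not None:
            k = self._variant_key(headers, entry["vary"])
            if k in entry["variants"]:
                return "HIT", entry["variants"][k]
        resp, body = render_display(headers, hardened)
        vary = [v.strip() for v in resp.get("Vary", "").split(",") if v.strip()]
        entry = self.entries.setdefault(path, {"vary": vary, "variants": {}})
        entry["variants"][self._variant_key(headers, vary)] = body
        return "MISS", body


def poisoning_demo(hardened):
    """One request carrying a constructed marker payload, then a plain request
    from a second client; returns what the second client receives."""
    cache = RailCache()
    marker = {"X-Rail-Skin": "<script>probe()</script>"}  # constructed marker
    cache.fetch("/api/rail/display", marker, hardened)
    return cache.fetch("/api/rail/display", {}, hardened)
```

With hardened=False the second client gets a HIT containing the raw marker; with hardened=True it gets a MISS rendered from DEFAULT_SKIN, because the Vary-aware key no longer collides.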