Web Cache Poisoning — Unkeyed Header

CacheServ caches responses by URL. The application reflects the X-Forwarded-Host header into HTML. The cache key includes the URL but NOT that header. Poison the cache so other users get your malicious content.