You are currently on the home page of one of Akamai's Bug Bounty domains.
To access any other pages on any of Akamai's Bug Bounty subdomains, you must pass your HackerOne username in a request header called "Akamai-Hack-H1", e.g.:
Akamai-Hack-H1: MyCoolHackerName
This applies whether you are accessing the site from a browser or using a command line tool like curl.
To 'reflect' your requests (showing all the request/response headers etc.) use the /reflector.php 'reflector' page.
When you make a request for the reflector, the response is a plain text page containing information about the request, including the time and date it was requested, the request URL and method and any request parameters or body, as well as the response code (200, by default) and those response headers that were set when the reflector runs (other response headers such as Content-Length are not shown as they are set by the origin server after the reflector runs).
The reflector also includes a random 16-byte string at the top. You can easily determine whether a reflector page is returned from Akamai's cache by making the same request multiple times and checking whether the random string changes each time (indicating that each request went through Akamai to retrieve a new version of the reflector from the origin server) or doesn't change after the first request (indicating that the subsequent requests retrieved the reflector output from Akamai's cache).
The reflector has a number of special options:
To return response header {header-name} with value {header-value}, pass either of the following:
response-headerN={header-name}:{header-value}
response-headerN:{header-name}:{header-value}
N is a positive integer. You should not include spaces in the response-headerN value.
You can include this to return multiple response headers as long as the value of N is different for each one. For example, you could pass the following query string:
/reflector.php?response-header1=iam:cool&response-header2=youare:not
which would return the following two response headers:
iam: cool
youare: not
To return a specific HTTP response code such as 403 or 500, pass either of the following:
response-code={response-code}
response-code:{response-code}
For example:
/reflector.php?response-code=404
will return the reflector output as normal, but the client will see the response code as 404 Not Found.
Note: Any valid 2xx, 4xx or 5xx response codes can be specified. 3xx response codes are not permitted at this time.
To return the reflector response with a specific Content-Type response header, pass either of the following:
response-ct={content-type}
response-ct:{content-type}
This allows you to return the reflector page in a number of different formats to determine whether and how the response is cached. For example, you could pass the following:
/reflector.php?response-ct=image/jpeg;charset=UTF-8
which would return the plain text reflector response as if it were a JPEG image. Note that specifying non-textual Content-Type values when making a request from a browser may result in the response being formatted incorrectly by the browser.
By default, the reflector response is returned with Content-Type: text/plain.
Any of the above options can be specified together or separately and in any order. If an option is specified multiple times, the last instance is used. If the same functionality is specified in a single request as both a request header and a query string, the query string value will be used.
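An added example (not part of the original page and not Akamai's own code) that builds reflector URLs from the query-string options above and applies the random-string cache check to a set of responses. It assumes the random string is the first non-empty line of the reflector body; the function names are hypothetical, the base URL passed to fetch_bodies is whichever Bug Bounty subdomain you are testing, and the sample bodies are constructed.

```python
import urllib.error
import urllib.request

def reflector_path(headers=None, code=None, content_type=None):
    """Build a /reflector.php path from the options documented above."""
    params = []
    for n, (name, value) in enumerate((headers or {}).items(), start=1):
        if " " in name or " " in value:
            raise ValueError("response-headerN values must not contain spaces")
        params.append(f"response-header{n}={name}:{value}")
    if code is not None:
        if not (200 <= code <= 299 or 400 <= code <= 599):
            raise ValueError("only 2xx, 4xx and 5xx codes are permitted")
        params.append(f"response-code={code}")
    if content_type is not None:
        params.append(f"response-ct={content_type}")
    return "/reflector.php" + ("?" + "&".join(params) if params else "")

def nonce(body):
    """Assumption: the random string is the first non-empty line of the body."""
    for line in body.splitlines():
        if line.strip():
            return line.strip()
    raise ValueError("empty reflector body")

def classify(bodies):
    """'cached' if the string never changes, 'origin' if it always changes."""
    seen = [nonce(b) for b in bodies]
    if len(seen) < 2:
        raise ValueError("need at least two responses to compare")
    if len(set(seen)) == 1:
        return "cached"
    return "origin" if len(set(seen)) == len(seen) else "mixed"

def fetch_bodies(base_url, path, username, count=3):
    """Request the same URL `count` times with the required header."""
    bodies = []
    for _ in range(count):
        req = urllib.request.Request(base_url + path, headers={"Akamai-Hack-H1": username})
        try:
            resp = urllib.request.urlopen(req)
        except urllib.error.HTTPError as err:  # 4xx/5xx still carry the body
            resp = err
        bodies.append(resp.read().decode("utf-8", "replace"))
        resp.close()
    return bodies

# Constructed sample bodies (not real reflector output) so this runs offline.
CACHED = ["a3f09c1e5b7d2468\nGET /reflector.php\n"] * 3
ORIGIN = [f"{i:016x}\nGET /reflector.php\n" for i in (1, 2, 3)]
```

A "mixed" result means some responses repeated the string and others did not, so the URL was served from cache only part of the time during the run.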