Server-side security war games: Part 4

We got an “access disallowed” error because we were visiting from “”, while authorized users should come from “natas5.blah”. Try the “Refresh page” link. Now the page says we came from “natas4.blah”. This is the referring to the Referer[[sic(] header. But that’s information provided by the client, and we control the client. We can put whatever we want in that header. So, let’s put the natas5 domain, as they kindly suggested.

If you’re using Google Chrome, hit CTRL-J, switch to the “Network” tab, and find the request to index.php. Now, you can right-click, and select “Copy as CURL”. This will give you the command to have curl execute the exact same request as the web browser did.

Now, we just look for the Referer header, and change it.

If you got some binary junk in your terminal, do you know why? The request sent an Accept-Encoding header that said we could accept gzip. But unless you’re an android, you can’t read gzip. Remove that header to get the uncompressed text.

    curl "" \
        -H "Authorization: Basic ..." \
        -H "DNT: 1" \
        -H "Host:" \
        -H "Accept-Language: en-GB,en-US;q=0.8,en;q=0.6" \
        -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36" \
        -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
        -H "Referer:" \
        -H "Connection: keep-alive" \
        -H "Cache-Control: max-age=0"

Alternatively, you can build a much shorter command from scratch:

    curl "" \
        -e "" \
        --basic -u natas4:password

Look in the HTML in your terminal for the password, and head to the next level!

Lessons learned

As we’ve shown, the client controls a lot of data, and if you rely on client-controlled data for security, you can go very wrong indeed.