  • HTTP - Headers
    Hacking/CTF problem write-ups 2025. 7. 7. 23:37

    Working through problems

    When you open the page, the message shown above is displayed; read literally, it tells you not to look only at the Content.

    Intercepting the request with Burp Suite and examining it gives the following.

    • Request
    GET /web-serveur/ch5/ HTTP/1.1
    Host: challenge01.root-me.org
    Pragma: no-cache
    Cache-Control: no-cache
    Accept-Language: ko-KR,ko;q=0.9
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate, br
    Connection: keep-alive
    • Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 06 Jul 2025 08:08:46 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Vary: Accept-Encoding
    Header-RootMe-Admin: none
    Content-Length: 272
    
    <html>
    <body><link rel='stylesheet' property='stylesheet' id='s' type='text/css' href='/template/s.css' media='all' /><iframe id='iframe' src='https://www.root-me.org/?page=externe_header'></iframe>
    <p>Content is not the only part of an HTTP response!</p>
    </body>
    </html>

    Header-RootMe-Admin is a custom header that does not exist in the HTTP standard.

    Headers like this are usually consumed by the server's internal logic for a specific purpose, so the next step is to send the same header back in the request and see whether the server treats it differently.

    • Modified Request
    GET /web-serveur/ch5/ HTTP/1.1
    Host: challenge01.root-me.org
    Pragma: no-cache
    Cache-Control: no-cache
    Accept-Language: ko-KR,ko;q=0.9
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate, br
    Connection: keep-alive
    Header-RootMe-Admin: none
    • Modified Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 06 Jul 2025 08:11:57 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Vary: Accept-Encoding
    Header-RootMe-Admin: none
    Content-Length: 360
    
    <html>
    <body><link rel='stylesheet' property='stylesheet' id='s' type='text/css' href='/template/s.css' media='all' /><iframe id='iframe' src='https://www.root-me.org/?page=externe_header'></iframe>
    <p>Content is not the only part of an HTTP response!</p>
    <p>You dit it ! You can validate the challenge with the password [Flag]
    </p></body>
    </html>
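    The review step above, spotting a non-standard header in the response before deciding what to replay, is easy to automate. The following is an added example, not code from the original post: it parses a raw HTTP/1.1 response as Burp shows it, lists headers outside a common standard set (the list is an assumption for this example), and checks that Content-Length matches the body received. The sample response is constructed after the first response above, with a shortened body.

```python
STANDARD_RESPONSE_HEADERS = {
    "server", "date", "content-type", "content-length", "connection",
    "vary", "cache-control", "pragma", "set-cookie", "location",
    "content-encoding", "transfer-encoding", "etag", "last-modified",
    "expires", "strict-transport-security", "content-security-policy",
}

# Constructed sample modelled on the first response in the write-up;
# the body is shortened and Content-Length adjusted to match it.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Date: Sun, 06 Jul 2025 08:08:46 GMT\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Connection: keep-alive\r\n"
    b"Vary: Accept-Encoding\r\n"
    b"Header-RootMe-Admin: none\r\n"
    b"Content-Length: 56\r\n"
    b"\r\n"
    b"<p>Content is not the only part of an HTTP response!</p>"
)

def parse_response(raw: bytes):
    """Split a raw response into (status_line, [(name, value), ...], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of headers not found")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body

def custom_headers(headers):
    """Headers whose name is outside the standard set (case-insensitive)."""
    return [(n, v) for n, v in headers if n.lower() not in STANDARD_RESPONSE_HEADERS]

def content_length_matches(headers, body) -> bool:
    """True when the declared Content-Length equals the bytes actually received."""
    declared = [v for n, v in headers if n.lower() == "content-length"]
    return bool(declared) and int(declared[0]) == len(body)

def audit(raw: bytes) -> dict:
    """Summarise what a reviewer should look at beyond the body."""
    status, headers, body = parse_response(raw)
    return {"status": status, "custom": custom_headers(headers),
            "length_ok": content_length_matches(headers, body)}
```

Running `audit(SAMPLE_RESPONSE)` flags Header-RootMe-Admin as the only non-standard header; on the server side, the lesson is that a client can send any such header, so it must never be treated as proof of privilege.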