picobrowser picoCTF 2019 Solution

Published: April 2, 2026

Description

This website can be found at the challenge URL. But you can only view it with the picobrowser.

Solution

Want to try it yourself first?

The guided walkthrough reveals hints one step at a time.

Walk me through it
  1. Step 1
    Understand the User-Agent check
    Observation
    I noticed the challenge description said the site can only be viewed with 'picobrowser', which suggested the server was checking an HTTP header to identify the client's browser rather than enforcing any real authentication.
    Visit the challenge URL in a normal browser. You will see a message saying the page can only be accessed with 'picobrowser'. The server checks the User-Agent HTTP header to determine what browser you are using.
    Learn more

    The User-Agent header is sent by browsers to identify themselves to web servers. It is part of every HTTP request and looks like: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36.... Servers can use it to serve different content for different browsers or devices.

    However, the User-Agent is completely controlled by the client - any HTTP tool can send any string as the User-Agent. It is not a security mechanism.

  2. Step 2
    Send the request with the picobrowser User-Agent
    Observation
    I noticed the rejection message confirmed the server was reading the User-Agent header, and the challenge name 'picobrowser' was the exact string the server expected, which suggested setting the User-Agent to 'picobrowser' via curl's -A flag.
    Use curl with the -A flag to set a custom User-Agent string. Set it to 'picobrowser' to satisfy the server check.
    bash
    curl -A 'picobrowser' <CHALLENGE_URL>
    What didn't work first

    Tried: Use curl without any -A flag and just visit the URL directly

    Without -A, curl sends its default User-Agent (something like 'curl/7.x.x'), which the server does not recognize as picobrowser and returns the 'wrong browser' rejection page instead of the flag. The server is gating on the exact User-Agent string, so the flag is only returned when the header matches.

    Tried: Use -H 'User-Agent: PicoBrowser' with capital letters or extra spaces

    The server compares the User-Agent value case-sensitively, so 'PicoBrowser' or 'picobrowser ' (trailing space) will not match and the page will still show the rejection message. The value must be exactly 'picobrowser' as the challenge name implies.

    Learn more

    The -A (or --user-agent) flag in curl sets the User-Agent header. You can also use -H 'User-Agent: picobrowser' which works the same way.

    In browser DevTools, you can override the User-Agent under the Network conditions panel (or via a browser extension) and then reload the page - no curl needed.

  3. Step 3
    Read the flag from the response
    Observation
    I noticed curl returned the full HTML of the protected page once the correct User-Agent was sent, which meant the flag would be embedded in that output and just needed to be located in the response body.
    The curl response will contain the HTML of the page with the flag. Look for it in the output.
    Learn more

    User-Agent sniffing is used legitimately for responsive design and bot detection, but relying on it as a security gate is a common misconfiguration. Any attacker can trivially spoof the User-Agent string.

Interactive tools
  • URL Encoder / DecoderEncode and decode URL-encoded (percent-encoded) strings. Useful for web exploitation challenges involving query parameters, form data, and HTTP headers.
  • JWT DecoderDecode JSON Web Tokens and inspect the header, payload, and signature. Useful for web exploitation challenges.

Flag

Reveal flag

picoCTF{p1c0_s3cr3t_ag3nt_...}

Use `curl -A 'picobrowser' <url>` to set the User-Agent header to 'picobrowser' and receive the flag.

Key takeaway

HTTP request headers like User-Agent are entirely client-controlled and carry no authentication guarantee. Any tool or script can send an arbitrary value, so using header content as an access-control decision is a security misconfiguration rather than a real gate. The same principle applies to the Referer header, custom X- headers, and cookie values: anything the client supplies can be spoofed, and only server-side session tokens and cryptographically signed credentials should be trusted for authorization.

Related reading

Want more picoCTF 2019 writeups?

Useful tools for Web Exploitation

What to try next