Description
Find a flag being transmitted by an HTTP method you might not be familiar with.
Setup
Navigate to the challenge instance URL.
Solution
- Step 1: Send an HTTP HEAD request
  Use curl with the -X HEAD flag to send an HTTP HEAD request to the challenge URL. The -v flag shows the full response, including headers. The flag is returned in a custom response header that is invisible to a normal GET request in a browser. (curl's purpose-built option for a HEAD request is -I / --head; with -X HEAD, curl still prints the headers but may keep waiting for a body that never arrives until the server closes the connection.)
  curl -v -X HEAD http://<server>/
Learn more
HTTP HEAD is identical to GET but instructs the server to return only the response headers -- no body. It is designed for efficiency: checking if a resource exists, reading its Content-Length or Last-Modified date, or cache validation without downloading the content. All servers are required by the HTTP spec to return the same headers for HEAD as they would for GET.
In this challenge, the flag is placed in a custom response header (e.g., flag: or X-Flag:). Browsers only display page content, not response headers, in normal view. The curl -v (verbose) flag prints the full request and response headers to stderr, making the custom header visible.

Other HTTP methods worth knowing for CTF web challenges: OPTIONS (lists allowed methods), PUT (upload a resource), DELETE (delete a resource), and TRACE (echo the request back -- useful for detecting header injection). Most web servers restrict which methods are allowed via configuration.
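As an added illustration that is not part of the original write-up, the Python below stands up a local stand-in for the challenge server and compares what HEAD and GET expose: the same headers come back either way, only HEAD carries no body, and a secret placed in a header is never in the page content a browser shows. The X-Flag header name and the flag value are constructed placeholders.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholder; the real challenge instance returns its own value.
FLAG = "picoCTF{constructed_placeholder}"

class FlagHeaderHandler(BaseHTTPRequestHandler):
    """Stand-in for the challenge server: the secret lives only in a response header."""
    def _send_headers(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("X-Flag", FLAG)  # X-Flag is one of the header names the page mentions
        self.end_headers()

    def do_GET(self):
        self._send_headers()
        self.wfile.write(b"Nothing interesting in the body.\n")

    def do_HEAD(self):
        self._send_headers()  # same headers as GET, no body

    def log_message(self, *args):
        pass  # keep the demo quiet

def start_server():
    """Bind an ephemeral local port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), FlagHeaderHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def fetch(method, port):
    # One request, like `curl -v -X METHOD`; returns (lower-cased header dict, body bytes).
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, "/")
    resp = conn.getresponse()
    headers, body = {k.lower(): v for k, v in resp.getheaders()}, resp.read()
    conn.close()
    return headers, body

def head_vs_get(port):
    """Compare what HEAD and GET expose: the header leaks under both, the body under neither."""
    head_headers, head_body = fetch("HEAD", port)
    get_headers, get_body = fetch("GET", port)
    return {
        "head_body_empty": head_body == b"",
        "head_flag": head_headers.get("x-flag"),
        "get_flag": get_headers.get("x-flag"),
        "flag_in_get_body": FLAG.encode() in get_body,
    }
```

Run head_vs_get(start_server().server_address[1]) to see the comparison; the same check, pointed at a real application, is a quick way to audit for sensitive data leaking through custom response headers.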
Flag
picoCTF{...}
HTTP HEAD returns only headers with no response body -- useful for checking responses efficiently; here the flag is smuggled in a response header.