Who are you?

Published: April 2, 2026

Description

Only those who use the official PicoBrowser are allowed on this site.

Remote

Access the challenge URL and observe what the server requires.

curl http://mercury.picoctf.net:38322/

Solution

  1. Step 1: Set the User-Agent to picobrowser
    The server first checks the User-Agent header. Set it to 'picobrowser' to pass this check. Each failed check reveals the next requirement.
    curl --user-agent "picobrowser" http://mercury.picoctf.net:38322/

    The User-Agent header identifies the client software making the request. Browsers send values like Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36.... The server here checks for the exact string picobrowser. User-Agent validation is trivially bypassed -- never use it for security decisions.

  2. Step 2: Add Referer, Date, DNT, X-Forwarded-For, and Accept-Language headers
    The server reveals six requirements progressively, one per request: after a check passes, the response rejects on the next header. The full set of required headers: User-Agent must be picobrowser, Referer must be the site itself, Date must be in 2018, DNT must be 1, X-Forwarded-For must be a Swedish IP, and Accept-Language must be Swedish (sv).
    curl http://mercury.picoctf.net:38322/ \
      --user-agent "picobrowser" \
      --referer "http://mercury.picoctf.net:38322/" \
      -H "Date: Fri, 23 Nov 2018 23:23:23 GMT" \
      -H "DNT: 1" \
      -H "X-Forwarded-For: 2.71.255.255" \
      -H "Accept-Language: sv-SE"

    HTTP headers used in this challenge:

    • Referer: The URL the user navigated from. The server requires it to match the site itself (a same-origin check).
    • Date: The request date. The server checks for the year 2018 -- implying the challenge wants a "legacy" request timestamp.
    • DNT (Do Not Track): A privacy header with value 0 (allow tracking) or 1 (request no tracking). Largely ignored in practice, but checked here.
    • X-Forwarded-For: Added by proxies to indicate the original client IP. The server uses this for geographic restriction -- a Swedish IP (2.71.x.x) passes the check. Because the server trusts the value as sent, rather than only the hop appended by a proxy it controls, the client can claim any origin.
    • Accept-Language: The preferred language(s) for the response. The server requires Swedish (sv-SE).

    All of these checks can be trivially bypassed with curl -- headers are just strings in an HTTP request. This challenge illustrates that header-based access controls provide no real security.
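The progressive check the writeup describes, as an added mock server that is not the challenge's own code (its source is not public); the check order, the rejection messages and the 2.71.0.0/16 stand-in for a GeoIP lookup are assumptions, and it runs offline:

```python
"""Mock of this challenge's sequential header checks (added example; runs offline).
The server's code is not public; checks and messages are assumptions modelled on it."""
from email.utils import parsedate_to_datetime
import ipaddress
SITE = "http://mercury.picoctf.net:38322/"
SWEDEN = ipaddress.ip_network("2.71.0.0/16")  # assumed stand-in for a GeoIP lookup

def _is_swedish(value):
    try:
        addr = ipaddress.ip_address(value.split(",")[0].strip())  # first hop, client-supplied
    except ValueError:
        return False
    return addr in SWEDEN

def _year_is_2018(value):
    try:
        return parsedate_to_datetime(value).year == 2018
    except (TypeError, ValueError):
        return False

def _prefers_swedish(value):
    # Primary subtag of the first language range, ignoring q-weights.
    return value.split(",")[0].split(";")[0].strip().lower().split("-")[0] == "sv"

# Checked in this order; only the first failure is reported, one per request.
CHECKS = [
    ("User-Agent", lambda v: v == "picobrowser", "wrong browser"),
    ("Referer", lambda v: v == SITE, "must come from this site"),
    ("Date", _year_is_2018, "must be from 2018"),
    ("DNT", lambda v: v == "1", "must not track"),
    ("X-Forwarded-For", _is_swedish, "must be in Sweden"),
    ("Accept-Language", _prefers_swedish, "must speak Swedish"),
]

def validate(headers):
    """Return the first failing requirement, or None when every check passes."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name, ok, message in CHECKS:
        value = lowered.get(name.lower())
        if value is None or not ok(value):
            return "%s: %s" % (name, message)
    return None

def walk_requirements(fixes):
    """Replay the writeup: add one header per request and collect each reply."""
    sent, replies = {}, []
    for name, value in fixes:
        sent[name] = value
        replies.append(validate(sent))
    return replies
```

Every input `validate` inspects comes from the request itself, which is why each reply leaks exactly one more requirement and why the same checks offer no access control.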

Flag

picoCTF{...}

The server validates six HTTP headers in sequence -- each wrong header reveals the next requirement, making this a progressive enumeration challenge.
