Part time CTF Player learn every day!!
🌠 I Love Hoshimachi Suisei!! 🌠
🌠 I Love Hoshimachi Suisei!! 🌠
🌠 I Love Hoshimachi Suisei!! 🌠
🌠 I Love Hoshimachi Suisei!! 🌠
OverTheWire Natas Level 3 → 4 tutorial!!
Published on 16 Dec 2023
Login
URL: http://natas4.natas.labs.overthewire.org
Credentials: natas4:QryZXc2e0zahULdHrtHxzyYkj59kUxLQ
Task
After logging in, the page shows:
Access disallowed. You are visiting from "" while authorized users should come only from "[http://natas5.natas.labs.overthewire.org/](http://natas5.natas.labs.overthewire.org/)"
This means the server checks the HTTP Referer header.
A little bit of Theory
- Referer header is sent by browsers to indicate the previous page.
- It can be modified easily — so using it for access control is insecure.
- With Burp Suite, we can intercept and change this header before sending it to the server.
Further reading:
Solution
- Setup Burp Proxy
- In Burp: Proxy → Options → Proxy Listeners, ensure listener at
127.0.0.1:8080. - Configure your browser to use the proxy.
- In Burp: Proxy → Options → Proxy Listeners, ensure listener at
- Intercept the request
- Visit http://natas4.natas.labs.overthewire.org.
- Burp intercepts the HTTP request.
- Modify the Referer header
Change:Referer: [http://natas4.natas.labs.overthewire.org/](http://natas4.natas.labs.overthewire.org/)to:
Referer: [http://natas5.natas.labs.overthewire.org/](http://natas5.natas.labs.overthewire.org/)
-
Forward the request
Once forwarded, the server grants access and reveals the password.Access granted. The password for natas5 is 0n35PkggAPm2zbEpOU802c0x0Msn1ToK
Password
0n35PkggAPm2zbEpOU802c0x0Msn1ToK
Troubleshooting
- No traffic in Burp? → Check your browser proxy settings.
- Still blocked? → Make sure the Referer is exactly
http://natas5.natas.labs.overthewire.org/. - Forgot to forward? → The server won’t reply until you press Forward in Burp.
Nice 🎉 You’ve just spoofed an HTTP header and bypassed weak Referer-based controls with Burp Suite!
Thanks for reading!
Until next time — Otsumachi!! 💖☄️✨
all tags
GOT-overwrite aboutme aead ai alphanumeric-shellcode apt argc0 argon2 aslr assembly asymmetric atoi automation backbox bandit base64 bash beginner behemoth binary binary-exploitation binary-to-ascii blackarch blind blind-sqli blogging blue-team bruteforce buffer-overflow buffer-overwrite c caesar canary capabilities checksec command-injection commonmark cookie cron crypto cryptography ctf cutter cyberchef cybersecurity defenders detection dev directory-traversal dnf docs drifter ecc education elf env envp exploitation finale forensics format-string formulaone frequency frequency-analysis gcc gdb getchar gfm ghidra github-pages governance gpg guide hashing hkdf http jekyll jmpbuf kali kasiski kdf kernel keylength kramdown krypton lab ld_preload leviathan lfi lfsr linux linux-syscall llmops log-poisoning ltrace manpage markdown maze memcpy mitigations mitmproxy mlops narnia natas networking newline-injection nonce nop-sled nx object-injection obsidian openssl osint overflow overthewire package-manager pacman parrot path path-hijacking pathname php pie pkc pki pointer-trick pqc priv-esc privilege-escalation provable-security pwn pwntools pyshark python race-condition radare2 rag randomness recon red-team redirect relro requests ret2env ret2libc reverse-engineering reversing ricing roadmap rop rot13 rsa scapy security seed seo serialization session setjmp-longjmp setuid shell shellcode smoke soc sockets sprintf sql-injection srop stack-canary stack-overflow strace strcmp strcpy streamcipher strings strncpy strtoul substitution suid suisei symlink symmetric terminal test threat-intel time-based tls troubleshooting tshark type-juggling ubuntu udp utumno vigenere virtualbox virtualization vmware vortex walkthrough web windows wireshark writing wsl x86