Official ApacheBlaze Discussion

Official discussion thread for ApacheBlaze. Please do not post any spoilers or big hints.

This is really frustrating.
Just by looking at the challenge files this seems dead simple but it just does not work.
Is all you have to do setting the X-** header?
Because it does not work but according to the source code this is all that should be necessary.

I am at the exact same point - I was wondering if I overlooked something, but if so, I cannot figure out what it is… so if someone has a tip that would be great, I am fairly new to web challenges…

Super weird, seems it must be done with one click, but I am still stuck. Good challenge tho.

Nice little challenge, thanks to the author.

I actually got stuck on this one for longer than I care to admit. A few hints:

  1. Have a look into how the server is configured, and understand the message flow into and out of it.
  2. Do some research on the server technology and see if there is anything interesting in recent times.
  3. Have a deep dive into certain headers and under what conditions they are set. I recommend going to the source documentation from developers.
  4. Once you have a handle on the potential exploit/bypass, and you understand how/when certain headers are assigned, you need to craft your request. Hint: you don’t need to add any non-required/non-standard headers.
  5. Note that you are only going to receive one response, so you need to make sure the corresponding request is the one which will give you what you need.

Really nice hint bro. Thanks.

Just started this box. I’m still confused… Seems like you would just need to add the header to get the flag… I even see in the conf how the reverse proxy rewrites the requests, but still no luck. Any additional hints or even documentation links would be appreciated.
Thanks.

Well, it is all about the challenge name… Maybe rather than changing headers, try to sneak in another request.