The Challenge

Visiting the site returns a blank or near-blank page. The flag is nowhere in the HTML. It is in the response headers.

Approach

A HEAD request retrieves only headers without a response body. requests.head sends one. Reading r.headers['Flag'] extracts the custom header value.

Solution

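import requests
# HEAD asks the server for the response headers only, with no body
r = requests.head("http://headache.challs.olicyber.it/")
# The flag is the value of the custom "Flag" response header
print(r.headers['Flag'])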

Three lines. The flag is in the Flag header of the response. .head() is slightly cleaner than .get() here since we only care about headers, but both work.

What I Learned

HTTP headers are often overlooked in manual browsing and are easily missed even in source view. Always check response headers (curl -I URL or requests.head().headers) as a first-pass step on any web challenge where the page body looks empty. Custom headers (non-standard names) are a common CTF hiding spot.
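The first-pass header check described above, as an added example that is not part of the original solution: it fetches headers with both HEAD and GET and keeps only the names outside a short list of common ones. It uses the standard library instead of requests so it runs offline; the local server, the X-Demo-Flag header, its value and the COMMON list are constructed for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header names a stock server commonly sends; anything else is worth a look.
# This list is an assumption for the demo, not an exhaustive registry.
COMMON = {"server", "date", "content-type", "content-length", "connection",
          "cache-control", "etag", "last-modified", "set-cookie", "vary",
          "location", "expires", "accept-ranges", "content-encoding"}

class DemoHandler(BaseHTTPRequestHandler):
    # Constructed stand-in for the challenge: blank page, value in a header.
    def do_GET(self):
        self.send_response(200)  # also emits the Server and Date headers
        self.send_header("Content-Length", "0")
        self.send_header("X-Demo-Flag", "constructed-sample-value")
        self.end_headers()

    do_HEAD = do_GET  # same headers; the body is empty either way

    def log_message(self, *args):  # keep the demo quiet
        pass

def fetch_headers(host, port, method="HEAD"):
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, "/")
        resp = conn.getresponse()
        resp.read()  # empty for HEAD, drained for GET
        return {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()

def unusual_headers(headers):
    return {k: v for k, v in headers.items() if k not in COMMON}

def demo():
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)  # port 0: pick a free one
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {m: unusual_headers(fetch_headers(*server.server_address, m))
                for m in ("HEAD", "GET")}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```

The same filter is useful on your own services, where an unexpected custom header can reveal internal details you did not mean to publish.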