# cURL

## Overview
A command-line tool for transferring data to and from servers using a wide range of protocols. In CTF challenges, curl is used to interact with web servers, bypass security checks, manipulate headers and cookies, submit POST payloads, and probe for path traversal vulnerabilities.
## Quick Reference

| Flag | Description |
|---|---|
| -k | Skip TLS certificate verification |
| -X METHOD | Specify HTTP method (GET, POST, PUT, DELETE, etc.) |
| -d "data" | Send POST body data |
| -b "name=value" | Set a cookie |
| -H "Name: Value" | Set a request header |
| -I | Fetch headers only (HEAD request) |
| --verbose | Show full request and response including headers |
| --path-as-is | Send the URL path exactly as given without normalisation |
## Commands

### Simple Connection

### Bypass TLS Certificate Check
Useful when a target uses a self-signed or invalid certificate:
### Submit a POST Payload
Single field
Multiple fields
### Send a POST Payload with JSON Data

### Set a Cookie
Single value
Multiple values
### Inspect Response Headers
Headers only (HEAD request)
Full request and response detail
### Set a Custom Request Header
Single Header
Multiple headers
### Spoof IP via X-Forwarded-For
Some web applications use the X-Forwarded-For header to determine the client's IP address rather than the direct TCP source. This is common in Flask and other reverse-proxy setups where the app trusts forwarded headers from a load balancer. If the application fails to validate that the header came from a trusted proxy, an attacker can spoof it from the client side.
Common use cases in CTFs:

- Bypassing IP allowlist / denylist checks
- Triggering code paths that expect internal IPs, e.g., 127.0.0.1 or 10.x.x.x
- Exploiting applications that skip auth when the request appears to come from localhost
Spoof as localhost

```
curl https://TARGET:PORT/login -k \
  -H "X-Forwarded-For: 127.0.0.1" \
  -X POST -d "username=admin&password=test"
```

Spoof as internal network IP

```
curl https://TARGET:PORT/login -k \
  -H "X-Forwarded-For: 10.0.0.1" \
  -X POST -d "username=admin&password=test"
```

Spoof with multiple IPs (some apps read the first or last entry)

Other forwarding headers to try if X-Forwarded-For does not work

```
-H "X-Real-IP: 127.0.0.1"
-H "Forwarded: for=127.0.0.1"
-H "True-Client-IP: 127.0.0.1"
-H "CF-Connecting-IP: 127.0.0.1"
```
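Seen from the application side, this is what makes the spoof work or fail. The following is an added example, not code from the original page: a constructed client-IP resolver in the trusting form described above, beside a hardened form that only honours X-Forwarded-For when the direct TCP peer is a known proxy. The proxy address 10.0.0.5 and the single-hop chain are assumptions for the example.

```python
from ipaddress import ip_address, ip_network

# Assumed deployment (constructed for this example): one reverse proxy at the
# placeholder address 10.0.0.5 fronts the app and appends the real client
# address to X-Forwarded-For. Only that peer may supply forwarding headers.
TRUSTED_PROXIES = [ip_network("10.0.0.5/32")]
TRUSTED_HOPS = 1  # proxies in the chain that append to X-Forwarded-For


def client_ip_vulnerable(peer_ip: str, headers: dict) -> str:
    """The trusting pattern: the header is honoured no matter who sent it,
    and the first (client-controlled) entry wins."""
    xff = headers.get("X-Forwarded-For", "")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def client_ip_hardened(peer_ip: str, headers: dict) -> str:
    """Honour X-Forwarded-For only when the direct TCP peer is a trusted
    proxy, and read the entry that proxy appended (TRUSTED_HOPS from the
    right); anything further left came from the client and is ignored.
    Other headers (X-Real-IP, True-Client-IP, ...) are never consulted."""
    try:
        peer = ip_address(peer_ip)
    except ValueError:
        return peer_ip
    if not any(peer in net for net in TRUSTED_PROXIES):
        return peer_ip  # direct client: the header carries no authority
    raw = headers.get("X-Forwarded-For", "")
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    if len(entries) < TRUSTED_HOPS:
        return peer_ip  # proxy did not append enough hops: do not guess
    try:
        return str(ip_address(entries[-TRUSTED_HOPS]))
    except ValueError:
        return peer_ip  # malformed entry: fall back to the proxy address


def localhost_bypass_granted(resolver, peer_ip: str, headers: dict) -> bool:
    """The 'skip auth when the request comes from localhost' decision,
    evaluated with a given resolver so both forms can be compared."""
    return ip_address(resolver(peer_ip, headers)).is_loopback
```

With a direct connection from 203.0.113.9 carrying "X-Forwarded-For: 127.0.0.1", the vulnerable resolver grants the localhost bypass and the hardened one resolves the client as 203.0.113.9.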
> Tip: Combine with cookies and POST data for authenticated requests:
### Path Traversal — Prevent URL Normalization
By default, curl normalises paths like ../../etc/passwd before sending the request, which defeats path traversal attempts.
There are two ways to prevent this:

- URL-encode the traversal sequence manually
- Pass the path exactly as given, without normalisation (--path-as-is)
### Follow Redirects

### Save Response to File

### Combining Flags
Most flags can be combined freely. Below is a common pattern for authenticated API interaction:
```
curl https://TARGET:PORT/api/endpoint -k \
  -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer TOKEN" \
  -b "session=abc123" \
  -d '{"command": "whoami"}' \
  --verbose
```
## Challenges
| Source | Name | Notes |
|---|---|---|
| Holiday Hack Challenge 2024, Act I | cURLing | Introduction to commands |
| Holiday Hack Challenge 2025, Act III | Hack-a-Gnome | API execution |
| Holiday Hack Challenge 2025, Act III | Schrödinger's Scope | IP spoofing |