hacking, owasp, web application security

OverTheWire: Natas Level 4 – #appsec #webapp #websecurity #wargames

Another day, another challenge…

In today’s blog post, we’re going to solve level 4 from the Natas wargame.

Let’s begin.

Going to the following link we see:


After entering the username of “natas4” and password of “Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ” we get the following:


Hmm… we’re not allowed access because we’re coming from an invalid URL. Let’s see if we can change that.

In a previous blog, I explained how to use Tamper Data. Tamper Data allows you to modify HTTP requests and responses to see if the web page will behave differently.

We’re going to use Tamper Data for this challenge.


Starting Tamper Data and going to level 4, we see:


We see that the referrer shows natas4. What happens when we change it to natas5?


Changing the referrer to natas5 and clicking OK, we see:



We found the flag!
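
Why the check failed, as an added example that is not part of the original post or the wargame's own code: a decision based on the Referer header rests on a value the client writes, while a server-issued, MAC-protected token cannot be produced by rewriting a header. The `.example` hostnames, the `X-Session-Token` header name and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed values for illustration; none are taken from the wargame.
TRUSTED_REFERER = "http://natas5.example/"   # hypothetical "allowed" origin
SERVER_KEY = secrets.token_bytes(32)         # secret that never leaves the server


def weak_is_authorized(headers):
    """Flawed check: the decision rests on a header the client writes."""
    return headers.get("Referer", "") == TRUSTED_REFERER


def _mac(user):
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()


def issue_token(user):
    """Called only after the server has authenticated `user`."""
    return f"{user}:{_mac(user)}"


def strong_is_authorized(headers, allowed_users):
    """Hardened check: ignore Referer, verify a server-issued token instead."""
    user, _, tag = headers.get("X-Session-Token", "").rpartition(":")
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    valid = hmac.compare_digest(tag.encode(), _mac(user).encode())
    return valid and user in allowed_users


def demo():
    allowed = {"natas5"}
    requests = {  # constructed sample requests (header dictionaries)
        "unmodified": {"Referer": "http://natas4.example/"},
        "referer_rewritten": {"Referer": TRUSTED_REFERER},
        "guessed_token": {"Referer": TRUSTED_REFERER,
                          "X-Session-Token": "natas5:" + "0" * 64},
        "server_issued": {"X-Session-Token": issue_token("natas5")},
    }
    return {name: (weak_is_authorized(h), strong_is_authorized(h, allowed))
            for name, h in requests.items()}


if __name__ == "__main__":
    for name, (weak, strong) in demo().items():
        print(f"{name:18} weak={weak!s:5} strong={strong}")
```

Each result pair is (Referer-based decision, token-based decision); only the request carrying a token the server itself issued passes the hardened check.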
