WEBVERSE


Easy · Basics · Free

Brackish Brewing Co.

A small craft brewery's website has a staff-only portal at /staff. The portal trusts the load balancer to tell it whether a request came from inside the building. The load balancer doesn't do that anymore. Nobody told the portal.

The Scenario

Brackish Brewing has been in Coalridge since 2017 — a fifteen-barrel system, four year-round beers, a taproom that's walk-in only on weekends. The website's a Flask app the head brewer's partner wrote over a few rainy weekends; it has a small staff section where the floor manager posts the week's shifts and keg-pickup notes. The hosting setup got rearranged when they moved off their old reverse proxy in early 2025, and nobody on the brewing side thought to revisit the assumptions the staff section had been quietly making about where its traffic comes from.

Challenge Intel

Synopsis

GET /staff returns 403 unless the request includes X-Forwarded-For: 127.0.0.1, in which case the staff schedule renders with the flag in the keg-pickup line.

What It Is

The Flask handler for /staff reads X-Forwarded-For and only renders the staff page if the first hop is loopback. The 403 page explains the portal is "internal network only" — the hint to swap the header. No auth, no cookies, no session — pure header trust.

Who It's For

Players who can modify a request from outside the browser. The capstone of the Web Fundamentals module — combines DevTools recon with active request manipulation.

Skills You'll Practice

  • Spoofing X-Forwarded-For / Forwarded headers
  • Recognising 'internal network' trust patterns
  • Using curl -H or Burp match-and-replace

What You'll Gain

  • Request headers from clients are client-controlled — never trust them
  • Load-balancer-injected headers must be stripped at the LB and never trusted from outside
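The two lessons above side by side, as an added example that is not the challenge's own Flask code: the vulnerable check trusts the first hop of a client-writable X-Forwarded-For, while the hardened check only reads the header when the TCP peer is a proxy the site operates and then takes the hop that proxy appended. The trusted-proxy range (10.0.0.0/24) and the sample addresses are assumptions constructed for the example.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# Assumption for this example: the only proxy allowed to set X-Forwarded-For
# lives on 10.0.0.0/24. The real deployment's addresses are not on the page.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _parse_hop(hop):
    """Return an ip_address for one X-Forwarded-For entry, or None if malformed."""
    try:
        return ipaddress.ip_address(hop.strip())
    except ValueError:
        return None


def vulnerable_is_internal(headers, remote_addr):
    """The pattern the challenge describes: trust the FIRST hop of
    X-Forwarded-For, a value any client can write freely."""
    xff = headers.get("X-Forwarded-For", "")
    first_hop = xff.split(",")[0] if xff else remote_addr
    addr = _parse_hop(first_hop)
    return addr is not None and addr in LOOPBACK


def hardened_is_internal(headers, remote_addr, trusted_proxies=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the TCP peer is a proxy we operate,
    and then take the rightmost hop that proxy appended. Anything a client
    wrote into the header sits further left and is never consulted."""
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in trusted_proxies):
        # No trusted proxy in front of us (the page's post-2025 setup):
        # the peer IS the client, so the header carries no information.
        return peer in LOOPBACK
    hops = [h for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        addr = _parse_hop(hop)
        if addr is None:
            return False  # malformed chain: deny rather than guess
        if not any(addr in net for net in trusted_proxies):
            return addr in LOOPBACK  # first non-proxy hop from the right = client
    return False  # chain contains only proxies: deny
```

Even the hardened check only identifies a network hop; as the synopsis notes, the portal has no authentication at all, and an IP allow-list is not a substitute for it.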

Ready to hack Brackish Brewing Co.?

This challenge is free. Sign up and start hacking.