Chapter 4

Behind the Firewall

Your session has been TERMINATED. Someone powerful has revoked your access. Your token returns 401. The spy knows you're getting close.

But old protocols exist for emergencies - cookies that persist, sessions that survive. Find another way in. The clock is ticking.

Skills You'll Learn: Authentication, Cookies, Sessions

4-1 Locked Out
You return to the palace and... ACCESS DENIED. Your token has been revoked. Someone with high authority invalidated your session.
Command
curl https://httpqueen.net/castle/enter \
  -H "Authorization: Bearer YOUR-OLD-TOKEN"
# Returns 401 Unauthorized
401 Unauthorized means your credentials are invalid or expired. Sessions can be revoked server-side.
Old Margot whispers: "Your old token returns 401. You need a new way in."
4-2 Emergency Auth
Old Margot whispers of emergency protocols - a back door for investigators when normal channels fail.
Command
curl -X POST https://httpqueen.net/auth/emergency \
  -H "Content-Type: application/json" \
  -d '{"investigator_id": "YOUR-ID", "reason": "session_revoked"}'
Multiple auth paths provide resilience. Emergency/backup auth often has limitations but keeps you operational.
Old Margot whispers: "POST to the emergency auth endpoint. You'll need to prove your investigator identity another way."
4-3 Cookie Jar
Save the session cookies. They might reveal how the spy communicates.
Command
curl -c cookies.txt https://httpqueen.net/session/establish \
  -H "Authorization: Bearer YOUR-EMERGENCY-TOKEN"
-c cookies.txt saves the cookies from the response to a file, like saving your session for later. Cookies persist state between requests.
Old Margot whispers: "Use -c to save cookies to a file. The cookie jar preserves session state."
4-4 Return Visit
Use the saved cookies to maintain your session without re-authenticating.
Command
curl -b cookies.txt -c cookies.txt \
  https://httpqueen.net/session/verify
-b cookies.txt sends saved cookies. Combined with -c, curl acts like a browser maintaining session state.
Old Margot whispers: "The -b flag sends cookies from a file. Combined with -c, you have persistent sessions."
4-5 Session Analysis
Examine the cookie structure. There's more data in there than a simple session ID...
Command
cat cookies.txt
# Examine the cookie values - they contain encoded data
Cookies often contain more than just IDs. Base64 encoding, JSON payloads, and metadata hide in plain sight.
Old Margot whispers: "Look at what's actually IN the cookies. The session cookie has encoded data."
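
An added example (not part of the original exercise) of the inspection in step 4-5: it parses the Netscape-format jar that curl -c writes and tries to Base64-decode each value. The jar contents, domain and cookie names are constructed; Base64 is an encoding, not encryption, so anything it decodes to is readable by whoever holds the cookie.

```python
import base64
import binascii
import json

# Constructed sample: the Netscape-format file `curl -c` writes. The domain,
# cookie names and values are invented, not taken from the game.
_payload = json.dumps({"sid": "abc123", "role": "investigator"}).encode()
_value = base64.urlsafe_b64encode(_payload).decode().rstrip("=")
SAMPLE_JAR = "\n".join([
    "# Netscape HTTP Cookie File",
    "#HttpOnly_example.test\tFALSE\t/\tTRUE\t0\tsession\t" + _value,
    "example.test\tFALSE\t/\tFALSE\t0\ttheme\tdark",
])


def parse_jar(text):
    """Return one dict per cookie line; curl marks HttpOnly with a prefix."""
    cookies = []
    for line in text.splitlines():
        http_only = line.startswith("#HttpOnly_")
        if http_only:
            line = line[len("#HttpOnly_"):]
        elif not line.strip() or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # not a cookie record
        domain, _sub, path, secure, _expires, name, value = fields
        cookies.append({"domain": domain, "path": path, "name": name,
                        "value": value, "secure": secure == "TRUE",
                        "http_only": http_only})
    return cookies


def decode_value(value):
    """Heuristic: ('json', obj), ('text', str) or ('opaque', original)."""
    b64 = value.replace("-", "+").replace("_", "/")  # accept Base64url
    b64 += "=" * (-len(b64) % 4)  # cookies often drop the padding
    try:
        text = base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return "opaque", value  # not Base64, or not UTF-8 text
    if not text.isprintable():
        return "opaque", value
    try:
        return "json", json.loads(text)
    except ValueError:
        return "text", text


if __name__ == "__main__":
    for c in parse_jar(SAMPLE_JAR):
        print(c["name"], c["secure"], c["http_only"], decode_value(c["value"]))
```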
4-6 The Routing
Check the response headers carefully. Where is your traffic actually going?
Command
curl -v https://httpqueen.net/session/verify \
  -b cookies.txt 2>&1 | grep -i routing
Response headers reveal server-side processing. Proxy headers, routing info, and processing metadata live there.
Old Margot whispers: "Use -v or -I to see response headers. Look for routing or proxy information."