> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/enumeration/trick-0037.md).

# Web Hidden Path Discovery via User-Agent Brute-Force

***

Observe how a web server responds when iterating through different values for the `User-Agent` HTTP header. Some applications might reveal hidden paths or alter behavior (e.g., a redirect via a `Location` header) based on specific User-Agent strings.

This technique involves systematically sending requests with varied `User-Agent` values and examining the response codes and headers for anomalies.

You can specify the User-Agent header in curl in a few different ways. One common way is using the `--user-agent` flag:

```bash
curl --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" http://[TARGET_IP]/
```

Alternatively, you can use the shorter `-A` flag:

```bash
curl -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" http://[TARGET_IP]/"
```

Or, you can use the `-H` flag to set any header, including User-Agent:

```bash
curl -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" http://[TARGET_IP]/"
```

For instance, if using single characters for iteration, a response might show:

```http
HTTP/1.1 302 Found
Location: agent_C_attention.php
```

Indicating that a specific `User-Agent` value triggered a redirect to a specific hidden page. Automate this process by scripting the `curl` command to loop through a list of potential User-Agent strings.
