Hi guys, it’s me @dheerajydv1 and in this writeup, we will be learning about all the ways of bypassing 403 forbidden content via manual attack first and then via automation.
Let’s start with manual testing and then we will learn about automation.
Using the “X-Original-URL” header
Original Request -
GET /admin HTTP/1.1
Host: target.com
Modify it to:
GET /anything HTTP/1.1
Host: target.com
X-Original-URL: /admin
Logic - This technique works by tricking the web server into thinking that the request is coming from a different URL.
When to use: This technique will be effective when a website uses URL-based access control to restrict access to certain pages.
Adding %2e after the host URL -
Original Request -
http://target.com/admin => 403
Modify it to:
http://target.com/%2e/admin => 200
Logic - This technique works by exploiting the feature that some web servers don’t handle URL normalization correctly.
When to use: Try your luck.
Trying combinations of. and / -
Original Request -
http://target.com/admin => 403
Modify it to:
http://target.com/secret/. => 200
http://target.com//secret// => 200
http://target.com/./secret/.. => 200
http://target.com/;/secret => 200
http://target.com/.;/secret => 200
http://target.com//;//secret => 200
Logic -
These techniques use different combinations of the characters “.” and “/” in the URL to attempt to bypass access controls since many web servers. A better explanation of each of them from chatgpt is :
http://target.com/secret/. - This request adds a dot character after the “/secret” directory. The dot character represents the current directory, and the trailing slash represents an empty directory. This may cause the web server to serve the content associated with the “secret” directory, even though the original request was blocked.
http://target.com//secret// - This request includes multiple forward slashes in the URL. Some web servers may treat multiple forward slashes as a single slash and ignore any additional slashes, which may cause the request to bypass access controls.
http://target.com/./secret/.. - This request includes dot and double dot characters in the URL. The dot character represents the current directory, and the double dot character represents the parent directory. This may cause the web server to serve the content associated with the “secret” directory, even though the original request was blocked.
http://target.com/;/secret - This request includes a semicolon character in the URL. Some web servers may not properly validate the semicolon character and may allow the request to bypass access controls.
http://target.com/.;/secret - This request includes a combination of dot and semicolon characters in the URL. Similar to the previous example, this may cause the web server to allow the request to bypass access controls.
http://target.com//;//secret - This request includes multiple forward slashes and a semicolon character in the URL. Some web servers may treat multiple forward slashes as a single slash and ignore any additional slashes, while others may not properly validate the semicolon character. This may cause the request to bypass access controls.
Adding “..;/” after the directory name -
Original Request -
http://target.com/admin
Modify it to:
http://target.com/admin..;/
How it works - By adding “..;/” after the directory name in the original URL, we can attempt to trick the web server into interpreting the request in a different way, which may allow us to bypass access controls.
When to use - Try your luck
URL case manipulation -
Original Request -
http://target.com/admin
Modify it to -
http://target.com/aDmIN
How it works - Sometimes web servers use capital letters and small letters differently which can sometimes lead us to bypass access controls.
Now, let’s learn how we can do this via automation and can save time.
Using Burp Extension (403 Bypasser)
Go to BApp Store and download this burpsuite extension.
Installation - BurpSuite -> Extender -> Extensions -> Add -> Extension Type: Python -> Select file: 403bypasser.py -> Next till Finish
Alternatively, you can also download it from GitHub via portwigger GitHub repo.
You can also download it from their official website using the below link -
https://portswigger.net/bappstore/444407b96d9c4de0adb7aed89e826122
Using a GO script (bypass-403)
Install go from an official source and download the script using the below link -
https://github.com/daffainfo/bypass-403
Using a python script (https://github.com/channyein1337/403-bypass)
All installation and usage commands are given in the repo itself.
That’s it for today guys, will write some more amazing writeups soon on osint and pen-testing.
Follow me on Twitter - https://twitter.com/Dheerajydv19