Access control vulnerabilities and privilege escalation
Related reports and write-ups:
Yelp disclosed on HackerOne: "X-Forward-For Header allows to bypass..." Summary: if the "X-Forward-For: 127.0.0.1" header is used, it allows to bypass restrictions of the web application and… (hackerone.com)
Bypass Server Upload Restrictions: How to Get a Shell on a Website using a File [Tutorial] (infosecwriteups.com)
https://infosecwriteups.com/403-forbidden-bypass-leads-to-hall-of-fame-ff61ccd0a71e
403 bypass payload:
curl -H "X-Originally-Forwarded-For: 127.0.0.1, 68.180.194.242" -X GET "${target}"
The really interesting part was what ASP was reporting. When they configured a page which would dump the raw request headers, my requests came through as
Remote_Addr: 127.0.0.1!!! In their application, they were checking the correct header value. But IIS was misconfigured to rewrite Remote_Addr from X-Forwarded-For if it existed. So thanks to a misconfiguration, I was able to get admin access as easily as using my proxy.
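To make the failure mode above concrete, here is an added example (not code from this page or from the quoted write-up) that models the two ways a backend can derive the client address. `client_ip_vulnerable` mimics the misconfiguration described: whenever X-Forwarded-For is present, its first hop silently replaces the socket peer address, so a loopback-only admin check passes for anyone who sends the header. `client_ip_hardened` only honours the header when the TCP peer is a known reverse proxy and walks the chain from the right, so a spoofed leading hop is ignored even when the request really does pass through the proxy. The trusted proxy address 10.0.0.5 and the sample client addresses are assumptions constructed for the example.

```python
import ipaddress

# Assumption for the example: one trusted reverse proxy at 10.0.0.5 is the
# only hop allowed to append to X-Forwarded-For. Everything else is a client.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

# Admin endpoint is meant to be reachable from loopback only.
LOCAL_ADMIN_NETS = [ipaddress.ip_network("127.0.0.0/8")]


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    name = name.lower()
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def client_ip_vulnerable(remote_addr, headers):
    """Mirror the misconfigured server: if X-Forwarded-For exists, its first
    hop overwrites Remote_Addr, no matter who actually sent the request."""
    xff = _header(headers, "X-Forwarded-For")
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(remote_addr)


def client_ip_hardened(remote_addr, headers):
    """Trust X-Forwarded-For only when the peer is a known proxy, and walk the
    chain right-to-left: the rightmost hop not owned by us is the real client."""
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES:
        # Direct connection: the header is attacker-controlled, ignore it.
        return peer
    xff = _header(headers, "X-Forwarded-For") or ""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed hop from our own proxy: fall back to the proxy address,
            # which is never inside the admin allow-list.
            return peer
        if addr not in TRUSTED_PROXIES:
            return addr
    # Header missing or every hop was one of our proxies.
    return peer


def is_admin_allowed(ip):
    return any(ip in net for net in LOCAL_ADMIN_NETS)


def admin_decision(resolver, remote_addr, headers):
    """Return the status code the admin page would answer with (200 or 403)."""
    return 200 if is_admin_allowed(resolver(remote_addr, headers)) else 403


if __name__ == "__main__":
    # Constructed request: external client sends the spoofed header directly.
    spoofed = {"X-Forwarded-For": "127.0.0.1, 68.180.194.242"}
    print("vulnerable:", admin_decision(client_ip_vulnerable, "203.0.113.7", spoofed))
    print("hardened:  ", admin_decision(client_ip_hardened, "203.0.113.7", spoofed))
    # Same attacker, but this time routed through the trusted proxy, which
    # appends the real client address as the last hop.
    via_proxy = {"X-Forwarded-For": "127.0.0.1, 203.0.113.7"}
    print("hardened via proxy:", admin_decision(client_ip_hardened, "10.0.0.5", via_proxy))
```

The rightmost-untrusted-hop rule is what most reverse-proxy "trusted proxies" settings implement; the bug on the page is the equivalent of trusting the leftmost hop from any peer.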
https://github.com/KathanP19/HowToHunt/blob/master/Status_Code_Bypass/403Bypass.md