Bug Bounty Hub
  • πŸš€WELCOME
    • Bug Bounty Hub
    • BBH - Values
    • About the author
  • πŸ•ΈοΈPENTESTING WEB
    • Information Gathering
      • Enumerating ASN and IP blocks
      • Reverse IP Lookup
      • Scanning Open Ports/Services
      • Subdomain Enumeration
        • Active Subdomain Enumeration
        • Passive Subdomain Enumeration
        • Subdomain Permutations
        • Check Alive Subdomains
      • Subdomain Takeover
      • Fuzzing
      • JavaScript Files
      • Endpoints
      • Input Parameters
      • Mapping Attack Surface - Crawling/Spider
      • Fingerprinting
      • Potential Vulnerabilities - Nuclei
    • Client-Side Injection Attacks
    • Server-Side Vulnerabilities
      • Path Traversal/File Inclusion
      • Access Control
      • Authentication
      • Server-side Request Forgery (SSRF)
      • File upload vulnerabilities
      • OS Command Injection
      • SQL Injection
        • MySQL Injection
        • SQLi with SQLMap
    • Authentication
    • Insecure Direct Object Reference (IDOR)
    • Cross-Site Request Forgery Attacks
    • Business Logic Flaws
    • HTTP Verb Tampering
    • Bypass 401 & 403
    • Evading WAFs
    • Reporting
  • 🐣THE BASICS OF WEB
    • HTTP Methods
    • HTTP Response Codes
    • HTTP Headers
      • AWS S3 Buckets Headers
    • HTTP Cookies
    • Encoding
      • URL encoding
      • HTML encoding
      • Base 64 encoding
      • Unicode encoding
    • Web Browsers
      • Same-Origin Policy (SOP)
      • Content Security Policy (CSP)
      • Subresource Integrity Check (SIC)
    • Web Proxies
  • πŸ“šRESOURCES
    • Books
    • Web resources
    • CTF Platforms
  • πŸ”οΈBug Bounty Platforms
Powered by GitBook
On this page
  • HTTP Verbs Tampering
  • HTTP Headers Fuzzing
  • Path Fuzzing
  • Parameter Manipulation
  • Protocol version

Was this helpful?

  1. PENTESTING WEB

Bypass 401 & 403

PreviousHTTP Verb TamperingNextEvading WAFs

Last updated 5 months ago

Was this helpful?

In web pentesting, bypassing 401 (Unauthorized) and 403 (Forbidden) errors helps assess security gaps in access controls. Techniques like HTTP verb tampering, HTTP header fuzzing or Path Fuzzing are commonly used to find vulnerabilities and gain unauthorized access.

HTTP Verbs Tampering

Try using different verbs to access the file: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH, INVENTED, HACK

HTTP Headers Fuzzing

Try using HTTP Proxy Headers, HTTP Authentication Basic and NTLM brute-force (with a few combinations only) and other techniques.

X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded: 127.0.0.1
Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-ProxyUser-Ip: 127.0.0.1
X-Original-URL: 127.0.0.1
Client-IP: 127.0.0.1
True-Client-IP: 127.0.0.1
Cluster-Client-IP: 127.0.0.1
X-ProxyUser-Ip: 127.0.0.1
Host: localhost

If the path is protected you can try to bypass the path protection using these other headers:

X-Original-URL: /admin
X-Rewrite-URL: /admin

Path Fuzzing

If /admin is blocked:

  • Try using /%2e/admin (if access is blocked by a proxy, this could bypass the protection).

  • Try also /%252e/admin (double URL encode)

  • Try Unicode bypass: /%ef%bc%8fadmin (The URL encoded chars are like "/") so when encoded back it will be //admin and maybe you will have already bypassed the /admin name check

Other /admin bypasses:

  • site.com/admin –> HTTP 403 Forbidden

  • site.com/ADMIN –> HTTP 200 OK

  • site.com/admin/ –> HTTP 200 OK

  • site.com/admin/. –> HTTP 200 OK

  • site.com//admin// –> HTTP 200 OK

  • site.com/./admin/.. –> HTTP 200 OK

  • site.com/;/admin –> HTTP 200 OK

  • site.com/.;/admin –> HTTP 200 OK

  • site.com//;//admin –> HTTP 200 OK

  • site.com/admin.json –> HTTP 200 OK (ruby)

Use all this list in the following situations:

  • /FUZZsecret

  • /FUZZ/secret

  • /secretFUZZ

Some API bypasses:

  • /v3/users_data/1234 –> 403 Forbidden

  • /v1/users_data/1234 –> 200 OK

  • {β€œid”:111}-> 401 Unauthriozied

  • {β€œid”:[111]}-> 200 OK

  • {β€œid”:111}-> 401 Unauthriozied

  • {β€œid”:{β€œid”:111}} -> 200 OK

  • {"user_id":"<legit_id>","user_id":"<victims_id>"} (JSON Parameter Pollution)

  • user_id=ATTACKER_ID&user_id=VICTIM_ID (Parameter Pollution)

Parameter Manipulation

  • Change param value: From id=123 --> id=124

  • Add additional parameters to the URL: ?id=124 β€”-> id=124&isAdmin=true

  • Remove the parameters

  • Re-order parameters

  • Use special characters

  • Perform boundary testing in the parameters β€” provide values like -234 or 0 or 99999999

Protocol version

If using HTTP/1.1 try to use 1.0 or even test if it supports 2.0.

πŸ•ΈοΈ
Bypass 401 & 403