# 403 & 401 Bypasses

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

<figure><img src="/files/wkmyDmsvKJMEUQuPRvN4" alt=""><figcaption></figcaption></figure>

**Get a hacker's perspective on your web apps, network, and cloud**

**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.

{% embed url="<https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons>" %}

## HTTP Verbs/Methods Fuzzing

Try using **different verbs** to access the file: `GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH, INVENTED, HACK`

* Check the response headers; they may leak information. For example, a **200 response** to **HEAD** with `Content-Length: 55` means that the **HEAD verb can access the info**, but you still need to find a way to exfiltrate it.
* Using an HTTP header like `X-HTTP-Method-Override: PUT` can override the verb the server acts on.
* Use the **`TRACE`** verb; if you are lucky, the response may echo back the **headers added by intermediate proxies**, which might be useful.
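The defensive side of the verb tricks above: a per-verb ACL that only lists the verbs someone thought of lets HEAD, PATCH or an invented verb fall through, and an override header honoured on any method lets a GET turn into a DELETE. The following is an added example, not code from the page; the `/admin` rule, the `can_read`/`can_write` callbacks and the status codes are constructed to show one default-deny design.

```python
from typing import Callable, Mapping, Optional

KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}
READ_METHODS = {"GET", "HEAD", "OPTIONS"}
OVERRIDABLE_TO = {"PUT", "PATCH", "DELETE"}   # what a browser form POST may be rewritten into

# Constructed per-verb ACL of the kind the fuzzing above defeats: only the verbs that
# were thought of are denied, so HEAD, PATCH or "INVENTED" fall through to "allow".
WEAK_ACL = {"/admin": {"GET": "deny", "POST": "deny"}}

def decide_weak(method: str, path: str) -> str:
    return WEAK_ACL.get(path, {}).get(method, "allow")

def effective_method(method: str, headers: Mapping[str, str]) -> Optional[str]:
    """Return the method the application will actually act on, or None to fail closed."""
    method = method.upper()
    if method not in KNOWN_METHODS:
        return None                                 # INVENTED, HACK, TRACE: never reach a handler
    lowered = {k.lower(): v.upper() for k, v in headers.items()}
    override = lowered.get("x-http-method-override")
    if override is None:
        return method
    # Honour the override only for the one case it exists for: a form POST tunnelling
    # PUT/PATCH/DELETE. A GET or HEAD carrying an override is rejected outright.
    if method != "POST" or override not in OVERRIDABLE_TO:
        return None
    return override

def decide_hardened(method: str, headers: Mapping[str, str], path: str,
                    can_read: Callable[[str], bool], can_write: Callable[[str], bool]) -> int:
    """Default-deny: HEAD is authorised exactly like GET, anything else needs write rights."""
    eff = effective_method(method, headers)
    if eff is None:
        return 405
    allowed = can_read(path) if eff in READ_METHODS else can_write(path)
    return 200 if allowed else 403

if __name__ == "__main__":
    deny_all = lambda p: False
    print(decide_weak("HEAD", "/admin"))                               # allow (the leak)
    print(decide_hardened("HEAD", {}, "/admin", deny_all, deny_all))   # 403
    print(decide_hardened("GET", {"X-HTTP-Method-Override": "DELETE"}, "/admin", deny_all, deny_all))  # 405
```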

## HTTP Headers Fuzzing

* **Change Host header** to some arbitrary value ([that worked here](https://medium.com/@sechunter/exploiting-admin-panel-like-a-boss-fc2dd2499d31))
* Try to [**use other User Agents**](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/User-Agents/UserAgents.fuzz.txt) to access the resource.
* **Fuzz HTTP Headers**: Try using HTTP Proxy **Headers**, HTTP Authentication Basic and NTLM brute-force (with a few combinations only) and other techniques. To do all of this I have created the tool [**fuzzhttpbypass**](https://github.com/carlospolop/fuzzhttpbypass).

  * `X-Originating-IP: 127.0.0.1`
  * `X-Forwarded-For: 127.0.0.1`
  * `X-Forwarded: 127.0.0.1`
  * `Forwarded-For: 127.0.0.1`
  * `X-Remote-IP: 127.0.0.1`
  * `X-Remote-Addr: 127.0.0.1`
  * `X-ProxyUser-Ip: 127.0.0.1`
  * `X-Original-URL: 127.0.0.1`
  * `Client-IP: 127.0.0.1`
  * `True-Client-IP: 127.0.0.1`
  * `Cluster-Client-IP: 127.0.0.1`
  * `Host: localhost`

  If the **path is protected** you can try to bypass the path protection using these other headers:

  * `X-Original-URL: /admin/console`
  * `X-Rewrite-URL: /admin/console`
* If the page is **behind a proxy**, maybe it's the proxy that is preventing you from accessing the private information. Try abusing [**HTTP Request Smuggling**](/hacktricks/pentesting-web/http-request-smuggling.md) **or** [**hop-by-hop headers**](/hacktricks/pentesting-web/abusing-hop-by-hop-headers.md)**.**
* Fuzz [**special HTTP headers**](/hacktricks/network-services-pentesting/pentesting-web/special-http-headers.md) looking for a different response.
  * **Fuzz special HTTP headers** while fuzzing **HTTP Methods**.
* **Remove the Host header** and maybe you will be able to bypass the protection.
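The IP headers listed above only work against an allowlist that reads the client address from a request header instead of from the socket. The following is an added example, not code from the page: a weak resolver that mirrors that mistake next to one that trusts `X-Forwarded-For` only when the TCP peer is one of our own proxies and walks the chain right-to-left. The `10.0.0.0/8` proxy range and the sample addresses are constructed.

```python
import ipaddress
from typing import Mapping

# Constructed: the address range our own reverse proxies connect from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Headers from the list above that a misconfigured allowlist might read as "the client".
SPOOFABLE_IP_HEADERS = ("x-forwarded-for", "x-originating-ip", "x-remote-ip",
                        "x-remote-addr", "client-ip", "true-client-ip", "cluster-client-ip")

def client_ip_weak(headers: Mapping[str, str], peer: str) -> str:
    """The pattern the headers above exploit: whatever the request claims wins."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in SPOOFABLE_IP_HEADERS:
        if name in lowered:
            return lowered[name].split(",")[0].strip()   # leftmost hop is the one the client wrote
    return peer

def client_ip_hardened(headers: Mapping[str, str], peer: str, trusted=TRUSTED_PROXIES) -> str:
    """Use the TCP peer unless it is one of our proxies; in that case walk
    X-Forwarded-For right-to-left and stop at the first hop we did not add ourselves."""
    lowered = {k.lower(): v for k, v in headers.items()}
    xff = [hop.strip() for hop in lowered.get("x-forwarded-for", "").split(",") if hop.strip()]
    chain = xff + [peer]                     # rightmost entry is the socket address: not spoofable
    for hop in reversed(chain):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return peer                      # malformed chain: trust only the socket
        if not any(ip in net for net in trusted):
            return str(ip)                   # first hop that is not one of our proxies
    return peer                              # every hop was a proxy of ours

def is_local_admin_client(ip: str) -> bool:
    """The allowlist decision that a forged 127.0.0.1 header tries to satisfy."""
    return ipaddress.ip_address(ip).is_loopback

if __name__ == "__main__":
    spoofed = {"X-Forwarded-For": "127.0.0.1", "X-Remote-IP": "127.0.0.1"}
    print(client_ip_weak(spoofed, "203.0.113.5"))       # 127.0.0.1  (bypass succeeds)
    print(client_ip_hardened(spoofed, "203.0.113.5"))   # 203.0.113.5
```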

## Path Fuzzing

If */path* is blocked:

* Try using **/%2e/path** (if the access is blocked by a proxy, this could bypass the protection). Try also **/%252e/path** (double URL encode).
* Try a **Unicode bypass**: */**%ef%bc%8f**path* (`%ef%bc%8f` is the URL-encoded fullwidth solidus, which looks like "/"). If the backend normalizes it back to "/", the request becomes *//path* and the */path* name check may already have been bypassed.
* **Other path bypasses**:
  * site.com/secret –> HTTP 403 Forbidden
  * site.com/SECRET –> HTTP 200 OK
  * site.com/secret/ –> HTTP 200 OK
  * site.com/secret/. –> HTTP 200 OK
  * site.com//secret// –> HTTP 200 OK
  * site.com/./secret/.. –> HTTP 200 OK
  * site.com/;/secret –> HTTP 200 OK
  * site.com/.;/secret –> HTTP 200 OK
  * site.com//;//secret –> HTTP 200 OK
  * site.com/secret.json –> HTTP 200 OK (ruby)
  * Use all [**this list**](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/Unicode.txt) in the following situations:
    * /FUZZsecret
    * /FUZZ/secret
    * /secretFUZZ
* **Other API bypasses:**
  * `/v3/users_data/1234` --> 403 Forbidden
  * `/v1/users_data/1234` --> 200 OK
  * `{"id":111}` --> 401 Unauthorized
  * `{"id":[111]}` --> 200 OK
  * `{"id":111}` --> 401 Unauthorized
  * `{"id":{"id":111}}` --> 200 OK
  * `{"user_id":"<legit_id>","user_id":"<victims_id>"}` (JSON Parameter Pollution)
  * `user_id=ATTACKER_ID&user_id=VICTIM_ID` (Parameter Pollution)
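Every path variant in the list above is a different string from `/secret` while being routed to the same resource, which is why a literal match on the raw path fails. The following is an added example, not code from the page: an exact-match check of the kind that gets bypassed, beside a canonicalisation that decides on the form the backend will actually route (one percent-decode, NFKC so the fullwidth solidus becomes "/", `;` segment parameters dropped, dot segments resolved, and fail-closed on anything still encoded). `PROTECTED = "/secret"` and the variant list are constructed.

```python
import unicodedata
from urllib.parse import unquote

PROTECTED = "/secret"   # constructed: the path the ACL is meant to cover

def is_blocked_naive(path: str) -> bool:
    """Exact match on the raw request path, like an `=` location rule.
    Every variant in the list above differs from the literal and passes through."""
    return path == PROTECTED

def canonicalize(path: str) -> str:
    """Bring a request path into the form a typical backend routes on."""
    decoded = unquote(path)                          # decode exactly once: %252e stays "%2e"
    decoded = unicodedata.normalize("NFKC", decoded) # fullwidth U+FF0F (%ef%bc%8f) -> "/"
    decoded = decoded.replace("\\", "/")             # IIS-style backslash separators
    stack = []
    for seg in decoded.split("/"):
        seg = seg.split(";", 1)[0]                   # Tomcat-style ";params" per segment
        if seg in ("", "."):
            continue                                 # collapses "//" and "/./"
        if seg == "..":
            if stack:
                stack.pop()
            continue
        stack.append(seg)
    return "/" + "/".join(stack).lower()             # case-fold: over-blocking beats under-blocking

def is_blocked_hardened(path: str) -> bool:
    canon = canonicalize(path)
    # Anything still percent-encoded or carrying control characters after one decode is
    # ambiguous between proxy and backend: fail closed rather than guess.
    if "%" in canon or any(ord(c) < 0x20 or c == "\x7f" for c in canon):
        return True
    return canon == PROTECTED or canon.startswith(PROTECTED + "/")

# Constructed from the bypass list above; each one defeats the naive check.
BYPASS_VARIANTS = ["/SECRET", "/secret/", "/secret/.", "//secret//", "/;/secret",
                   "/.;/secret", "//;//secret", "/%2e/secret", "/%ef%bc%8fsecret"]

if __name__ == "__main__":
    for p in BYPASS_VARIANTS:
        print(f"{p:20} naive={is_blocked_naive(p)!s:5} hardened={is_blocked_hardened(p)}")
```

Framework-level aliases such as a Rails `.json` format suffix or an older `/v1` API version cannot be recognised by a path-matching layer at all; those need the authorization check inside the application, at the handler that loads the object.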

## **Parameter Manipulation**

* Change **param value**: From **`id=123` --> `id=124`**
* Add additional parameters to the URL: **`?id=124`** --> **`?id=124&isAdmin=true`**
* Remove the parameters
* Re-order parameters
* Use special characters.
* Perform boundary testing in the parameters — provide values like *-234* or *0* or *99999999* (just some example values).

## **Protocol version**

If using HTTP/1.1 **try to use 1.0** or even test if it **supports 2.0**.

## **Other Bypasses**

* Get the **IP** or **CNAME** of the domain and try **contacting it directly**.
* Try to **stress the server** sending common GET requests ([it worked for this guy with Facebook](https://medium.com/@amineaboud/story-of-a-weird-vulnerability-i-found-on-facebook-fc0875eb5125)).
* **Change the protocol**: from http to https, or from https to http.
* Go to [**https://archive.org/web/**](https://archive.org/web/) and check if in the past that file was **worldwide accessible**.

## **Brute Force**

* **Guess the password**: Test the following common credentials. Do you know something about the victim? Or the CTF challenge name?
* [**Brute force**](/hacktricks/generic-methodologies-and-resources/brute-force.md#http-brute)**:** Try basic, digest and NTLM auth.

{% code title="Common creds" %}

```
admin    admin
admin    password
admin    1234
admin    admin1234
admin    123456
root     toor
test     test
guest    guest
```

{% endcode %}

## Automatic Tools

* <https://github.com/lobuhi/byp4xx>
* <https://github.com/iamj0ker/bypass-403>
* <https://github.com/gotr00t0day/forbiddenpass>
* [Burp Extension - 403 Bypasser](https://portswigger.net/bappstore/444407b96d9c4de0adb7aed89e826122)
* [Forbidden Buster](https://github.com/Sn1r/Forbidden-Buster)
* [NoMoreForbidden](https://github.com/akinerk/NoMoreForbidden)
