403 forbidden bypass leads to HALL OF FAME

Tamim Hasan

Published in

InfoSec Write-ups

5 min readJun 21, 2021

Assalamu Alaikum
peace be upon you

Hello hackers. I hope you are well. I am Tamim Hasan a Security Researcher and Bug Bounty hunter From Bangladesh 🇧🇩.

Today we are talking about 403 forbidden bypass. I am trying to explain it in a simple way and after that, I will talk about some 403 bypass technic. So without any delay let’s get started.

So what is 403 forbidden bypass?

Bypassing 403 Forbidden Error indicates that the client was able to communicate with the server, but the server won’t let the client access what was requested.

A few days ago I choose a program for bug hunting. As always I started recon on the website and find 400+ subdomains. While checking their screenshots. I see some 403 status codes, Normally I don’t give much focus on that. But I don’t know why on that day I think that let’s try to bypass 403. So I came on a subdomain which is something like https://subs.xyz.com.

To check its 403 forbidden mechanism I write some basic keywords like hello etc. I just want to check how it works. Is it restricted me from any kind of dir or it’s restricted me only on sensitive dir? So when I search

https://subs.xyz.it/hello it’s given me “Not Found” but when I search https://subs.xyz.it/.htaccess it’s given me 403.

It means this dir exists in this subdomain. Now time to bypass this. I use some basic technic of 403 forbidden bypasses like dir brute-force, use / (slash), etc but no luck. Then I fire up my burp suite and intercept the request as always I change the request method GET → POST again not working it’s still showing 403. Then I change it to GET → TRACE 💥 It’s given me 200 responses then I click “Show Response In Browser” and paste it on the browser and guess what! the .htaccess file pop-up and give me the download permission.

I felt joy and think that there are might be something. But I was wonder when I see that in the dir it’s contain nothing. It makes me worry. But after a few moments, I thought Wait 🤔though I found nothing but still, I bypass their 403 mechanisms. So why shouldn’t I report them?

Let’s try to flip the scenario

The flipping method I learn from Halabi Sir. Thank you Halabi sir to share the technic with us.

Guess what guys after some days they add me on their HALL OF FAME.

Now It’s time to talk (shortly) some 403 forbidden technic

## Dir brute:

Brute-force after 403 forbidden dir. And choose the right wordlist. Like your targeted website running on an apache server and you choose a wordlist that contains IIS, NIGIX server wordlist, etc.

It means two things

1| It makes unnecessary noise on the website. For this, you may be blacklisted from the company.

2|If your wordlist contains all the thing which is not even related to your target that means you didn’t do your recon properly.

Don’t be foolish you are a hacker man😉😉.

You can check out this and this repo which helps you to create your own custom wordlist.

## Change request method:

Change requested methods like GET → POST, GET — > TRACE etc.

## Try to bypass 403 with the curl command

If adding Content-Length:0 is successfully bypassing 403 then you can exploit it with this command

curl -X POST -H “Content-Length:0” https://www.xyz.com

If you see adding X-rewrite-url is able to bypass 403 then your exploit command will be

curl -i -s -k -X $’GET’ -H $’Host: sub.xyz.com’ -H $’X-rewrite-url: .htaccess’ $’https://sub.xyz.com/'

## common one:

xyz.com/secret/*

xyz.com/secret/./

xyz.com/secret/

xyz.com/%2f/secret.txt/

## Use automation:

On the other hand, you can use automation tools that make your work easier

lobuhi/byp4xx

Simple bash script to bypass "403 Forbidden" messages with well-known methods discussed in #bugbountytips …

github.com

iamj0ker/bypass-403

A simple script just made for self use for bypassing 403 It can also be used to compare responses on verious conditions…

github.com

https://github.com/gotr00t0day/forbiddenpass

like if tools give you the result X-rewrite-url = 200 then you can try to exploit it manually with curl -i -s -k -X $’GET’ -H $’Host: sub.xyz.com’ -H $’X-rewrite-url: .htaccess’ $’https://sub.xyz.com/' this command and check it gives you some sensitive info or just show default 200 page.

Motivation Part:

His word motivates me a lot. That’s why I share this with you. Because in this field these kinds of words help us a lot. It means nothing is easy but we have to work hard to achieve our goal.

That's all for today guys. If I made any mistakes please pardon me and if you have any suggestions let me know. Have a nice day :)

You can follow me on Youtube | Github | Twitter | Linkedin | Facebook