How 403 Forbidden Bypass got me NOKIA Hall Of Fame (HOF)

Jaydeepsinh Thakor
Published in InfoSec Write-ups
5 min read · Nov 2, 2022

Hello, amazing people and bug bounty hunters, this is JD (Jaydeepsinh Thakor). I hope you are all fine ❤. In this write-up, I would like to share how I got my first HOF and how I was able to bypass a 403 using a simple technique on a Nokia subdomain. So let’s start.

First, let’s understand what a 403 is. Basically, 403 is the status code the server returns when a user without permission tries to access a restricted page: the response is the error “403 Forbidden”. Let’s look at it in more detail.

What is 403 Forbidden?

As normal users, we don’t have permission to access a particular web page/website/domain (only authorized users such as an admin can), so when we try to access that kind of resource the server gives us the error 403 Forbidden.

What is a 403 Forbidden bypass?

A 403 Forbidden error indicates that the client was able to communicate with the server, but the server won’t let the client access what was requested. Bypassing it means finding a variation of the request that the server accepts and serves anyway.

After choosing my target (Nokia.com), which is a wildcard scope, I started my recon process.

This is the simple methodology that I follow:
1: Sub-domain enumeration using different tools (like amass, subfinder, assetfinder, etc.)
2: Start assessing those websites manually, intercepting requests and understanding how the websites work
3: Check different functionalities.

After analyzing, I found some domains that gave me a 403 Forbidden error, so my mind blew up and I decided: let’s try to bypass it :)

So I came to a subdomain that is something like https://subs.nokia.com.

403 Forbidden page

Also, I tried simple content spoofing like iFrame injection/text injection, e.g. https://subs.nokia.com/!!Site-is-an-down-visit-evil.com [or “/><p>INJECTION</p>], but sadly it didn’t work, and without wasting my time I moved on to the 403 bypass method.

First I checked whether the site contains hidden directories or not, so I requested https://subdomain.nokia.com/.htaccess and it gave a 403 error instead of a 404 “NOT FOUND”. That means the .htaccess file exists on this subdomain.

https://subs.nokia.com/.htaccess

Error: You don’t have permission to access /.htaccess on this server.

It’s time to bypass this.

There are many different methods available to bypass a 403, but first I used some basic and common ones like adding a / (slash), /; etc. … but NO LUCK :(

Also, you can automate that process; there are many 403 bypass automation tools available on GitHub.

403 Bypass Tool

Then I moved to the next method, which is changing the request method:

Change the request method, e.g. GET → POST, GET → TRACE, etc.

So I fired up our pro tool Burp Suite, intercepted the request and sent it to Repeater [we can do the same thing using curl too, but I’m obsessed with Burp Suite, so…]

And I started playing with Repeater, changing the request method GET → POST, but it didn’t work; it was still showing 403. Then I changed it again, GET → TRACE, and

here the magic happened: BOOM, I got a 200 OK response

Woooh

Then I clicked “Show Response In Browser”, pasted it into the browser, and guess what! The .htaccess / .htpasswd file popped up and gave me download permission.

But but … when I opened and looked at those files, they didn’t contain any crucial information, so I was a little bit sad.

Then I thought I had found nothing, but still, I had bypassed their 403 mechanism, so why shouldn’t I report it!!

Because, let’s try the flip scenario:

Okay, I found no crucial information or passwords, but what if something important is used within the site and maintained in the same way? Then it may be possible for an attacker to bypass the restriction and see/dump/access any sensitive file.
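To show the kind of server misconfiguration that lets a method change slip past a 403 (the post does not say how Nokia’s server was configured, so this is an added example, not their configuration): on Apache, access-control directives placed inside a `<Limit>` section apply only to the methods listed there, so a request sent with any other method is simply not covered by the rule. The hardened version applies the rule to every method and turns TRACE off.

```apache
# Weak: the deny rule is scoped to the listed methods only.
# Apache applies a <Limit> section to exactly the methods named in it,
# so a TRACE (or any other unlisted method) request is not covered.
<Files ".htaccess">
    <Limit GET POST>
        Require all denied
    </Limit>
</Files>

# Hardened: no <Limit> wrapper, so the directive applies to every
# request method; the pattern also covers .htpasswd and similar files.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# TRACE has no legitimate use for ordinary clients; disable it
# server-wide (main server config, not .htaccess). Apache then answers
# TRACE with 405 Method Not Allowed before any per-file rules run.
TraceEnable off
```

A quick check after the change is to request the protected path with several methods (GET, POST, TRACE, an arbitrary verb) and confirm every one is refused.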

So after all this, I sent a well-written, detailed report with a PoC included by mail to security-alert@nokia.com regarding this issue.

Then they validated it from their end and notified me that it was a valid finding.

After some days they added me to their HALL OF FAME page, as shown below.

Yeah, that’s it for today. Thanks!! I hope you enjoyed reading it.
