Ways I followed to Bypass ‘403’ — Your checklist
Hello people! Hope you all are doing well.
I will explain in this article how I bypassed — 403 Forbidden in a web application :)
Let’s go!
What is Broken Access Control?
Imagine you have a secret diary with a lock on it. The lock is there to keep people from reading your private thoughts. In the world of computer systems and websites, access control is like that lock. It’s a way to make sure that only the right people can see or do certain things, like view their own personal information on a website.
Now, “broken” access control is like having a diary with a lock that doesn’t work properly. It means that even though there’s supposed to be a lock, some people can still sneak in and see things they’re not supposed to see. It’s a security problem because it means that sensitive information, like your personal diary entries or someone else’s private data on a website, can be accessed by the wrong people.
In the digital world, broken access control occurs when a website or application doesn’t properly enforce its rules about who can access what. It might allow unauthorized users to view, change, or delete information that should be off-limits to them. This can lead to privacy breaches, data leaks, and all sorts of problems.
As per Mozilla’s documentation, the HTTP 403 Forbidden response status code signifies that while the server comprehends the request, it declines to grant authorization for it.
However, if the access control mechanism in place is not robust, an attacker can circumvent the security measures and gain access to the restricted resource.
Ways to bypass 403 endpoints:
Bypassing 403 involves a lot of ways and we will see them one by one as follows:
- Directory Traversal:
We can initially test if the application is vulnerable to directory traversal attacks. We typically include special characters or sequences (e.g., “../”) in input fields, such as URLs or file paths, to trick the application into granting access to files or directories outside of the web root. We will consider that our target website is redacted.com and the forbidden path that we are trying to bypass is /path.
One way of doing it: redacted.com/%2e/path
Double URL encode: redacted.com/%252e/path
Unicode bypass: redacted.com/%ef%bc%8fpath
Other ways:
· redacted.com/path –> HTTP 403 Forbidden
· redacted.com/PATH –> HTTP 200 OK
· redacted.com/path/ –> HTTP 200 OK
· redacted.com/path/. –> HTTP 200 OK
· redacted.com//path// –> HTTP 200 OK
· redacted.com/./path/.. –> HTTP 200 OK
· redacted.com/;/path –> HTTP 200 OK
· redacted.com/.;/path –> HTTP 200 OK
· redacted.com//;//path –> HTTP 200 OK
· redacted.com/path.json –> HTTP 200 OK (if it is a ruby application)
You can further check ways to perform recon on identifying all URLs and directory path from the following post as well :)
2. Parameter Manipulation:
Testing for parameter manipulation involves checking if it’s possible to manipulate the values of URL parameters to access restricted content or perform unauthorized actions within a web application. Here are ways to test this with some examples:
One way of doing it: Change https://redacted.com/profile?id=123 to https://redacted.com/profile?id=124 and see if you can access the other user’s profile.
Other ways:
- Add additional parameters to the URL — https://redacted.com/profile?id=124 — -> https://redacted.com/profile?id=124&isAdmin=true
- Remove the parameters
- Re-order parameters
- Use special characters — can try XSS related payloads.
- Perform boundary testing in the parameters — provide values like -234 or 0 or 99999999 (just some example values).
3. Testing for error-based access:
This is a simple testing method to examine how the application handles error messages and pay close attention to the kind of error messages. Error messages often contain information about what went wrong.
Look for any details in the error message that seem unusual or could be indicative of a misconfiguration. For example, if the error message mentions a specific file or directory, that might be a clue.
4. Changing request headers:
- Alter the Referer header to see if the application grants access based on referring URLs.
- Change the User-Agent header to see if different user agents are treated differently.
- Try using different HTTP methods (e.g., POST instead of GET) to access resources that are supposed to be restricted to specific methods.
One of the best and easiest way to perform this 403 bypassing is by making use of the Burp extension — 403 Bypasser.
Using burp, we can capture the GET requests for the target path initially and send it to the burp extension. Further some rules can also be added to the burp to be appended to the URL to perform directory traversal.
If there is a vulnerability, it will be disclosed by the above methods, but if you’ve discovered any additional methods for uncovering vulnerabilities or have insights to share, please feel free to leave them in the comments. I’m always eager to learn and improve. Happy hunting, fellow security enthusiasts! Toodles!
