While doing bug bounty work, we sometimes come across 403 error pages caused by a lack of permission. Now what? Shall we leave the target?
Well, not really. There is a huge opportunity. 💰
In this blog, we’ll discuss how to leverage these errors and earn good bounties from them.
HTTP response status codes designate whether a specific HTTP request has been successful between server and client.
There are 5 different groups of HTTP status codes:
- Informational response (100-199)
- Successful response (200-299)
- Redirection messages (300-399)
- Client-side error response (400-499)
- Server-side error response (500-599)
Now that you know about HTTP status codes, let’s move on to the 403 error code.
Why 403 Forbidden Error
403 is a client-side error response. It indicates that the server understands the request but refuses to authorize it because the client lacks permission.
When you try to access a page or some media from a website, the webserver checks whether the requesting user has permission to read the requested page or media.
When the webserver finds that the requesting user doesn’t have permission to read it, it sends back the HTTP 403 Forbidden status code, which the browser then displays.
Hope you are clear till now 🙂
In web pen-testing and bug bounties, the 403 Forbidden status code can be bypassed via 2 approaches:
- Manual Approach
- Automated Approach
Here in this blog post, we’ll discuss both approaches in detail.
By bypassing the 403 status code, an attacker could get sensitive files that he shouldn’t have access to. Here we will learn both the manual method and the automated method to bypass this status code.
The error can occur for many reasons.
So, here are 5 different methods that you can try:
- Directory Based Attack
- File Based Attack
- Protocol Based Attack
- HTTP Request Method Based Attack
- Header Based Attack
The easiest way to bypass the 403 Forbidden error is to insert some characters after the domain, like (/, /, /./, %2f, ./., //).
Let’s look at the examples below.
Directory Based
- domain.com/secret => 403
- domain.com/secret/* => 200
- domain.com/%2e/secret => 200
- domain.com/secret/./ => 200
File Based
- domain.com/secret.txt => 403
- domain.com/secret.txt => 200
- domain.com/%2f/secret.txt/ => 200
Protocol Based
- https://domain.com/secret.txt => 403
- http://domain.com/secret.txt => 200
HTTP Request Method Based
- GET => 403
- POST => 200
- TRACE => 200
- PUT => 200
- OPTIONS => 200
Header Based
- Without those headers => 403
- Content-Length: 0 => 200
- X-rewrite-url => 200
- X-Original-URL => 200
- X-Custom-IP-Authorization => 200
- X-Forwarded-For => 200
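Seen from the defending side, the variants above stop working once the access check runs on the canonical path, gives the same answer for every method, and the edge drops client-supplied override headers. The following is an added example, not code from the original post or from any tool it mentions; the policy table, function names and the four-pass decode limit are assumptions chosen for illustration.

```python
import posixpath
from urllib.parse import unquote

# Constructed sample policy: the post's /secret and /secret.txt are protected.
PROTECTED = ("/secret", "/secret.txt")
# Override headers from the list above; the edge must not forward client copies.
CLIENT_CONTROLLED = {"x-original-url", "x-rewrite-url",
                     "x-custom-ip-authorization", "x-forwarded-for"}

def canonical_path(raw_path: str) -> str:
    """Reduce a raw request path to the form the backend will resolve."""
    path = raw_path
    for _ in range(4):                 # decode until stable, so %252e is caught
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise ValueError("path still percent-encoded after 4 passes")
    # Collapse //, /./ and /../ (normpath alone would keep a leading '//').
    return posixpath.normpath("/" + path.lstrip("/"))

def strip_client_headers(headers: dict) -> dict:
    """Headers the edge proxy forwards: client-set overrides are dropped."""
    return {k: v for k, v in headers.items()
            if k.lower() not in CLIENT_CONTROLLED}

def decide(method: str, raw_path: str, authorised: bool) -> int:
    """Status for a request; `method` is accepted but never changes the answer."""
    try:
        path = canonical_path(raw_path)
    except ValueError:
        return 400
    protected = any(path == p or path.startswith(p + "/") for p in PROTECTED)
    return 403 if protected and not authorised else 200

if __name__ == "__main__":
    # Constructed requests mirroring the path variants listed in the post.
    for raw in ("/secret", "/secret/*", "/%2e/secret", "/secret/./",
                "/%2f/secret.txt/", "/public"):
        for method in ("GET", "POST", "TRACE"):
            print(method, raw, "->", decide(method, raw, authorised=False))
```

If the proxy and the application normalise paths differently, the check has to use the same normalisation as the component that finally resolves the file.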
In real life and bug bounties, there will be thousands of URLs that you might need to check for a 403 Forbidden error bypass. It is almost impossible to do this manually unless you are in a dream.
So, to make our lives easier, hackers have invented many 403 bypass automation tools. Here, we are going to have a look at the automated approach to bypassing the 403 Forbidden error.
403bypasser is a good tool written in Python by yunemse48 for bypassing the 403 Forbidden error. Here you will see the installation and the usage of the tool.
Step 1: Clone the GitHub repository to your machine, `git clone https://github.com/yunemse48/403bypasser.git`
Step 2: `cd 403bypasser`, then install the Python module requirements by executing the command `pip install -r requirements.txt`.
Well, there you go; the installation is over. It’s time to see it in action.
The basic usage of the tool is `python3 403bypasser.py -u https://example.com -d /secret`.
NOTE: The example site is not vulnerable; the site is tested just to show you how it works.
The second technique is for when you have a single domain and a list of possible directories that you might get from directory fuzzing: `python3 403bypasser.py -u https://example.com -D dirlist.txt`.
The third technique is useful when you want to try multiple URLs with a single directory or file: `python3 403bypasser.py -U urllist.txt -d /secret`.
And the 4th and final technique is for when you want to check a list of URLs and also a list of directories: `python3 403bypasser.py -U urllist.txt -D dirlist.txt`.
Thanks for your time. I hope you are now much clearer about the concept. If you like this, make sure to share it with others so that they can leverage this information. For any doubts or questions, please leave a comment below.
I am a freelance cybersecurity researcher and a digital marketer. I have already helped top IT giants to secure their web applications and maintain a safe environment for their users. Sharing and caring is my motive. I love to guide beginners in making a successful career in the cybersecurity industry.