403 Forbidden Bypass Leading to Admin Endpoint Access.

0xUnkn0wn
3 min read · Aug 10, 2022


Hi everyone! This is my very first write-up. I recently decided to start giving back to the community, so pardon me for any mistakes. I’ll share with everyone how I was able to bypass a 403 Forbidden endpoint on an API. So, here we go…

I was hunting on a private program. After fuzzing for sub-domains, I found some sub-subdomains, and admin.redacted.com caught my eye (for privacy, let’s say the organization is redacted.com). I got a 403 Forbidden response when I tried to access it.

I got interested in the sub-domain, so I set my FFUF tool to recursion mode and started fuzzing. After a while I found some empty directories, such as https://admin.redacted.com/cpanel/view-credentials/, but I was still getting the 403 Forbidden.

I got motivated to bypass the 403, so I quickly tried the Python tool [byp4xx] and the bash tool [bypass-403], but I was not successful. I tried various other tricks like URL capitalization, X-Forwarded-IP, and changing the User-Agent, and none of these worked for me. At this point I felt I was just wasting time on the endpoint, but I decided to search for some hidden parameters.

I fired up param-miner on the endpoint and within a few minutes I found a parameter [userId], but I didn’t have a userId and did not know the value of the [userId]. After thinking for a while I decided to use the tool [waybackurls] and retrieved all URLs of admin.redacted.com from the Wayback Machine. There were so many URLs that I couldn’t manually check them all, so I grepped for [“?userId=”] and found some URLs leaking a userId. I got excited and immediately constructed a [POST] request sending the userId in the body, but I got a 404 error. I was determined to bypass the 403 Forbidden, so I casually thought to change the request type to [GET] and sent the parameter in a GET request, and I still got a 403 Forbidden.

At this point I was going to give up and move on, but while I was casually sending requests and observing how the API responded from the Repeater tab, I sent a GET request to the same endpoint and received a 200 OK. Yes! Just like that. I was surprised and in luck.

What happened?! I re-sent the GET request in a bid to find out how and why I got the 200 OK, but this time I received a 403 Forbidden.

I knew something was up… I decided to go through my request log in Burp, and I carefully checked all the requests, but I could not find any reason why the server returned a 200 OK. It took me a few hours before I found out what was happening: after every 12 unauthorized requests that result in a 403 Forbidden, the next 4 requests would return 200 OK, thereby bypassing the authorization.
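An intermittent failure like this is easy to miss in a log review but simple to surface once you look at the status sequence per client and path. The script below is an added example (not part of the original post): it parses constructed combined-format access log lines for the admin path, groups responses by unauthenticated client and path, and flags any path that is mostly denied yet intermittently served a 200, printing the run-length pattern so a periodic 12-deny / 4-allow cycle stands out. The client IP, timestamps and log format are assumptions.

```python
import re
from collections import defaultdict
from itertools import groupby

# Constructed sample log: one anonymous client requesting the same admin path.
# After 12 responses of 403, the next 4 come back 200 (the pattern the post describes).
LOG_LINES = [
    f'203.0.113.7 - - [10/Aug/2022:10:00:{i:02d} +0000] '
    f'"GET /cpanel/view-credentials/ HTTP/1.1" {403 if i % 16 < 12 else 200} 512'
    for i in range(48)
]

# Minimal combined-log-format matcher (assumed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one log line into (client_ip, auth_user, path, status) or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m['ip'], m['user'], m['path'], int(m['status'])


def status_runs(statuses):
    """Run-length encode a status sequence: [(status, run_length), ...]."""
    return [(s, sum(1 for _ in g)) for s, g in groupby(statuses)]


def find_flapping_paths(lines, min_denied=4):
    """Return {(client, path): runs} for paths where an unauthenticated client
    (auth user '-') was denied at least min_denied times but still got a 200."""
    seq = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[1] == '-':          # only unauthenticated requests matter here
            client, _, path, status = rec
            seq[(client, path)].append(status)
    return {
        key: status_runs(statuses)
        for key, statuses in seq.items()
        if statuses.count(403) >= min_denied and 200 in statuses
    }


if __name__ == '__main__':
    for (client, path), runs in find_flapping_paths(LOG_LINES).items():
        print(f'{client} {path}: {runs}')
```

A fix can be regression-tested the same way: replay the denied request well past the observed cycle length and assert the status never changes.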

I quickly compiled a report and submitted the issue. They were prompt enough to fix it within a week.

This was rated P2 (High Severity), and I was rewarded 1800 USD for it, as the page revealed admin data.

Thank you for taking the time to read. Follow me on Twitter 😊

Twitter: https://twitter.com/G0ds0nXY

0xUnkn0wn

Hacker. Real Estate Investor. Entrepreneur & Business Owner