Open in app

Sign in

Write

Sign in

Bypassing 403 Forbidden: A Guide for Cybersecurity Professionals

Mahmoud Salah
4 min readOct 4, 2023

--

Hello, fellow cybersecurity enthusiasts! Today, we’ll delve into the world of HTTP status codes, specifically into the tool I created myself to bypass the 403 Forbidden error, and discuss different techniques for bypassing it.. So, let’s dive right in!

Understanding 403 Forbidden

Before we get into the bypass techniques, let’s first understand what a 403 Forbidden error is. The HTTP 403 is an HTTP status code meaning access to the requested resource is forbidden. The server understood the request but will not fulfill it. Whenever we encounter a 403 Page, it often means something is inside; we just need to find a way to bypass it.

Techniques to Bypass 403 Forbidden

Let’s embark on an exciting journey where we’ll explore the capabilities of a remarkable tool. This tool, my dear friend, is something that you’ll find incredibly useful. It’s designed to empower you, to give you control, and to open up a world of possibilities.

The Tool: https://github.com/diiablo00/403-bypass

Appending Special Characters

Alright, let’s dive right in! We’re kicking things off with a unique technique that I didn’t include in my tool. Why, you ask? Well, there’s already a fantastic tool out there for this technique — it’s called wfuzz. Now, moving on to a simple yet effective strategy. This involves adding special characters right after the first slash in the URL. For example:

  • https://www.domain/DB returns a 403 error
  • https://www.domain/%2e/DB or https://www.domain/./DB returns a 200 OK response

Now, let’s talk about how you can use wfuzz to bypass the 403 Forbidden error:

Alright, let’s dive right in! Here’s the strategy you’re going to follow:

  • /FUZZDB
  • /FUZZ/DB
  • /DBFUZZ

I’ve compiled a variety of word lists in my tool that you can utilize for fuzzing. You’ve got a few options here. You could use the Unicode.txt, or perhaps the Directory.txt, or even the Directory_traversal.txt. Or why not mix it up and use all of them together in this comprehensive list, all.txt? Or feel free to use any list that suits your needs. Remember, it’s all about discovering what works best for you!

Here’s a friendly piece of advice:

When you stumble upon an endpoint that returns a 403 forbidden error, don’t just stop there. Instead, try to explore further from that endpoint. For instance, if ‘example.com/admin' gives you a 403 forbidden error,

Try something like ‘example.com/admin/anything'. If it returns a 404 not found, that's okay. Move on to 'example.com/admin/another_anything'. If this gives you another 403 forbidden, keep going in this manner.

Once you’ve done this, gather all the endpoints that returned a 403. Now, here’s where the fun begins. Try to bypass all these 403s using my tool.

Modifying Request Headers

Note: From the beginning of this technique, we will use my tool, knowing that all the following techniques work together.

Let’s dive into the world of modifying request headers. This technique is like a secret handshake that can help you bypass those pesky 403 errors.

With my tool, you’ll be able to add certain headers to your requests. It’s like giving your request a VIP pass to get past the bouncer at a club. And the best part? All the headers you’ll need are neatly packed in a file named headers.txt. This wordlist is what is used in the tool, and if you want to use another wordlist, this is up to you.

And if you’re looking for a special tool just for changing headers, let me introduce you to headers.sh. It's my go-to script for all things header-related.

I’ve also created a special tool with the User Agent Header if you want to change the value of the User Agent only, and It is user-agent-fuzz.sh. The values I use in my tool are specific to certain operating systems and devices, such as Android, iOS, Windows, Mac OS X, Linux, PlayStation, Xbox, Apple TV, Roku Ultra, Amazon Fire TV, and Google Chromecast.

Changing HTTP protocol version

There’s a magic trick with HTTP protocol versioning that can often help us bypass it. Here’s a quick tip: try switching from HTTP/1.1 to HTTP/2, or the other way around. Sometimes, it’s as simple as that! And the best part? This nifty trick is something you can do right on my tool.

Changing Request Methods

Let’s talk about another cool technique to bypass those pesky 403 Forbidden errors. It’s all about changing the request methods. You know, switching up from the usual GET to something like POST, TRACE, PUT, or OPTIONS. It’s like speaking a different dialect in the language of servers. And guess what? Sometimes, this simple switch can be your golden ticket past the 403 wall.

And the best part? All the methods you’ll need are neatly packed in a file named method.txt. This list of wordlist is what is used in the tool, and note that you cannot change this list in the tool because I use all methods.

If you’re looking for a special tool just for changing methods, let me introduce you to methods.sh. It's my go-to script for all things method-related.

Conclusion

Hey there, tech enthusiasts! Bypassing a 403 Forbidden error can sometimes feel like you’re trying to solve a complex puzzle. But guess what? With the techniques in my tool, you’ll be well-equipped to tackle this challenge head-on. Remember, the essence of ethical hacking lies in persistence and creativity. So keep trying, keep exploring!

And here’s the best part — once you’ve given my tool a whirl, I’d love to hear from you. Got something to add? Have a question? Don’t hesitate to reach out on social media. The links will be provided below.

So, are you ready to embark on this exciting journey? Stay tuned for more cool tips and tricks! 😉 Happy hunting!

links:

Facebook

Instagram

Twitter

--

--

Mahmoud Salah

Written by Mahmoud Salah

15 Followers

One day or day one, you decide.

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams