403 Forbidden bypass & accessing config files using a header
This is my first writeup, on how I bypassed a 403 & accessed the config file
Hi Everyone,
My name is vishnurajr. This is my first writeup, on how I found a bypass for a 403 FORBIDDEN!
So let’s begin,
403 Forbidden: the HTTP 403 Forbidden response status code indicates that the server understood the request but refuses to authorize it.
The target was in the financial sector. During recon, I found a subdomain with a login page that was used by the branch executives of the company. It requires three credentials to log in to its panel, and trying random credentials got nothing. Then I tried Google dorks to find some endpoints, but nothing worked. At last I searched the domain in an archive directory and got some endpoints, most of which were not important. But one endpoint caught my attention; it looked like this:
/v1/redacted/redacted/redacted/cms/config?channel=desktop
I accessed the endpoint and got a 403 Forbidden.
The next step was to bypass the 403. I tried every 403 bypass previously found by security researchers, but nothing worked: still forbidden, forbidden, forbidden!
After some time I went back through the Burp history looking for luck, and noticed that some requests, like the login request, contained an X-License-Key header. I thought, let's copy that header over. I copied the X-License-Key header and pasted it into the config endpoint request:
GET /v1/redacted/redacted/redacted/cms/config?channel=desktop
Host: *.redacted.*
X-License-Key: xxxxxxxxxxxxxxxxxxx
I got access to the config endpoint and bypassed the 403 Forbidden.
The config file contains a lot of information, like this:
Impact
- An attacker can gain sensitive information about the target.
Fix: They removed the X-License-Key header from every request.
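To make the bypass step and the fix reproducible, here is an added example that is not the author's tooling or the target's code: a small replay check that fetches a 403'd path once with no extra headers and once per header harvested from other requests in the proxy history, reporting which header flips the status. It runs against an in-process stand-in server that behaves like the backend described above (403 unless a static X-License-Key header is present). The license key, session id, config path and response body are constructed placeholders; the real values are redacted in the writeup. The hardened handler is my own illustration of the principle behind the fix (authorization must not rest on a client-replayable static header), not a description of what the target's team actually changed.

```python
"""Header-based 403 bypass replay check against a constructed stand-in server.

Added example, not the writeup's own tooling. All values below are
placeholders: the real key, host, path and config contents are redacted.
"""
import http.client
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

KNOWN_LICENSE_KEY = "example-license-key"  # constructed placeholder
VALID_SESSIONS = {"sess-abc123"}           # constructed server-side session store
CONFIG_BODY = b'{"cms": {"api_base": "https://internal.example", "debug": true}}'  # constructed
CONFIG_PATH = "/v1/cms/config?channel=desktop"  # placeholder for the redacted path


class VulnerableHandler(BaseHTTPRequestHandler):
    """Backend that treats a static, client-supplied header as authorization.

    Anyone who has seen the header once (e.g. on the login request in proxy
    history) can replay it against any endpoint, which is the bypass above.
    """

    def authorised(self):
        return self.headers.get("X-License-Key") == KNOWN_LICENSE_KEY

    def do_GET(self):
        if self.authorised():
            status, body = 200, CONFIG_BODY
        else:
            status, body = 403, b"Forbidden"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


class HardenedHandler(VulnerableHandler):
    """Same endpoint, but authorization is a server-side session lookup, so a
    copied X-License-Key header no longer unlocks it (my illustration of the fix)."""

    def authorised(self):
        cookie = SimpleCookie(self.headers.get("Cookie", ""))
        session = cookie.get("session")
        return session is not None and session.value in VALID_SESSIONS


def start_server(handler_cls):
    """Bind the stand-in on an ephemeral localhost port and serve in a thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(port, path, headers=None):
    """GET `path` from the stand-in server; returns (status, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers=headers or {})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body


def header_bypass_check(port, path, harvested):
    """Replay a 403'd path once per harvested header and report each status.

    `harvested` maps header name -> value copied from other requests in the
    proxy history. A header that turns the baseline 403 into 200 is the finding.
    """
    baseline, _ = fetch(port, path)
    results = {name: fetch(port, path, {name: value})[0] for name, value in harvested.items()}
    return baseline, results


# Constructed: headers copied from the login request in proxy history.
HARVESTED = {
    "X-License-Key": KNOWN_LICENSE_KEY,
    "X-Requested-With": "XMLHttpRequest",
}

if __name__ == "__main__":
    for cls in (VulnerableHandler, HardenedHandler):
        srv = start_server(cls)
        print(cls.__name__, header_bypass_check(srv.server_address[1], CONFIG_PATH, HARVESTED))
        srv.shutdown()
```

Against the vulnerable handler the baseline is 403 and only X-License-Key flips it to 200; against the hardened handler the copied header stays at 403 and only a valid session cookie gets the config. Pointing `fetch` at a real host instead of the stand-in turns the same loop into the check you would run in practice.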