coelner/hacktricks
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
0a2a35036f
hacktricks/pentesting/pentesting-web/403-and-401-bypasses.md
CPol 0a2a35036f
GitBook: [#3090] No subject
2022-04-06 08:57:29 +00:00

93 lines
4.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 403 & 401 Bypasses
## HTTP Verbs/Methods Fuzzing
Try using **different verbs** to access the file: `GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH, INVENTED, HACK`
* Check the response headers, maybe some information can be given. For example, a **200 response** to **HEAD** with `Content-Length: 55` means that the **HEAD verb can access the info**. But you still need to find a way to exfiltrate that info.
* Using a HTTP header like `X-HTTP-Method-Override: PUT` can overwrite the verb used.
* Use **`TRACE`** verb and if you are very lucky maybe in the response you can see also the **headers added by intermediate proxies** that might be useful.
## HTTP Headers Fuzzing
* **Change Host header** to some arbitrary value ([that worked here](https://medium.com/@sechunter/exploiting-admin-panel-like-a-boss-fc2dd2499d31))
* Try to [**use other User Agents**](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/User-Agents/UserAgents.fuzz.txt) to access the resource.
* **Fuzz HTTP Headers**: Try using HTTP Proxy **Headers**, HTTP Authentication Basic and NTLM brute-force (with a few combinations only) and other techniques. To do all of this I have created the tool [**fuzzhttpbypass**](https://github.com/carlospolop/fuzzhttpbypass).
* `X-Originating-IP: 127.0.0.1`
* `X-Forwarded-For: 127.0.0.1`
* `X-Forwarded: 127.0.0.1`
* `Forwarded-For: 127.0.0.1`
* `X-Remote-IP: 127.0.0.1`
* `X-Remote-Addr: 127.0.0.1`
* `X-ProxyUser-Ip: 127.0.0.1`
* `X-Original-URL: 127.0.0.1`
* `Client-IP: 127.0.0.1`
* `True-Client-IP: 127.0.0.1`
* `Cluster-Client-IP: 127.0.0.1`
* `X-ProxyUser-Ip: 127.0.0.1`
* `Host: localhost`
If the **path is protected** you can try to bypass the path protection using these other headers:
* `X-Original-URL: /admin/console`
* `X-Rewrite-URL: /admin/console`
* If the page is **behind a proxy**, maybe it's the proxy the one preventing you you to access the private information. Try abusing [**HTTP Request Smuggling**](../../pentesting-web/http-request-smuggling/) **or** [**hop-by-hop headers**](../../pentesting-web/abusing-hop-by-hop-headers.md)**.**
* Fuzz [**special HTTP headers**](special-http-headers.md) looking for different response.
* **Fuzz special HTTP headers** while fuzzing **HTTP Methods**.
## Path **Fuzzing**
If _/path_ is blocked:
* Try using _**/**_**%2e/path **_**(if the access is blocked by a proxy, this could bypass the protection). Try also**_** /%252e**/path (double URL encode)
* Try **Unicode bypass**: _/**%ef%bc%8f**path_ (The URL encoded chars are like "/") so when encoded back it will be _//path_ and maybe you will have already bypassed the _/path_ name check
* **Other path bypasses**:
* site.com/secret > HTTP 403 Forbidden
* site.com/SECRET > HTTP 200 OK
* site.com/secret/ > HTTP 200 OK
* site.com/secret/. > HTTP 200 OK
* site.com//secret// > HTTP 200 OK
* site.com/./secret/.. > HTTP 200 OK
* site.com/;/secret > HTTP 200 OK
* site.com/.;/secret > HTTP 200 OK
* site.com//;//secret > HTTP 200 OK
* site.com/secret.json > HTTP 200 OK (ruby)
* Use all [**this list**](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/Unicode.txt) in the following situations:
* /FUZZsecret
* /FUZZ/secret
* /secretFUZZ
* **Other API bypasses:**
* /v3/users\_data/1234 --> 403 Forbidden
* /v1/users\_data/1234 --> 200 OK
* {“id”:111} --> 401 Unauthriozied
* {“id”:\[111]} --> 200 OK
* {“id”:111} --> 401 Unauthriozied
* {“id”:{“id”:111\}} --> 200 OK
* {"user\_id":"\<legit\_id>","user\_id":"\<victims\_id>"} (JSON Parameter Pollution)
* user\_id=ATTACKER\_ID\&user\_id=VICTIM\_ID (Parameter Pollution)
## **Other Bypasses**
* Try to **stress the server** sending common GET requests ([It worked for this guy wit Facebook](https://medium.com/@amineaboud/story-of-a-weird-vulnerability-i-found-on-facebook-fc0875eb5125)).
* **Change the protocol**: from http to https, or for https to http
* Go to [**https://archive.org/web/**](https://archive.org/web/) and check if in the past that file was **worldwide accessible**.
## **Brute Force**
* **Guess the password**: Test the following common credentials. Do you know something about the victim? Or the CTF challenge name?
* [**Brute force**](../../brute-force.md#http-brute)**:** Try basic, digest and NTLM auth.
{% code title="Common creds" %}
```
admin admin
admin password
admin 1234
admin admin1234
admin 123456
root toor
test test
guest guest
```
{% endcode %}
Reference in New Issue View Git Blame Copy Permalink