Bypassing 403

ID

bypassing_403

Severity

high

Kind

Access Control

CWE

348

Description

This detector identifies endpoints that return 403 Forbidden responses but can be bypassed through techniques such as HTTP method manipulation, path normalization tricks, or header injection. The scan rule sends a series of request variants against the protected resource to determine whether it can be accessed despite the access control restriction.

Rationale

Access control bypasses allow attackers to access restricted resources or administrative functions without proper authorization. Attackers exploit inconsistencies between reverse proxy and backend server path parsing, use alternate HTTP methods, inject special headers like X-Original-URL or X-Rewrite-URL, or manipulate URL encoding to circumvent 403 protections. Successfully bypassing these restrictions can lead to unauthorized data access, privilege escalation, or execution of administrative operations.

Remediation

Implement consistent access control checks at the application layer rather than relying solely on web server or reverse proxy configurations. Ensure that all HTTP methods for protected endpoints are properly secured, not just GET requests. Validate and normalize all paths before applying access control rules, and disable or properly validate special headers like X-Original-URL that might override routing decisions. Use allowlist-based access control and verify that path normalization is consistent across all components in the request chain.
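The remediation above amounts to one authorization decision that every component sees the same way: the path is canonicalized before the rule is looked up, the rule applies to every HTTP method, routing-override headers are ignored, and anything outside the allowlist is denied. The following is an added example of such a check (it is not the detector's code nor any particular framework's API); the `Request` shape, the `ROUTE_POLICY` table, the role names and the lower-casing of paths are assumptions made for the illustration.

```python
import posixpath
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
from urllib.parse import unquote

# Headers that some proxies and frameworks honour as a routing override.
# The access decision never reads them; they are only reported so they can be logged.
ROUTING_OVERRIDE_HEADERS = {"x-original-url", "x-rewrite-url"}

# Allowlist (assumed for this example): canonical path prefix -> roles that may reach it.
# An empty role set means public. Paths that match no entry are denied, whatever the method.
ROUTE_POLICY: Dict[str, Set[str]] = {
    "/": set(),                        # exact match only, see route_rule()
    "/public": set(),
    "/admin": {"admin"},
    "/api/users": {"admin", "support"},
}

# Characters a canonical path may contain; anything else (NUL, backslash, ';', '%') fails closed.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9._~/-]*$")


@dataclass
class Request:
    method: str
    raw_path: str                                  # path exactly as received
    headers: Dict[str, str] = field(default_factory=dict)
    user_roles: frozenset = frozenset()            # assumed: roles resolved from the session


def canonical_path(raw_path: str) -> Optional[str]:
    """Reduce a request path to the single form the policy and the router both use."""
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    # Decode until stable so double-encoded sequences such as %252e collapse to one form.
    for _ in range(5):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None                                # still changing: refuse to guess
    if not path.startswith("/"):
        return None
    path = re.sub(r"/+", "/", path)                # "//admin" -> "/admin"
    path = posixpath.normpath(path)                # "/admin/./x/../" -> "/admin"
    path = path.lower()                            # policy prefixes are registered in lower case
    if not SAFE_PATH.match(path):
        return None
    return path


def route_rule(path: str) -> Tuple[Optional[str], Optional[Set[str]]]:
    """Return the most specific allowlisted prefix for the path, or (None, None)."""
    best_prefix, best_roles = None, None
    for prefix, roles in ROUTE_POLICY.items():
        matches = path == prefix or (prefix != "/" and path.startswith(prefix + "/"))
        if matches and (best_prefix is None or len(prefix) > len(best_prefix)):
            best_prefix, best_roles = prefix, roles
    return best_prefix, best_roles


def authorize(req: Request) -> dict:
    """Application-layer access decision, independent of method and of override headers."""
    ignored = sorted(h for h in req.headers if h.lower() in ROUTING_OVERRIDE_HEADERS)
    path = canonical_path(req.raw_path)
    if path is None:
        return {"status": 400, "path": None, "reason": "path could not be normalized",
                "ignored_headers": ignored}
    prefix, roles = route_rule(path)
    if prefix is None:
        return {"status": 403, "path": path, "reason": "route not in allowlist",
                "ignored_headers": ignored}
    if roles and not (req.user_roles & roles):
        return {"status": 403, "path": path, "reason": f"requires one of {sorted(roles)}",
                "ignored_headers": ignored}
    return {"status": 200, "path": path, "reason": "allowed", "ignored_headers": ignored}


if __name__ == "__main__":
    # Constructed sample requests: the same decision is reached for every method and spelling.
    samples = [
        Request("GET", "/admin", {}, frozenset({"admin"})),
        Request("POST", "/admin", {}),
        Request("GET", "//ADMIN/", {}),
        Request("GET", "/%2561dmin", {}),
        Request("GET", "/", {"X-Original-URL": "/admin"}),
        Request("GET", "/admin%00", {}),
    ]
    for s in samples:
        print(s.method, s.raw_path, "->", authorize(s))
```

The router must serve the `path` value returned here rather than re-deriving its own; that is what keeps the proxy, the access check and the handler in agreement, which is the inconsistency these bypasses depend on.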