When seeing a 403 Forbidden response, most hackers move on, but that is exactly why some of the biggest bounties I've earned started with seeing a 403. Today I'm going to show you the techniques that turn these dead ends into massive payouts on some of my favorite bug bounty programs. I have been a bug bounty hunter for over a decade, and if there is one thing that I've learned, it is that understanding how access controls actually break is what separates casual hunters from those that are consistently finding massive bounties.

Before we dive into this video, you need to do me a favor and drop me a lock emoji in the comment section if you have ever encountered a 403 that made you think "wow, there's got to be more here", because by the end of this video you will know exactly what to do the next time you encounter a 403 Forbidden page. For this video, what we're going to cover is why a 403 often hides massive impact with massive-paying vulnerabilities, the five most effective bypass techniques that I use in my bug bounty hunting, and I'm going to wrap up the entire video with some real examples from some of my findings, which is going to be with some hands-on labs.

Now before I show you the actual techniques, let's talk about why 403 bypasses even exist in the first place, because understanding this will help you think beyond the checklist of bypasses. Think about how most companies build their applications: they've got their front-end teams working in something like React or some kind of framework, then you have their backend teams handling APIs, and usually some kind of gateway or middleware handling authentication. With that, each layer thinks the other one's got security covered, and all these different layers create opportunities for mistakes. See, a lot of developers think access control is super simple: check if the user is logged in, look at their role, allow or deny the request. But in reality modern web apps are way more complex. You've got your microservices talking to each other, multiple authentication methods, legacy endpoints that nobody remembers, and then you have your APIs that are meant to be internal but somehow end up being exposed. This initial reconnaissance is very important, because a 403 on a Windows IIS server might need a completely different approach than one on nginx behind Cloudflare. This is why bug bounty hunters who understand architecture, and not just payloads, are the ones finding critical bugs that automated scanners are always missing.

So now that we understand why 403 bypasses exist, let me fire up my lab environment so I can show you these techniques in action. Okay, now let's look at a couple of examples. The first one we're going to take a look at here is when we hit /secret: it's going to come back and say "access denied for client IP: unknown IP". This is really important to look at, because the hint here is that it is an unknown IP and it's looking at where the request is coming from. The "where" here is really important. So what you want to do is see, one, why is it specifically looking at this, and what are the different ways we can bypass the check on the originating IP? Well, the most obvious answer is using a header like X-Forwarded-For and giving it a local IP like 127.0.0.1. Sometimes you can give the actual IP of the application, and sometimes you can see what the VPN IP address for that company is, put that in, then request the same URL, and you can see that we were able to bypass it. X-Forwarded-For is not the only header that you can use in this case; there's a bunch of them. I will link them down below in the pinned comment, where you have a bunch of different ones. The key here, though, is that you have to try all of these different headers. You can actually automate this, but you want to try these different headers and look for anomalies, to see if that actual error changes: does it give you a different error, does it give you some different hint that maybe that header is working?
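What the "access denied for client IP" check in the lab gets wrong, as an added example that is not from the video or its lab: a Python sketch of an allow-list that believes X-Forwarded-For as the client sent it, beside a version that only honours the header when the TCP peer is a known reverse proxy and reads the chain from the right. The proxy address, the "VPN" range and the client addresses are constructed values for the example.

```python
"""Added example (not from the video): an IP allow-list that trusts
X-Forwarded-For as sent, beside one that only honours it behind a known proxy."""
import ipaddress

# Constructed values: the app sits behind one reverse proxy, and only the
# loopback address and the company "VPN" range may reach /secret.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
ALLOWED_CLIENTS = (ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("10.8.0.0/16"))


def client_ip_naive(remote_addr: str, headers: dict) -> str:
    """Vulnerable: takes the first X-Forwarded-For entry, which the client wrote."""
    xff = headers.get("X-Forwarded-For", "")
    first = xff.split(",")[0].strip()
    return first or remote_addr


def client_ip_hardened(remote_addr: str, headers: dict) -> str:
    """Use X-Forwarded-For only when the TCP peer is one of our proxies, and
    read it from the right: the rightmost non-proxy entry was appended by a
    trusted hop, anything left of it is attacker-controlled text."""
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES:
        return remote_addr                      # direct connection: header is meaningless
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                               # malformed entry: stop trusting the chain
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return remote_addr                          # nothing usable: fall back to the peer


def is_allowed(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_CLIENTS)


def serve_secret(remote_addr: str, headers: dict, resolver) -> tuple:
    """Return (status, message), modelled on the lab's /secret response."""
    ip = resolver(remote_addr, headers)
    if is_allowed(ip):
        return 200, f"welcome, {ip}"
    return 403, f"Access denied for client IP: {ip}"


if __name__ == "__main__":
    # Constructed scenario: an outside address, via the proxy, sends a spoofed header;
    # the proxy appended the real peer address at the end of the chain.
    spoofed = {"X-Forwarded-For": "127.0.0.1, 203.0.113.7"}
    print(serve_secret("10.0.0.5", spoofed, client_ip_naive))     # (200, ...) bypass
    print(serve_secret("10.0.0.5", spoofed, client_ip_hardened))  # (403, ...)
```

The same defect applies to every other client-address header the pinned comment lists: any of them is plain text until a hop you control has overwritten or appended to it. On the detection side, a request whose forwarding header disagrees with the TCP peer, or that carries such a header on a connection that did not come from a proxy, is worth logging and alerting on.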
So you want to try all of them, see what comes back, and then based on that make a decision about what you're going to feed it next.

All right, sorry to interrupt the lab, one quick thing: if you love content like this and you want to learn bug bounty hunting directly from me, I have a course where I actually created an extensive module just on 403 bypasses, and I also have things like XSS bypasses, CSP bypasses, SSRF, all the good stuff with bug bounty hunting. If you want to get a discounted price right now, it is 50% off; all you have to do is use the code "403 bypass", it's right here on the screen, then go click on the link in the bio and sign up. But whether or not you want to sign up and buy my course, I'm still going to give you all my techniques in this video; you just also have the option to go and learn from me directly on our platform.

The next thing we want to try is doing some sort of path normalization. So let's just say that we want to access /secure/admin, where the 403 happens. There's a couple of things that you need to understand here, and that is how the web server is going to handle accessing that specific path. If you're not familiar with path normalization, I'll put a talk down below, but what we want to do is understand the different ways we can access admin within secure, and that doesn't always have to be just with a slash. It could be with a dot slash, "./", which still means the admin folder within secure, but instead we're accessing it by adding that current-folder path into our web server request. So what we're doing here is we're still asking for /secure/admin, but instead we're doing it as /secure/./admin, which bypasses any restriction that is just checking for a string like "secure/admin", because that's the path they're looking for, but now we have changed that path by adding our "./". By doing that, it is going to give us access, and you can see in this first lab we can get access to it.

The second way to do it is, let's just say we wanted to access /admin: we're in the web root, we want to access /admin, and our 403 happens here. The other option is using path normalization with a path traversal and seeing if we can access it with our curl command. So if I do something like /secure/../admin, you can see that we were able to access admin again. Path traversals and path normalization are sometimes key to finding some of the most beautiful vulnerabilities, especially when it comes down to looking at restrictions on 403s, but also when looking at API proxies, web proxies, and reverse proxies, which make it very, very interesting to get access to other stuff. So I just want to cover that, because this will be very handy in our upcoming labs. Those are two different ways you can bypass these, which are super simple but a lot of times are missed by a lot of bug bounty hunters. Also keep in mind, with what I just showed you, you want to do this in curl, because your browser is going to take that path, normalize it, and just access it directly. So if I take that and put it in my browser, the path is going to go back to normal; it's going to ignore that dot slash. So you want to make sure you do it in curl, or even better in Caido or whatever web proxy tool you're using.

Now let's just say that we're looking at a specific API endpoint. Sometimes you're going to get a forbidden on this user example; it could be an IDOR, it's probably not the best example, but let's just assume you're looking at an API endpoint specifically that comes back as forbidden. What I usually do is try to see where the 403 happens, at what level. It looks like it is at the users level: if I give it a user ID, it would probably give us our forbidden again. This isn't really a backend bypass or a trick, it's just a logical flow that I realized happens a lot of times, with legacy apps especially, and that is going after the API versioning. So what I usually do here is look whether a v1 exists; in this case v1 works, but also keep in mind that it may not be v1, it could be v.1, it could be v1.1, whatever different versions they may use. The secret here, or the key here, or the pro tip as you want to call it, is going into the web archives, looking at something like waybackurls or just the Internet Archive, dumping all of them and looking at that specific endpoint or the domain and seeing if other versions have been captured and cached within it. Go on GitHub maybe and see if you can find other versions of it, and take the exact request that you're sending to that legacy endpoint and see if it spits out anything else. Looking for legacy endpoints and old versions of APIs is really, really fun. It's a lot of manual work, and you can probably automate it, but honestly it's one of those things that I try a lot, especially on massive bug bounty programs that have a ton of APIs. So that's something to know; it's not really a trick, maybe it's just logical to look for it, but I know a lot of times people miss these.

And my absolute favorite trick is this one. For example, we're going to try and look at /hidden; you can probably see what the solution is on the other tab. What I like to do a lot of times when I find a specific endpoint, and this does wonders when it comes to looking for actuators and Jolokia and things like that, which are supposed to be hidden but are still there because they get a 403 at some different level, sometimes a WAF, it's just really cool to play with, and you can probably see on my face how excited it makes me, is to try and URL-encode the different parts. If we go to our curl right here and just copy this and try to access it, it's going to say 403 as expected. What we can do here is look at our references and find the different letters, and obviously one of the things we can always do is the leading slash: for example, if you change that into a %2F, it may work. Maybe we can do a double encoding, %252F; it looks like it is now giving us an error of 404, so maybe that doesn't work. The next thing you can try, and I always like to do this, is the last letter of whatever word it is that we're doing, so in this case the n. You start to actually learn a lot of these and memorize them the more you do it. You can copy this right here and replace the n with it and see if this works. Again, this may not work, so what you can do is go even a layer deeper and double encode the percent sign, which is %25. To see what that becomes double encoded, I'm actually going to use an LLM to ask; you can see that it becomes %2525, and that by itself is not encoded. So what we do is we go back, we double encode it as %256E, and we can see that this works.

Now I want you to think about everything we have talked about throughout this video. We've talked about path normalization, we've talked about path traversal, and then we're here looking at encoding specific parts of our request in order to get access to our hidden endpoints. A lot of times your answer may not be one or the other; it could be combining all three of these. Sometimes we may have to do a path traversal from one path to another and then also tack on URL encoding between those path traversals and on the actual endpoint that you're trying to access. So keep that in mind. If there's one thing that I want you to learn: I've noticed that 90% of my cool bugs that come out when I'm fuzzing specific API endpoints come from just combining all three of these and really, really learning how to leverage URL encoding and path traversals together.

Now here's something very funny, actually; this is out of a pentest not too long ago. Everything I've talked about throughout this video, I threw at this web server. I tried everything from path normalization to path traversal to encoding, decoding, whatever you want to call it; I tried it all and nothing worked.
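The path-normalization, traversal and encoding sections above all beat the same defect: a filter that compares the raw request string instead of the path the server will actually resolve. As an added example that is not from the video or its labs, here is a Python sketch of that naive filter beside a canonicalizing one that percent-decodes until the string is stable (with a bounded number of layers), collapses "./" and "../", optionally case-folds for hosts whose file system is case-insensitive, and only then compares against the protected prefixes. The protected paths and the decode limit are assumed values.

```python
"""Added example (not from the video): why a string-matching 403 filter is
bypassed by ./, ../ and percent-encoding, and a canonicalizing version."""
import posixpath
from urllib.parse import unquote

# Assumed values for the example: paths the ACL protects, and how many
# layers of percent-encoding we tolerate before refusing the request.
PROTECTED = ("/admin", "/secure/admin", "/hidden")
MAX_DECODE_ROUNDS = 3


class RequestRejected(Exception):
    """Raised for requests nested in more encoding layers than we allow."""


def naive_filter(raw_path: str) -> int:
    """Vulnerable: compares the bytes the client sent, so '/secure/./admin',
    '/secure/../admin', '/hidde%6E' and '/hidde%256E' all slip past."""
    if any(raw_path == p or raw_path.startswith(p + "/") for p in PROTECTED):
        return 403
    return 200


def canonicalize(raw_path: str, case_insensitive: bool = False) -> str:
    """Turn the request path into the form the router or file system will
    actually resolve: decode percent-escapes until stable (bounded), collapse
    '.' and '..' segments, and case-fold on case-insensitive hosts."""
    path = raw_path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break                           # stable: no more encoding layers
        path = decoded
    else:
        raise RequestRejected("too many percent-encoding layers")
    if not path.startswith("/"):
        path = "/" + path
    path = posixpath.normpath(path)         # '/secure/../admin' -> '/admin'
    path = "/" + path.lstrip("/")           # normpath keeps a leading '//'; collapse it
    if case_insensitive:
        path = path.lower()
    return path


def hardened_filter(raw_path: str, case_insensitive: bool = False) -> int:
    """Decide on the canonical path, never on the raw string."""
    try:
        path = canonicalize(raw_path, case_insensitive)
    except RequestRejected:
        return 400
    if any(path == p or path.startswith(p + "/") for p in PROTECTED):
        return 403
    return 200


if __name__ == "__main__":
    for probe in ("/admin", "/secure/./admin", "/secure/../admin",
                  "%2Fhidden", "/hidde%6E", "/hidde%256E", "/Admin"):
        print(f"{probe:18} naive={naive_filter(probe)} "
              f"hardened={hardened_filter(probe, case_insensitive=True)}")
```

The design point is that the component making the allow/deny decision must see exactly the path the component serving the request will use; when a gateway checks one form and a backend resolves another, the bypasses above are the result. Rejecting over-nested encoding outright, rather than decoding it forever, also keeps the check cheap and predictable.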
But the key here was to actually try something very easy, not complicating this, and realizing that I am hacking on a Windows server. With a Windows box, the paths are not case sensitive, versus a Linux box. So for example, on a Windows machine, if you type in admin with the D capitalized, it is still going to serve you the contents of admin as it is, but on a Linux machine, if everything is lowercase you have to keep that lowercase, and giving it an uppercase letter is going to look for a different path. So in this lab, this is what I did, but with just a small bit of a change, and that is by first trying the different paths, which didn't work, and realizing that I can actually bypass the string they're looking for, because in my case they were looking for this string specifically, and if I had anything before or after it, it would just completely demolish that filter. Doing something like this was what gave me access to the admin panel, and then I could do some other stuff. Which is kind of weird if you think about it: why do they create filters and protections that work in that sense instead of just not allowing people to access it, or just taking it offline? But that's beside the point of this video. That is actually something to check for, especially on machines where you know case sensitivity is not going to be a problem.

There you have it. That was everything that I could think of, at least for a short YouTube video, to give you some techniques on 403 bypasses. Let me know down in the comments: do you enjoy videos like this, do you want me to make more content like it? And do me a favor: we are almost at 150k nomies, so drop me a "nomies" comment if you're already subscribed, but if you haven't, do me a favor, do all the liking, do all the commenting, and make sure you hit that subscribe button, and I will see you all in next week's video. [Music] Peace.

But let's try to do something different: we're going to say path as is what the