401 and 403 Bypass
- Using Space Symbols:
/admin -> 403
/admin%09 -> 200
/admin%20 -> 200
- Using Path Traversal:
/admin -> 403
..;/admin -> 200
- You can sometimes fuzz with traversal:
/..;/FUZZ/admin
- The TRACE HTTP request method performs a message loop-back test along the path to the target resource. It lets you see the exact message that was received by the final recipient, excluding any sensitive data such as cookies or credentials. Check with the TRACE method whether there is any custom HTTP header that can be exploited. For example, if there is an IP in a custom header, try changing it to 127.0.0.1.
- Check if the Host header has any impact on the permissions. Change it to localhost or 127.0.0.1.
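
The path variants listed above work when the access-control layer matches the raw URL while the backend decodes and normalizes it before routing. The following is an added example, not part of the original notes, showing the authorization decision made on a single canonical form of the path; the `/admin` prefix comes from the examples above, while the function names and the 400/403/200 policy are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed protected route, taken from the examples in these notes.
PROTECTED_PREFIXES = ("/admin",)


class RejectRequest(Exception):
    """The raw path contains something a strict front end should refuse."""


def canonical_path(raw_path: str) -> str:
    # Decode percent-escapes exactly once, as the backend will.
    path = unquote(raw_path)
    # Anything still percent-encoded was encoded twice to survive one decode.
    if re.search(r"%[0-9a-fA-F]{2}", path):
        raise RejectRequest("double-encoded path")
    # Tab, space and other control characters never belong in a route
    # (covers /admin%09 and /admin%20).
    if re.search(r"[\x00-\x20\x7f]", path):
        raise RejectRequest("whitespace or control character in path")
    # Drop ";param" path parameters per segment so "..;" is seen as "..".
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    path = "/" + "/".join(segments).lstrip("/")
    # Resolve "." and ".." and collapse duplicate or trailing slashes.
    return posixpath.normpath(path)


def authorize(raw_path: str, is_admin: bool) -> int:
    """Return the HTTP status the access-control layer should answer with."""
    try:
        path = canonical_path(raw_path)
    except RejectRequest:
        return 400
    protected = any(
        path == prefix or path.startswith(prefix + "/")
        for prefix in PROTECTED_PREFIXES
    )
    if protected and not is_admin:
        return 403
    return 200


if __name__ == "__main__":
    # Constructed sample requests mirroring the variants in these notes.
    for sample in ("/admin", "/admin%09", "/admin%20", "..;/admin", "/public"):
        print(f"{sample!r:14} -> {authorize(sample, is_admin=False)}")
```

The backend should route on the same canonical path that was authorized, otherwise the two layers can still disagree.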