Hello guys👋👋, Prajit here from the BUG XS Team. It’s been a long time since my last story; sorry for the delay, I was held back by exams and viva😅. Anyway, in this story I will talk about one of my findings: “Bypassing 403 Restrictions and gaining access to Global Pagespeed Admin Panel”.
So whenever you visit a restricted resource you generally get a 403 Forbidden message.
But should you stop right here🤔? Obviously not😈, always try to break through these restrictions to get sensitive data or access to the restricted resource.
There are many path variations, headers and method changes which you can use to try to bypass 403 restrictions.
1. Adding to URL paths: insert one of these into the path of the URL, before or after the forbidden file or directory:
- /*
- /%2f/
- /./
- /
- /*/
2. Adding headers to the request: adding one of the following headers with the value 127.0.0.1 can also help in bypassing restrictions, because some servers trust these headers as the client's source address:
- X-Custom-IP-Authorization
- X-Forwarded-For
- X-Forward-For
- X-Remote-IP
- X-Originating-IP
- X-Remote-Addr
- X-Client-IP
- X-Real-IP
Reference: https://github.com/yunemse48/403bypasser
3. Changing the request method: changing the method from GET to POST, etc. can also lead to a bypass.
Reference: https://infosecwriteups.com/403-forbidden-bypass-leads-to-hall-of-fame-ff61ccd0a71e
That was the general concept and methodology for bypassing 403; now let’s move on to what I did in my case.
1) First I went to the pagespeed admin panel location http://target.com/pagespeed_admin/ and found that it was 403 Forbidden.
2) I used the methods specified above via an automated tool (basically a bash script that tries the 403 bypass methods).
Link: https://github.com/iamj0ker/bypass-403
I found that in one case the response code changed from 403 -> 200, so I tested it manually in the browser and it finally BYPASSED!!😈
3) The working method was http://target.com//pagespeed_admin/: just adding a single extra slash bypassed the 403 and gave complete access to the pagespeed admin panel.
This was triaged as P2 (High severity), but because of their low reward ranges I was rewarded 200 EUR for it.
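To show why the extra slash worked and how a server should close this class of bug, here is an added example (my own code, not from this write-up or the bypass tools linked above): it canonicalizes the request path before the access decision, takes the client address from the connection rather than from spoofable headers unless the peer is a trusted proxy, and applies the same rule to every HTTP method. The protected path /pagespeed_admin, the addresses 192.0.2.10 and 10.0.0.2, and the header handling are assumptions made for the example.

```python
import posixpath
from typing import Mapping
from urllib.parse import unquote

# Constructed values for the example: the admin path the write-up targets,
# the source addresses allowed to reach it, and the proxies whose
# X-Forwarded-For header may be believed.
PROTECTED_PREFIXES = ("/pagespeed_admin",)
ADMIN_IPS = {"192.0.2.10"}
TRUSTED_PROXIES = {"10.0.0.2"}

def canonicalize(path: str) -> str:
    """Reduce a request path to one canonical form before any access decision.
    Handles the variants from the write-up: '//', '/./', '%2f' (also
    double-encoded), backslashes and '..' segments."""
    p = unquote(unquote(path))       # %2f -> '/', %252f -> %2f -> '/'
    p = p.replace("\\", "/")         # treat backslash as a separator too
    p = "/" + p.lstrip("/")          # collapse leading '//' (normpath keeps it)
    return posixpath.normpath(p)     # removes '/./', '//' and resolves '..'

def is_protected(canon_path: str) -> bool:
    return any(canon_path == pre or canon_path.startswith(pre + "/")
               for pre in PROTECTED_PREFIXES)

def client_ip(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Use the TCP peer address unless it is a trusted proxy; only then read
    the last X-Forwarded-For entry (the one that proxy appended). X-Real-IP,
    X-Remote-IP and friends sent by an untrusted peer are never consulted."""
    if remote_addr in TRUSTED_PROXIES:
        xff = headers.get("X-Forwarded-For", "")
        if xff:
            return xff.split(",")[-1].strip()
    return remote_addr

def is_allowed(path: str, remote_addr: str, headers: Mapping[str, str],
               method: str) -> bool:
    """Access decision on the canonical path and the real client address.
    The HTTP method is deliberately not consulted: GET, POST, HEAD and the
    rest all get the same answer for a protected path."""
    if not is_protected(canonicalize(path)):
        return True
    return client_ip(remote_addr, headers) in ADMIN_IPS

if __name__ == "__main__":
    for raw in ("/pagespeed_admin/", "//pagespeed_admin/", "/%2f/pagespeed_admin/",
                "/./pagespeed_admin/", "/static/../pagespeed_admin/stats"):
        print(f"{raw:35} -> {canonicalize(raw):25} allowed from 203.0.113.5: "
              f"{is_allowed(raw, '203.0.113.5', {}, 'GET')}")
```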
So that is all for this write-up. I hope you liked it; if you found it informative, do not forget to clap👏, and let me know if you have any doubts✌️. I am also planning a new write-up series which I will start soon, so stay tuned and hit that follow button.
Thanks For Reading😊
Profile Links:
Twitter: https://twitter.com/SAPT01
LinkedIn: https://www.linkedin.com/in/prajit-sindhkar-3563b71a6/
Instagram: https://instagram.com/prajit_01?utm_medium=copy_link
BUG XS Official Website: https://www.bugxs.co/