Sensitive Data Exposure via 403 Forbidden Bypass

Sagar Sajeev
3 min read · Dec 11, 2021

Hello everyone! My name is Sagar Sajeev. I’m a high school student from India. This is my first writeup and I would like to share how I was able to access a sensitive file via a 403 forbidden page bypass.

How I found it

The story begins when I was using Google dorks to find domains to check for bugs. That was when a domain belonging to a well-reputed company caught my eye (let's call it redacted.com, as I'm not supposed to reveal its name).

I went straight on to enumerating subdomains and found an interesting one that I thought would be worth hunting on.

After reporting a low-hanging bug (which turned out to be a duplicate), I thought: why not look for something that could potentially cause sensitive data exposure?

I used DirBuster and dirsearch to brute-force directories and files that might contain sensitive information.

Brute-forcing directories is not recommended in general, as it creates a lot of unnecessary traffic and your IP may get blacklisted for a while. In my case, I had permission to do so.

I found one very interesting file which, when I tried to access it, returned a 403 Forbidden page.

How I bypassed it

I did what every bug hunter would do in such a case: I fired up Burp, intercepted the request and changed the request method from GET to TRACE, and BOOM, the 403 page was bypassed and I got the file to download.

I was like….

Tip: in such a case, try all the possible request methods (POST, HEAD, OPTIONS, TRACE, etc.).

If adding Content-Length: 0 successfully bypasses the 403, then try to exploit it with the following curl command:

curl -X POST -H "Content-Length: 0" https://www.redacted.com

You can also use automated tools like 403Bypass, but I prefer testing each variation manually, as automated tools have a high chance of false positives.
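To show the defender's side of this bug, here is an added example (not the author's code and not the affected site's) in Python: a local server whose 403 rule is attached only to the GET handler, beside the fixed build that applies the same rule to every verb, and the per-method probe from the tip above run against both. The path /backup.sql, the file contents and the port handling are constructed for the example.

```python
import threading
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer

PROTECTED = "/backup.sql"   # constructed path standing in for the sensitive file


def make_handler(enforce_all_methods):  # False -> the 403 guards GET only (the bug)
    class Handler(BaseHTTPRequestHandler):
        def _respond(self, status, body):
            self.send_response(status)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            if self.command != "HEAD":      # HEAD replies carry no body
                self.wfile.write(body)
        def _dispatch(self, guarded):
            if guarded and self.path == PROTECTED:
                self._respond(403, b"forbidden\n")
            else:                           # constructed file contents
                self._respond(200, b"-- dump --\n")
        def do_GET(self):
            self._dispatch(True)            # GET is always checked
        def _other(self):
            self._dispatch(enforce_all_methods)
        do_POST = do_HEAD = do_OPTIONS = do_TRACE = _other
        def log_message(self, *args):       # keep the run quiet
            pass
    return Handler


def probe(port, path=PROTECTED):
    """Send every verb to one path and map method -> status (the tip's check)."""
    results = {}
    for method in ("GET", "POST", "HEAD", "OPTIONS", "TRACE"):
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        conn.request(method, path, headers={"Content-Length": "0"})
        resp = conn.getresponse()
        resp.read()
        results[method] = resp.status
        conn.close()
    return results


def run_check(enforce_all_methods):
    """Start a local server, probe it and shut it down; returns {method: status}."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(enforce_all_methods))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe(server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()
```

With the per-method rule, GET returns 403 while POST, HEAD, OPTIONS and TRACE return 200 for the same path; with the uniform rule every verb returns 403, which is the check to repeat after any fix.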

Timeline

Submitted: 06 Dec 2021

Accepted: 07 Dec 2021

Resolved: 11 Dec 2021

Thanks for reading my writeup.

If I've made any mistakes above or you have any queries regarding the same, reach me here: Sagar Sajeev.

Happy Hunting!
