In this article, we explore a scenario where a client initially required a black box penetration test of over a hundred different web applications that were supposed to be accessible only from internal IP addresses and should therefore return a 403 Forbidden error to external requests. Once it was confirmed that these pages were indeed returning the correct 403 error, it was then necessary to test for 403 bypass vulnerabilities.
What is a 403 Error?
A 403 error is a response status code that indicates that the server understands the client’s request but refuses to fulfil it. The most common cause of a 403 error is that the user does not have sufficient permissions to access the requested resource. This error can also occur if the server has been configured to restrict access to a particular resource or if the resource has been removed or moved to a different location.
How to perform a 403 Bypass?
This bypass can be achieved in several ways, for example manipulating HTTP headers, exploiting vulnerabilities in the server software, or using brute force attacks to guess valid authentication credentials. It’s important to note that attempting to bypass a 403 error without proper authorisation is illegal and can result in serious consequences.
The Client’s Brief
Recently, Aardwolf Security were approached by a client who required a penetration test of over a hundred different web applications. These applications were only supposed to be accessible from internal IP addresses, and therefore, they should have provided a 403 forbidden error when accessed from external IP addresses. The client wanted to ensure that these applications were secure and that no unauthorised access could be gained through these applications.
Once the Aardwolf Security team confirmed that these pages were indeed returning the correct 403 error, they then had to test whether the 403 could be bypassed. However, publicly available tools on GitHub only allowed individual URLs to be assessed. It was not practical to test each URL individually, as there were over a hundred different web applications to test. Therefore, the Aardwolf Security team had to create a tool that would let a user input a list of URLs, each of which would then be tested using well-known 403 bypass methods.
Creating a 403 Bypass Tool
To solve the problem of testing over a hundred different web applications for 403 bypass vulnerabilities, Aardwolf Security created a new tool that lets a user input a list of URLs. The tool then tests each URL using well-known 403 bypass methods. It was designed to be user-friendly and to ensure many URLs could be assessed consecutively.
The tool created by Aardwolf Security was able to identify several vulnerabilities in the client’s web applications, including a bypass of one of the client URLs that allowed for sensitive data to be accessed. The vulnerabilities were reported to the client, who was able to take the necessary steps to address them and improve their security posture.
The tool can be found on our GitHub repository here: https://github.com/aardwolfsecurityltd/bulk_403_bypass
To run the tool use:
bash 403_bypass.sh [input file]
If you want to reduce verbose output to only include 200 responses use the following:
bash 403_bypass.sh [input file] | grep 200
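From the defender's side, the same exposure can be looked for in web server access logs: any 2xx response served to a non-internal client on one of these applications is a finding, and a run of 403s before it suggests the restriction was probed first. The following is an added example, not part of the Aardwolf tool or the original article; it assumes Combined Log Format, RFC 1918 and loopback ranges as "internal", and uses constructed log lines.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: "internal" means RFC 1918 + loopback; replace with the real internal ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Combined Log Format: client identity user [time] "method target proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')
# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
10.1.4.20 - - [02/May/2023:09:00:01 +0000] "GET /admin/ HTTP/1.1" 200 5120
203.0.113.7 - - [02/May/2023:09:01:10 +0000] "GET /admin/ HTTP/1.1" 403 153
203.0.113.7 - - [02/May/2023:09:01:11 +0000] "GET /admin/ HTTP/1.1" 403 153
203.0.113.7 - - [02/May/2023:09:01:12 +0000] "GET /admin/ HTTP/1.1" 200 5120
198.51.100.9 - - [02/May/2023:09:02:00 +0000] "GET /admin/ HTTP/1.1" 403 200
garbage line that does not parse
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError if not an IP address
    return any(addr in net for net in INTERNAL_NETS)

def find_external_successes(log_text):
    """Return one finding per 2xx served to an external client, with its prior 403 count."""
    denied = defaultdict(int)  # external client -> 403 responses seen so far
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        try:
            if is_internal(m["ip"]):
                continue  # internal clients are allowed to get a 200
        except ValueError:
            continue  # client field is a hostname or junk
        status = int(m["status"])  # the status field only; a body size of 200 is not a hit
        if status == 403:
            denied[m["ip"]] += 1
        elif 200 <= status < 300:
            findings.append({"client": m["ip"], "target": m["target"],
                             "status": status, "prior_403s": denied[m["ip"]]})
    return findings

if __name__ == "__main__":
    for finding in find_external_successes(SAMPLE_LOG):
        print(finding)
```

If the applications sit behind a reverse proxy, run this against the log that records the original client address, otherwise every request will appear internal.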
In this scenario, Aardwolf Security was able to create a tool that allowed for the efficient testing of over a hundred different web applications for 403 bypass vulnerabilities. By identifying these vulnerabilities, the client was able to take the necessary steps to improve their security posture and protect their sensitive data.