Bypassing 403 Protection To Get Pagespeed Admin Access

Hello guys👋👋 ,Prajit here from the BUG XS Team, it’s been a long time since my last story, sorry for the delay was held back in exams and viva😅. So anyway, in this story I will talk about one of my finding “Bypassing 403 Restrictions and gaining access to Global Pagespeed Admin Panel”

So whenever you visit some restricted resource you generally get 403-Forbidden message.

But should you stop right here🤔? Obviously no😈, always try to break into these restrictions to get sensitive data or access to restricted resource.

How to Bypass 403 restrictions?

There are many headers and paths which you can use to bypass 403 restrictions.

1. Adding in URL Paths: Adding this in paths of the URL and the file which is forbidden
   /*
   /%2f/
   /./
   /
   /*/
2. Adding Headers in request :By adding different headers in request with value 127.0.0.1 can also help in bypassing restrictions.

X-Custom-IP-Authorization
X-Forwarded-For
X-Forward-For
X-Remote-IP
X-Originating-IP
X-Remote-Addr
X-Client-IP
X-Real-IP

Reference: https://github.com/yunemse48/403bypasser

3. Changing the request method type: Changing method from GET to POST , etc can also lead to bypass.

Reference: https://infosecwriteups.com/403-forbidden-bypass-leads-to-hall-of-fame-ff61ccd0a71e

So now this is a general concept and methodologies for bypassing 403, now let’s move forward to what I did in my case.

Steps I Did:

1)First I went to pagespeed admin panel location http://target.com/pagespeed_admin/ and found out it was 403-Forbidden.

Restricted Pagespeed Admin Panel

2)I used the above specified methods via a automated tool (which is basically a bash script for 403 bypass methods)

Link: https://github.com/iamj0ker/bypass-403

Found that in one case response code changed from 403 -> 200 , so I tested it manually in browser and it finally BYPASSED!!😈

3)Method was http://target.com//pagespeed_admin/ just adding single slash bypassed the 403 and got complete access to pagespeed admin.

BBypassed Pagespeed Admin Panel

This was taken as a P2-High Severity, but since their low reward ranges I was rewarded 200 Eur for it.

So this is all about this write-up, hope you liked it, if you found this informative, do not forget to clap👏 and do let me know if you have any doubts✌️. I am also planning a new series for a writeup which I will start soon, so stay tuned, and hit that follow button.

Thanks For Reading😊

Profile Links:

Twitter: https://twitter.com/SAPT01

LinkedIn: https://www.linkedin.com/in/prajit-sindhkar-3563b71a6/

Instagram: https://instagram.com/prajit_01?utm_medium=copy_link

BUG XS Official Website: https://www.bugxs.co/