By klaudia
The "401&403 bypass - path fuzzing" module is designed to detect misconfigurations and vulnerabilities related to path-based access controls in web servers. It targets web servers and aims to identify potential bypasses for HTTP status codes 401 (Unauthorized) and 403 (Forbidden). This module can help identify security weaknesses that could allow unauthorized access to restricted resources.
This module is of moderate severity as it can potentially expose sensitive information or allow unauthorized access to protected resources.
A successful bypass found by the "401&403 bypass - path fuzzing" module means that access controls can be circumvented and unauthorized users can reach restricted resources. This can lead to the exposure of sensitive information or unauthorized actions within the system.
The "401&403 bypass - path fuzzing" module works by sending HTTP requests with various path fuzzing payloads to the target web server. It then checks the server's response to determine if any of the specified HTTP status codes (200, 500, 400, 302, 301, 204) are returned. If a matching status code is detected, it indicates a potential bypass of the access controls.
Here is an example of an HTTP request used by the module:
GET /{%path_fuzzing%}{%BasePath%} HTTP/1.1
Host: {%Hostname%}
User-Agent: {%RandomUserAgent%}
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
The module uses various path fuzzing payloads, such as "%2e%2e" (URL-encoded "..") and "%3b" (URL-encoded ";"), to test for potential bypasses. These payloads are inserted into the request path to manipulate the server's behavior and potentially bypass access controls.
The module's matching condition checks for specific HTTP status codes (200, 500, 400, 302, 301, 204) to determine if a bypass has occurred. If any of these status codes are returned, it indicates a potential vulnerability in the web server's access controls.
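From the defender's side, the same payloads and status codes can be used to review access logs. The following is an added example, not part of the Vidoc module: it canonicalizes each logged path and flags requests whose raw path misses a literal prefix rule while the canonical path is protected. The `/admin` prefix, the log format and the sample lines are constructed assumptions, and the handling of double-encoded input goes slightly beyond the two payloads named above.

```python
import posixpath
from urllib.parse import unquote

# Status codes the module treats as a match (taken from the page).
MATCH_STATUSES = {200, 500, 400, 302, 301, 204}
# Assumption: prefixes the access-control rule is meant to protect.
PROTECTED_PREFIXES = ("/admin",)

def canonical_path(raw_path: str) -> str:
    """Decode, drop ';' path parameters, and resolve dot segments."""
    path = raw_path.split("?", 1)[0]
    # Decode repeatedly so double-encoded input (%252e) is flattened too.
    for _ in range(5):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Strip ";param" suffixes from every segment.
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    # normpath collapses empty and "." segments and resolves "..".
    return posixpath.normpath("/" + "/".join(segments).lstrip("/"))

def is_protected(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)

def find_bypass_candidates(log_lines):
    """Return (raw_path, canonical_path, status) for requests to review."""
    hits = []
    for line in log_lines:
        _method, raw_path, status = line.split()
        canon = canonical_path(raw_path)
        # The raw path slipped past a literal prefix rule; the canonical one did not.
        slipped = is_protected(canon) and not is_protected(raw_path)
        if slipped and int(status) in MATCH_STATUSES:
            hits.append((raw_path, canon, int(status)))
    return hits

# Constructed sample log in the form "METHOD PATH STATUS".
SAMPLE_LOG = [
    "GET /admin 403",
    "GET /%2e%2e/admin 200",
    "GET /%3b/admin 302",
    "GET /%2e%2e/admin 403",
    "GET /index.html 200",
]

if __name__ == "__main__":
    for hit in find_bypass_candidates(SAMPLE_LOG):
        print(hit)
```

Servers and proxies differ in how they normalize paths, so a flagged line is a candidate to verify against the actual access-control configuration rather than proof of a bypass.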