
How I bypassed a 403 Forbidden domain using a simple trick

Hello hunters,

This is Syed Jan Muhammad Zaidi, an independent security researcher and a full time Penetration Tester.

Today I’ll be demonstrating how I bypassed a 403 Forbidden domain using a simple trick.

Let’s dive into it!

What is 403 Forbidden?

HTTP 403 is the status code meaning access to the requested resource is forbidden. The server understood the request but refuses to authorize it, and unlike a 401, authenticating will not change that. A 403 on an entire host usually means an access rule sits in front of it (an IP allow-list, a WAF or CDN rule, or a front-end configuration), which is exactly why it is worth asking where that rule is enforced.

While hunting on a private invite (for confidentiality, let’s call it redacted.com), I started my reconnaissance phase by listing all the endpoints and subdomains of the target domain. I used subfinder to find redacted.com subdomains and piped the results through httpx to get a status code for each:


$ subfinder -d redacted.com -silent | httpx -sc


As expected, I got tons of subdomains along with their status codes, but one subdomain (subdomain.redacted.com) caught my attention because it returned 403 Forbidden, and I straight away knew: “Hmmm… something there is confidential!”


Intending to bypass the 403, I tried multiple open-source GitHub tools, including bypass-403 and bypxx, but had no luck.

Here an idea clicked: why not try accessing the subdomain via its CNAME? If the 403 is attached to the public hostname rather than to the server behind it, the CNAME target may serve the same content without the restriction.

I straight away ran dig to look up the record:

$ dig subdomain.redacted.com CNAME +short

And luckily it was accessible via the CNAME target. I was able to bypass their restriction! In practice this means the 403 was enforced only on the fronting hostname (the kind of rule a CDN, WAF or front-end config applies per host) while the host the CNAME pointed at answered directly. The durable fix is to enforce the control at the origin as well, for example by rejecting requests that do not arrive through the intended front, rather than relying on the public name alone.
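The steps above (find the 403 hosts in the httpx output, follow the CNAME chain, request each CNAME target directly, both by its own name and with the original hostname in the Host header) can be scripted. The block below is an added example and not the author’s own tooling; the hostnames edge.redacted-cdn.example, origin-lb.hosting.example and the address 203.0.113.10, as well as the sample httpx and dig output, are constructed for illustration. It runs offline on those samples; run_dig and fetch_status are the live equivalents.

```python
"""Re-check a 403 host through its CNAME chain (added example, not from the post)."""
import re
import subprocess
import urllib.error
import urllib.request

# Constructed sample of `subfinder -d redacted.com -silent | httpx -sc` output.
SAMPLE_HTTPX = """\
https://www.redacted.com [200]
https://api.redacted.com [401]
https://subdomain.redacted.com [403]
https://dev.redacted.com [403]
"""

# Constructed sample of `dig +noall +answer subdomain.redacted.com` output:
# a two-hop CNAME chain ending at an A record (hypothetical names).
SAMPLE_DIG = """\
subdomain.redacted.com.      300 IN CNAME edge.redacted-cdn.example.
edge.redacted-cdn.example.    60 IN CNAME origin-lb.hosting.example.
origin-lb.hosting.example.    60 IN A     203.0.113.10
"""


def forbidden_hosts(httpx_output):
    """Hostnames that httpx -sc reported with a 403 status."""
    hosts = []
    for line in httpx_output.splitlines():
        m = re.match(r"(\S+)\s+\[(\d{3})\]", line)
        if m and m.group(2) == "403":
            hosts.append(m.group(1).split("://", 1)[-1].rstrip("/"))
    return hosts


def cname_chain(dig_answer):
    """Ordered CNAME targets from dig answer lines, trailing dots removed."""
    chain = []
    for line in dig_answer.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[3] == "CNAME":
            chain.append(parts[4].rstrip("."))
    return chain


def probe_plan(forbidden_host, chain, scheme="https"):
    """Requests worth sending: each CNAME target by its own name, then again with
    the forbidden hostname in the Host header. A non-403 on either form shows the
    block is tied to the public hostname, not enforced by the serving host."""
    plan = []
    for target in chain:
        plan.append({"url": f"{scheme}://{target}/", "host": None})
        plan.append({"url": f"{scheme}://{target}/", "host": forbidden_host})
    return plan


def run_dig(name):
    """Live lookup, used only when probing a real target."""
    out = subprocess.run(["dig", "+noall", "+answer", name],
                         capture_output=True, text=True, check=True)
    return out.stdout


def fetch_status(url, host_header=None, timeout=10):
    """HTTP status for one probe; HTTPError codes (403, 404, ...) are results.
    Over HTTPS the TLS SNI and certificate follow the URL host, so the
    Host-header variant may fail the certificate check; try http first if offered."""
    req = urllib.request.Request(url, method="GET")
    if host_header:
        req.add_header("Host", host_header)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Offline walk-through on the constructed samples. For a real target, replace
    # SAMPLE_DIG with run_dig(host) and call fetch_status(p["url"], p["host"]).
    host = forbidden_hosts(SAMPLE_HTTPX)[0]
    for p in probe_plan(host, cname_chain(SAMPLE_DIG)):
        print(host, "->", p["url"], "Host:", p["host"] or "(target name)")
```

Compare the status of each probe with the original 403: a 200 on the bare target means the restriction lives entirely on the public name; a 200 only with the Host header set means the origin serves by virtual host but still does not enforce the rule itself.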

I quickly compiled the report and submitted the issue. They were prompt enough to fix the issue in a week.

The tip was also acknowledged and applauded by Intigriti, Europe’s largest bug bounty platform.


This was it! :)

Hit me up below

Twitter: https://twitter.com/hasanakajan

LinkedIn: https://www.linkedin.com/in/syed-jan-muhammad-zaidi-23a59015b/