Bypassing 403 Forbidden Errors

The 403 Forbidden HTTP status code indicates that the client was able to communicate with the server, but the server won't let the client access what was requested. In the most general case, the resource the client tried to access might be forbidden using a path based Access Control List. In this video, Dedalo from http://seguridadblanca.org shows us an interesting way to bypass a 403 error. The main idea is to fool the access controller into believing that a different resource was requested, by using "./" in the path of the request. A detailed explanation of why this works is available here.

Thanks go out to Dedalo (camilo.galdos [] security-expert [] se) for submitting this video to us.

We hate these ADs as much as you do! Help us stay FREE and CLEAN by making a Generous Donation!

Vivek Ramachandran is a security evangelist and has been working in computer security related fields for the past 7 years. In 2007, Vivek spoke at world renowned conferences Defcon (WEP Cloaking Exposed) and Toorcon (The Caffe Latte Attack). The discovery of the Caffe Latte Attack was covered by CBS5 news, BBC online, Network World etc news agencies.In 2006, Vivek was announced as one of winners of the Microsoft Security Shootout contest held in India among 65,000 participants. He has also been a recipient of a Team Achievement at Cisco Systems for his work on 802.1x and Port Security modules on the Catalyst 6500 switches. Currently he spends all of his time maintaining Security- Freak.Net , SecurityTube.Net and is the co-founder of Axonize. Vivek, is a Bachelor in Electronics and Communications Engineering from the prestigious Indian Institute of Technology, Guwahati.You can contact him at vivek[at]securitytube.net