403 bypass on Microsoft Subdomain 

Hi
I have been working on the HTTP protocol for some time. After checking and researching, I found out that version 1.0 of the HTTP protocol can be used to bypass 403.
I’ve always had a problem with people who write write-ups. They add so many explanations that one gets tired of reading them, so I’m going straight to explaining the vulnerability 🙂

I started fuzzing the lyncdiscover.microsoft.com domain and found a couple of files that returned 403 Forbidden.

403 bypass
After checking, I came to the conclusion that when I clear all the header values, the server reacts to Host.
I had already done research on the HTTP protocol, so I used the same research here and changed the HTTP protocol version to 1.0.
I did not set any value in the header.
Tip:
When we do not put Host in the header and the server, or any other security mechanism, is not configured in the right way, the server puts the destination address itself in the header, and this makes us be treated as local.
403 bypass
I tried another file with the same method and it was bypassed again.


403 bypass
403 Forbidden “Reach/Sip.svc?wsdl”
200 successfully “Reach/Sip.svc?wsdl”

I want to add one more point to this write-up…
You can also use this method to bypass a CDN and obtain server IPs.
I will show you one.

Location Header Response

Well, as you can see, the Location header in the response shows us the address of the domain itself.
We use the same method again and send the request; this time it shows us the main address of the server.

Location Response
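
The two behaviours described above (a missing Host being replaced by the server's own address, which is then treated as local, and Location echoing that address) can be modelled next to a corrected policy. This is an added example, not code from the original write-up or from Microsoft; the handler, the host name, the origin address and the access rule are simplified assumptions.

```python
# Added example: simplified model, all names and values are constructed.
CANONICAL_HOST = "www.example.test"   # assumed public site name
ORIGIN_ADDR = "10.0.0.5"              # assumed origin address behind the CDN
PROTECTED = {"/Reach/Sip.svc"}        # path taken from the write-up

def parse_request(raw):
    """Parse a raw request head into (target, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    _method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, version, headers

def handle(raw, hardened):
    """Return (status, location) under the weak or the hardened policy."""
    target, _version, headers = parse_request(raw)
    path = target.split("?", 1)[0]
    host = headers.get("host", "")
    if not host:
        if hardened:
            return 400, None      # never guess a host, whatever the HTTP version
        host = ORIGIN_ADDR        # weak: fall back to the server's own address
    if path in PROTECTED:
        # Weak rule trusts a host equal to the origin address as "local".
        # Hardened rule never derives trust from the host value.
        if not hardened and host == ORIGIN_ADDR:
            return 200, None
        return 403, None
    # Redirect: the hardened policy builds Location from configuration only.
    authority = CANONICAL_HOST if hardened else host
    return 301, f"https://{authority}{path}/"

# Constructed sample requests
WITH_HOST = b"GET /Reach/Sip.svc?wsdl HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
NO_HOST = b"GET /Reach/Sip.svc?wsdl HTTP/1.0\r\n\r\n"
REDIRECT_NO_HOST = b"GET /docs HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("with Host", WITH_HOST), ("no Host", NO_HOST),
                      ("redirect, no Host", REDIRECT_NO_HOST)]:
        print(name, "weak:", handle(raw, False), "hardened:", handle(raw, True))
```

The hardened branch rejects a request without Host before any access rule runs and never places a request-derived or socket-derived address in Location.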

I hope this writeup was useful for you.

Best Regards,
Abbas Heybati.

https://twitter.com/abbas_heybati
https://www.linkedin.com/in/abbas-heybati-76432220b
