How we, @vidocsecurity, bypass 401 and 403 - practical tips for fellow #bugbounty hunters <thread>
Try fuzzing the HTTP method and User-Agent header; you would be surprised how often simply changing the User-Agent to e.g. a mobile-specific client worked.
Play with Forwarded/Referer-type headers and their values. Try different variants, and fuzz common custom headers that follow the same pattern with different formats of localhost/custom IP addresses.
Try path fuzzing with creative string literals, and try downgrading the HTTP version.
Try to learn as much as you can about the target technology. Good recon is key; there are some technology-specific hacks, e.g. Spring in some older versions has a specific quirk related to useSuffixPatternMatch. If set to true (the default), /admin would also match /admin[.].*
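As an added illustration (not from the thread, and not Spring's own code), a minimal Python model of that Spring behaviour seen from the defender's side: a router with suffix matching enabled sends /admin.json to the /admin handler, while an authorization guard that compares the literal path never fires. The check is to make the guard use the same matcher as the router; in real Spring the mitigation is `PathMatchConfigurer.setUseSuffixPatternMatch(false)`. Route patterns and request paths below are constructed.

```python
import re

# Constructed sample routes; "/admin" is the one the guard must protect.
ROUTES = ("/admin", "/public")
PROTECTED = {"/admin"}


def route_matches(pattern: str, path: str, suffix_match: bool) -> bool:
    """Match a route pattern against a request path.

    With suffix_match=True the pattern also matches '<pattern>.<anything>'
    (no further slash), mimicking useSuffixPatternMatch=true in older
    Spring versions. With it off, only the exact path matches.
    """
    if suffix_match:
        return re.fullmatch(re.escape(pattern) + r"(\.[^/]*)?", path) is not None
    return path == pattern


def dispatch(path: str, suffix_match: bool, guard_uses_router_matcher: bool):
    """Return (handler_pattern_or_None, guard_fired).

    guard_uses_router_matcher=False models a naive filter that compares the
    raw path against PROTECTED; True models the hardened guard that reuses
    the router's matcher, so every path routed to a protected handler is
    also seen as protected.
    """
    if guard_uses_router_matcher:
        guard_fired = any(route_matches(p, path, suffix_match) for p in PROTECTED)
    else:
        guard_fired = path in PROTECTED
    for pattern in ROUTES:
        if route_matches(pattern, path, suffix_match):
            return pattern, guard_fired
    return None, guard_fired


def audit(path: str) -> dict:
    """Compare the three configurations for one path; handy in a unit test
    that should fail whenever a protected handler runs without the guard."""
    return {
        "suffix_on_naive_guard": dispatch(path, True, False),
        "suffix_on_router_guard": dispatch(path, True, True),
        "suffix_off_naive_guard": dispatch(path, False, False),
    }


if __name__ == "__main__":
    for p in ("/admin", "/admin.json", "/admin/x"):
        print(p, audit(p))
```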
When nothing works, try less common techniques such as exploiting hop-by-hop headers. This is my favorite method, and I will write a separate thread about it. More about this technique can be found in our article: vidocsecurity.com/blog/401-and-4…