Bypass .htaccess Authentication Credentials

Inspired by wechall.net, I’ve decided to write this short tutorial to show you how to bypass a .htaccess password protection without knowing the username or password. This is not really a vulnerability; the trick relies on a bad configuration by the website administrator or sysadmin.

What a badly configured .htaccess password protection looks like:

AuthUserFile .htpasswd
AuthGroupFile /dev/null
AuthName "Authorization Required"
AuthType Basic
<Limit GET POST HEAD PUT DELETE CONNECT OPTIONS HTTP>
require valid-user
</Limit>

I’ve uploaded this script at http://howtofix.pro/tools/online/htbypass/index.php to help you test this trick. The protected file is index.php by default, so you have to request the URL with index.php at the end.

How to bypass .htaccess password protection

First of all, we need some tools: Mozilla Firefox and the Live HTTP Headers plugin for Mozilla Firefox.

Assuming you have downloaded and installed the tools listed above, launch the Live HTTP Headers plugin from Firefox. Once the plugin is running, tick “Capture” in the Live HTTP Headers window:

[Screenshot: live http headers bypass htaccess]

After that, access the link protected with the .htaccess password. In my case the link is: http://howtofix.pro/tools/online/htbypass/index.php

When you are prompted for a username and password, press “Cancel”.

Now Live HTTP Headers looks like this:

[Screenshot: http live headers helps to bypass htaccess passwords]

Now you have to (1) untick “Capture”, then (2) click on the link which you have accessed, and finally (3) click on the “Replay…” button.

The new window looks like:

[Screenshot: how to bypass .htaccess password protection]

Now we have to send the following kind of request via Live HTTP Replay:

[Screenshot: htaccess password hacked]

Now type HTTP in field (1) and then click the “Replay” button (2). After that you’re in: you have accessed the index.php file, which was protected by a .htaccess password.

How to fix .htaccess bad configuration?

A simple, sound configuration for beginners looks like this:

AuthType Basic
AuthName "restricted area"
AuthUserFile /htpassws_full_directory/.htpasswd
require valid-user

If you want to restrict only certain kinds of requests, you should read more on Google, because it’s easy 🙂
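
A configuration check for the mistake described in this tutorial, as an added example that is not part of the original post: it flags any require directive enclosed in a <Limit> block, because Apache applies such a directive only to the methods the block names. The function name audit_htaccess and the KNOWN_METHODS list are assumptions made for this illustration.

```python
import re

# Assumed list of commonly handled methods, used only to illustrate the gap.
KNOWN_METHODS = set("GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH".split())
LIMIT_OPEN = re.compile(r"^<Limit\s+([^>]*)>$", re.IGNORECASE)
LIMIT_CLOSE = re.compile(r"^</Limit>$", re.IGNORECASE)
REQUIRE = re.compile(r"^require\s+", re.IGNORECASE)


def audit_htaccess(text):
    """Return one finding per <Limit> block that encloses a Require directive."""
    findings = []
    block = None  # the <Limit> block currently being read, if any
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = LIMIT_OPEN.match(line)
        if opened:
            # Method names are case-sensitive, so keep them as written.
            block = {"line": lineno, "require": False, "methods": set(opened.group(1).split())}
        elif LIMIT_CLOSE.match(line) and block is not None:
            if block["require"]:
                covered = set(block["methods"])
                if "GET" in covered:
                    covered.add("HEAD")  # Apache restricts HEAD along with GET
                findings.append({
                    "line": block["line"],
                    "listed": sorted(block["methods"]),
                    "uncovered_known": sorted(KNOWN_METHODS - covered),
                })
            block = None
        elif block is not None and REQUIRE.match(line):
            block["require"] = True
    return findings


# Constructed input: the bad configuration shown at the top of this tutorial.
BAD = """AuthUserFile .htpasswd
AuthGroupFile /dev/null
AuthName "Authorization Required"
AuthType Basic
<Limit GET POST HEAD PUT DELETE CONNECT OPTIONS HTTP>
require valid-user
</Limit>
"""

if __name__ == "__main__":
    print(audit_htaccess(BAD))
```

An empty result means no require directive is scoped by a <Limit> block; the fixed configuration above, with require valid-user at the top level, produces no findings.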

Conclusion:

You’ve just bypassed a .htaccess password protected file.

Feel free to practice on my own link: http://howtofix.pro/tools/online/htbypass/index.php

PS: This tutorial should be only used to test protection of your OWN site/server. I do not take any responsibility for the way you’re using this information. You’re the only one who is responsible for the way of using this tutorial!

Later edit: There is another working version of the Live HTTP Headers module on the Mozilla add-ons page.

Inspiration? -> wechall :))

11 Comments on "Bypass .htaccess Authentication Credentials"

  1. hacky says:

    Thank You ..
    Very nice tutorial …
    Working well … 🙂

  2. notme says:

    It isn’t working: when I click ‘CANCEL’, Live HTTP Headers clears the logs and nothing appears there…
    I don’t know what’s the problem, I’m on the latest version of Firefox.
    Hope you’ll help me,

    • admin says:

      I think it’s because you haven’t followed the steps in the right order. First launch Live HTTP Headers >> Tick “Capture” >> Then access vulnerable page >> Click on “target” site >> Replay….

      Please check all screenshots with more attention 🙂

  3. bittu says:

    Everything goes well, but at the last step, where we have to replay after changing to HTTP, it isn’t responding at all, meaning nothing happens.

  4. martin says:

    Not working … waiting for a new way to bypass htaccess

  5. danman says:

    Nice, it works for everyone but me. I can’t browse anywhere when Live HTTP Headers is active, can’t make the window smaller, shit plugin!

  6. hi says:

    It is worth noting that when you change GET to HTTP you could have that HTTP be HI, LEET, or really anything.

    • admin says:

      You are right and not! Please note that method “LEET” or something else is illegal. Some web servers will filter all methods and won’t serve an illegal request. On the other hand, PUT, DELETE or whatever are legal and will be served by the server 🙂
