W-HEADER-AUTH-BYPASSPrivilege Escalation

X-Original-URL / X-Rewrite-URL Bypass

Reverse proxy enforces ACL on the URL; backend rewrites via the header — bypass ACL on /admin.

§ Where this technique fits

W-HEADER-AUTH-BYPASS is catalogued under the Privilege Escalation tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 4 on average.

§ Dossiers chaining this technique

HTTP request smuggling (CL.TE) → admin panel bypass
Frontend uses Content-Length, backend uses Transfer-Encoding. Smuggle a request whose path bypasses the frontend's authentication checks.
step 4 / 6

§ What commonly comes next

01
Broken Function Level Authorization (API BFLA)
W-BFLA · Privilege Escalation
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

HTTP request smuggling (CL.TE) → admin panel bypass

§ What commonly comes next