> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/authentication-bypass/http-headers/trick-0254.md).

# Authentication Bypass Via Custom HTTP Header

***

Intercept HTTP requests using a proxy (like Burp Suite). Look for custom headers that the application might use for access control or authentication logic, possibly hinted at in responses or application behavior. Identify a header potentially controlling access, such as `is_member`. Modify the header's value to meet the application's expected condition (e.g., change `is_member: false` to `is_member: true`) and forward the request to bypass restrictions.

To achieve this using a proxy tool, you can configure rules to automatically add or modify headers in requests. For instance, within the proxy's settings, you might define a match/replace rule or use a feature designed for adding static headers. A configuration might look something like this for adding a specific header:

```
Match:
  Type: Request header
  Match relationship: Is present
  Match condition: is_member
Replace:
  Type: Replace header value
  Replace condition: is_member
  Replace with: true
  Comment: Bypass membership check
```

Alternatively, if the header is missing entirely and needs to be added, a rule could be configured to insert it:

```
Match:
  Type: Request header
  Match relationship: Is missing
  Match condition: is_member
Replace:
  Type: Add header
  Replace condition: is_member
  Replace with: true
  Comment: Add missing membership header for bypass
```

These configurations instruct the proxy to inspect outgoing requests and automatically apply the specified changes to the `is_member` header, facilitating the bypass technique.

Using Burp Suite, these match and replace rules are configured in the Proxy tab, under the Options sub-tab. You can define rules that operate on different parts of the HTTP message, including request headers.

For example, to replace the value of an existing header, you would set up a rule like this:

```
Section: Request header
Type: Replace
Match: ^is_member: false$
Replace: is_member: true
```

This rule specifically targets the `is_member` header when its value is exactly `false` and replaces the entire header line with `is_member: true`. The `^` and `$` are regular expression anchors ensuring the entire line matches.

If you wanted to add a header that doesn't exist, the rule type would be 'Add', and you would specify the header name and value to insert.

```
Section: Request header
Type: Add
Match: ^$
Replace: is_member: true
```

In this simplified example, `Match: ^$` might represent a condition that is always true or applied broadly, while `Replace: is_member: true` defines the header to be added. More specific matching conditions can be used to apply the header only to certain requests.

Another way to use match and replace is to remove a header entirely. This might be useful if a header is preventing access or triggering unwanted behavior.

```
Section: Request header
Type: Remove
Match: ^X-Restrict-Access: .*$
Replace:
```

This rule would remove any header line starting with `X-Restrict-Access:` .

These match and replace rules in a proxy provide a powerful way to automatically modify HTTP requests based on predefined criteria, which is essential for testing and bypassing access controls that rely on specific header values or the presence/absence of certain headers.
