bypass403 is a command-line tool for exploring HTTP access-control bypasses, request-shaping differences, and parser inconsistencies around 401, 403, and related responses.
It is built for practical web security work: bug bounty, penetration testing, security reviews, and regression testing of access-control rules. The tool automates a broad set of request mutations, captures a baseline, filters common false positives, and highlights the responses most likely to represent a meaningful bypass.
Given a target URL, bypass403:
- Sends a baseline request to capture the blocked response.
- Runs a set of bypass techniques that mutate the request path, method, headers, or wire format.
- Scores and groups the results to reduce noise.
- Optionally chains into SQLi and XSS payloads when a bypassed endpoint is found.
- Saves replayable results to an output file when requested.
This tool does not break authentication by itself. It helps find differences between how frontends, proxies, WAFs, CDNs, application routers, and backends interpret the same request.
- Baseline-driven comparison against the blocked response
- Path, method, header, host, and protocol mutation coverage
- Optional SQLi payload testing
- Optional XSS payload testing
- Auto-chaining into follow-up testing on bypassed endpoints
- Concurrent execution with per-target request handling
- Proxy support for Burp or other intercepting proxies
- Custom header and cookie injection
- Output file export for later review
git clone https://github.com/0nsec/bypass403
cd bypass403
go buildgo install github.com/0nsec/bypass403@latest- Go 1.26.2 or later to build from source
- Network access to the target you want to test
Basic scan:
./bypass403 https://target.tld/admin/Use a proxy and verbose output:
./bypass403 -proxy http://127.0.0.1:8080 -v https://target.tld/admin/Enable SQLi and XSS testing with auto-chaining:
./bypass403 -all https://target.tld/admin/Run only selected follow-up modules:
./bypass403 -sqli -xss -chain https://target.tld/admin/Add custom headers:
./bypass403 -H 'Authorization: Bearer tok' -H 'X-Forwarded-For: 127.0.0.1' https://target.tld/admin/Write results to a file:
./bypass403 -o results.txt https://target.tld/admin/Demo target: https://httpbin.org/status/403
██████╗ ██╗ ██╗██████╗ █████╗ ███████╗███████╗ ██╗ ██╗ ██████╗ ██████╗
██╔══██╗╚██╗ ██╔╝██╔══██╗██╔══██╗██╔════╝██╔════╝ ██║ ██║██╔═████╗╚════██╗
██████╔╝ ╚████╔╝ ██████╔╝███████║███████╗███████╗ ███████║██║██╔██║ █████╔╝
██╔══██╗ ╚██╔╝ ██╔═══╝ ██╔══██║╚════██║╚════██║ ╚════██║████╔╝██║ ╚═══██╗
██████╔╝ ██║ ██║ ██║ ██║███████║███████║ ██║╚██████╔╝██████╔╝
╚═════╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝╚══════╝╚══════╝ ╚═╝ ╚═════╝ ╚═════╝
[ 403 Forbidden Bypass Tool v1.0 ]
Advanced WAF/CDN/Access Control Bypass Engine
Baseline diffing • Auto-chain • 500+ payloads
0nsec , Nuknov , AnonKryptiQuz
Target: https://httpbin.org/status/403
Modules: Path | Method | Header | WAF | Protocol | Cloudflare
Timeout: 15s Delay: 0ms Verbose: false
Capturing baseline response... [403 Confirmed] — 0 bytes, 2034ms
Baseline body length: 0 bytes (responses differing >10% will be flagged)
HEADER INJECTION BYPASS
[+] [200] GET https://httpbin.org/ X-Original-URL: /status/403 (request to /)
[+] [200] GET https://httpbin.org/ X-Rewrite-URL: /status/403 (request to /)
HTTP METHOD BYPASS
[+] [200] OPTIONS https://httpbin.org/status/403 OPTIONS method
[+] SUCCESSFUL BYPASSES
[200] OPTIONS https://httpbin.org/status/403
Technique: OPTIONS method
[200] GET https://httpbin.org/
Technique: X-Original-URL: /status/403 (request to /)
Header: X-Original-URL: /status/403
[200] GET https://httpbin.org/
Technique: X-Rewrite-URL: /status/403 (request to /)
Header: X-Rewrite-URL: /status/403
Total Requests: 174
Baseline: [403] 0 bytes, 2034ms
Bypassed [200]: 3
Forbidden[403]: 86
Diff from baseline: 88
Not Found[404]: 23
Errors: 22
[!] INTERESTING RESPONSES
[400] GET https://httpbin.org/status/403;
Technique: Semicolon only
[400] GET https://httpbin.org/status/403%00
Technique: Null byte
[405] TRACE https://httpbin.org/status/403
Technique: TRACE methodThe tool currently covers these main areas:
- Path manipulation
- Method mutations
- Header-based bypasses
- Host and trust-header variations
- Protocol and scheme confusion
- Cloudflare-related and WAF-related checks
- SQLi payload follow-up testing
- XSS payload follow-up testing
Run ./bypass403 -h for the full CLI help.
Key flags:
-ua- Custom User-Agent string
-cookie- Cookie header value
-t- Concurrent threads
-timeout- Request timeout in seconds
-v- Show all results including responses that match the baseline
-sqli- Enable SQLi bypass payloads
-xss- Enable XSS bypass payloads
-all- Enable SQLi, XSS, and auto-chain together
-chain- Auto-chain follow-up testing on bypassed endpoints
-o- Output file for results
-delay- Delay between requests in milliseconds
-proxy- HTTP proxy URL
-H- Custom header; may be repeated
The CLI prints a baseline first, then visible differences that survive filtering. When the -o flag is used, it also writes a plain-text summary of all results to the selected file.
- Results are heuristic and can produce false positives or false negatives
- The tool does not prove exploitation; it only highlights promising differences
- Some techniques depend on target-specific behavior and may be noisy on heavily normalized stacks
- Proxy behavior depends on the selected transport and target behavior
Use this tool only on systems you are authorized to test.
The authors and contributors are not responsible for misuse. You are responsible for complying with applicable law, program rules, and organizational policy.
Special thanks to the project my teammates who helped shape the tool:
This project is released under the MIT License. See LICENSE.