Skip to content

Gilzy/403Bypasser

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

31 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

403Bypasser

A Burp Suite extension made to automate the process of bypassing 403 pages. Heavily based on Orange Tsai's talk Breaking Parser Logic: Take Your Path Normalization off and Pop 0days Out!

Sample Issue

Features

  • Runs with every possible permutation for query-based payloads. For instance https://www.example.com/api/v1/users with payload ..; will result in testing the following:
    https://www.example.com..;/api/v1/users
    https://www.example.com/api..;/v1/users
    https://www.example.com/api/v1..;/users
    https://www.example.com/..;api/v1/users
    https://www.example.com/api/..;v1/users
    https://www.example.com/api/v1/..;users
    https://www.example.com/api/v1/users/..;
    https://www.example.com/api/v1/users/..;/
    
  • Header payloads are added to the original request. In case the header already exists in the original request its value is replaced.
  • For GET requests the extension will try to bypass Forbidden pages by changing the method to POST with an empty body.
  • The extension will attempt to downgrade HTTP/1.1 to HTTP/1.0 and remove all headers as shown by Abbas.heybati
  • Supports manual activation through context menu.
  • Payloads are supplied by the user under dedicated tab, default values are stored in query payloads.txt and header payloads.txt.
  • Issues are added under the Issue Activity tab.

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages