A comprehensive Burp Suite extension for testing access control, path traversal, and Web Cache Deception vulnerabilities, all in one tool.
Developed with 🛡️ by Tagoletta
Installation • Features • Usage • Web Cache Deception • Build • Contributing
- Go to Releases
- Download `access-context-fuzzer-1.0-jar-with-dependencies.jar`
- Open Burp Suite → Extensions → Add
- Select the downloaded JAR file
- The "Access Context" tab will appear in Burp Suite
See Building from Source below.
Access Context Fuzzer is a Burp Suite extension designed for security researchers and penetration testers who need to systematically test for access control bypass and Web Cache Deception (WCD) vulnerabilities.
Instead of manually crafting dozens of header and path variations, this extension automatically generates and tests hundreds of bypass variants in seconds, then highlights exactly which ones behave differently from the baseline.
| Problem | Without This Tool | With Access Context Fuzzer |
|---|---|---|
| Header bypass testing | Manually add X-Forwarded-For, X-Real-IP, etc. one by one | 40+ header variants tested simultaneously |
| Path normalization bugs | Guess which encoding tricks work | Systematic fuzzing of URL encoding, double encoding, IIS Unicode, dot-segments |
| Web Cache Deception | Complex multi-step manual testing | Automated 4-phase WCD pipeline with cache header detection |
| Result analysis | Compare responses manually | Smart color-coded diff: status changes, word deltas, length anomalies highlighted automatically |
Access Context Fuzzer provides three independent fuzzing engines, each accessible via its own tab:
Tests access control enforcement by injecting IP spoofing and host manipulation headers.
What it tests:
| Category | Headers | Example |
|---|---|---|
| IP Spoofing | X-Forwarded-For, X-Real-IP, X-Client-IP, True-Client-IP, CF-Connecting-IP, and 30+ more | `X-Forwarded-For: 127.0.0.1` |
| Host Override | X-Forwarded-Host, X-Host, X-Original-Host | `X-Host: allowed-origin.com` |
| Custom IPs | User-defined list | Any IP you specify |
| Custom Headers | User-defined `Header: Value` pairs | Load from wordlist file |
Use case: Testing if the application relies on easily spoofable headers for access control decisions (e.g., admin panels restricted by IP).
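The following is an added example (not the extension's code) showing, from the application side, why the header variants above work: an allow-list check that resolves the client address from any spoofable header is bypassed by a single forged `X-Forwarded-For`, while one that only lets a known reverse proxy speak for the client is not. The allow-list, the trusted proxy address and the header list are constructed for the example.

```python
"""Added example: IP allow-list that trusts client headers vs. one that trusts only a known proxy.
Not the extension's code; allow-list, proxy address and header names are constructed."""
import ipaddress

# Constructed allow-list for a hypothetical admin panel.
ADMIN_ALLOWED = [ipaddress.ip_network("127.0.0.1/32"), ipaddress.ip_network("10.0.0.0/8")]
# Constructed set of reverse proxies that are allowed to append to X-Forwarded-For.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}
# Headers the fuzzer injects; an application must never read these from an untrusted hop.
SPOOFABLE_HEADERS = ("X-Forwarded-For", "X-Real-IP", "X-Client-IP", "True-Client-IP", "CF-Connecting-IP")


def client_ip_naive(headers: dict, remote_addr: str) -> str:
    """Vulnerable: believes the first spoofable header it finds."""
    for name in SPOOFABLE_HEADERS:
        value = headers.get(name)
        if value:
            return value.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(headers: dict, remote_addr: str, trusted=TRUSTED_PROXIES) -> str:
    """Safe: only a trusted proxy may speak for the client. Walk the X-Forwarded-For chain
    from the right (the end our own proxy appends to) and stop at the first address that is
    not one of our proxies; everything to the left of it is attacker-controlled."""
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    hops.append(remote_addr)
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed hop: fall back to the socket address
        if addr not in trusted:
            return hop
    return remote_addr  # every hop was one of our proxies


def is_admin_allowed(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_ALLOWED)


def decide(headers: dict, remote_addr: str) -> dict:
    """Admin decision under both resolvers for the same request."""
    return {
        "naive": is_admin_allowed(client_ip_naive(headers, remote_addr)),
        "hardened": is_admin_allowed(client_ip_hardened(headers, remote_addr)),
    }


if __name__ == "__main__":
    # Constructed request: external client, forged X-Forwarded-For, no trusted proxy in front.
    print(decide({"X-Forwarded-For": "127.0.0.1"}, "203.0.113.5"))
```

In the fuzzer's results table, an application using the naive resolver shows a `STATUS_CHANGE` row for the `X-Forwarded-For: 127.0.0.1` variant; the hardened resolver yields the same status as the baseline for every injected header.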
Tests path-level access control by manipulating the URL path using various encoding and normalization techniques.
What it tests:
| Technique | Checkbox | Example | Purpose |
|---|---|---|---|
| URL Encoding | Path Normalization | `/%61%64%6d%69%6e` | Bypass path-matching rules |
| Double URL Encoding | Path Normalization | `/%2561%2564%256d%2569%256e` | Exploit double-decode vulnerabilities |
| IIS Unicode Encoding | Path Normalization | IIS short/wide Unicode variants | Target IIS-specific normalization |
| Case Flipping | Advanced Encoders | `/Admin`, `/ADMIN` | Case-sensitive path matching |
| Trailing Slash | Advanced Encoders | `/admin/` | Path normalization differences |
| Dot-Segment Injection | Advanced Encoders | `/path/..;/admin` | Tomcat/Spring path traversal |
| Double Slash Prefix | Advanced Encoders | `//admin` | Proxy path confusion |
| JSON Suffix | Advanced Encoders | `/admin.json` | Content negotiation bypass |
| Semicolon Suffix | Advanced Encoders | `/admin;` | Parameter delimiter abuse |
| X-Rewrite-URL | Rewrite Tricks | Header: `/admin` | Frontend/backend path discrepancy |
| X-Original-URL | Rewrite Tricks | Header: `/admin` | URL override |
| X-Accel-Redirect | Rewrite Tricks | Header: `/admin` | Nginx / OpenResty internal redirect bypass |
| Custom Paths | n/a | User-defined paths | Load from wordlist file |
Allows you to select specific text within a request and fuzz just that portion with various encodings.
What it tests:
| Encoder | Description |
|---|---|
| URL Encode | Standard percent-encoding of selected text |
| Double URL Encode | Double-layer encoding |
| IIS Unicode Encode | IIS-specific Unicode mapping |
| UTF-8 Fullwidth Slash | Fullwidth character substitution |
| Custom Payloads | User-defined replacements from file or manual input |
Use case: When you've identified a specific parameter or path segment that might be vulnerable, select it and test encoding-specific bypasses.
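As an added example, not part of the extension, the function below canonicalises a path before the access-control comparison, undoing each transformation class listed in the two tables above (single and double percent-decoding, IIS `%uXXXX` escapes, fullwidth slashes, `;` matrix parameters, doubled slashes, dot-segments, trailing slash, case and the `.json` suffix). The protected prefix, the stripped suffixes and the choice of two decode passes are assumptions for the demonstration; the point is that an ACL applied to the raw path misses every variant, while one applied to the canonical form catches them all.

```python
"""Added example: canonicalise a request path before the ACL check.
Not the extension's code; prefix, suffix list and decode-pass count are assumptions."""
import posixpath
import re
import unicodedata
from urllib.parse import unquote

PROTECTED_PREFIX = "/admin"                  # constructed protected area
STRIPPED_SUFFIXES = (".json",)               # assumed content-negotiation suffixes
_IIS_U = re.compile(r"%u([0-9a-fA-F]{4})")   # IIS-style %uXXXX escapes


def _decode_once(p: str) -> str:
    p = unquote(p)                                              # %61 -> a, %2f -> /
    return _IIS_U.sub(lambda m: chr(int(m.group(1), 16)), p)    # %u0061 -> a


def canonical_path(raw: str) -> str:
    """Reduce every encoding/normalization variant to one comparable form."""
    p = raw
    for _ in range(2):                                  # two passes catch double encoding
        p = _decode_once(p)
    p = unicodedata.normalize("NFKC", p)                # fullwidth '／' (U+FF0F) -> '/'
    p = p.split("?", 1)[0].split("#", 1)[0]             # drop query / fragment if present
    p = "/".join(seg.split(";", 1)[0] for seg in p.split("/"))  # '..;' -> '..', 'admin;' -> 'admin'
    p = re.sub(r"/+", "/", p)                           # '//admin' -> '/admin'
    if not p.startswith("/"):
        p = "/" + p
    p = posixpath.normpath(p)                           # resolve '.' and '..' segments
    for suffix in STRIPPED_SUFFIXES:
        if p.endswith(suffix):
            p = p[: -len(suffix)]
    p = p.rstrip("/") or "/"                            # '/admin/' -> '/admin'
    return p.lower()                                    # '/Admin' -> '/admin'


def is_protected_naive(raw: str) -> bool:
    """Vulnerable: prefix check on the raw path as received."""
    return raw.startswith(PROTECTED_PREFIX)


def is_protected(raw: str) -> bool:
    """Hardened: same rule, applied to the canonical form (exact segment match, so
    '/administrator' is not accidentally covered)."""
    c = canonical_path(raw)
    return c == PROTECTED_PREFIX or c.startswith(PROTECTED_PREFIX + "/")


VARIANTS = [  # the Path Bypass / Selection Fuzz examples from the tables above
    "/%61%64%6d%69%6e", "/%2561%2564%256d%2569%256e", "/Admin", "/admin/",
    "/path/..;/admin", "//admin", "/admin.json", "/admin;", "/%u0061dmin", "%EF%BC%8Fadmin",
]

if __name__ == "__main__":
    for v in VARIANTS:
        print(f"{v:32} canonical={canonical_path(v):10} naive={is_protected_naive(v)!s:5} hardened={is_protected(v)}")
```

The canonical form is what the ACL should see; the framework's own router may still decode differently, which is exactly the discrepancy the Path Bypass tab surfaces as `STATUS_CHANGE` rows.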
A dedicated 4-phase pipeline for discovering and exploiting Web Cache Deception vulnerabilities. Each phase maps directly to a checkbox in the "Built-in Payloads" panel:
💡 Checkbox: `Delimiter Fuzzing` | Config: Delimiter suffix text field

Identifies which characters the origin server treats as path delimiters.

```text
/my-account?abc   → 200 = '?' is a delimiter
/my-account#abc   → 200 = '#' is a delimiter
/my-account%23abc → 200 = '%23' (encoded #) is a delimiter
/my-account%3fabc → 200 = '%3f' (encoded ?) is a delimiter
```

💡 Checkbox: `Delimiter + Extension`

Tests if the cache treats responses differently when combined with static file extensions.

```text
/my-account?abc.js    → Check X-Cache header
/my-account%23abc.css → Check X-Cache header
```

💡 Checkbox: `Normalization Discrepancy` | Config: Cache directory prefix text field

Tests whether the origin server and cache handle encoded dot-segments differently.

```text
/aaa/..%2fmy-account     → 404 = origin doesn't normalize
/aaa/..%2fresources/test → X-Cache:hit = cache DOES normalize!
/resources/..%2ftest     → No cache = confirms /resources prefix rule
```

💡 Checkbox: `Cache Deception Combos` | Config: Cache directory prefix text field

Generates combined exploit payloads using discovered delimiters + cache normalization.

```text
/my-account%23%2f%2e%2e%2fresources → 200 + X-Cache:hit = EXPLOIT! 🎯
```

How WCD works: The origin server sees `/my-account` (because `%23` is treated as a `#` delimiter), but the cache sees `/resources` (after normalizing `..%2f`). The cache stores the authenticated response, and any attacker can read it from cache.
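To make the phase-4 discrepancy concrete, here is an added example, not the extension's code, that models the two interpretations of one path side by side: the origin percent-decodes once and stops at the first delimiter without resolving dot-segments, while the cache decodes, resolves `..` and then applies a directory-prefix or extension rule. The delimiter set, cache prefixes and static extensions are assumptions chosen to reproduce the four worked paths above. It is the check a defender would run against their own routing and caching rules: a path is dangerous when the cache would store it but the origin would not treat it as static.

```python
"""Added example: model of the origin-vs-cache path interpretation behind WCD.
Not the extension's code; origin/cache behaviour and cache rules are assumptions."""
import posixpath
from urllib.parse import unquote

ORIGIN_DELIMITERS = ("?", "#", ";")            # assumed: chars the origin stops routing at
CACHE_PREFIXES = ("/resources", "/static")      # assumed cache directory rules
STATIC_EXTENSIONS = (".js", ".css", ".png")     # assumed cacheable extensions


def origin_view(path: str) -> str:
    """What the origin routes on: decode once, then cut at the first delimiter.
    Modelled as NOT resolving dot-segments (the phase-3 '404 = origin doesn't normalize' case)."""
    decoded = unquote(path)
    cut = len(decoded)
    for d in ORIGIN_DELIMITERS:
        i = decoded.find(d)
        if i != -1:
            cut = min(cut, i)
    return decoded[:cut]


def cache_view(path: str) -> str:
    """What the cache keys on: decode, then resolve '.' and '..' segments.
    Modelled as honouring no delimiters, so '?abc.js' stays part of the key."""
    return posixpath.normpath(unquote(path))


def cache_would_store(key: str) -> bool:
    """Assumed cache policy: under a static directory, or a static file extension."""
    in_dir = any(key == p or key.startswith(p + "/") for p in CACHE_PREFIXES)
    return in_dir or key.endswith(STATIC_EXTENSIONS)


def check_path(path: str) -> dict:
    """Flag a path as deceptive when the cache would store it but the origin
    would serve it as a dynamic (non-static) resource."""
    o, c = origin_view(path), cache_view(path)
    stores = cache_would_store(c)
    return {
        "path": path,
        "origin_sees": o,
        "cache_sees": c,
        "cache_stores": stores,
        "deceptive": stores and not cache_would_store(o),
    }


if __name__ == "__main__":
    # The README's worked paths, plus a legitimate static asset for contrast.
    for p in ("/my-account?abc.js", "/aaa/..%2fmy-account",
              "/my-account%23%2f%2e%2e%2fresources", "/resources/app.js"):
        r = check_path(p)
        print(f"{p:40} origin={r['origin_sees']:22} cache={r['cache_sees']:20} deceptive={r['deceptive']}")
```

Fixing either side closes the gap: a cache that keys on the same decoded, delimiter-aware path the origin routes on, or an origin that normalises dot-segments before routing, makes `origin_sees` and `cache_sees` agree and the `deceptive` flag disappears.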
Every fuzzing result is displayed in an intelligent, color-coded table:
| Column | Description |
|---|---|
| # | Row index |
| Variant | Name of the test (e.g., DELIM: '?', WCD: '%23' + traversal) |
| Status | HTTP status code |
| Words | Word count of the response body |
| Lines | Line count of the response body |
| Length | Response body length in bytes |
| Title | Extracted HTML `<title>` tag |
| RTT(ms) | Round-trip time in milliseconds |
| Notes | Auto-detected anomalies and cache headers |
Automatic anomaly detection in Notes:
| Tag | Meaning |
|---|---|
| `STATUS_CHANGE` | Response status differs from baseline |
| `WORD_DELTA` | Word count differs from baseline |
| `LEN_DELTA` | Body length differs by >50 bytes |
| `X-Cache:hit` | Response served from cache |
| `X-Cache:miss` | Response not in cache (first request) |
| `CC:public,max-age=30` | Cache-Control header value |
| `Age:15` | Cache age in seconds |
Color coding:
- 🟢 Green rows: status code matches baseline (expected behavior)
- 🟡 Yellow/highlighted rows: anomalies detected (investigate these!)
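The Notes tags are a baseline comparison; as an added example, not code from the extension, the function below reproduces that comparison over two constructed responses, a 403 baseline and a 200 variant served from cache, and maps the tags to the row colour described above. The tag names, the 50-byte threshold and the `CC:` / `Age:` formatting follow the table; the sample bodies and headers are made up.

```python
"""Added example: baseline comparison that produces the Notes tags and row colour.
Not the extension's code; sample responses are constructed."""
LEN_THRESHOLD = 50  # bytes, as in the table above
ANOMALY_TAGS = {"STATUS_CHANGE", "WORD_DELTA", "LEN_DELTA"}


def body_stats(body: str) -> dict:
    """Words / Lines / Length columns for one response body."""
    return {
        "words": len(body.split()),
        "lines": body.count("\n") + 1,
        "length": len(body.encode("utf-8")),
    }


def annotate(baseline: dict, response: dict) -> list:
    """Return the Notes tags for one variant.
    A response is {'status': int, 'headers': {name: value}, 'body': str}."""
    tags = []
    b, r = body_stats(baseline["body"]), body_stats(response["body"])
    if response["status"] != baseline["status"]:
        tags.append("STATUS_CHANGE")
    if r["words"] != b["words"]:
        tags.append("WORD_DELTA")
    if abs(r["length"] - b["length"]) > LEN_THRESHOLD:
        tags.append("LEN_DELTA")
    headers = {k.lower(): v for k, v in response["headers"].items()}  # header names are case-insensitive
    if "x-cache" in headers:
        tags.append("X-Cache:" + headers["x-cache"].strip().lower())
    if "cache-control" in headers:
        tags.append("CC:" + headers["cache-control"].replace(" ", ""))
    if "age" in headers:
        tags.append("Age:" + headers["age"].strip())
    return tags


def row_colour(tags: list) -> str:
    """Yellow when any delta tag is present, otherwise green."""
    return "yellow" if ANOMALY_TAGS & set(tags) else "green"


# Constructed sample: what an unauthenticated baseline and a cache-served variant might look like.
SAMPLE_BASELINE = {
    "status": 403,
    "headers": {},
    "body": "<html><title>Forbidden</title><body>Access denied</body></html>",
}
SAMPLE_VARIANTS = {
    "DELIM: '?'": {"status": 403, "headers": {"X-Cache": "miss"}, "body": SAMPLE_BASELINE["body"]},
    "WCD: '%23' + traversal": {
        "status": 200,
        "headers": {"X-Cache": "HIT", "Cache-Control": "public, max-age=30", "Age": "15"},
        "body": "<html><title>My account</title><body><p>Welcome back, user@example.com.</p>"
                "<p>API key: EXAMPLE-KEY-000000 (constructed placeholder)</p></body></html>",
    },
}

if __name__ == "__main__":
    for name, resp in SAMPLE_VARIANTS.items():
        tags = annotate(SAMPLE_BASELINE, resp)
        print(f"{name:26} {resp['status']} {row_colour(tags):6} {' '.join(tags)}")
```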
Dynamic Sorting: Click any column header to instantly sort results by Status Code, Word Count, Length, or RTT. This is critical during large-scale testing: instantly isolate the 200 OK responses among hundreds of 403s, find the smallest response that might indicate a different code path, or spot the slowest response that could signal server-side processing. No need to scroll through hundreds of rows; one click reveals your bypass.
Double-click any row to open a dedicated inspection window powered by Burp Suite's native HTTP editors (HttpRequestEditor / HttpResponseEditor from the Montoya API). This is not a plain text viewer; it is the same editor component used in Burp's own Repeater and Proxy tabs.
The viewer opens as a non-modal split pane (request on the left, response on the right) with full tab support:
| Tab | Description |
|---|---|
| Raw | Full HTTP message exactly as sent/received, including headers and body |
| Pretty | Syntax-highlighted, auto-formatted view (JSON, HTML, XML) |
| Hex | Byte-level hexadecimal view for binary analysis |
| Render | Live HTML preview of the response: instantly see if the page contains API keys, tokens, or sensitive data without reading raw HTML |
💡 You can open multiple viewer windows simultaneously to compare responses side by side. Each window is independent and stays open until you close it.
Changed your settings? No need to go back to HTTP history: click ▶ Re-run Fuzzing to re-execute with updated configuration.
- ✅ Modify checkboxes, add custom payloads, change delay
- ✅ Click ▶ Re-run: uses the same base request with new settings
- ✅ Previous results are cleared automatically
Every custom text area includes Load File and Clear buttons.
- Supports `.txt`, `.lst`, `.csv`, `.list` files
- Appends to existing content (combine manual + file payloads)
- Shows line count feedback after loading
- Works with all custom fields: IPs, Headers, Paths, Payloads
Each tab includes an IP verification check to ensure your traffic is properly anonymized.
- Click Check External IP to verify your public IP
- OPSEC Warning Dialog: if you haven't verified your IP, the extension blocks fuzzing and shows a confirmation dialog to prevent accidental exposure of your real IP
- Configurable delay (ms) between requests to avoid rate limiting and WAF detection
| Feature | How |
|---|---|
| Send to Repeater | Right-click any row → Send to Repeater |
| Export CSV | Click Export CSV to save all results |
| Site Map | All requests are automatically added to Burp's Site Map |
Access Context Fuzzer has been tested and proven effective against official PortSwigger Web Security Academy labs:
| Status | Lab | Technique Used | Extension Feature |
|---|---|---|---|
| ✅ Solved | URL-based access control can be circumvented | Root-level URL rewrite via X-Original-URL header | Header Bypass tab → URL Rewrite Override checkbox |
| ✅ Solved | Host header authentication bypass | Host manipulation via X-Forwarded-Host | Header Bypass tab → IP/Host spoofing |
| ✅ Solved | Authentication bypass via information disclosure | Custom header `X-Custom-IP-Authorization: 127.0.0.1` | Header Bypass tab → Custom Headers |
| ✅ Solved | Exploiting cache server normalization for WCD | Delimiter + encoded dot-segment + cache prefix | Cache Deception Combos checkbox |
💡 These labs represent real-world vulnerability classes encountered in production applications. The extension automates the tedious manual testing process, reducing hours of work to seconds.
- Download the latest `access-context-fuzzer-1.0-jar-with-dependencies.jar` from Releases
- In Burp Suite, go to Extensions → Installed → Add
- Set Extension type to Java
- Select the downloaded JAR file
- Click Next; the Access Context tab appears
- Burp Suite Professional or Community Edition 2023.1+
- Java 17 or higher
- Browse to your target in Burp's built-in browser
- Find a request in Proxy → HTTP History
- Right-click the request and choose:
| Menu Item | When to Use |
|---|---|
| Access Context: Header Fuzz | Testing header-based access control (IP restrictions, host checks) |
| Access Context: Path Fuzz | Testing path-based access control (URL normalization, encoding bypass) |
| Access Context: Fuzz Selection | Testing a specific selected portion of the request |
- The extension switches to the appropriate tab and begins fuzzing
- Watch the progress bar and results table populate in real-time
- Look for green highlighted rows with `STATUS_CHANGE` or `WORD_DELTA` in Notes
A step-by-step guide for testing WCD vulnerabilities:
```text
Step 1: Enable "Delimiter Fuzzing" checkbox
   → Find delimiters that return 200 (e.g., ?, #, %23)

Step 2: Enable "Delimiter + Extension" checkbox
   → Check Notes column for X-Cache headers

Step 3: Enable "Norm Discrepancy" checkbox
   → Set Cache Prefix to "/resources"
   → Find normalization differences between origin and cache

Step 4: Enable "Cache Deception Combos" checkbox
   → Look for rows with Status=200 AND X-Cache:hit
   → That row's path is your exploit payload!

Step 5: Double-click the exploit row
   → Verify API key / sensitive data in the Render tab
   → Copy the path for your exploit server
```
- JDK 17+ (OpenJDK or Oracle JDK)
- Maven 3.6+ or Gradle 7+
```bash
# Clone the repository
git clone https://github.com/Tagoletta/AccessContextFuzzer.git
cd AccessContextFuzzer

# Compile
mvn compile

# Build JAR with dependencies
mvn package
# Output: target/access-context-fuzzer-1.0-jar-with-dependencies.jar
```

```bash
gradle build
# Output: build/libs/access-context-fuzzer-1.0.jar
```

```text
AccessContextFuzzer/
├── src/
│   └── main/
│       ├── java/
│       │   └── burp/
│       │       └── AccessContextFuzzer.java   # Main extension (single file)
│       └── resources/                          # (reserved for future assets)
├── img/                                        # README screenshots
│   ├── banner.png
│   ├── overview.png
│   ├── header_bypass_tab.png
│   ├── path_bypass_tab.png
│   ├── selection_fuzz_tab.png
│   ├── wcd_settings.png
│   ├── wcd_results.png
│   ├── results_table.png
│   ├── request_response_viewer.png
│   ├── rerun_button.png
│   ├── load_file.png
│   ├── opsec_check.png
│   ├── installation.png
│   ├── context_menu.png
│   └── wcd_workflow.png
├── .github/
│   └── workflows/
│       └── release.yml                         # Auto-build & release on tag push
├── pom.xml                                     # Maven build config
├── build.gradle                                # Gradle build config
├── settings.gradle
├── .gitignore
└── README.md
```
The following table summarizes all test variants generated by the extension:
| # | Variant | Header | Value |
|---|---|---|---|
| 1-8 | IP Spoofing (127.0.0.1) | X-Forwarded-For, X-Real-IP, X-Client-IP, True-Client-IP, CF-Connecting-IP, X-Cluster-Client-IP, Fastly-Client-IP, X-Azure-ClientIP | 127.0.0.1 |
| 9-16 | IP Spoofing (Custom IPs) | Same headers as above | User-defined IPs |
| 17-19 | Host Override | X-Forwarded-Host, X-Host, X-Original-Host | User-defined hosts |
| 20+ | Custom Headers | User-defined | User-defined |
| # | Variant | Checkbox | Example | Technique |
|---|---|---|---|---|
| 1 | URL Encode | Path Normalization | `/%61%64%6d%69%6e` | Single URL encoding |
| 2 | Double URL Encode | Path Normalization | `/%2561%2564%256d%2569%256e` | Double encoding |
| 3 | IIS Unicode | Path Normalization | IIS-mapped characters | IIS short filename |
| 4 | Case Flip | Advanced Encoders | `/Admin`, `/ADMIN` | Case sensitivity |
| 5 | Trailing Slash | Advanced Encoders | `/admin/` | Path normalization |
| 6 | Dot-Segment | Advanced Encoders | `/..;/admin` | Tomcat/Spring bypass |
| 7 | Double Slash | Advanced Encoders | `//admin` | Nginx/OpenResty proxy path confusion: targets misconfigurations in location block matching |
| 8 | JSON Suffix | Advanced Encoders | `/admin.json` | Content negotiation bypass |
| 9 | Semicolon | Advanced Encoders | `/admin;` | Delimiter abuse |
| 10 | X-Rewrite-URL | Rewrite Tricks | Header: `/admin` | URL rewrite (IIS/ASP.NET) |
| 11 | X-Original-URL | Rewrite Tricks | Header: `/admin` | URL override (IIS/ASP.NET) |
| 12 | X-Accel-Redirect | Rewrite Tricks | Header: `/admin` | Nginx / OpenResty internal redirect bypass: targets X-Accel-Redirect header handling in Nginx reverse proxy setups |
| 13+ | Delimiter Fuzzing | Delimiter Fuzzing | `/admin?abc`, `/admin%23abc` | WCD Phase 1 |
| 20+ | Delimiter + Extension | Delimiter + Extension | `/admin?abc.js` | WCD Phase 2 |
| 30+ | Norm Discrepancy | Normalization Discrepancy | `/aaa/..%2fadmin` | WCD Phase 3 |
| 40+ | Cache Deception Combo | Cache Deception Combos | `/admin%23%2f%2e%2e%2fresources` | WCD Phase 4 |
Place the following screenshots in the img/ directory:
| Filename | What to Capture |
|---|---|
| `banner.png` | A branded banner image (1200×300 recommended) |
| `overview.png` | Full extension window showing all three tabs |
| `three_tabs.png` | Close-up of the tab bar (Header Bypass, Path/GET Bypass, Selection Fuzz) |
| `header_bypass_tab.png` | Header Bypass tab with settings and results populated |
| `path_bypass_tab.png` | Path/GET Bypass tab showing WCD checkboxes |
| `selection_fuzz_tab.png` | Selection Fuzz tab with custom payloads |
| `wcd_settings.png` | Close-up of the WCD settings panel (delimiter, extension, norm, combo checkboxes) |
| `wcd_results.png` | Results table showing X-Cache headers in Notes column |
| `results_table.png` | Color-coded results table with anomalies highlighted |
| `request_response_viewer.png` | Double-click dialog showing Burp's native Request/Response editors |
| `rerun_button.png` | Control panel showing the ▶ Re-run Fuzzing button |
| `load_file.png` | Custom textarea with Load File button and "X lines loaded" feedback |
| `opsec_check.png` | OPSEC panel showing verified IP address |
| `installation.png` | Burp Extensions tab showing the loaded extension |
| `context_menu.png` | Right-click context menu showing the three Access Context options |
| `lab_success.png` | Screenshot showing solved PortSwigger labs (green "Solved" banners) |
This tool is designed for authorized security testing only. Always ensure you have proper authorization before testing any target. The OPSEC features (IP verification, configurable delays) are provided to help testers operate safely and responsibly.
Contributions are welcome! Here's how to get started:
- Fork the repository
- Create a feature branch (`git checkout -b feature/awesome-feature`)
- Commit your changes (`git commit -m 'Add awesome feature'`)
- Push to the branch (`git push origin feature/awesome-feature`)
- Open a Pull Request
- Additional encoding schemes (e.g., Base64, Punycode)
- GraphQL-specific bypass techniques
- Request diff viewer (visual side-by-side comparison)
- Collaborative notes / tagging for results
- Auto-detect interesting responses using ML heuristics
This project is licensed under the MIT License; see the LICENSE file for details.
- PortSwigger, for Burp Suite and the Montoya API
- PortSwigger Web Security Academy, for the Web Cache Deception labs that inspired the WCD module
- The security research community for documenting access control bypass techniques
Developed with 🛡️ by Tagoletta
For detailed write-ups, development stories, and more security tools, visit tagmachan.com