yunemse48 / 403bypasser Goto Github PK

License: MIT License

Python 100.00%

403bypasser's Introduction

403bypasser

Türkçe

403bypasser, hedef sayfalardaki erişim kontrolü kısıtlamalarını aşmak için kullanılan teknikleri otomatikleştirir. Bu araç geliştirilmeye devam edecektir, katkılara açıktır.

English

403bypasser automates the techniques used to circumvent access control restrictions on target pages. 403bypasser will continue to be improved and it is open to contributions.

Installation

Clone the repository to your machine. git clone https://github.com/yunemse48/403bypasser.git
Install required modules by running the code pip install -r requirements.txt
READY!

Usage

Arguments:

Argument	Description	Examples	Note
-u	single URL to scan	http://example.com or http://example.com/	All these example usages are interpreted in the same way
-U	path to list of URLs	./urllist.txt, ../../urllist.txt, etc.	Just provide the path where the file is located :)
-d	single directory to scan	admin or /admin or admin/ or /admin/	All these example usages are interpreted in the same way
-D	path to list of directories	./dirlist.txt, ../../dirlist.txt, etc.	Just provide the path where the file is located :)

Usage 1: python3 403bypasser.py -u https://example.com -d /secret
Usage 2: python3 403bypasser.py -u https://example.com -D dirlist.txt
Usage 3: python3 403bypasser.py -U urllist.txt -d /secret
Usage 4: python3 403bypasser.py -U urllist.txt -D dirlist.txt

IMPORTANT NOTE: All the followings are interpreted the same. Therefore, which pattern you use is just a matter of preference.

python3 403bypasser.py -u https://example.com -d secret
python3 403bypasser.py -u https://example.com -d /secret
python3 403bypasser.py -u https://example.com -d /secret/
python3 403bypasser.py -u https://example.com -d secret/
python3 403bypasser.py -u https://example.com/ -d secret
ALL THE SAME!

Since Python is a cross-platform language, one can run this program on different operating systems.

Output

The output of the program is saved (in the current directory) in a file with the name of the domain name given as input.
For example:
python3 403bypasser.py -u https://example.com -d /secret is given. Then the output is saved to example.txt in the current directory.

Release Notes

Changes in v2.0: Considerable changes have been done in this version. The project is completely moved to Python 3 from Bash. New and wide variety of techniques have been added.

Changes in v1.1: It's now possible to pass files (lists) to 403bypasser as input via arguments. Furthermore, two more test cases added: poisoning with 1)X-Original-URL and 2)X-Rewrite-URL headers.

To-Do List

GUI
Add Rate-Limit / Threads Option
Add an Option for Scan Types (fast, normal, aggressive or only path manipulation / header manipulation)
Export cURL Command for Each Request
Add Parameters to Save Output According to HTTP Status Codes
Add Parameters to Save Output According to Page Size Anomalies

Which Cases Does This Tool Check?

1. Request Method Manipulation

Convert GET request to POST request

2. Path Manipulation

/%2e/secret
/secret/
/secret..;/
/secret/..;/
/secret%20
/secret%09
/secret%00
/secret.json
/secret.css
/secret.html
/secret?
/secret??
/secret???
/secret?testparam
/secret#
/secret#test
/secret/.
//secret//
/./secret/./

3. Overriding the Target URL via Non-Standard Headers

X-Original-URL: /secret
X-Rewrite-URL: /secret

4. Other Headers & Values

Headers:

X-Custom-IP-Authorization
X-Forwarded-For
X-Forward-For
X-Remote-IP
X-Originating-IP
X-Remote-Addr
X-Client-IP
X-Real-IP

Values:

localhost
localhost:80
localhost:443
127.0.0.1
127.0.0.1:80
127.0.0.1:443
2130706433
0x7F000001
0177.0000.0000.0001
0
127.1
10.0.0.0
10.0.0.1
172.16.0.0
172.16.0.1
192.168.1.0
192.168.1.1

403bypasser's People

Contributors

Stargazers

Watchers

Forkers

s0ca swajyadip1997 hunter0x8 rassec faisalrathore 3cr3sc3nt shrimant12 muhaprime moustafaalqasrawi furk4nyildiz alishahmughal123 sahil-69 azatagaly tmacbg hollow667 tink2hack 7rust bbhunter slooppe marciopocebon saugatasil cutff prongedfork cryptoknife dimension262611 hacker22o2 insightglacier sashka3076 cyb3r-n3rd evi1r0s3 afwu zha0 5l1v3r1 3453-315h parkjunmin sengkyaut rich-imad kimusan minkione qran253 seqrity tehseensagar judd3rm0n optionalg securityanalysts prageeth1985 john-80 attacker-codeninja yaelahrip darknesschieftain luisabellan polling-repo-continua hackinfinity latkes blockchainchad bug-tools sayeedm44 manasharsh 77-0 joker72655561 creazygan hackerajofficial febinrev ab41j1t4000 exploit-archive wargg vigneshsahoo g0rdonx developer191 k4k4 oakkaya m310n belalmuflih luckyzmj dinghi-security ajohnson5498 redhotchilihacker kingx48 bhishma14 hxlxmjxbbxs leomatias s41n1k xsshim t0w3n asura88 jeromeyoung binarytrails 0x337 storenth azhariramadhan excloudx6 spiderhehehoho tommalvoriddle hussamhussam 0x24bin 0xsojalsec whoamiiiii bruto001 bugbountydude aliprx

403bypasser's Issues

If the URI does not have a directory, it is only a / directory, an error will be reported

Py instantly closes once the script loads

how do i install

i do not understand

how do i preform x-original-url or x-rewrite-url?

Add header option for authenticated scan

Add headers option to run authenticated scan. Best way would be to add a feature to read a text file which has the original request captured from Burp Suite. Just like sqlmap -r req.txt

Add proxy option to view full request

Based on a scenario, the tool showed 200 but when adding the same header in Burp Suite shows 302. It would be helpful to get the exact request being passed.

You must specify a valid URL for -u (--url) argument! Exitting..

Hey, I have a txt file where I have some urls to try. When I try this command: python3 403bypasser.py -u archivo_modificado.txt -d secret. I got an error, the file is in the same folder and thats the right path. So I dont know whats wrong

Add all urls

Hey mate ,
add all urls list at once so it`s easy to do on all URLS.
cat urls.txt | ./bypass_403.sh

How do you do anything with it?

Along with the directions making absolutely no sense, I just don't even understand how to run it. I used the git thingy but I couldn't actually find the file anywhere. And when I just downloaded it normally it crashed on startup.

How do i actually analyze the output?

The question says it all

add

Hi, please add this

SyntaxError

`SyntaxError: ('no viable alternative at input '"STATUS: {colour}{p.status_code}{reset}\tSIZE: {len(p.content)}"'', ('D:\Lily\Soft\Pentest\BurpSuiteV2023.2\BurpSuite-Extensions\403bypasser\403bypasser.py', 173, 16, ' info = f"STATUS: {colour}{p.status_code}{reset}\tSIZE: {len(p.content)}"\n'))

at org.python.core.ParserFacade.fixParseError(ParserFacade.java:95)
at org.python.core.ParserFacade.parse(ParserFacade.java:190)
at org.python.core.Py.compile_flags(Py.java:2249)
at org.python.core.__builtin__.execfile_flags(__builtin__.java:527)
at org.python.util.PythonInterpreter.execfile(PythonInterpreter.java:287)
at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
at java.base/java.lang.reflect.Method.invoke(Method.java:577)
at burp.Zmhw.Zw(Unknown Source)
at burp.Zlpg.Zy(Unknown Source)
at burp.Zmqv.Zt(Unknown Source)
at burp.Zah6.lambda$panelLoaded$0(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:833)

Project dependencies may have API risk issues

Hi, In 403bypasser, inappropriate dependency versioning constraints can cause risks.

Below are the dependencies and version constraints that the project is using

requests
argparse
validators
tldextract
colorama
pyfiglet

The version constraint == will introduce the risk of dependency conflicts because the scope of dependencies is too strict.
The version constraint No Upper Bound and * will introduce the risk of the missing API Error because the latest version of the dependencies may remove some APIs.

After further analysis, in this project,
The version constraint of dependency requests can be changed to >=0.2.1,<=0.2.3.
The version constraint of dependency requests can be changed to >=0.7.0,<=2.24.0.
The version constraint of dependency requests can be changed to ==2.26.0.
The version constraint of dependency argparse can be changed to >=1.2.1,<=1.4.0.
The version constraint of dependency validators can be changed to >=0.2.0,<=0.20.0.
The version constraint of dependency colorama can be changed to ==0.1.
The version constraint of dependency colorama can be changed to >=0.1.3,<=0.1.6.
The version constraint of dependency colorama can be changed to ==0.1.10.
The version constraint of dependency colorama can be changed to >=0.1.13,<=0.1.14.
The version constraint of dependency colorama can be changed to >=0.1.16,<=0.4.5.
The version constraint of dependency pyfiglet can be changed to >=0.7,<=0.8.post1.

The above modification suggestions can reduce the dependency conflicts as much as possible,
and introduce the latest version as much as possible without calling Error in the projects.

The invocation of the current project includes all the following methods.

The calling methods from the requests

requests.get
requests.post

The calling methods from the argparse

argparse.ArgumentParser.parse_args
argparse.ArgumentParser

The calling methods from the validators

validators.url

The calling methods from the colorama

colorama.init

The calling methods from the pyfiglet

pyfiglet.Figlet.renderText
pyfiglet.Figlet

The calling methods from the all methods

tldextract.extract
Arguments
self.dir.self.url.center
self.urls.append
sys.exit
self.checkURL
open
argparse.ArgumentParser
self.createNewPaths
requests.get
self.url.rstrip
Program.initialise
argparse.ArgumentParser.add_argument
os.path.exists
d.lstrip
domain_name.locals.manipulateRequest
validators.url
self.dir.endswith
self.manipulateHeaders
argparse.ArgumentParser.parse_args
Program
Query
self.dir.rstrip
self.dir.startswith
locals
results_2.append
file.readlines
self.dirs.append
pyfiglet.Figlet
PathRepository
colorama.init
Arguments.return_dirs
self.createNewHeaders
pyfiglet.Figlet.renderText
self.newHeaders.append
Arguments.return_urls
self.writeToFile
print
self.checkStatusCode
self.rewriteHeaders.append
requests.post
self.manipulatePath
self.checkDir
self.newPaths.append
len
file.write
x.strip
self.url.endswith
results.append

@developer
Could please help me check this issue?
May I pull a request to fix it?
Thank you very much.