403-bypass

Are you interested in web security and want to test your skills against potential 403 bypasses? If so, you've come to the right place. This project is a suite of Bash scripts designed for probing 403 bypasses: each script sends variations of a request (HTTP methods, headers and header values, protocols, HTTP versions) against a target URL so you can see which variations the server does not reject. Whether you're a beginner or an expert, this tool will help you discover new ways to bypass 403 errors and access restricted resources.

Features

  • This tool consists of four scripts, each with its own functionality and options.
  1. method-header.sh

    • You can use method-header.sh to test how different HTTP methods, headers, protocols (HTTP and HTTPS) and HTTP versions work in combination against the target URL.
    • The script also includes a set of default headers and values. You can add your own header and value with the -w option, like this: ./method-header.sh -d domain.com -w "Header: value"
    1. HTTP Method

      The script supports a wide range of HTTP methods:

      1. Standard methods: GET, POST, PUT, DELETE, OPTIONS, HEAD
      2. WebDAV methods: COPY, LOCK, MKCOL, MOVE, PROPFIND, PROPPATCH, UNLOCK
      3. Versioning methods: CHECKIN, CHECKOUT, LABEL, MERGE, REPORT, UPDATE
      4. Others: ACL, BASELINE-CONTROL, CONNECT, MKACTIVITY, MKWORKSPACE, ORDERPATCH, PATCH, SEARCH, TRACE, UNCHECKOUT, ARBITRARY, HACK, INVENTED, VERSION-CONTROL, FOO
    2. HTTP Headers

      The script includes a set of default headers and values that are commonly used in HTTP requests:

      1. Default Headers
        • Client-IP
        • Cluster-Client-IP
        • Connection
        • Content-Length
        • Forwarded-For
        • Host
        • Referer
        • True-Client-IP
        • User-Agent
        • X-Custom-IP-Authorization
        • X-Forwarded
        • X-Forwarded-For
        • X-Forwarded-Port
        • X-Original-URL
        • X-Originating-IP
        • X-ProxyUser-Ip
        • X-Remote-Addr
        • X-Remote-IP
        • X-Rewrite-URL
      2. Default values
        • 0
        • 0177.0000.0000.0001
        • 0x7F000001
        • 10.0.0.0
        • 10.0.0.1
        • 127.0.0.1
        • 127.0.0.1:443
        • 127.0.0.1:80
        • 127.1
        • 172.16.0.0
        • 172.16.0.1
        • 192.168.1.0
        • 192.168.1.1
        • 2130706433
        • 443
        • 454
        • 8080
        • close
        • Close, Accept
        • Close, Accept-Application
        • Close, Accept-Charset
        • Close, Accepted
        • Close, Accept-Encoding
        • Close, Accept-Encodxng
        • Close, Accept-Language
        • Close, Accept-Ranges
        • Close, Accept-Version
        • Close, Access-Control-Allow-Credentials
        • Close, Access-Control-Allow-Headers
        • Close, Access-Control-Allow-Methods
        • Close, Access-Control-Allow-Origin
        • Close, Access-Control-Expose-Headers
        • http://localhost/
        • localhost
        • localhost:443
        • localhost:80
        • X-Bar
        • X-FOO
        • User Agent Values:
          1. operating system:
            • Android: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Mobile Safari/537.36
            • iOS (iPhone): Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Mobile/15E148 Safari/604.1
            • Windows: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.
            • Mac OS X: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.1 Safari/605.
            • Linux: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.
          2. game consoles:
            • PlayStation: Mozilla/5.0 (PlayStation 4 1.70) AppleWebKit/536.26 (KHTML, like Gecko)
            • Xbox: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10553
          3. IoT:
            • Apple TV: AppleTV6,2/12.0.1
            • Amazon Fire TV: Dalvik/2.1.0 (Linux; U; Android 5.1.1; AFTS Build/LVY48F)
            • Roku Ultra: Roku4640X/DVP-7.70 (297.70E04154A)
            • Google Chromecast: Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.0 Safari/537.36 CrKey/1.5.16041
    3. HTTP Protocols

      • The script supports both HTTP and HTTPS protocols.
    4. HTTP Versions

      • The script supports HTTP versions 1.0, 1.1, and 2.
  2. headers.sh

    • You can use headers.sh to fuzz various headers with different values against a target URL.
    • The script also includes a set of default headers and values. You can add your own header and value with the -w option, like this: ./headers.sh -d domain.com -w "Header: value"

    • Default Headers:

      • X-Originating-IP: 127.0.0.1
      • X-Forwarded-For: 127.0.0.1
      • X-Forwarded: 127.0.0.1
      • Forwarded-For: 127.0.0.1
      • X-Remote-IP: 127.0.0.1
      • X-Remote-Addr: 127.0.0.1
      • X-ProxyUser-Ip: 127.0.0.1
      • X-Original-URL: 127.0.0.1
      • Client-IP: 127.0.0.1
      • True-Client-IP: 127.0.0.1
      • Cluster-Client-IP: 127.0.0.1
      • Host: localhost
  3. user-agent-fuzz.sh

    • You can use user-agent-fuzz.sh to fuzz the User-Agent header with different values against a target URL.
    • It does not ship with a default User-Agent list. Supply your own list with the -w option, like this: ./user-agent-fuzz.sh -u https://domain.com -w list.txt
  4. methods.sh

    • You can use methods.sh to test different HTTP methods against a target URL.
    • The script also includes a set of default methods. You can add your own method with the -w option, like this: ./methods.sh -d domain.com -w METHOD

    • Default Methods:

      • GET
      • POST
      • PUT
      • DELETE
      • TRACE
      • OPTIONS
      • PATCH
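The header names and values listed under method-header.sh and headers.sh all probe one server-side mistake: deriving the client's address (or the routed path) from headers the client itself can set. The following Python example is added here and is not code from the 403-bypass project. It puts the weak check beside a hardened one that only honours X-Forwarded-For when the TCP peer is a proxy the operator runs, and adds the edge filter a reverse proxy should apply so nothing behind it sees those headers from an untrusted peer. The Request type, the proxy address 192.0.2.10, the 10.0.0.0/8 allowlist and every request value are constructed for the example.

```python
"""Trusting client-supplied IP headers: the weak check beside a hardened one.

Added example for this README, not code from the 403-bypass project.
The Request type, the proxy address, the allowlist and every request below
are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

# Header names from the README's default lists. Any check that reads these
# directly lets the client pick its own "source address" or routed path.
SPOOFABLE_IP_HEADERS = (
    "Client-IP", "Cluster-Client-IP", "Forwarded-For", "True-Client-IP",
    "X-Forwarded-For", "X-Forwarded", "X-Originating-IP", "X-ProxyUser-Ip",
    "X-Remote-Addr", "X-Remote-IP", "X-Custom-IP-Authorization",
)
PATH_OVERRIDE_HEADERS = ("X-Original-URL", "X-Rewrite-URL")

ADMIN_ALLOWLIST = ipaddress.ip_network("10.0.0.0/8")      # constructed
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}    # constructed


@dataclass
class Request:
    peer_ip: str                                  # TCP peer, taken from the socket
    headers: dict = field(default_factory=dict)   # raw request headers


def _header(req, name):
    """Case-insensitive lookup; header names are case-insensitive in HTTP."""
    wanted = name.lower()
    for key, value in req.headers.items():
        if key.lower() == wanted:
            return value
    return None


def weak_client_ip(req):
    """Vulnerable pattern: the first spoofable header found wins and the
    socket address is only a fallback, so any client can claim 10.0.0.1."""
    for name in SPOOFABLE_IP_HEADERS:
        value = _header(req, name)
        if value:
            return value.split(",")[0].strip()
    return req.peer_ip


def hardened_client_ip(req):
    """Use the socket address unless the peer is a proxy we operate; then take
    the right-most X-Forwarded-For hop, which is the address that proxy itself
    appended. Any earlier hops were supplied by the client and are ignored."""
    peer = ipaddress.ip_address(req.peer_ip)
    xff = _header(req, "X-Forwarded-For") or ""
    if peer in TRUSTED_PROXIES:
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        if hops:
            return hops[-1]
    return req.peer_ip


def _in_allowlist(ip_text):
    try:
        return ipaddress.ip_address(ip_text) in ADMIN_ALLOWLIST
    except ValueError:
        return False   # "127.1", "0x7F000001" and similar are rejected, not guessed at


def weak_is_admin(req):
    return _in_allowlist(weak_client_ip(req))


def hardened_is_admin(req):
    return _in_allowlist(hardened_client_ip(req))


def sanitize_at_edge(req):
    """What the outermost reverse proxy should do before forwarding: drop every
    spoofable IP header and path-override header unless the request came from
    another trusted proxy, so no backend can be fooled by them."""
    if ipaddress.ip_address(req.peer_ip) in TRUSTED_PROXIES:
        return dict(req.headers)
    drop = {h.lower() for h in SPOOFABLE_IP_HEADERS + PATH_OVERRIDE_HEADERS}
    return {k: v for k, v in req.headers.items() if k.lower() not in drop}
```

With an external peer of 198.51.100.7 sending X-Forwarded-For: 10.0.0.1, weak_is_admin returns True and hardened_is_admin returns False; the same spoofed hop arriving through the trusted proxy (which appends the real peer as the last hop) is also rejected by the hardened check. The edge filter removes the header entirely for untrusted peers, which is the cleanest fix when the backends cannot all be audited.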

For an in-depth look at the features offered by this tool, see my Medium article, which explains each script's capabilities in more detail.
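The method lists under method-header.sh and methods.sh exist because access rules are often written for the single verb their author had in mind. The following Python example is added here and is not code from the 403-bypass project. It shows a rule keyed on GET beside a hardened rule that decides on the resource first and then rejects verbs the application does not implement, together with a check over access-log lines that surfaces one source trying many methods against one path. The routing rules, the allowed-method set and the Common Log Format lines are constructed for the example and describe no real traffic.

```python
"""Method-keyed access rules beside a hardened rule, and a log check for
method sweeps.

Added example for this README, not code from the 403-bypass project.
The routing rules and the access-log lines are constructed for illustration.
"""
import re
from collections import defaultdict

RESTRICTED_PREFIXES = ("/admin",)            # constructed
ALLOWED_METHODS = {"GET", "HEAD", "POST"}    # what the application actually implements


def _restricted(path):
    """Assumes the path was already normalised upstream (no %2e, no //)."""
    return any(path == p or path.startswith(p + "/") for p in RESTRICTED_PREFIXES)


def weak_route_guard(method, path, is_admin):
    """Vulnerable pattern: the rule names the one method its author had in mind,
    so POST, PROPFIND or an invented verb against /admin never reaches it."""
    if method == "GET" and _restricted(path) and not is_admin:
        return 403
    return 200


def hardened_route_guard(method, path, is_admin):
    """Decide on the resource first, for every method; then reject verbs the
    application does not implement so that no handler ever sees them."""
    if _restricted(path) and not is_admin:
        return 403
    if method.upper() not in ALLOWED_METHODS:
        return 405
    return 200


# Common Log Format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)

# Constructed access-log lines (documentation addresses only), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Oct/2023:03:51:24 +0000] "GET /admin HTTP/1.1" 403 153
203.0.113.5 - - [05/Oct/2023:03:51:24 +0000] "POST /admin HTTP/1.1" 403 153
203.0.113.5 - - [05/Oct/2023:03:51:25 +0000] "PROPFIND /admin HTTP/1.1" 403 153
203.0.113.5 - - [05/Oct/2023:03:51:25 +0000] "TRACE /admin HTTP/1.1" 403 153
203.0.113.5 - - [05/Oct/2023:03:51:25 +0000] "ARBITRARY /admin HTTP/1.1" 403 153
203.0.113.5 - - [05/Oct/2023:03:51:26 +0000] "FOO /admin HTTP/1.1" 200 2048
198.51.100.9 - - [05/Oct/2023:03:52:01 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.9 - - [05/Oct/2023:03:52:02 +0000] "POST /login HTTP/1.1" 302 0
"""


def find_method_sweeps(log_text, min_methods=4):
    """Return {(ip, path): {"methods": [...], "got_200": bool}} for sources that
    hit one path with at least min_methods distinct verbs. A 200 after a run of
    403s on the same path is the case worth paging on."""
    seen = defaultdict(lambda: {"methods": set(), "statuses": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # skip lines that are not in the expected format
        entry = seen[(m["ip"], m["path"])]
        entry["methods"].add(m["method"])
        entry["statuses"].add(m["status"])
    return {
        key: {"methods": sorted(e["methods"]), "got_200": "200" in e["statuses"]}
        for key, e in seen.items()
        if len(e["methods"]) >= min_methods
    }
```

In the sample log, the weak rule would answer 200 to every non-GET verb on /admin, while the hardened rule answers 403 for all of them from an unauthenticated source and 405 for unimplemented verbs from an authorised one. The sweep check reports 203.0.113.5 against /admin with six distinct methods and a 200 among the responses, which is the pattern these scripts produce when they succeed.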

Installation

To install this tool, simply follow these steps:

  • git clone https://github.com/diiablo00/403-bypass
  • cd 403-bypass
  • chmod +x *.sh

Usage

To use this tool, run the desired script with the appropriate options. Each script prints its help menu with the -h option:

  • ./method-header.sh -h
  • ./headers.sh -h
  • ./user-agent-fuzz.sh -h
  • ./methods.sh -h

Demo

Screenshots of each script (the images are not reproduced here; the captured command is given with the screenshot name):

  • ./method-header.sh -h (screenshot Screenshot_2023-10-05_03_49_59)
  • ./method-header.sh -d www.google.com (screenshot Screenshot_2023-10-05_03_51_24)
  • ./headers.sh -h (screenshot Screenshot_2023-10-05_03_56_13)
  • ./headers.sh -d www.google.com (screenshot Screenshot_2023-10-05_03_56_37)
  • ./user-agent-fuzz.sh -h (screenshot Screenshot_2023-10-05_03_57_52)
  • ./user-agent-fuzz.sh -u https://www.google.com -w list.txt (screenshot Screenshot_2023-10-05_03_58_35)
  • ./methods.sh -h (screenshot Screenshot_2023-10-05_03_54_44)
  • ./methods.sh -d www.google.com (screenshot Screenshot_2023-10-05_03_55_05)

Contribution

If you want to contribute to this project, feel free to fork it and submit a pull request. You can also report any issues or suggestions on the Issues page.

Contact

If you have any questions or feedback, you can follow me on

Articles

For further reading and understanding, here are some articles that provide more insights into bypassing 403 protections:

These articles provide valuable insights and practical examples of bypassing 403 protections. They can be a great resource for anyone interested in web security.

Remember, always stay updated and keep learning!

Contributors

  • diablo-101
