Are you interested in web security and want to test your skills against potential 403 bypasses? If so, you've come to the right place! This project is a comprehensive suite of Bash scripts, meticulously designed for the purpose of probing 403 bypasses in web security. Whether you're a beginner or an expert, this tool will help you discover new ways to bypass 403 errors and access restricted resources.
This tool offers four different scripts, each with its own functionality and options.

You can use method-header.sh to test how different HTTP methods, headers, protocols and HTTP versions work together against the target URL.

The script includes a default set of headers and values. You can add your own headers and values using the -w option, like this: ./method-header.sh -d domain.com -w "header: value"
The script supports a wide range of HTTP methods:
- Standard methods: GET, POST, PUT, DELETE, OPTIONS, HEAD
- WebDAV methods: COPY, LOCK, MKCOL, MOVE, PROPFIND, PROPPATCH, UNLOCK
- Versioning methods: CHECKIN, CHECKOUT, LABEL, MERGE, REPORT, UPDATE
- Others: ACL, BASELINE-CONTROL, CONNECT, MKACTIVITY, MKWORKSPACE, ORDERPATCH, PATCH, SEARCH, TRACE, UNCHECKOUT, ARBITRARY, HACK, INVENTED, VERSION-CONTROL, FOO

The script includes a set of default headers and values that are commonly used in HTTP requests.

Default headers:
- Client-IP
- Cluster-Client-IP
- Connection
- Content-Length
- Forwarded-For
- Host
- Referer
- True-Client-IP
- User-Agent
- X-Custom-IP-Authorization
- X-Forwarded
- X-Forwarded-For
- X-Forwarded-Port
- X-Original-URL
- X-Originating-IP
- X-ProxyUser-Ip
- X-Remote-Addr
- X-Remote-IP
- X-Rewrite-URL

Default values:
- 0
- 0177.0000.0000.0001
- 0x7F000001
- 10.0.0.0
- 10.0.0.1
- 127.0.0.1
- 127.0.0.1:443
- 127.0.0.1:80
- 127.1
- 172.16.0.0
- 172.16.0.1
- 192.168.1.0
- 192.168.1.1
- 2130706433
- 443
- 454
- 8080
- close
- Close, Accept
- Close, Accept-Application
- Close, Accept-Charset
- Close, Accepted
- Close, Accept-Encoding
- Close, Accept-Encodxng
- Close, Accept-Language
- Close, Accept-Ranges
- Close, Accept-Version
- Close, Access-Control-Allow-Credentials
- Close, Access-Control-Allow-Headers
- Close, Access-Control-Allow-Methods
- Close, Access-Control-Allow-Origin
- Close, Access-Control-Expose-Headers
- http://localhost/
- localhost
- localhost:443
- localhost:80
- X-Bar
- X-FOO

Default User-Agent values:
- Operating system:
  - Android: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Mobile Safari/537.36
  - iOS (iPhone): Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Mobile/15E148 Safari/604.1
  - Windows: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.
  - Mac OS X: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.1 Safari/605.
  - Linux: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.
- Game consoles:
  - PlayStation: Mozilla/5.0 (PlayStation 4 1.70) AppleWebKit/536.26 (KHTML, like Gecko)
  - Xbox: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10553
- IoT:
  - Apple TV: AppleTV6,2/12.0.1
  - Amazon Fire TV: Dalvik/2.1.0 (Linux; U; Android 5.1.1; AFTS Build/LVY48F)
  - Roku Ultra: Roku4640X/DVP-7.70 (297.70E04154A)
  - Google Chromecast: Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.0 Safari/537.36 CrKey/1.5.16041

The script supports both HTTP and HTTPS protocols.

The script supports HTTP versions 1.0, 1.1, and 2.
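The header and value lists above are only meaningful once you see what they probe for on the server side: an origin that derives the client address from a client-supplied header, accepts the short, octal, hex or decimal spellings of 127.0.0.1 that appear in the value list, or gates only one HTTP verb. The following Python is an added example and not code from the 403-bypass project; it places that weak pattern beside a hardened version. The Request class, the loopback-only admin network and the 10.0.0.5 reverse-proxy address are assumptions made for the demonstration.

```python
"""Why the IP-override headers and exotic methods fuzzed above matter on the
server side. Added example, not code from the 403-bypass project. The Request
shape, ADMIN_NET and TRUSTED_PROXIES are assumptions for the demonstration."""
import ipaddress
import socket
from dataclasses import dataclass, field

# Client-address headers from the page's default header list (lower-cased).
IP_OVERRIDE_HEADERS = (
    "client-ip", "cluster-client-ip", "forwarded-for", "true-client-ip",
    "x-custom-ip-authorization", "x-forwarded", "x-forwarded-for",
    "x-originating-ip", "x-proxyuser-ip", "x-remote-addr", "x-remote-ip",
)

ADMIN_NET = ipaddress.ip_network("127.0.0.0/8")       # assumed: loopback-only admin area
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}  # assumed reverse-proxy address
ALLOWED_METHODS = {"GET", "HEAD", "POST"}


@dataclass
class Request:
    method: str
    peer: str                      # TCP peer address the server actually accepted
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive lookup; HTTP header names are case-insensitive."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def vulnerable_allow(req: Request) -> bool:
    """The pattern the fuzzer is built to find: only GET is gated, any
    client-address header overrides the socket peer, and a lenient
    inet_aton-style parser (glibc/BSD) also accepts the short, octal, hex and
    decimal forms from the value list (127.1, 0177.0000.0000.0001,
    0x7F000001, 2130706433)."""
    if req.method != "GET":
        return True                          # other verbs bypass the gate entirely
    client = req.peer
    for name in IP_OVERRIDE_HEADERS:
        value = req.header(name)
        if value:
            client = value.split(",")[0].strip()   # trusts the client-controlled hop
            break
    try:
        packed = socket.inet_aton(client)    # lenient parser; exact leniency varies by libc
    except OSError:
        return False
    return packed[:1] == b"\x7f"             # 127.x.x.x


def resolve_client_ip(req: Request):
    """Consult X-Forwarded-For only when the direct peer is a known proxy, and
    then use only the hop that proxy appended (the right-most one). Anything
    that does not parse strictly is treated as untrusted (None)."""
    peer = ipaddress.ip_address(req.peer)
    if peer not in TRUSTED_PROXIES:
        return peer                          # not behind our proxy: headers are noise
    xff = req.header("x-forwarded-for")
    if not xff:
        return peer
    last_hop = xff.split(",")[-1].strip()
    try:
        # ipaddress is strict: "127.1", "0x7F000001", "2130706433" raise ValueError
        return ipaddress.ip_address(last_hop)
    except ValueError:
        return None


def hardened_allow(req: Request) -> bool:
    """Deny-by-default on method, then gate on the resolved client address."""
    if req.method.upper() not in ALLOWED_METHODS:
        return False                         # PROPFIND, TRACE, FOO, ... never slip past
    client = resolve_client_ip(req)
    return client is not None and client in ADMIN_NET


if __name__ == "__main__":
    spoofed = Request("GET", "203.0.113.7", {"X-Forwarded-For": "127.0.0.1"})
    print("vulnerable:", vulnerable_allow(spoofed), "hardened:", hardened_allow(spoofed))
```

The hardened path also covers the case where a client prepends 127.0.0.1 to X-Forwarded-For and the trusted proxy appends the real address: only the right-most hop is used, so the spoofed entry is ignored.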
You can use headers.sh to fuzz various headers with different values against a target URL.

The script also includes a set of default values for these headers. You can add your own headers and values using the -w option, like this: ./headers.sh -d domain.com -w "header: value"

Default headers:
- X-Originating-IP: 127.0.0.1
- X-Forwarded-For: 127.0.0.1
- X-Forwarded: 127.0.0.1
- Forwarded-For: 127.0.0.1
- X-Remote-IP: 127.0.0.1
- X-Remote-Addr: 127.0.0.1
- X-ProxyUser-Ip: 127.0.0.1
- X-Original-URL: 127.0.0.1
- Client-IP: 127.0.0.1
- True-Client-IP: 127.0.0.1
- Cluster-Client-IP: 127.0.0.1
- Host: localhost
You can use user-agent-fuzz.sh to fuzz the User-Agent header with different values against a target URL.

It does not have a default User-Agent list. You can add your own list using the -w option, like this: ./user-agent-fuzz.sh -u https://domain.com -w list.txt
You can use methods.sh to test different HTTP methods against a target URL.

The script also includes a set of default methods. You can add your own methods using the -w option, like this: ./methods.sh -d domain.com -w METHOD

Default methods:
- GET
- POST
- PUT
- DELETE
- TRACE
- OPTIONS
- PATCH
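From the defender's side, the default header and method lists of headers.sh and methods.sh double as a detection vocabulary. The following Python is an added example and not code from the 403-bypass project: it runs over constructed JSON log lines of the kind an edge proxy could emit and flags override headers, methods outside a baseline, a burst of distinct denied variants against one path, and the strongest signal, a 403 that later flips to 200 for the same peer and path. The log format and every sample entry are constructed for the demonstration.

```python
"""Detecting 403-bypass probing in edge-proxy logs. Added example, not code
from the 403-bypass project; the JSON line format and all sample entries
below are constructed for the demonstration."""
import json
from collections import defaultdict

# Verbs a typical web app needs; anything else is worth a look.
BASELINE_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}

# Address- and path-override headers from the page's default header list.
# Browsers never send these; at the edge they come only from proxies or probes.
OVERRIDE_HEADERS = {
    "client-ip", "cluster-client-ip", "forwarded-for", "true-client-ip",
    "x-custom-ip-authorization", "x-forwarded", "x-forwarded-for",
    "x-forwarded-port", "x-originating-ip", "x-proxyuser-ip",
    "x-remote-addr", "x-remote-ip", "x-original-url", "x-rewrite-url",
}

# Constructed sample: one JSON object per request, as an edge proxy might emit.
SAMPLE_LOG = """\
{"ts": 1, "peer": "198.51.100.4", "method": "GET", "path": "/index.html", "status": 200, "headers": {"User-Agent": "Mozilla/5.0"}}
{"ts": 2, "peer": "203.0.113.7", "method": "GET", "path": "/admin", "status": 403, "headers": {"User-Agent": "curl/8.0"}}
{"ts": 3, "peer": "203.0.113.7", "method": "GET", "path": "/admin", "status": 403, "headers": {"X-Forwarded-For": "127.0.0.1"}}
{"ts": 4, "peer": "203.0.113.7", "method": "PROPFIND", "path": "/admin", "status": 403, "headers": {}}
{"ts": 5, "peer": "203.0.113.7", "method": "GET", "path": "/admin", "status": 200, "headers": {"X-Original-URL": "/admin"}}
"""


def parse_log(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def override_headers_in(event):
    """Names of override headers present on a request, sorted for stable output."""
    return sorted(h for h in event.get("headers", {}) if h.lower() in OVERRIDE_HEADERS)


def detect(events, min_variants=3):
    """Return findings for (1) override headers from any peer, (2) methods
    outside the baseline, (3) a peer sending several distinct denied variants
    against one path, and (4) a path that returned 403 to a peer and later
    2xx to the same peer (the bypass signature)."""
    findings = []
    per_target = defaultdict(list)               # (peer, path) -> events in time order
    for e in sorted(events, key=lambda ev: ev["ts"]):
        found = override_headers_in(e)
        if found:
            findings.append({"kind": "override-header", "peer": e["peer"],
                             "path": e["path"], "detail": ", ".join(found)})
        if e["method"].upper() not in BASELINE_METHODS:
            findings.append({"kind": "nonstandard-method", "peer": e["peer"],
                             "path": e["path"], "detail": e["method"]})
        per_target[(e["peer"], e["path"])].append(e)

    for (peer, path), evs in per_target.items():
        denied = [e for e in evs if e["status"] == 403]
        if not denied:
            continue
        # Distinct (method, override-header set) combinations that were refused.
        variants = {(e["method"].upper(), tuple(override_headers_in(e))) for e in denied}
        if len(variants) >= min_variants:
            findings.append({"kind": "probe-burst", "peer": peer, "path": path,
                             "detail": f"{len(variants)} denied variants"})
        first_denied_ts = denied[0]["ts"]
        for e in evs:
            if 200 <= e["status"] < 300 and e["ts"] > first_denied_ts:
                findings.append({"kind": "403-to-200-flip", "peer": peer, "path": path,
                                 "detail": f"{e['method']} with {override_headers_in(e) or 'no override headers'}"})
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f"{f['kind']:<18} {f['peer']:<14} {f['path']:<12} {f['detail']}")
```

If the log comes from an origin behind a trusted proxy rather than from the edge, filter the override-header rule by peer first, since the proxy legitimately adds X-Forwarded-For to every request.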
For an in-depth understanding of the features offered by this tool, I invite you to visit my Medium website. The link provided will guide you to a wealth of information tailored to enhance your user experience and broaden your knowledge about the tool's capabilities. Your journey to mastery begins with a single Click.
To install this tool, simply follow these steps:
- git clone https://github.com/diiablo00/403-bypass
- cd 403-bypass
- chmod +x *.sh

To use this tool, simply run the desired script with the appropriate options. For example:
- ./method-header.sh -h
- ./headers.sh -h
- ./user-agent-fuzz.sh -h
- ./methods.sh -h

You can also view the help menu of each script by using the -h option.
Here are screenshots of each tool:
./method-header.sh -d www.google.com
./headers.sh -d www.google.com
./user-agent-fuzz.sh -u https://www.google.com -w list.txt
./methods.sh -d www.google.com
If you want to contribute to this project, feel free to fork it and submit a pull request. You can also report any issues or suggestions on the Issues page.
If you have any questions or feedback, you can follow me on
- Twitter: diablo0_diablo
- Instagram: diablo0_diablo

I'd love to hear from you!
For further reading and understanding, here are some articles that provide more insights into bypassing 403 protections:
- Bypassing 403 Protection To Get Pagespeed Admin Access
- Bypassing Multiple 403 Response Type Pages
- New technique 403 bypass lyncdiscover.microsoft.com
- How I bypassed 403 forbidden domain using a simple trick
- How to bypass 403 forbidden bypass
- How 403 Forbidden Bypass got me NOKIA Hall Of Fame (HOF)
- 403 forbidden bypass leads to HALL OF FAME
These articles provide valuable insights and practical examples of bypassing 403 protections. They can be a great resource for anyone interested in web security.
Remember, always stay updated and keep learning!