sting8k / burpsuite_403bypasser
Burpsuite Extension to bypass 403 restricted directory
Hey, I think you are using the X-Original-Url / X-Rewrite-Url vector in the wrong way. These headers usually help to bypass front server rules, which are based on the URI, but you don't change the URI while using these headers.

First, a normal request returns 403:

GET /.git/ HTTP/1.1
Host: example.com

This attempt to bypass will return 403 too, because the URI hasn't changed and the rule still applies:

GET /.git/ HTTP/1.1
Host: example.com
X-Rewrite-URL: /.git/

This one should bypass the restriction:

GET / HTTP/1.1
Host: example.com
X-Rewrite-URL: /.git/
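
The behaviour described in the issue above, modelled as an added example (not part of the original issue or of the extension's code). It assumes a front proxy that denies by request-line URI prefix and a backend that routes on X-Rewrite-URL / X-Original-URL when present; the function names and the deny rule are hypothetical. It also shows the edge-side fix (strip the override headers) and a simple detection check.

```python
# Constructed model, not the extension's code: a front proxy with a URI-based
# deny rule, and a backend that routes on an override header when present.
DENY_PREFIXES = ("/.git/",)  # assumed front-server rule
OVERRIDE_HEADERS = ("x-rewrite-url", "x-original-url")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, uri, lower-cased headers)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.split("\n") if line.strip()]
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def denied(path):
    return any(path.startswith(prefix) for prefix in DENY_PREFIXES)


def front_proxy(raw, strip_overrides=False):
    """Return (status, path the backend ends up serving or None)."""
    _method, uri, headers = parse_request(raw)
    if denied(uri):  # the rule only ever sees the request-line URI
        return 403, None
    if strip_overrides:  # mitigation: drop the headers at the edge
        headers = {k: v for k, v in headers.items() if k not in OVERRIDE_HEADERS}
    # Backend behaviour (assumed): an override header wins over the request line.
    served = next((headers[h] for h in OVERRIDE_HEADERS if h in headers), uri)
    return 200, served


def override_mismatch(raw):
    """Detection: override header names a denied path the request line hides."""
    _method, uri, headers = parse_request(raw)
    return any(denied(headers.get(h, "")) and not denied(uri)
               for h in OVERRIDE_HEADERS)


REQUESTS = {  # the three requests from the issue text
    "plain": "GET /.git/ HTTP/1.1\nHost: example.com\n\n",
    "same_uri": "GET /.git/ HTTP/1.1\nHost: example.com\nX-Rewrite-URL: /.git/\n\n",
    "changed_uri": "GET / HTTP/1.1\nHost: example.com\nX-Rewrite-URL: /.git/\n\n",
}

if __name__ == "__main__":
    for name, raw in REQUESTS.items():
        print(name, front_proxy(raw), front_proxy(raw, True), override_mismatch(raw))
```
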
jdk 15, burpsuite v2021.8, jython-standalone-2.7.0
NotImplementedError
at org.python.core.Py.NotImplementedError(Py.java:167)
at org.python.proxies.__main__$BurpExtender$0.doActiveScan(Unknown Source)
at burp.csj.run(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
at java.base/java.lang.Thread.run(Thread.java:832)
I get this error while loading extension from python file:
java.lang.Exception: Failed to load Python interpreter from Jython JAR file
at burp.e76.<init>(Unknown Source)
at burp.f1z.a(Unknown Source)
at burp.gvj.lambda$panelLoaded$0(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
SyntaxError: Non-ASCII character in file 'C:\Users\sbdefault\Desktop\Burp Custom Extensions\403bypasser.py', but no encoding declared; see http://www.python.org/peps/pep-0263.html for details
at org.python.core.Py.SyntaxError(Py.java:171)
at org.python.core.ParserFacade.fixParseError(ParserFacade.java:105)
at org.python.core.ParserFacade.parse(ParserFacade.java:190)
at org.python.core.Py.compile_flags(Py.java:2232)
at org.python.core.__builtin__.execfile_flags(__builtin__.java:527)
at org.python.util.PythonInterpreter.execfile(PythonInterpreter.java:287)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at burp.ip.<init>(Unknown Source)
at burp.xkf.a(Unknown Source)
at burp.plh.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Hi,
I've loaded the extension in BurpSuite with no errors, but when requesting a resource with a 403 response, I don't see any other requests in the Proxy HTTP History.
Am I doing something wrong?
Thanks
Traceback (most recent call last):
File "", line 1, in
OSError: (22, 'Invalid argument', 'D:\Burp_Suite_Pro_v2021.8\bp??\BurpSuite_403Bypasser-main')
at org.python.core.Py.OSError(Py.java:135)
at org.python.modules.posix.PosixModule.absolutePath(PosixModule.java:1343)
at org.python.modules.posix.PosixModule.chdir(PosixModule.java:300)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:564)
at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:190)
at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:208)
at org.python.core.PyObject.__call__(PyObject.java:461)
at org.python.core.PyObject.__call__(PyObject.java:465)
at org.python.pycode._pyx2.f$0(<string>:1)
at org.python.pycode._pyx2.call_function(<string>)
at org.python.core.PyTableCode.call(PyTableCode.java:173)
at org.python.core.PyCode.call(PyCode.java:18)
at org.python.core.Py.runCode(Py.java:1687)
at org.python.core.Py.exec(Py.java:1731)
at org.python.util.PythonInterpreter.exec(PythonInterpreter.java:268)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:564)
at burp.fpz.<init>(Unknown Source)
at burp.d25.a(Unknown Source)
at burp.gix.lambda$panelLoaded$0(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
at java.base/java.lang.Thread.run(Thread.java:832)