Login
nomore403 is an innovative tool designed to help cybersecurity professionals and enthusiasts bypass HTTP 40X errors encountered during web security assessments. Unlike other solutions, nomore403 automates various techniques to seamlessly navigate past these access restrictions, offering a broad range of strategies from header manipulation to method tampering.
Before you install and run nomore403, make sure you have the following: - Go 1.15 or higher installed on your machine.
Grab the latest release for your OS from our Releases page.
If you prefer to compile the tool yourself:
FreshRSS git clone https://github.com/devploit/nomore403
cd nomore403
go get
go build
To edit or add new bypasses, modify the payloads directly in the payloads folder. nomore403 will automatically incorporate these changes.
________ ________ ________ ________ ________ ________ ________ ________ ________
โฑ โฑ โฒโฑ โฒโฑ โฑ โฒโฑ โฒโฑ โฒโฑ โฒโฑ โฑ โฒโฑ โฒโฑ__ โฒ
โฑ โฑ โฑ โฑ โฑ โฑ โฑ โฑ โฑ __โฑ โฑ โฑ โฑ__ โฑ
โฑ โฑ โฑ โฑ โฑ _โฑ __/____ โฑ โฑ โฑ
โฒ__โฑ_____โฑโฒ________โฑโฒ__โฑ__โฑ__โฑโฒ________โฑโฒ____โฑ___โฑโฒ________โฑ โฑ____โฑโฒ________โฑโฒ________โฑ
Target: https://domain.com/admin
Headers: false
Proxy: false
User Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/7.0; 1ButtonTaskbar)
Method: GET
Payloads folder: payloads
Custom bypass IP: false
Follow Redirects: false
Rate Limit detection: false
Verbose: false
โโโโโโโโโโโโโ DEFAULT REQUEST โโโโโโโโโโโโโ
403 429 bytes https://domain.com/admin
โโโโโโโโโโโโโ VERB TAMPERING โโโโโโโโโโโโโโ
โโโโโโโโโโโโโ HEADERS โโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโ CUSTOM PATHS โโโโโโโโโโโโโโโโ
200 2047 bytes https://domain.com/;///..admin
โโโโโโโโโโโโโ HTTP VERSIONS โโโโโโโโโโโโโโโ
403 429 bytes HTTP/1.0
403 429 bytes HTTP/1.1
403 429 bytes HTTP/2
โโโโโโโโโโโโโ CASE SWITCHING โโโโโโโโโโโโโโ
200 2047 bytes https://domain.com/%61dmin
./nomore403 -u https://domain.com/admin
./nomore403 -u https://domain.com/admin -x http://127.0.0.1:8080 -v
./nomore403 --request-file request.txt
./nomore403 -u https://domain.com/admin -H "Environment: Staging" -b 8.8.8.8
./nomore403 -u https://domain.com/admin -m 10 -d 200
./nomore403 -h
Command line application that automates different ways to bypass 40X codes.
Usage:
nomore403 [flags]
Flags:
-i, --bypass-ip string Use a specified IP address or hostname for bypassing access controls. Injects this IP in headers like 'X-Forwarded-For'.
-d, --delay int Specify a delay between requests in milliseconds. Helps manage request rate (default: 0ms).
-f, --folder string Specify the folder location for payloads if not in the same directory as the executable.
-H, --header strings Add one or more custom headers to requests. Repeatable flag for multiple headers.
-h, --help help for nomore403
--http Use HTTP instead of HTTPS for requests defined in the request file.
-t, --http-method string Specify the HTTP method for the request (e.g., GET, POST). Default is 'GET'.
-m, --max-goroutines int Limit the maximum number of concurrent goroutines to manage load (default: 50). (default 50)
--no-banner Disable the display of the startup banner (default: banner shown).
-x, --proxy string Specify a proxy server for requests, e.g., 'http://server:port'.
--random-agent Enable the use of a randomly selected User-Agent.
-l, --rate-limit Halt requests upon encountering a 429 (rate limit) HTTP status code.
-r, --redirect Automatically follow redirects in responses.
--request-file string Load request configuration and flags from a specified file.
-u, --uri string Specify the target URL for the request.
-a, --user-agent string pecify a custom User-Agent string for requests (default: 'nomore403').
-v, --verbose Enable verbose output for detailed request/response logging.
We welcome contributions of all forms. Here's how you can help:
While nomore403 is designed for educational and ethical testing purposes, it's important to use it responsibly and with permission on target systems. Please adhere to local laws and guidelines.
nomore403 is released under the MIT License. See the LICENSE file for details.
REcollapse is a helper tool for black-box regex fuzzing to bypass validations and discover normalizations in web applications.
It can also be helpful to bypass WAFs and weak vulnerability mitigations. For more information, take a look at the REcollapse blog post.
The goal of this tool is to generate payloads for testing. Actual fuzzing shall be done with other tools like Burp (intruder), ffuf, or similar.
Requirements: Python 3
pip3 install --user --upgrade -r requirements.txt or ./install.sh
Docker
docker build -t recollapse . or docker pull 0xacb/recollapse
$ recollapse -h
usage: recollapse [-h] [-p POSITIONS] [-e {1,2,3}] [-r RANGE] [-s SIZE] [-f FILE]
[-an] [-mn MAXNORM] [-nt]
[input]
REcollapse is a helper tool for black-box regex fuzzing to bypass validations and
discover normalizations in web applications
positional arguments:
input original input
options:
-h, --help show this help message and exit
-p POSITIONS, --positions POSITIONS
pivot position modes. Example: 1,2,3,4 (default). 1: starting,
2: separator, 3: normalization, 4: termination
-e {1,2,3}, --encoding {1,2,3}
1: URL-encoded format (default), 2: Unicode format, 3: Raw
format
-r RANGE, --range RANGE
range of bytes for fuzzing. Example: 0,0xff (default)
-s SIZE, --size SIZE numb er of fuzzing bytes (default: 1)
-f FILE, --file FILE read input from file
-an, --alphanum include alphanumeric bytes in fuzzing range
-mn MAXNORM, --maxnorm MAXNORM
maximum number of normalizations (default: 3)
-nt, --normtable print normalization table
Let's consider this_is.an_example as the input.
Positions
$this_is.an_example
this$_$is$.$an$_$example
this_is.an_example$
Encoding
application/x-www-form-urlencoded or query parameters: %22this_is.an_example
application/json: \u0022this_is.an_example
multipart/form-data: "this_is.an_example
Range
Specify a range of bytes for fuzzing: -r 1-127. This will exclude alphanumeric characters unless the -an option is provided.
Size
Specify the size of fuzzing for positions 1, 2 and 4. The default approach is to fuzz all possible values for one byte. Increasing the size will consume more resources and generate many more inputs, but it can lead to finding new bypasses.
File
Input can be provided as a positional argument, stdin, or a file through the -f option.
Alphanumeric
By default, alphanumeric characters will be excluded from output generation, which is usually not interesting in terms of responses. You can allow this with the -an option.
Maximum number or normalizations
Not all normalization libraries have the same behavior. By default, three possibilities for normalizations are generated for each input index, which is usually enough. Use the -mn option to go further.
Normalization table
Use the -nt option to show the normalization table.
$ recollapse -e 1 -p 1,2,4 -r 10-11 https://legit.example.com
%0ahttps://legit.example.com
%0bhttps://legit.example.com
https%0a://legit.example.com
https%0b://legit.example.com
https:%0a//legit.example.com
https:%0b//legit.example.com
https:/%0a/legit.example.com
https:/%0b/legit.example.com
https://%0alegit.example.com
https://%0blegit.example.com
https://legit%0a.example.com
https://legit%0b.example.com
https://legit.%0aexample.com
https://legit.%0bexample.com
https://legit.example%0a.com
https://legit.example%0b.com
https://legit.example.%0acom
https://legit.example.%0bcom
https://legit.example.com%0a
https://legit.example.com%0b
This technique has been presented on BSidesLisbon 2022
Blog post: https://0xacb.com/2022/11/21/recollapse/
Slides:
Videos:
Normalization table: https://0xacb.com/normalization_table
Thanks
and
WAF bypass Tool is an open source tool to analyze the security of any WAF for False Positives and False Negatives using predefined and customizable payloads. Check your WAF before an attacker does. WAF Bypass Tool is developed by Nemesida WAF team with the participation of community.
It is forbidden to use for illegal and illegal purposes. Don't break the law. We are not responsible for possible risks associated with the use of this software.
The latest waf-bypass always available via the Docker Hub. It can be easily pulled via the following command:
# docker pull nemesida/waf-bypass
# docker run nemesida/waf-bypass --host='example.com'
# git clone https://github.com/nemesida-waf/waf_bypass.git /opt/waf-bypass/
# python3 -m pip install -r /opt/waf-bypass/requirements.txt
# python3 /opt/waf-bypass/main.py --host='example.com'
'--proxy' (--proxy='http://proxy.example.com:3128') - option allows to specify where to connect to instead of the host.
'--header' (--header 'Authorization: Basic YWRtaW46YWRtaW4=' --header 'X-TOKEN: ABCDEF') - option allows to specify the HTTP header to send with all requests (e.g. for authentication). Multiple use is allowed.
'--user-agent' (--user-agent 'MyUserAgent 1/1') - option allows to specify the HTTP User-Agent to send with all requests, except when the User-Agent is set by the payload ("USER-AGENT").
'--block-code' (--block-code='403' --block-code='222') - option allows you to specify the HTTP status code to expect when the WAF is blocked. (default is 403). Multiple use is allowed.
'--threads' (--threads=15) - option allows to specify the number of parallel scan threads (default is 10).
'--timeout' (--timeout=10) - option allows to specify a request processing timeout in sec. (default is 30).
'--json-format' - an option that allows you to display the result of the work in JSON format (useful for integrating the tool with security platforms).
'--details' - display the False Positive and False Negative payloads. Not available in JSON format.
'--exclude-dir' - exclude the payload's directory (--exclude-dir='SQLi' --exclude-dir='XSS'). Multiple use is allowed.
Depending on the purpose, payloads are located in the appropriate folders:
When compiling a payload, the following zones, method and options are used:
Base64, HTML-ENTITY, UTF-16) in addition to the encoding for the payload. Multiple values are indicated with a space (e.g. Base64 UTF-16). Applicable only to for ARGS, BODY, COOKIE and HEADER zone. Not applicable to payloads in API and MFD directories. Not compatible with option JSON.Except for some cases described below, the zones are independent of each other and are tested separately (those if 2 zones are specified - the script will send 2 requests - alternately checking one and the second zone).
For the zones you can use %RND% suffix, which allows you to generate an arbitrary string of 6 letters and numbers. (e.g.: param%RND=my_payload or param=%RND% OR A%RND%B)
You can create your own payloads, to do this, create your own folder on the '/payload/' folder, or place the payload in an existing one (e.g.: '/payload/XSS'). Allowed data format is JSON.
API testing payloads located in this directory are automatically appended with a header 'Content-Type: application/json'.
For MFD (multipart/form-data) payloads located in this directory, you must specify the BODY (required) and BOUNDARY (optional). If BOUNDARY is not set, it will be generated automatically (in this case, only the payload must be specified for the BODY, without additional data ('... Content-Disposition: form-data; ...').
If a BOUNDARY is specified, then the content of the BODY must be formatted in accordance with the RFC, but this allows for multiple payloads in BODY a separated by BOUNDARY.
Other zones are allowed in this directory (e.g.: URL, ARGS etc.). Regardless of the zone, header 'Content-Type: multipart/form-data; boundary=...' will be added to all requests.
