The original 403fuzzer.py :)
Fuzz 401/403ing endpoints for bypasses
Perform various checks via headers, path normalization, verbs, etc. to attempt to bypass ACL's or URL validation.
- Output the response codes and length for each request, in a nicely organized, color coded way so things are readable.
- "Smart" filter that lets you mute responses that look the same after a certain number of times.
- Feed it raw HTTP requests from Burp.
If this tool helped get you a bounty or you'd just like to buy me a beer:
Follow me on twitter! @intrudir
# clone the repo (or download it as a zip!) then navigate to the directory
git clone https://github.com/NetSPI/BypassFuzzer.git
cd BypassFuzzer
# it is best practice to create a new virtual env.
python3 -m venv .venv
# activate the venv
source .venv/bin/activate
# install dependencies
python3 -m pip install -r requirements.txt
# clone the repo (or download it as a zip!) then navigate to the directory
# if you download the .zip, remember to extract it first
cd BypassFuzzer-main\
# it is best practice to create a new virtual env.
py -m venv .venv
# activate the venv
.venv\Scripts\activate
# install dependencies
# you need to use 'python' cmd in order to use the interpreter from this environment.
python -m pip install -r .\requirements.txt
For Windows, in order to use the script, make sure you use the python
command. This ensures you are using the virtual environment.
See the help menu
bypassfuzzer.py -h
Simply paste the request into a file and run the script!
- It will parse and use
cookies
&headers
from the request. - Easiest way to authenticate for your requests
python3 bypassfuzzer.py -r request.txt
Specify a URL
python3 bypassfuzzer.py -u http://example.com/test1/test2/test3/forbidden.html
Specify cookies to use in requests:
some examples:
--cookies "cookie1=blah"
-c "cookie1=blah; cookie2=blah"
Specify a method/verb and body data to send
bypassfuzzer.py -u https://example.com/forbidden -m POST -d "param1=blah¶m2=blah2"
bypassfuzzer.py -u https://example.com/forbidden -m PUT -d "param1=blah¶m2=blah2"
Specify custom headers to use with every request
Maybe you need to add some kind of auth header like Authorization: bearer <token>
Specify -H "header: value"
for each additional header you'd like to add:
bypassfuzzer.py -u https://example.com/forbidden -H "Some-Header: blah" -H "Authorization: Bearer 1234567"
Based on response code and length. If it sees a response 8 times or more it will automatically mute it.
Repeats are changeable in the code until I add an option to specify it in flag
NOTE: Can't be used simultaneously with -hc
or -hl
(yet)
# toggle smart filter on
bypassfuzzer.py -u https://example.com/forbidden --smart
Useful if you wanna proxy through Burp
bypassfuzzer.py -u https://example.com/forbidden --proxy http://127.0.0.1:8080
# skip sending header payloads
bypassfuzzer.py -u https://example.com/forbidden -sh
# or --skip-headers
# Skip sending path normailization payloads
bypassfuzzer.py -u https://example.com/forbidden -su
# or --skip-urls
Provide comma delimited lists without spaces. Examples:
# Hide response codes
bypassfuzzer.py -u https://example.com/forbidden -hc 403,404,400
# Hide response lengths of 638
bypassfuzzer.py -u https://example.com/forbidden -hl 638
Every successful (200 OK) request & response pair gets saved to a sqlite database.
Every payload includes an index number for easy querying.
Once the attack is over, inspect your results and determine the index or payload of the data you'd like to see.
You must use BOTH of the following flags:
--display-by
index or payload--display-interactions
index number or payload string in quotes
# display by index number
bypassfuzzer.py --display-by index --display-interactions 49
# display by payload
bypassfuzzer.py --display-by payload --display-interactions "/%2e%2fAJAX/index.php"
For simplicity's sake, every time you run the tool, a fresh db is created.
You can query a specific db via the --idb
flag.
NOTE:
- the db needs to be inside the
interactions
dir to be useable. - If no db is specified via
--idb
, the newest one will be used by default.
bypassfuzzer.py --display-by index --display-interactions 49 --idb interactions_20240729_145149.db
Provide the --oob
flag with your collaborator or ISH domain
You need to check for pingbacks yourself as I currently have no way of doing that for you.
--oob abc123.oastify.com
- Add HTTP/2 support
- Looking for ideas. Ping me on twitter! @intrudir