Gilzy, updated 🕥 2022-09-27 10:23:30


A Burp Suite extension made to automate the process of bypassing 403 pages. Heavily based on Orange Tsai's talk "Breaking Parser Logic: Take Your Path Normalization off and Pop 0days Out!"

Sample Issue


  • Runs with every possible permutation for query-based payloads. For instance with payload ..; will result in testing the following:;/api/v1/users;/v1/users;/users;api/v1/users;v1/users;users;;/
  • Header payloads are added to the original request. If a header already exists in the original request, its value is replaced.
  • For GET requests the extension will try to bypass Forbidden pages by changing the method to POST with an empty body.
  • The extension will attempt to downgrade HTTP/1.1 to HTTP/1.0 and remove all headers, as shown by Abbas.heybati.
  • Supports manual activation through context menu.
  • Payloads are supplied by the user under a dedicated tab; default values are stored in query payloads.txt and header payloads.txt.
  • Issues are added under the Issue Activity tab.
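
From the defending side, the request patterns listed above are recognisable in access logs. The following is an added example, not code from the extension or its author: the record layout, the `triage` function and the sample records are all constructed for illustration.

```python
import re

# The "..;" sequence (dot-segment followed by a path parameter) anywhere in the path.
DOT_PARAM = re.compile(r"\.\.;")

# Constructed sample records (assumed layout, not from the original page):
# (client, method, path, http_version, status, body_bytes, header_count)
SAMPLE = [
    ("192.0.2.10", "GET", "/api/v1/users", "HTTP/1.1", 403, 0, 9),
    ("192.0.2.10", "GET", "/api/..;/v1/users", "HTTP/1.1", 403, 0, 9),
    ("192.0.2.10", "POST", "/api/v1/users", "HTTP/1.1", 403, 0, 9),
    ("192.0.2.10", "GET", "/api/v1/users", "HTTP/1.0", 403, 0, 0),
    ("198.51.100.7", "GET", "/api/v1/users;v=2", "HTTP/1.1", 200, 0, 11),
    ("198.51.100.7", "POST", "/api/v1/users", "HTTP/1.1", 201, 57, 11),
]


def triage(records):
    """Return (record_index, reason) for requests matching the listed patterns."""
    findings = []
    forbidden_gets = set()  # (client, path) pairs that already got 403 on GET
    for i, rec in enumerate(records):
        client, method, path, version, status, body_len, n_headers = rec
        # Query-style payload: "..;" placed somewhere in the path.
        if DOT_PARAM.search(path):
            findings.append((i, "dot-segment with path parameter"))
        # Method change: same client retries a forbidden GET as a bodyless POST.
        if method == "POST" and body_len == 0 and (client, path) in forbidden_gets:
            findings.append((i, "empty POST retry after 403 GET"))
        # Protocol downgrade: HTTP/1.0 request carrying no headers at all.
        if version == "HTTP/1.0" and n_headers == 0:
            findings.append((i, "HTTP/1.0 request without headers"))
        if method == "GET" and status == 403:
            forbidden_gets.add((client, path))
    return findings


if __name__ == "__main__":
    for index, reason in triage(SAMPLE):
        print(index, SAMPLE[index][1], SAMPLE[index][2], "->", reason)
```

The ordinary path parameter in `/api/v1/users;v=2` and the POST with a body from a different client are not flagged, so the rules key on the combination of signals rather than on `;` or POST alone.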


ImportError: cannot import name table

opened on 2022-06-21 03:08:15 by Sahabalam

Traceback (most recent call last):
  File "/.BurpSuite/bapps/444407b96d9c4de0adb7aed89e826122/", line 4, in
    from javax.swing import JPanel, JButton, JList, JTable, table, JLabel, JScrollPane, JTextField, WindowConstants, GroupLayout, LayoutStyle, JFrame
ImportError: cannot import name table

at org.python.core.Py.ImportError(
at org.python.core.imp.importFromAs(
at org.python.core.imp.importFrom(
at org.python.pycode._pyx4.f$0(/home/alam/.BurpSuite/bapps/444407b96d9c4de0adb7aed89e826122/
at org.python.pycode._pyx4.call_function(/home/alam/.BurpSuite/bapps/444407b96d9c4de0adb7aed89e826122/
at org.python.core.Py.runCode(
at org.python.core.__builtin__.execfile_flags(
at org.python.util.PythonInterpreter.execfile(
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(
at java.base/java.lang.reflect.Method.invoke(
at burp.by4.<init>(Unknown Source)
at burp.cda.Q(Unknown Source)
at burp.yo2.lambda$panelLoaded$0(Unknown Source)
at java.base/java.util.concurrent.Executors$
at java.base/
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(
at java.base/java.util.concurrent.ThreadPoolExecutor$
at java.base/