Gilzy, updated 🕥 2022-09-27 10:23:30

403Bypasser

A Burp Suite extension made to automate the process of bypassing 403 pages. Heavily based on Orange Tsai's talk "Breaking Parser Logic: Take Your Path Normalization off and Pop 0days Out!"

Sample Issue

Features

  • Runs with every possible permutation for query-based payloads. For instance, https://www.example.com/api/v1/users with payload ..; will result in testing the following:
      https://www.example.com..;/api/v1/users
      https://www.example.com/api..;/v1/users
      https://www.example.com/api/v1..;/users
      https://www.example.com/..;api/v1/users
      https://www.example.com/api/..;v1/users
      https://www.example.com/api/v1/..;users
      https://www.example.com/api/v1/users/..;
      https://www.example.com/api/v1/users/..;/
  • Header payloads are added to the original request. If the header already exists in the original request, its value is replaced.
  • For GET requests, the extension will try to bypass Forbidden pages by changing the method to POST with an empty body.
  • The extension will attempt to downgrade HTTP/1.1 to HTTP/1.0 and remove all headers, as shown by Abbas.heybati.
  • Supports manual activation through context menu.
  • Payloads are supplied by the user under a dedicated tab; default values are stored in query payloads.txt and header payloads.txt.
  • Issues are added under the Issue Activity tab.
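
Seen from the server side, the behaviors in the list above leave a recognizable trail in access logs: one client is denied a path, then requests the same resource with the payload inserted at different positions, with a different method, or over HTTP/1.0. The following detection heuristic is an added example, not part of 403Bypasser; the log lines are constructed, the function names are hypothetical, and `canonical()` is only a grouping key for detection, not a model of how any server normalizes paths.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined-log style); not from the page.
SAMPLE_LOG = """\
198.51.100.7 - - [27/Sep/2022:10:00:01 +0000] "GET /api/v1/users HTTP/1.1" 403 153
198.51.100.7 - - [27/Sep/2022:10:00:02 +0000] "GET /api..;/v1/users HTTP/1.1" 403 153
198.51.100.7 - - [27/Sep/2022:10:00:03 +0000] "GET /api/v1/..;users HTTP/1.1" 404 0
198.51.100.7 - - [27/Sep/2022:10:00:04 +0000] "GET /api/v1/users/..;/ HTTP/1.1" 200 5120
198.51.100.7 - - [27/Sep/2022:10:00:05 +0000] "POST /api/v1/users HTTP/1.1" 403 153
198.51.100.7 - - [27/Sep/2022:10:00:06 +0000] "GET /api/v1/users HTTP/1.0" 403 153
203.0.113.9 - - [27/Sep/2022:10:00:07 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) (HTTP/[\d.]+)" (\d{3}) ')

def canonical(target, tokens=("..;",)):
    """Grouping key: drop the query string and payload tokens, collapse slashes."""
    path = target.split("?", 1)[0]
    for tok in tokens:
        path = path.replace(tok, "")
    return re.sub(r"/{2,}", "/", path).rstrip("/") or "/"

def find_probes(log_text, tokens=("..;",)):
    """Map (client, canonical path) -> variants tried after a 403, and which got 2xx."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ip, method, target, proto, status = m.groups()
            seen[(ip, canonical(target, tokens))].append(
                (method, target, proto, int(status)))
    findings = {}
    for key, reqs in seen.items():
        denied = [r for r in reqs if r[3] == 403]
        if not denied:
            continue  # nothing was forbidden for this client and path
        base = denied[0]  # first denied request is the baseline
        # A variant differs from the baseline in method, raw path or protocol.
        variants = [r for r in reqs if r[:3] != base[:3]]
        if variants:
            findings[key] = {
                "variants": len(variants),
                "bypassed": [r for r in variants if 200 <= r[3] < 300],
            }
    return findings

if __name__ == "__main__":
    for key, info in find_probes(SAMPLE_LOG).items():
        print(key, info)
```

A non-empty `bypassed` list is the case to triage first: a variant of a forbidden path returned a success status, which points to the access-control layer and the backend disagreeing on path normalization.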

Issues

ImportError: cannot import name table

opened on 2022-06-21 03:08:15 by Sahabalam

Traceback (most recent call last):
  File "/.BurpSuite/bapps/444407b96d9c4de0adb7aed89e826122/403Bypasser.py", line 4, in <module>
    from javax.swing import JPanel, JButton, JList, JTable, table, JLabel, JScrollPane, JTextField, WindowConstants, GroupLayout, LayoutStyle, JFrame
ImportError: cannot import name table

at org.python.core.Py.ImportError(Py.java:328)
at org.python.core.imp.importFromAs(imp.java:1168)
at org.python.core.imp.importFrom(imp.java:1132)
at org.python.pycode._pyx4.f$0(/home/alam/.BurpSuite/bapps/444407b96d9c4de0adb7aed89e826122/403Bypasser.py:432)
at org.python.pycode._pyx4.call_function(/home/alam/.BurpSuite/bapps/444407b96d9c4de0adb7aed89e826122/403Bypasser.py)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyCode.call(PyCode.java:18)
at org.python.core.Py.runCode(Py.java:1386)
at org.python.core.__builtin__.execfile_flags(__builtin__.java:535)
at org.python.util.PythonInterpreter.execfile(PythonInterpreter.java:286)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:564)
at burp.by4.<init>(Unknown Source)
at burp.cda.Q(Unknown Source)
at burp.yo2.lambda$panelLoaded$0(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
at java.base/java.lang.Thread.run(Thread.java:832)