# 403-bypass

Developed by JOJIN JOHN

403-bypass is a command-line tool for testing HTTP access-control bypasses and parser inconsistencies around 401, 403, and related responses.

The tool is designed for practical web security work: bug bounty, penetration testing, security reviews, and regression testing of access-control rules. It automates a broad set of request mutations, captures a baseline, filters common false positives, and highlights the responses most likely to represent a meaningful bypass.
## How it works

Given a target URL, nomore403:

- Sends a baseline request to capture the blocked response.
- Optionally auto-calibrates against non-existent paths to learn the target's default error behavior.
- Runs a set of bypass techniques that mutate the request path, method, headers, or wire format.
- Scores and groups the results to reduce noise.
- Emits replayable evidence, including `curl` commands for interesting findings.
This tool does not "break authentication" by itself. It helps find differences between how frontends, proxies, WAFs, CDNs, application routers, and backends interpret the same request.
## Key features

- Baseline-driven comparison against the blocked response
- Auto-calibration to reduce false positives from default `404` or parent-path responses
- Scored output with separate summaries for likely bypasses and interesting variations
- False-positive filtering using status, length, body hash, HTML title, body class, and WAF/block-page detection
- Replay and reproducibility for high-value findings
- Retry and backoff for transient network failures
- Concurrent execution with per-technique progress
- Raw HTTP support for request forms that `net/http` normalizes away
- JSON and JSONL output for pipelines and post-processing
- Input from a single URL, URL files, stdin, or request files
## Installation

Linux/macOS:

```bash
git clone https://github.com/jojin1709/403-bypass.git
cd 403-bypass
go build -o nomore403
```

Windows (PowerShell):

```powershell
git clone https://github.com/jojin1709/403-bypass.git
cd 403-bypass
go build -o nomore403.exe
.\nomore403.exe --help
```

If Go cannot write to the default cache folder on Windows, use local cache folders before testing or building:

```powershell
$env:GOCACHE="$PWD\.gocache"
$env:GOPATH="$PWD\.gopath"
go test ./...
go build -o nomore403.exe
```

The `payloads/` directory is read at runtime. Keep it beside the executable, or point the tool to it with `-f`.

## Requirements

- Go 1.24 or later to build from source
- `curl` available in `PATH` for techniques that depend on it, such as `http-versions`, `http-parser`, and `absolute-uri`

Most techniques work without curl.
## Quick start

Basic scan:

```bash
./nomore403 -u https://target.tld/admin
```

Use a proxy and verbose output:

```bash
./nomore403 -u https://target.tld/admin -x http://127.0.0.1:8080 -v
```

Run only selected techniques:

```bash
./nomore403 -u https://target.tld/admin -k headers,absolute-uri,raw-desync
```

Read targets from stdin:

```bash
cat urls.txt | ./nomore403
```

Use a Burp-style request file:

```bash
./nomore403 --request-file request.txt
```

Write machine-readable output:

```bash
./nomore403 -u https://target.tld/admin --jsonl -o findings.jsonl
```

On Windows, run the executable from the current folder:

```powershell
.\nomore403.exe --help
```

Run a low-noise scan:

```powershell
.\nomore403.exe -u https://target.tld/admin -k headers,endpaths,midpaths --top 10
```

Run slower against WAF-protected authorized targets:

```powershell
.\nomore403.exe -u https://target.tld/admin -k headers,endpaths --max-goroutines 2 --delay 1000 --top 10
```

Save JSONL output:

```powershell
.\nomore403.exe -u https://target.tld/admin --jsonl -o findings.jsonl
```

Use a Burp-style raw request file:

```powershell
.\nomore403.exe --request-file .\request.txt --jsonl -o findings.jsonl
```

## Example output

```
target: https://target.tld/admin method: GET frontend: AWS ELB/ALB payloads: payloads
calib: 404 | 1245b | +/-50 | frag 703b
BASELINE
default 403 520 bytes https://target.tld/admin
FINDINGS
hdr-ip 100! 200 2048 bytes X-Original-URL: /
abs-uri 26. 403 236 bytes request-target: https://target.tld/admin
http 18. 400 122 bytes HTTP/2
no visible results: 17 techniques
============== LIKELY BYPASS ==============
[!100 HIGH] Header injection (IP) 403=>200 2048b
why: status 403->200, len delta 1528, body changed, type changed
item: X-Original-URL: /
curl: curl -i -sS -k -H 'User-Agent: nomore403' -H 'X-Original-URL: /' 'https://target.tld/admin'
```
## Reading the output

Each visible line is a response that differed enough from the baseline to survive filtering.

Typical fields:

- technique alias, for example `hdr-ip`, `abs-uri`, or `parser`
- compact score marker such as `18.`, `61+`, or `100!`
- final response status
- response size
- item or payload used

The final summaries show baseline-to-result transitions:

- `403=>200` usually deserves immediate attention
- `403=>302` can be interesting, but may still resolve back into an auth barrier
- `403->400` or `403->404` usually indicate parser or routing differences rather than a bypass

At the end of the run, nomore403 prints:

- `LIKELY BYPASS` - highest-scoring results, including reproducible `curl` commands
- `INTERESTING VARIATIONS` - meaningful parser or routing differences that are worth manual review
- `no visible results` - count of techniques that ran but produced no visible output after filtering
## Scoring

Scoring is heuristic. It is intended to prioritize results, not to prove exploitation.

The tool generally rewards:

- transitions to `2xx`
- transitions to `3xx`
- large body-length changes
- body hash changes
- HTML title changes
- body-class changes, such as `waf-block` to `html` or `login` to `json`
- `Location` changes
- anom
alous redirects that do not appear to resolve into a login or denied flow
- differences that survive replay

The tool generally down-ranks:

- near-identical responses
- `200` responses that have the same body hash as the blocked baseline
- responses with the same HTML title and same body class as the blocked baseline
- Cloudflare, WAF, or generic block pages
- repeated parser noise
- unstable replay results
- empty-body redirects that appear to lead back into access control
- many `400` and `404` cases unless the response also changes substantially

Recommended interpretation:

- `HIGH`: likely actionable; review first
- `MED`: plausible candidate; usually worth manual replay
- `LOW`: parser difference, routing anomaly, or lower-confidence behavior
## False positives and response fingerprinting

Many sites return 200 for a rewritten or fragment-stripped URL while still serving the same error, homepage, login page, or WAF block page. The tool now fingerprints responses with:

- body hash
- HTML `<title>`
- body class, for example `waf-block`, `login`, `access-denied`, `not-found`, `json`, or `html`
- WAF/block-page signals from body text and headers such as `CF-Ray`

This means a result like `403->200` is no longer treated as strong by status alone. If it has the same body, same title, or the same WAF/block page as the baseline, it is pushed down into low-confidence output.

In JSON and JSONL output, check these fields:

```json
{
  "status_code": 200,
  "score": 18,
  "likelihood": "low",
  "score_reason": "status 403->200, same body as baseline, same body class",
  "body_hash": "9f31...",
  "title": "Oooops! WAF has blocked the action.",
  "body_class": "waf-block",
  "waf_block": true
}
```

Treat `waf_block: true`, same body as baseline, or same body class as signs that the result probably needs manual review before calling it a bypass.
## Auto-calibration

Auto-calibration is enabled by default in non-verbose mode.

It sends requests to several non-existent paths and builds a baseline for the target's default error behavior. It also performs a fragment-based calibration request to reduce false positives caused by fragment-stripped paths.

Use these flags to control it:

- `--no-calibrate` - compare only against the default blocked response
- `--strict-calibrate` - also compare body hash and key headers such as `Location`, `Content-Type`, and `Server`
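The response fingerprinting and auto-calibration described in the two sections above, as an added example that is not the tool's own code: it builds the same kind of fingerprint (status, length, body hash, HTML title, body class, WAF signal) for the blocked baseline, for a calibrated default 404, and for each result, then applies the README's down-ranking rules with a length tolerance like the `+/-50` in the banner. The point values, the body-class keyword heuristics, the `CF-Ray` plus 403 rule, and the `HIGH`/`MED`/`LOW` thresholds are this example's own assumptions, and the sample pages are constructed.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"regexp"
	"strings"
)

// Fingerprint holds the fields the README says filtering compares; Verdict mirrors the JSONL fields.
type Fingerprint struct {
	Status, Length   int
	BodyHash         [32]byte
	Title, BodyClass string
}
type Verdict struct{ Score int; Likelihood, Reason string }
var titleRe = regexp.MustCompile(`(?is)<title[^>]*>(.*?)</title>`)

// classify picks a body class; "waf-block" doubles as the WAF/block-page signal. The phrases
// and the "CF-Ray plus 403" rule are this example's assumed heuristics, not the tool's lists.
func classify(status int, hdr map[string]string, body string) string {
	body = strings.ToLower(body)
	_, cfRay := hdr["CF-Ray"]
	switch {
	case strings.Contains(body, "waf has blocked"), strings.Contains(body, "request blocked"), cfRay && status == 403:
		return "waf-block"
	case status == 404 || strings.Contains(body, "not found"):
		return "not-found"
	case status == 401 || status == 403:
		return "access-denied"
	}
	return "html"
}

func fingerprint(status int, hdr map[string]string, body string) Fingerprint {
	fp := Fingerprint{Status: status, Length: len(body), BodyHash: sha256.Sum256([]byte(body))}
	if m := titleRe.FindStringSubmatch(body); m != nil {
		fp.Title = strings.TrimSpace(m[1])
	}
	fp.BodyClass = classify(status, hdr, body)
	return fp
}

// score rates one result against the blocked baseline and the calibrated default error; tol is the
// length tolerance ("+/-50" in the README banner). Point values and caps are this example's own.
func score(base, calib, res Fingerprint, tol int) Verdict {
	reasons := []string{fmt.Sprintf("status %d->%d", base.Status, res.Status)}
	pts, limit := map[int]int{2: 50, 3: 25, 4: 5}[res.Status/100], 100 // 2xx > 3xx > 4xx
	if d := res.Length - base.Length; d > tol || d < -tol {
		pts, reasons = pts+20, append(reasons, fmt.Sprintf("len delta %d", d))
	}
	if res.BodyClass != base.BodyClass {
		pts, reasons = pts+15, append(reasons, "type changed")
	} else if res.Title == base.Title {
		limit, reasons = 30, append(reasons, "same title and body class")
	}
	if res.BodyHash != base.BodyHash {
		pts, reasons = pts+15, append(reasons, "body changed")
	} else { // a 200 that still serves the blocked page is not a bypass
		limit, reasons = 18, append(reasons, "same body as baseline")
	}
	if res.BodyClass == "waf-block" {
		limit, reasons = 18, append(reasons, "waf/block page")
	}
	if d := res.Length - calib.Length; res.Status == calib.Status && d <= tol && d >= -tol {
		limit, reasons = 18, append(reasons, "matches calibrated default error")
	}
	if pts > limit { // down-ranked results never outrank their cap
		pts = limit
	}
	like := "low"
	if pts >= 70 {
		like = "high"
	} else if pts >= 40 {
		like = "med"
	}
	return Verdict{pts, like, strings.Join(reasons, ", ")}
}

// demo scores constructed samples against a constructed 403 WAF page baseline and a constructed 404 page.
func demo() map[string]Verdict {
	edge := map[string]string{"CF-Ray": "constructed-ray-id"}
	block := `<html><head><title>Oooops! WAF has blocked the action.</title></head><body>Request blocked.</body></html>`
	missing := `<html><head><title>Not Found</title></head><body>The requested resource was not found.</body></html>`
	admin := "<html><head><title>Admin console</title></head><body>" + strings.Repeat("<tr><td>user</td><td>role</td></tr>", 20) + "</body></html>"
	base, calib := fingerprint(403, edge, block), fingerprint(404, edge, missing)
	out := map[string]Verdict{}
	for name, res := range map[string]Fingerprint{
		"x-original-url":  fingerprint(200, nil, admin),   // looks like a real bypass
		"same-block-page": fingerprint(200, edge, block),  // 200 but still the WAF page
		"calibrated-404":  fingerprint(404, nil, missing), // the default not-found, not a bypass
	} {
		out[name] = score(base, calib, res, 50)
	}
	return out
}

func main() { fmt.Println(demo()) }
```

Run it with `go run`: the 200 that still serves the WAF page and the 404 that matches the calibrated default both end at score 18 (`low`) regardless of their status transition, while the response whose body, class and length all changed scores 100 (`high`). A `--strict-calibrate` style comparison would add `Location`, `Content-Type` and `Server` to the fingerprint and compare them the same way.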
## Techniques

The tool runs all techniques by default unless you specify `-k`.

- `verbs` - alternative HTTP methods from `payloads/httpmethods`
- `verbs-case` - randomized casing of HTTP methods
- `method-override` - query, header, and body-based method override patterns
- `headers` - umbrella technique covering:
  - IP trust headers
  - simple headers
  - Host variations
- `hop-by-hop` - hop-by-hop stripping tricks using `Connection`
- `header-confusion` - rewrite and path-override headers such as `X-Original-URL`
- `host-override` - host override and forwarded-host variants
- `forwarded-trust` - `Forwarded`, `Client-IP`, `Cluster-Client-IP`, and related trust chains
- `proto-confusion` - `X-Forwarded-Proto`, `X-Forwarded-Port`, and related scheme hints
- `ip-encoding` - localhost and trusted-address variants in dotted, integer, hex, and IPv6 forms
- `endpaths` - suffix and end-of-path mutations from `payloads/endpaths`
- `midpaths` - path insertion and traversal-style mutations from `payloads/midpaths`
- `double-encoding` - encoded path variants, including aggressive double-encoding forms
- `unicode` - `%uXXXX` and overlong UTF-8 path variants
- `path-case` - path segment case switching
- `path-normalization` - dot-segment and semicolon normalization variants
- `suffix-tricks` - suffix and extension tricks such as `.json`, `.css`, `;index.html`, and format-style query toggles
- `payload-position` - inserts payloads at explicitly marked positions in the URL
- `http-versions` - compares the same request across `HTTP/1.0` and `HTTP/2`
- `http-parser` - sends a deliberately minimal `curl` request to expose client/frontend parser differences separately from `http-versions`
- `absolute-uri` - uses absolute-form request targets through `curl --request-target`
- `raw-duplicates` - duplicate security-relevant headers with raw HTTP
- `raw-authority` - duplicate or conflicting authority and host signals
- `raw-desync` - request forms aimed at frontend/backend parsing differences, including conflicting transfer semantics
## Raw HTTP engine

Some techniques need wire-level control that Go's `net/http` client does not provide. Those techniques use the raw HTTP engine.

Raw techniques currently include:

- `raw-duplicates`
- `raw-authority`
- `raw-desync`
- some `%uXXXX` unicode path requests

Notes:

- raw requests are sent automatically where needed
- raw techniques do not currently support upstream proxies
- raw behavior is useful for:
  - duplicate headers
  - exact request targets
  - transfer-encoding and content-length edge cases
## Frontend fingerprinting

The tool may infer frontend hints such as:

- AWS ELB / ALB
- CloudFront
- Cloudflare
- Nginx
- Envoy
- Apache
- IIS

These hints are used to improve technique ordering and output context.

Important:

- fingerprinting does not disable techniques by default
- unless you use `-k`, the tool still runs the full default technique set
## Replay

High-value results are replayed automatically in the final summary.

The replay output helps answer:

- did the behavior repeat?
- did it keep the same status and response shape?
- is this likely stable enough to investigate or report?

The final summary includes:

- replay counts such as `1/1` or `2/2 matched on replay`
- a replayable `curl` command for interesting results
## Input forms

Single URL:

```bash
./nomore403 -u https://target.tld/admin
```

File of URLs:

```bash
./nomore403 -u targets.txt
```

Targets from stdin:

```bash
cat targets.txt | ./nomore403
```

Request file:

```bash
./nomore403 --request-file request.txt
```

Request files are useful when replaying traffic captured in Burp or another proxy.

## Payload position

Use `--payload-position` when you want to inject payloads at explicit markers instead of relying only on built-in endpath and midpath mutation logic.

Example:

```bash
./nomore403 -u 'https://target.tld/§100§/admin/§200§' -p §
```

## More examples

```bash
./nomore403 -u https://target.tld/admin
./nomore403 -u https://target.tld/admin -x http://127.0.0.1:8080 -v
./nomore403 -u https://target.tld/admin -k absolute-uri,raw-duplicates,raw-authority,raw-desync
./nomore403 -u https://target.tld/admin -i 10.0.0.5
./nomore403 -u https://target.tld/admin --jsonl -o findings.jsonl
./nomore403 --request-file request.txt -k headers,endpaths --jsonl -o findings.jsonl
```

```powershell
.\nomore403.exe -u https://target.tld/admin --json -o findings.json
.\nomore403.exe --request-file .\request.txt -k headers,endpaths --jsonl -o findings.jsonl
```

## Building and testing

Linux/macOS:

```bash
go test ./...
go build -o nomore403
```

Windows PowerShell:

```powershell
$env:GOCACHE="$PWD\.gocache"
$env:GOPATH="$PWD\.gopath"
go test ./...
go build -o nomore403.exe
```

## CI and releases

The repository includes:
- `.github/workflows/test.yml`
  - runs `go test ./...`
  - runs `go build ./...`
  - triggers on pushes to `main` and pull requests
- `.github/workflows/release.yml`
  - builds Windows `.exe`
  - builds Linux amd64
  - builds macOS amd64 and arm64
  - packages the `payloads/` folder with each binary
  - publishes artifacts automatically when you push a version tag

Create a release from your terminal:

```bash
git tag v0.1.0
git push origin v0.1.0
```

On Windows PowerShell:

```powershell
git tag v0.1.0
git push origin v0.1.0
```

## CLI reference

Run `./nomore403 --help` for the full up-to-date CLI.
Key flags:

- `-u, --uri` - target URL, file of URLs, or input path
- `-k, --technique` - comma-separated list of techniques to run
- `-x, --proxy` - upstream proxy
- `-H, --header` - add custom headers
- `-i, --bypass-ip` - IP or hostname used in trust-header techniques
- `-v, --verbose` - show all visible results, not just filtered output
- `--json` - write structured JSON
- `--jsonl` - write one JSON object per result
- `--no-calibrate` - disable auto-calibration
- `--strict-calibrate` - compare more response fields during filtering
- `--retry-count` - number of retries for transient errors
- `--retry-backoff-ms` - exponential backoff base in milliseconds
- `--host-delay` - delay between batched targets on the same host
- `--top-score-min` - minimum score for `LIKELY BYPASS`
- `--variation-score-min` - minimum score for `INTERESTING VARIATIONS`
- `--top` - maximum number of entries per summary section, or `0` to disable summaries
## Output modes

Default mode is optimized for interactive review and triage.

Use `--json` for a single structured document.

Use `--jsonl` when you want to:

- process results incrementally
- store evidence in pipelines
- import findings into your own tooling
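A post-processing pass over `--jsonl` output, as an added example that is not part of the project: it parses one object per line using the field names from the JSON sample shown earlier, sets aside results that the README says need manual review before being called a bypass (`waf_block`, the same body hash as the baseline, the same body class), drops results under a minimum score, and sorts the rest for review. The `technique` and `item` field names are assumed, the JSONL lines are constructed, and the baseline body hash is supplied by the caller.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Finding mirrors the JSONL fields shown in the README's JSON sample. The
// "technique" and "item" names are this example's assumption, not confirmed by the README.
type Finding struct {
	Technique   string `json:"technique"`
	Item        string `json:"item"`
	StatusCode  int    `json:"status_code"`
	Score       int    `json:"score"`
	Likelihood  string `json:"likelihood"`
	ScoreReason string `json:"score_reason"`
	BodyHash    string `json:"body_hash"`
	Title       string `json:"title"`
	BodyClass   string `json:"body_class"`
	WAFBlock    bool   `json:"waf_block"`
}

// Triage is one pass over a JSONL file: findings worth manual review sorted by
// score, counts of results set aside and why, and lines that did not parse.
type Triage struct {
	Review  []Finding
	Skipped map[string]int
	Bad     int
}

// setAsideReason applies the README's advice: waf_block, the same body as the
// baseline, or the same body class are signs the result needs review before it
// is called a bypass. It returns "" when none of those apply.
func setAsideReason(f Finding, baselineHash string) string {
	switch {
	case f.WAFBlock:
		return "waf_block"
	case f.BodyHash != "" && f.BodyHash == baselineHash:
		return "same body hash as baseline"
	case strings.Contains(f.ScoreReason, "same body class"):
		return "same body class as baseline"
	}
	return ""
}

// triage reads JSONL text, keeps findings with score >= minScore that are not
// set aside, and orders them highest score first (stable, so ties keep file order).
func triage(jsonl, baselineHash string, minScore int) Triage {
	t := Triage{Skipped: map[string]int{}}
	sc := bufio.NewScanner(strings.NewReader(jsonl))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var f Finding
		if err := json.Unmarshal([]byte(line), &f); err != nil {
			t.Bad++ // keep going: one bad line should not discard the run
			continue
		}
		switch why := setAsideReason(f, baselineHash); {
		case why != "":
			t.Skipped[why]++
		case f.Score < minScore:
			t.Skipped["below min score"]++
		default:
			t.Review = append(t.Review, f)
		}
	}
	sort.SliceStable(t.Review, func(i, j int) bool { return t.Review[i].Score > t.Review[j].Score })
	return t
}

// sampleJSONL is constructed input in the README's JSONL shape, not real tool output.
const sampleJSONL = `
{"technique":"hdr-ip","item":"X-Original-URL: /","status_code":200,"score":100,"likelihood":"high","score_reason":"status 403->200, len delta 1528, body changed, type changed","body_hash":"c0ffee01","title":"Admin console","body_class":"html","waf_block":false}
{"technique":"endpaths","item":"/admin/","status_code":200,"score":18,"likelihood":"low","score_reason":"status 403->200, same body as baseline, same body class","body_hash":"9f31aa00","title":"Oooops! WAF has blocked the action.","body_class":"waf-block","waf_block":true}
{"technique":"abs-uri","item":"request-target: https://target.tld/admin","status_code":403,"score":26,"likelihood":"low","score_reason":"status 403->403, len delta -284","body_hash":"9f31aa00","title":"Oooops! WAF has blocked the action.","body_class":"waf-block","waf_block":false}
{"technique":"http","item":"HTTP/2","status_code":400,"score":18,"likelihood":"low","score_reason":"status 403->400, body changed","body_hash":"12ab34cd","title":"","body_class":"html","waf_block":false}
{"technique":"verbs","item":"POST","status_code":302,"score":45,"likelihood":"med","score_reason":"status 403->302, Location changed","body_hash":"e3b0c442","title":"","body_class":"html","waf_block":false}
this line is deliberately not JSON
`

func main() {
	t := triage(sampleJSONL, "9f31aa00", 20)
	for _, f := range t.Review {
		fmt.Printf("[%3d %-4s] %-8s %d %s\n", f.Score, f.Likelihood, f.Technique, f.StatusCode, f.Item)
	}
	fmt.Println("set aside:", t.Skipped, "unparsable lines:", t.Bad)
}
```

With the constructed input, only the `hdr-ip` and `verbs` results reach the review list; the `abs-uri` result is set aside because its `body_hash` equals the baseline hash even though `waf_block` is false, which is the case the README warns is easy to mistake for a bypass when judged by status alone.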
## Payloads

The `payloads/` directory contains lists used by several techniques.

Current files include:

- `httpmethods`
- `headers`
- `ips`
- `simpleheaders`
- `endpaths`
- `midpaths`
- `useragents`

You can customize these files to fit your targets or workflow.

## Limitations

- raw HTTP techniques do not currently support upstream proxies
- scoring is heuristic and can produce false positives or false negatives
- redirect scoring currently uses heuristics on the immediate redirect response, not a fully followed redirect chain
- some techniques depend on target-specific behavior and may appear noisy on heavily normalized stacks
- curl-based techniques require `curl` in `PATH`
## Responsible use

Use this tool only on systems you are authorized to test.

The authors and contributors are not responsible for misuse. You are responsible for complying with applicable law, program rules, and organizational policy.

## Contributing

Contributions are welcome.

Useful contribution areas include:

- bug fixes
- better payloads
- new bypass techniques
- raw HTTP improvements
- frontend fingerprinting
- documentation and examples

Before contributing a technique, prefer:

- a clearly distinct parsing or trust-boundary behavior
- reproducible evidence
- tests that verify the request shape or replay behavior

## License

This project is released under the MIT License. See LICENSE.