Skip to content
/ byp4xx Public

40X/HTTP bypasser in Go. Features: Verb tampering, headers, #bugbountytips, User-Agents, extensions, default credentials...

Notifications You must be signed in to change notification settings

lobuhi/byp4xx

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 

Repository files navigation

    __                __ __           
   / /_  __  ______  / // / _  ___  __
  / __ \/ / / / __ \/ // /_| |/_/ |/_/
 / /_/ / /_/ / /_/ /__  __/>  <_>  <  
/_.___/\__, / .___/  /_/ /_/|_/_/|_|  
      /____/_/                        

40X bypasser in Go. Methods from #bugbountytips, headers, verb tampering, user agents and more.

Usage:

byp4xx <cURL or byp4xx options> <URL or file>

Some cURL options you may use as example:
  -L follow redirections (30X responses)
  -x <ip>:<port> to set a proxy
  -m <seconds> to set a timeout
  -H for new headers. Escape double quotes.
  -d for data in the POST requests body
  -...
  
 Built-in options:
  --all Verbose mode (by default only 2xx and 3xx codes will be prompted)
  -t or --thread Set the maximum threads. Rate limit disabled when threads are enabled. Use carefully.
  --rate Set the maximum reqs/sec. Only one thread enforced, for low rate limits. (5 reqs/sec by default)
  -xV Exclude verb tampering
  -xH Exclude headers
  -xUA Exclude User-Agents
  -xX Exclude extensions
  -xD Exclude default creds
  -xS Exclude CaSe SeNsiTiVe
  -xM Exclude middle paths
  -xE Exclude end paths
  -xB Exclude #bugbountytips

Examples:

Regular usage:

byp4xx http://localhost/test

Avoid default creds if the response is not 401:

byp4xx -xD http://localhost/test

Avoid end paths and extensions if the url ends with /:

byp4xx -xE -xX http://localhost/test

Set 2 seconds timeout, follow redirections and use proxy

byp4xx -m 2 -L -x 127.0.0.1:8080 http://localhost/test

Custom headers, you should escape double quotes:

byp4xx -H \"Authorization: Bearer <JWT>\" http://localhost/test

Features:

  • Multiple HTTP verbs/methods
  • Multiple methods mentioned in #bugbountytips
  • Multiple headers: Referer, X-Custom-IP-Authorization...
  • Accepts any cURL option
  • Based on Seclist
    • UserAgents
    • Extensions
    • Default credentials

Buy me a coffee... or a pizza! Stay cool! ^_^

About

40X/HTTP bypasser in Go. Features: Verb tampering, headers, #bugbountytips, User-Agents, extensions, default credentials...

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages