Tool for testing 401/403 authorization bypass techniques
Project description
PT403BYPASS
Testing tool for identifying 401/403 bypass opportunities in web applications. It loads payload lists from templates/ (verbs, headers, IPs, user agents, path fuzz strings, extensions, default credentials, and other *.txt lists) and runs grouped tests similar in spirit to byp4xx, with Penterep-style output.
Bypass detection always treats 401 and 403 as the blocked responses; this set is fixed in the code. -s / -e only affect what is printed in the terminal, not which tests run.
Installation
pip install pt403bypass
Usage examples
pt403bypass -u https://example.com/admin
pt403bypass -u https://example.com/private -vv
pt403bypass -u https://example.com/secret -s 200 -m 500
pt403bypass -u https://example.com/secret -e 404
Without -s, only result lines whose HTTP status differs from the baseline are printed. -s 200 prints only lines (and the baseline URL line, if applicable) whose status is in the given list. -e 404 hides lines (and the baseline) with those codes. -s and -e can be combined; a line must then pass both filters. Use -vv / --verbose to print every line when -s is not set.
Options
-u --url Protected URL to test
-p --proxy Set proxy (e.g. http://127.0.0.1:8080)
-T --timeout Set timeout in seconds (default 10)
-c --cookie Set cookie
-a --user-agent Set User-Agent header
-H --headers Set custom header(s) as header:value
-r --redirects Follow redirects (default False)
-s --show-status Only print lines with these HTTP status codes (optional)
-e --hide-status Do not print lines with these HTTP status codes (e.g. hide 404)
-x --methods HTTP methods (default: templates/verbs.txt); merged with verbs.txt
-m --max-tests Limit number of payload tests (0 = unlimited)
-C --cache Cache compatibility flag (ptlibs)
-vv --verbose Enable verbose mode (show all result lines when -s is not set)
-v --version Show script version and exit
-h --help Show help and exit
-j --json Output in JSON format
--templates-dir Directory for *.txt templates (default: package templates/)
Path-heavy payloads (built-in paths, mid/end path lists, extensions, case tricks, extra tricks) are sent with ptlibs RawHttpClient when available, so encoded paths are not normalized the way requests/urllib3 would normalize them.
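Seen from the server side, the test pattern described above (many request variations against one protected URL, with 401 and 403 counted as blocked) leaves a recognizable trace in access logs. The following is an added example, not part of pt403bypass: it flags a 2xx response that follows repeated 401/403 responses from the same client on the same resource. The log format, the threshold and the names first_segment and find_bypass_candidates are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined-log style; addresses are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /admin HTTP/1.1" 403 153
198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "HEAD /admin HTTP/1.1" 403 0
192.0.2.4 - - [01/Jan/2025:10:00:01 +0000] "GET /admin HTTP/1.1" 401 188
198.51.100.7 - - [01/Jan/2025:10:00:01 +0000] "POST /admin HTTP/1.1" 403 153
203.0.113.9 - - [01/Jan/2025:10:00:02 +0000] "GET /admin HTTP/1.1" 403 153
192.0.2.4 - - [01/Jan/2025:10:00:05 +0000] "GET /admin HTTP/1.1" 401 188
203.0.113.9 - - [01/Jan/2025:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2025:10:00:07 +0000] "PATCH /admin HTTP/1.1" 200 2048
192.0.2.4 - - [01/Jan/2025:10:00:09 +0000] "GET /admin HTTP/1.1" 200 2048
"""

# client, method, path and status from one access-log line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
BLOCKED = {401, 403}  # the same "blocked" statuses the page names


def first_segment(path):
    """Lowercased first path segment without query string, so variants of
    one resource (different case, suffixes, sub-paths) share a key."""
    return path.split("?", 1)[0].strip("/").split("/", 1)[0].lower()


def find_bypass_candidates(log_text, min_blocked=3):
    """Return (client, resource, method, path, status) for every 2xx response
    preceded by at least min_blocked 401/403 responses from the same client
    on the same resource. Hits are candidates for review, not proof."""
    blocked = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, method, path, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        key = (client, first_segment(path))
        if status in BLOCKED:
            blocked[key] += 1
        elif 200 <= status < 300 and blocked[key] >= min_blocked:
            hits.append((client, key[1], method, path, status))
    return hits


if __name__ == "__main__":
    for hit in find_bypass_candidates(SAMPLE_LOG):
        print(hit)
```

The threshold is a trade-off: in the sample, client 192.0.2.4 (two 401 responses followed by a 200, as in an ordinary login) is reported only when min_blocked is lowered to 2.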
Dependencies
ptlibs
Warning
Run this tool only against systems you are explicitly authorized to test.
File details
Details for the file pt403bypass-0.0.2.tar.gz.
File metadata
- Download URL: pt403bypass-0.0.2.tar.gz
- Upload date:
- Size: 38.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | fd37de4a8b1146ea7a0ac4b8f0d682a43e18ea12744af49b60b87d15c95237df |
| MD5 | 59562b1eaccc0c039839722eea779813 |
| BLAKE2b-256 | d7033d6fe25babb00f0e6d604eef331c12d150e56a6b3a01ab3614260864c4ab |
File details
Details for the file pt403bypass-0.0.2-py3-none-any.whl.
File metadata
- Download URL: pt403bypass-0.0.2-py3-none-any.whl
- Upload date:
- Size: 38.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 9275a42713de691d98dc9bbdbad90d4ab2f96baf2fac9f7fa27e459bb5a6b569 |
| MD5 | 1e6467418aca37c3adce9428d8267da7 |
| BLAKE2b-256 | b457506dd2c1ffe794cdab6f849a11077cf2a20d91cfb0b0936e1291774d019e |