byp4xx.py

    __                __ __           
   / /_  __  ______  / // / _  ___  __
  / __ \/ / / / __ \/ // /_| |/_/ |/_/
 / /_/ / /_/ / /_/ /__  __/>  <_>  <  
/_.___/\__, / .___/  /_/ /_/|_/_/|_|  
      /____/_/                        

Python script for 40X responses bypassing. Methods from #bugbountytips, headers, verb tampering and user agents.

Installation:

git clone https://github.com/lobuhi/byp4xx.git
cd byp4xx
chmod u+x byp4xx.py
./byp4xx.py
or
python3 byp4xx.py

or

pip install git+https://github.com/lobuhi/byp4xx.git

Usage: Start URL with http or https.

python3 byp4xx.py <cURL options> <target>

Some cURL options you may use as example:
  -L follow redirections (30X responses)
  -x <ip>:<port> to set a proxy
  -m <seconds> to set a timeout
  -H for new headers
  -d for data in the POST requests body
  -...
  
 Built-in options:
  -all Verbose mode
  -ip <IP> Custom source IP address for headers
  -fuzz Experimental unicode fuzzing mode. High workload! >65k requests! Watchout!

Example:

python3 byp4xx.py https://www.google.es/test

Features:

• Multiple HTTP verbs/methods
• Multiple methods mentioned in #bugbountytips
• Multiple headers: Referer, X-Custom-IP-Authorization...
• Accepts any cURL option
• Based on Seclist
  • UserAgents
  • Extensions
  • Default credentials

Tips:

• You can add proxychains to use with BurpSuite
• Interlace is a good option for multithreading multiples URLs
• BONUS: Buy me a coffee... or a pizza! Stay cool! ^_^

TO-DO:

• File input
• Multithread/Multiprocessing?
• Random vulnerable docker to test byp4xx
• ...