{"id":13762728,"url":"https://github.com/devploit/nomore403","last_synced_at":"2026-02-04T20:24:32.202Z","repository":{"id":37566809,"uuid":"401347836","full_name":"devploit/nomore403","owner":"devploit","description":"🚫 Advanced tool for security researchers to bypass 403/40X restrictions through smart techniques and adaptive request manipulation. Fast. Precise. Effective.","archived":false,"fork":false,"pushed_at":"2025-06-27T17:01:45.000Z","size":7231,"stargazers_count":1474,"open_issues_count":5,"forks_count":164,"subscribers_count":15,"default_branch":"main","last_synced_at":"2026-01-25T06:20:28.850Z","etag":null,"topics":["403","403-bypass","bugbounty","bypass","ctf","go","http","pentest","pentesting","reconnaissance","security","tool","waf-bypass","websec"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/devploit.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-08-30T13:09:18.000Z","updated_at":"2026-01-24T21:46:20.000Z","dependencies_parsed_at":"2022-07-12T16:23:56.366Z","dependency_job_id":"d4a521e0-0a93-4f34-8229-88fa629df73b","html_url":"https://github.com/devploit/nomore403","commit_stats":null,"previous_names":["devploit/nomore403","devploit/dontgo403"],"tags_count":23,"template":false,"template_full_name":null,"purl":"pkg:github/devploit/nomore403","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devploit%2Fnomore403","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devploit%2Fnomore403/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devploit%2Fnomore403/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devploit%2Fnomore403/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/devploit","download_url":"https://codeload.github.com/devploit/nomore403/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devploit%2Fnomore403/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29095203,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-04T20:17:23.003Z","status":"ssl_error","status_checked_at":"2026-02-04T20:16:36.396Z","response_time":62,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["403","403-bypass","bugbounty","bypass","ctf","go","http","pentest","pentesting","reconnaissance","security","tool","waf-bypass","websec"],"created_at":"2024-08-03T14:00:55.521Z","updated_at":"2026-02-04T20:24:32.187Z","avatar_url":"https://github.com/devploit.png","language":"Go","readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://i.imgur.com/F4D1zhr.png\" width=\"350\" height=\"200\" alt=\"logo\"\u003e\n\u003c/p\u003e\n\n\u003ch1 align=\"center\"\u003eNoMore403\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/devploit/nomore403/stargazers\"\u003e\u003cimg alt=\"GitHub stars\" src=\"https://img.shields.io/github/stars/devploit/nomore403?style=flat\u0026logo=github\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/devploit/nomore403/forks\"\u003e\u003cimg alt=\"GitHub forks\" src=\"https://img.shields.io/github/forks/devploit/nomore403?style=flat\u0026logo=github\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://goreportcard.com/report/github.com/devploit/nomore403\"\u003e\u003cimg alt=\"Go Report Card\" src=\"https://goreportcard.com/badge/github.com/devploit/nomore403\"\u003e\u003c/a\u003e\n  \u003cimg alt=\"Go version\" src=\"https://img.shields.io/badge/go-1.24-blue\"\u003e\n  \u003cimg alt=\"License: MIT\" src=\"https://img.shields.io/badge/license-MIT-green\"\u003e\n  \u003cimg alt=\"Contributions welcome\" src=\"https://img.shields.io/badge/contributions-welcome-brightgreen.svg\"\u003e\n\u003c/p\u003e\n\n## Table of Contents\n- [Introduction](#introduction)\n- [Features](#features)\n- [Implemented Bypass Techniques](#implemented-bypass-techniques)\n- [Prerequisites](#prerequisites)\n- [Installation](#installation)\n- [How It Works](#how-it-works)\n- [Customization](#customization)\n- [Usage](#usage)\n- [Options](#options)\n- [Common Use Cases](#common-use-cases)\n- [Contributing](#contributing)\n- [Security Considerations](#security-considerations)\n- [License](#license)\n- [Acknowledgments](#acknowledgments)\n- [Contact](#contact)\n\n## Introduction\n\n`nomore403` is an innovative tool designed to help cybersecurity professionals and enthusiasts bypass HTTP 40X errors encountered during web security assessments. Unlike other solutions, `nomore403` automates various techniques to seamlessly navigate past these access restrictions, offering a broad range of strategies from header manipulation to method tampering.\n\n## Features\n\n- **Auto-calibration**: Automatically detects server base responses to identify successful bypasses\n- **Multiple bypass techniques**: Implements 8 different techniques to bypass restrictions\n- **High concurrency**: Uses goroutines for fast and efficient testing\n- **Customizable**: Easily add new payloads and techniques\n\n## Implemented Bypass Techniques\n\n- **Verb Tampering**: Tests different HTTP methods to access protected resources\n- **Verb Case Switching**: Manipulates HTTP method capitalization to detect incorrect implementations\n- **Headers**: Injects headers designed for bypassing like X-Forwarded-For, X-Original-URL, etc.\n- **Custom Paths**: Tests alternative paths that can bypass access restrictions\n- **Path Traversal (midpaths)**: Inserts patterns in the middle of paths to confuse parsers\n- **Double-Encoding**: Uses double URL encoding to evade filters\n- **HTTP Versions**: Tests different HTTP versions (1.0, 1.1) to identify inconsistent behaviors\n- **Path Case Switching**: Manipulates uppercase/lowercase in paths to detect case-sensitive configurations\n\n## Prerequisites\n\nBefore you install and run `nomore403`, make sure you have the following:\n- Go 1.24 or higher installed on your machine.\n\n## Installation\n\n### Compile from Source\n\nThis is the recommended method as it ensures you have all necessary files, including the payloads folder:\n\n```bash\ngit clone https://github.com/devploit/nomore403\ncd nomore403\ngo get\ngo build\n```\n\n### From Releases\n\nYou can download pre-compiled binaries for your OS from our [Releases](https://github.com/devploit/nomore403/releases) page.\n\n**Important**: When installing via pre-compiled binaries, the payloads folder might not be included. If that's the case, download it separately:\n\n```bash\n# After downloading the binary\ngit clone --depth 1 https://github.com/devploit/nomore403.git\ncp -r nomore403/payloads /path/to/your/preferred/location\n# Then use nomore403 with -f flag\nnomore403 -u https://domain.com/admin -f /path/to/your/preferred/location/payloads\n```\n\n### From Go install\n\nYou can install nomore403 directly with Go:\n\n```bash\ngo install github.com/devploit/nomore403@latest\n```\n\n**Important**: When installing via `go install`, the payloads folder will not be included. You'll need to download it separately:\n\n```bash\n# After installing with go install\ngit clone --depth 1 https://github.com/devploit/nomore403.git\ncp -r nomore403/payloads /path/to/your/preferred/location\n# Then use nomore403 with -f flag\nnomore403 -u https://domain.com/admin -f /path/to/your/preferred/location/payloads\n```\n\n## How It Works\n\n1. **Auto-calibration**: The tool makes a request to a non-existent path to determine the base response\n2. **Default request**: Makes a standard request to the target for comparison\n3. **Technique application**: Executes selected techniques in parallel\n4. **Result filtering**: Shows only responses that differ from the initial calibration (unless verbose mode is used)\n\n## Customization\n\nTo edit or add new bypasses, modify the payloads directly in the [payloads](https://github.com/devploit/nomore403/tree/main/payloads) folder. nomore403 will automatically incorporate these changes.\n\n### Payloads Folder Structure\n\n- **headers**: Headers used for bypassing\n- **ips**: IP addresses to inject in specific headers\n- **httpmethods**: Alternative HTTP methods\n- **endpaths**: Custom paths to add at the end of the target URL\n- **midpaths**: Patterns to insert in the middle of paths\n- **simpleheaders**: Common simple headers\n- **useragents**: List of User-Agents for rotation\n\n## Usage\n\n### Output example\n\n```bash\n━━━━━━━━━━━━━━ NOMORE403 CONFIGURATION ━━━━━━━━━━━━━━━━━━\nTarget:                 https://domain.com/admin\nHeaders:                false\nProxy:                  false\nUser Agent:             nomore403\nMethod:                 GET\nPayloads folder:        payloads\nCustom bypass IP:       false\nFollow Redirects:       false\nRate Limit detection:   false\nStatus:                 \nTimeout (ms):           6000\nDelay (ms):             0\nTechniques:             verbs, verbs-case, headers, endpaths, midpaths, double-encoding, http-versions, path-case\nUnique:                 false\nVerbose:                false\n\n━━━━━━━━━━━━━━━ AUTO-CALIBRATION RESULTS ━━━━━━━━━━━━━━━\n[✔] Calibration URI: https://domain.com/admin/calibration_test_123456\n[✔] Status Code: 404\n[✔] Content Length: 1821 bytes\n\n━━━━━━━━━━━━━ DEFAULT REQUEST ━━━━━━━━━━━━━\n403 \t  429 bytes https://domain.com/admin\n\n━━━━━━━━━━━━━ VERB TAMPERING ━━━━━━━━━━━━━━\n\n━━━━━ VERB TAMPERING CASE SWITCHING ━━━━━━━\n\n━━━━━━━━━━━━━ HEADERS ━━━━━━━━━━━━━━━━━━━━━\n\n━━━━━━━━━━━━━ CUSTOM PATHS ━━━━━━━━━━━━━━━━\n200 \t 2047 bytes https://domain.com/;///..admin\n\n━━━━━━━━━━━━━ DOUBLE-ENCODING ━━━━━━━━━━━━━\n\n━━━━━━━━━━━━━ HTTP VERSIONS ━━━━━━━━━━━━━━━\n403      429 bytes HTTP/1.0\n\n━━━━━━━━━━ PATH CASE SWITCHING ━━━━━━━━━━━━\n200 \t 2047 bytes https://domain.com/%61dmin\n```\n\n### Basic Usage\n\n```bash\n./nomore403 -u https://domain.com/admin\n```\n\n### Verbose Mode + Proxy + Specific techniques to use\n\n```bash\n./nomore403 -u https://domain.com/admin -x http://127.0.0.1:8080 -k headers,http-versions -v\n```\n\n### Parse request from Burp\n\n```bash\n./nomore403 --request-file request.txt\n```\n\n### Use custom header + specific IP address for bypasses\n\n```bash\n./nomore403 -u https://domain.com/admin -H \"Environment: Staging\" -i 8.8.8.8\n```\n\n### Set new max of goroutines + add delay between requests\n```bash\n./nomore403 -u https://domain.com/admin -m 10 -d 200\n```\n\n### Filter by specific status codes\n```bash\n./nomore403 -u https://domain.com/admin --status 200,302\n```\n\n## Options\n\n```bash\n./nomore403 -h\nCommand line application that automates different ways to bypass 40X codes.\n\nUsage:\n  nomore403 [flags]\n\nFlags:\n  -i, --bypass-ip string      Use a specified IP address or hostname for bypassing access controls. Injects this IP in headers like 'X-Forwarded-For'.\n  -d, --delay int             Specify a delay between requests in milliseconds. Helps manage request rate (default: 0ms).\n  -f, --folder string         Specify the folder location for payloads if not in the same directory as the executable.\n  -H, --header strings        Add one or more custom headers to requests. Repeatable flag for multiple headers.\n  -h, --help                  help for nomore403\n      --http                  Use HTTP instead of HTTPS for requests defined in the request file.\n  -t, --http-method string    Specify the HTTP method for the request (e.g., GET, POST). Default is 'GET'.\n  -m, --max-goroutines int    Limit the maximum number of concurrent goroutines to manage load (default: 50). (default 50)\n      --no-banner             Disable the display of the startup banner (default: banner shown).\n  -x, --proxy string          Specify a proxy server for requests (e.g., 'http://server:port').\n      --random-agent          Enable the use of a randomly selected User-Agent.\n  -l, --rate-limit            Halt requests upon encountering a 429 (rate limit) HTTP status code.\n  -r, --redirect              Automatically follow redirects in responses.\n      --request-file string   Load request configuration and flags from a specified file.\n      --status strings        Filter output by comma-separated status codes (e.g., 200,301,403)\n  -k, --technique strings     Specify one or more attack techniques to use (e.g., headers,path-case). (default [verbs,verbs-case,headers,endpaths,midpaths,double-encoding,http-versions,path-case])\n      --timeout int           Specify a max timeout time in ms. (default 6000)\n      --unique                Show unique output based on status code and response length.\n  -u, --uri string            Specify the target URL for the request.\n  -a, --user-agent string     Specify a custom User-Agent string for requests (default: 'nomore403').\n  -v, --verbose               Enable verbose output for detailed request/response logging (not based on auto-calibrate).\n```\n\n## Common Use Cases\n\n- **Security Audits**: Identify misconfigurations in authentication systems\n- **Bug Bounty**: Discover bypasses in protected endpoints\n- **Penetration Testing**: Gain access to restricted areas during assessments\n- **Hardening**: Verify the robustness of implemented protections\n\n## Contributing\n\nWe welcome contributions of all forms. Here's how you can help:\n\n - Report bugs and suggest features\n - Submit pull requests with bug fixes and new features\n - Add new payloads to existing folders\n\n## Security Considerations\n\nWhile nomore403 is designed for educational and ethical testing purposes, it's important to use it responsibly and with permission on target systems. Please adhere to local laws and guidelines.\n\n## License\n\nnomore403 is released under the MIT License. See the [LICENSE](https://github.com/devploit/dontgo403/blob/main/LICENSE) file for details.\n\n## Acknowledgments\n\nNoMore403 draws inspiration from several projects in the web security space:\n- [Dontgo403](https://github.com/devploit/dontgo403) - The predecessor to NoMore403\n- The cybersecurity community for documenting and sharing bypass techniques\n- All contributors who have helped improve this tool\n\n## Contact\n\n[![Twitter: devploit](https://img.shields.io/badge/-Twitter-blue?style=flat-square\u0026logo=Twitter\u0026logoColor=white\u0026link=https://twitter.com/devploit/)](https://twitter.com/devploit/)\n","funding_links":[],"categories":["Miscellaneous","Weapons","Web","Go"],"sub_categories":["Forbidden Bypass","Tools"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevploit%2Fnomore403","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdevploit%2Fnomore403","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevploit%2Fnomore403/lists"}