Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/akenofu/URL_Fuzzer_401_403_Bypass

A Burp extension to Fuzz URLs for HTTP parser inconsistencies
https://github.com/akenofu/URL_Fuzzer_401_403_Bypass

burp-extensions burpsuite

Last synced: 25 days ago
JSON representation

A Burp extension to Fuzz URLs for HTTP parser inconsistencies

Host: GitHub
URL: https://github.com/akenofu/URL_Fuzzer_401_403_Bypass
Owner: akenofu
Created: 2023-10-05T02:11:27.000Z (about 1 year ago)
Default Branch: main
Last Pushed: 2023-10-20T22:54:06.000Z (about 1 year ago)
Last Synced: 2024-08-04T00:06:26.008Z (4 months ago)
Topics: burp-extensions, burpsuite
Language: Java
Homepage:
Size: 2.99 MB
Stars: 7
Watchers: 2
Forks: 3
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-burp-extensions - URL Fuzzer 401/403 Bypass - A Burp extension to Fuzz URLs for HTTP parser inconsistencies (Payload Generators and Fuzzers / SSRF)

README

# URL Fuzzer 401/403 Bypass

Fuzz the URL with all available ASCII characters to identify parser inconsistencies. Based on the work of Rafael da Costa Santos (https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies) and Orange Tsai (https://youtu.be/28xWcRegncw?si=t6BcScfQsz-2wFap).

## Demo

https://github.com/akenofu/URL_Fuzzer_403_Bypass/assets/44447755/611dc8bb-e538-4984-b91d-029f353d33b7

## How it works
Inserts all ASCII characters (0-255) at pre-defined insertion points in the URL.
For the path `/admin/dashboard`, the following transformations are done:
- `0x85/admin/dashboard`
- `/0x85/admin0x85/dashboard`
- `/admin0x85/dashboard`
- `/admin/dashboard0x85`
- `/admin/dashboard/0x85/`

etc...