Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/carlospolop/fuzzhttpbypass
This tool use fuuzzing to try to bypass unknown authentication methods, who knows...
https://github.com/carlospolop/fuzzhttpbypass
authentication bypass fuzzing http wfuzz
Last synced: 7 days ago
JSON representation
This tool use fuuzzing to try to bypass unknown authentication methods, who knows...
- Host: GitHub
- URL: https://github.com/carlospolop/fuzzhttpbypass
- Owner: carlospolop
- Created: 2019-02-26T21:54:21.000Z (almost 6 years ago)
- Default Branch: master
- Last Pushed: 2024-08-09T14:58:45.000Z (5 months ago)
- Last Synced: 2024-12-03T10:40:31.461Z (22 days ago)
- Topics: authentication, bypass, fuzzing, http, wfuzz
- Language: Python
- Size: 33.2 KB
- Stars: 230
- Watchers: 4
- Forks: 38
- Open Issues: 5
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# FuzzHTTPBypass
This tool use fuuzzing to try to bypass unknown authentication methods, who knows...
This is mainly for CTFs.
## Installation
You only need to have installed **wfuzz**
```bash
pip3 install wfuzz
```## Features
- [+] Get and show **GET code**, **cookies sent** by server and **content if redirect** (all of this in the provided url)
- [+] Fuzz **HTTP Verbs(Methods)**: *GET, HEAD, POST, DELETE, CONNECT, OPTIONS, TRACE, PUT, INVENTED*
- [+] Fuzz **HTTP Headers**: *Forwarded, X-Forwarded-For, X-ProxyUser-Ip, Referer, User-Agent, Cookies*
- [+] Fuzz **HTTP Authentication**: *Basic and NTLM*
- [+] **Filter** by code or by words (appearing or not)
- [+] **Autocontained**## Example
Show responses that do not return code 403 of url http://example.com/index.php
`./fuzzhttpbypass.py -f notcontains,403 -u http://example.com/index.php`
Responses that do not contains the code 240 (show all) in http://example.com/index.php
`./fuzzhttpbypass.py -f notcontains,240 -u http://example.com/index.php`
Responses that do not contains the word "Invalid" in http://example.com/index.php (Currently, the Wfuzz API has problems with spaces so we can't use them)
`./fuzzhttpbypass.py -f notcontains,Invalid -u http://example.com/index.php`