Bypass Url Parser: Tests MANY url bypasses to reach a 40X protected page

Bypass Url Parser

Tool that tests MANY url bypasses to reach a 40X protected page. If you wonder why this code is nothing but a dirty curl wrapper, here’s why:

  • Most of the Python requests do url/path/parameter encoding/decoding, and I hate this.
  • If I submit raw chars, I want raw chars to be sent.
  • If I send a weird path, I want it weird, not normalized.

This is surprisingly hard to achieve in Python without losing all of the lib goodies like parsing, ssl/tls encapsulation, and so on. So, be like me, use curl as a backend, it’s gonna be just fine.

Also, this tool can be used as a library, see

More about supported arguments

Arguments parsing

Bypass_url_parser allows to define some arguments in many ways:

  • -m, --mode-s, --spoofip and -p, --spoofport arguments can be a filename, a string, a comma-separated string list or a list (when Bypasser is used as a library);
  • -u, --url argument can be a filename, a string or a list (when Bypasser is used as a library);
  • stdin (with -) is supported for all these arguments.

For example, if you want to define several target urls (-u, --url), all the following commands produce the same result:

bypass-url-parser -u
bypass-url-parser -u /path/urls
cat /path/urls | bypass-url-parser -u -
echo '' | bypass-url-parser -u -

Target definition

A target must be defined for the tool to work. 2 options:

  • -u, --url: URL(s), in GET
  • -R, --request: Request file. The protocol can’t be guessed from file, so http by default or https if --request-tls option is present.

Bypass mode

If -m, --mode is specified, you can select the desired bypass mode to run a specific test (or tests) and reduce the number of requests sent by the tool.

For now, the following bypass mode(s) are supported:

all, mid_paths, end_paths, case_substitution, char_encode, http_methods, http_versions, http_headers_method, http_headers_scheme, http_headers_ip, http_headers_port, http_headers_url


bypass-url-parser -u /path/urls -m "case_substitution, char_encode, http_headers_scheme"

Spoofip / Spoofport

In order to customize the ip addresses and ports used in bypass attempts, the tool supports the following options:

  • With -s, --spoofip you can set some IP(s) to inject into ip-specific headers (X-Forwarded-ForX-Real-Ip, etc.)
  • With -p, --spoofport you can set some ports to inject into port-specific headers (X-Forwarded-Port)

By default, these custom entries are added to the internal IP/port lists. If you want to use only your IP(s)/port(s), you can use --spoofip-replace and/or --spoofport-replace arguments.


bypass-url-parser -u /path/urls -s /path/custom_ip --spoofip-replace
bypass-url-parser -u /path/urls -p "3000, 9443, 10443"

JSON-Lines output and command piping

With the --jsonl option, it’s possible to print the results on stdout in JSON-Lines format. The standard tool’s output and results are displayed with a logger on stderr, so it is possible to pipe the JSON-Line output format with other tools:

bypass-url-parser -u "" -t 20 -S 0 -m case_substitution,char_encode --jsonl | jq

Notes: With -S 2 ou -S 3, the JSON-Lines output also includes the path and the name of saved html files.

Results saving

By default, if target url is unique, the tool saves a copy of the results in /tmp/tmpXXX-bypass-url-parser/ directory.

Notes: If multiple target urls are passed to -u, results are prefixed with the url as directory (/tmp/tmpXXX-bypass-url-parser/http-target-com-8080-api-users/).

There are two arguments to customize this behavior:

  • -o, --outdir to set a custom output directory
  • -S, --save-level to choose a saving level

The saving levels are:

  • 0 (NONE): Disable output saving and output directory creation;
  • 1 (MINIMAL): Only save the program log file which contains the results: triaged-bypass.log;
  • 2 (PERTINENT): Save the program log file triaged-bypass.log and pertinent (results) curl responses in triaged-bypass.json file and separate html files (Default);
  • 3 (FULL): Save the program log file triaged-bypass.log and all curl responses in triaged-bypass.json file and separate html files.

Install & Use

Copyright (C) 2022 Laluka