Bypass Url Parser: Tests MANY url bypasses to reach a 40X protected page

Tool that tests MANY url bypasses to reach a 40X protected page. If you wonder why this code is nothing but a dirty curl wrapper, here’s why:

  • Most of the Python requests do url/path/parameter encoding/decoding, and I hate this.
  • If I submit raw chars, I want raw chars to be sent.
  • If I send a weird path, I want it weird, not normalized.

This is surprisingly hard to achieve in Python without losing all of the lib goodies like parsing, ssl/tls encapsulation, and so on. So, be like me, use curl as a backend, it’s gonna be just fine.

Also, this tool can be used as a library, see lib_sample_usage.py

More about supported arguments

Arguments parsing

Bypass_url_parser lets you define some arguments in several ways:

  • -m, --mode, -s, --spoofip and -p, --spoofport arguments can be a filename, a string, a comma-separated string list or a list (when Bypasser is used as a library);
  • -u, --url argument can be a filename, a string or a list (when Bypasser is used as a library);
  • stdin (with -) is supported for all these arguments.

For example, if you want to define several target urls (-u, --url), all the following commands produce the same result:

    bypass-url-parser -u http://thinkloveshare.com/test
    bypass-url-parser -u /path/urls
    cat /path/urls | bypass-url-parser -u -
    echo 'http://thinkloveshare.com/test' | bypass-url-parser -u -

Target definition

A target must be defined for the tool to work. 2 options:

  • -u, --url: URL(s), in GET
  • -R, --request: Request file. The protocol can’t be guessed from the file, so http is used by default, or https if the --request-tls option is present.

Bypass mode

If -m, --mode is specified, you can select the desired bypass mode to run a specific test (or tests) and reduce the number of requests sent by the tool.

For now, the following bypass mode(s) are supported:

    all, mid_paths, end_paths, case_substitution, char_encode, http_methods, http_versions, http_headers_method, http_headers_scheme, http_headers_ip, http_headers_port, http_headers_url

Example:

    bypass-url-parser -u /path/urls -m "case_substitution, char_encode, http_headers_scheme"
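
On the defending side, the path-oriented modes (mid_paths, end_paths, case_substitution, char_encode) test whether the access rule and the backend agree on what a path means. The following is an added example, not code from the tool or its author: a raw-prefix rule next to one that decides on a canonical path. The /admin prefix, the sample paths and the case-insensitive backend are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

PROTECTED_PREFIXES = ("/admin",)  # hypothetical protected area (assumption)


def naive_is_protected(raw_path: str) -> bool:
    """Weak form: matches the raw path exactly as it arrived."""
    return raw_path.startswith(PROTECTED_PREFIXES)


def canonicalize(raw_path: str) -> str:
    """Reduce a request path to a single canonical form."""
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    # Decode until stable so layered encoding (%2561 -> %61 -> a) is resolved;
    # refuse input that is still changing after a few rounds.
    for _ in range(4):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise ValueError("too many encoding layers")
    if any(ord(c) < 0x20 or c == "\x7f" for c in path):
        raise ValueError("control character in path")
    path = re.sub(r"/+", "/", "/" + path.replace("\\", "/"))  # one slash only
    path = posixpath.normpath(path)  # resolves "." and ".." segments
    return path.lower()  # assumption: the backend routes case-insensitively


def is_protected(raw_path: str) -> bool:
    """Hardened form: decide on the canonical path, fail closed on bad input."""
    try:
        path = canonicalize(raw_path)
    except ValueError:
        return True
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


# Constructed sample paths, one per class of variation.
SAMPLES = ["/admin/panel", "/ADMIN/panel", "/%61dmin/panel", "//admin/panel",
           "/public/../admin/panel", "/administrator-guide", "/public/index.html"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:26} naive={naive_is_protected(p)!s:5} hardened={is_protected(p)}")
```

The same canonical form has to be what the backend routes on; if the proxy canonicalizes and the application does not (or the reverse), the two can still disagree.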

Spoofip / Spoofport

In order to customize the ip addresses and ports used in bypass attempts, the tool supports the following options:

  • With -s, --spoofip you can set some IP(s) to inject into ip-specific headers (X-Forwarded-For, X-Real-Ip, etc.)
  • With -p, --spoofport you can set some ports to inject into port-specific headers (X-Forwarded-Port)

By default, these custom entries are added to the internal IP/port lists. If you want to use only your IP(s)/port(s), you can use --spoofip-replace and/or --spoofport-replace arguments.

Example:

    bypass-url-parser -u /path/urls -s /path/custom_ip --spoofip-replace
    bypass-url-parser -u /path/urls -p "3000, 9443, 10443"
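
What these header tests probe for is an application that believes X-Forwarded-For regardless of who sent it. The following is an added example, not code from the tool or its author: the server-side rule that makes an injected value irrelevant, by honouring the header only when the TCP peer is a known proxy. The 10.0.0.0/8 proxy range and the sample addresses are assumptions.

```python
import ipaddress
from typing import Optional

# Assumption: the only hosts allowed to set forwarding headers (hypothetical range).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(ip) -> bool:
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer: str, headers: dict) -> Optional[str]:
    """Address to use for access decisions, or None if it cannot be established."""
    peer_ip = ipaddress.ip_address(peer)
    if not _is_trusted(peer_ip):
        # Direct connection: every forwarding header is client-supplied, ignore it.
        return str(peer_ip)
    hdrs = {k.lower(): v for k, v in headers.items()}
    hops = [h.strip() for h in hdrs.get("x-forwarded-for", "").split(",") if h.strip()]
    if not hops:
        return str(peer_ip)
    candidate = None
    # Walk right to left: the rightmost entries were appended by our own proxies.
    for hop in reversed(hops):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed chain: the caller must deny
        if not _is_trusted(candidate):
            break  # first hop we do not control is the client
    return str(candidate)


if __name__ == "__main__":
    # Constructed cases: header sent directly, then the same header via our proxy.
    print(client_ip("203.0.113.7", {"X-Forwarded-For": "127.0.0.1"}))
    print(client_ip("10.0.0.1", {"X-Forwarded-For": "127.0.0.1, 203.0.113.7"}))
```

X-Real-Ip and X-Forwarded-Port need the same handling: overwritten by the trusted proxy, ignored from anyone else.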

JSON-Lines output and command piping

With the --jsonl option, the results are printed on stdout in JSON-Lines format. The tool’s standard output and results are displayed with a logger on stderr, so the JSON-Lines output can be piped to other tools:

    bypass-url-parser -u "https://thinkloveshare.com/juicy_403_endpoint/" -t 20 -S 0 -m case_substitution,char_encode --jsonl | jq

Note: With -S 2 or -S 3, the JSON-Lines output also includes the path and the name of saved html files.

Results saving

By default, if target url is unique, the tool saves a copy of the results in /tmp/tmpXXX-bypass-url-parser/ directory.

Notes: If multiple target urls are passed to -u, results are prefixed with the url as directory (/tmp/tmpXXX-bypass-url-parser/http-target-com-8080-api-users/).

There are two arguments to customize this behavior:

  • -o, --outdir to set a custom output directory
  • -S, --save-level to choose a saving level

The saving levels are:

  • 0 (NONE): Disable output saving and output directory creation;
  • 1 (MINIMAL): Only save the program log file which contains the results: triaged-bypass.log;
  • 2 (PERTINENT): Save the program log file triaged-bypass.log and pertinent (results) curl responses in triaged-bypass.json file and separate html files (Default);
  • 3 (FULL): Save the program log file triaged-bypass.log and all curl responses in triaged-bypass.json file and separate html files.

Install & Use

Copyright (C) 2022 Laluka