Skip to content

MartinPSDev/BypassNinja

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

43 Commits
assets
assets
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
RULES.md
RULES.md
 
 
bypassninja.py
bypassninja.py
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

logo

BypassNinja is a tool designed to evade HTTP (403) blocks by utilizing various methods and headers. Below is how to use the tool.

Requirements

  • Python 3.x
  • Required libraries can be installed using pip:
pip install -r requirements.txt

Usage

To run the tool, use the following command in the terminal:

python bypassninja.py <URL> [options]

banner

Parameters

  • <URL>: The target URL (e.g., https://example.com).
  • -p, --path: Specify the path to test (default: /).
  • -o, --output: Output file for results in JSON format.
  • --proxy: Proxy URL (e.g., http://127.0.0.1:8080).
  • -t, --threads: Number of concurrent threads (default: 20).
  • --timeout: Request timeout in seconds (default: 10.0).
  • -d, --delay: Delay between requests per thread in seconds (default: 0).
  • -v, --verbose: Verbose output (show all non-successful attempts).
  • -r, --retry: Number of retries for failed requests (default: 1).
  • -c, --cookie: Cookies string (e.g., 'name1=value1; name2=value2').
  • --follow-redirects: Follow redirects (may impact bypass detection).
  • --headers: Custom headers as a JSON string (e.g., '{"Header": "Value"}').
  • --payloads: File containing custom path mutation payloads (one per line).
  • --max-requests: Maximum number of requests to make (randomly selected).
  • --burst: Burst mode (uses only GET/POST methods).
  • --no-verify: Disable SSL verification.
  • --stop-on-success: Stop after the first success (2xx) or redirect (3xx).

Example Command

python bypassninja.py https://target.com -p /admin --output results.json --threads 10 --stop-on-success

This command will attempt to evade blocks on https://example.com at the path /admin, using 10 threads and saving the results to results.json. The tool will stop after finding the first success or redirect.

Recommended command

python3 bypassninja.py https://target.com --timeout 3 -d 1 -o report --stop-on-success

output

New Features: WAF Bypass Techniques (4/10/2025)

IP Address Representation Variations

Based on an article written by Zakhar Fedotkin PortSwigger's URL Validation Bypass research, BypassNinja now implements various IP address representation techniques to bypass WAF restrictions:

  • Octal Format: Converting IP segments to octal (e.g., 127.0.0.10177.0000.0000.0001)
  • Hexadecimal Format: Converting to hex notation (e.g., 127.0.0.10x7F.0x00.0x00.0x01)
  • Binary Format: Full binary representation of IP segments
  • Partial Decimal: Combined decimal notation
  • DWORD Notation: 32-bit integer representation
  • IPv6 Mapped: IPv4 mapped to IPv6 format (e.g., ::FFFF:127.0.0.1)

Notes

  • Ensure you have permission to perform testing on the target.
  • Use the tool responsibly and ethically.

Author

  • @M4rt1n_0x1337 - Initial work - X

About

Bypass 403

Topics

automation pentesting bugbounty security-tools waf-bypass bypass-techniques http-403

Resources

Readme
Activity

Stars

13 stars

Watchers

1 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages