This tool use fuuzzing to try to bypass unknown authentication methods, who knows...
This is mainly for CTFs.
You only need to have installed wfuzz
pip3 install wfuzz
- [ ] Get and show GET code, cookies sent by server and content if redirect (all of this in the provided url)
- [ ] Fuzz HTTP Verbs(Methods): GET, HEAD, POST, DELETE, CONNECT, OPTIONS, TRACE, PUT, INVENTED
- [ ] Fuzz HTTP Headers: Forwarded, X-Forwarded-For, X-ProxyUser-Ip, Referer, User-Agent, Cookies
- [ ] Fuzz HTTP Authentication: Basic and NTLM
- [ ] Filter by code or by words (appearing or not)
- [ ] Autocontained
Show responses that do not return code 403 of url http://example.com/index.php
./fuzzhttpbypass.py -f notcontains,403 -u http://example.com/index.php
Responses that do not contains the code 240 (show all) in http://example.com/index.php
./fuzzhttpbypass.py -f notcontains,240 -u http://example.com/index.php
Responses that do not contains the word "Invalid" in http://example.com/index.php (Currently, the Wfuzz API has problems with spaces so we can't use them)
./fuzzhttpbypass.py -f notcontains,Invalid -u http://example.com/index.php