π« Advanced tool for security researchers to bypass 403/40X restrictions through smart techniques and adaptive request manipulation. Fast. Precise. Effective.
NoMore403
nomore403 is a command-line tool for testing HTTP access-control bypasses and parser inconsistencies around 401, 403, and related responses.
The tool is designed for practical web security work: bug bounty, penetration testing, security reviews, and regression testing of access-control rules. It automates a broad set of request mutations, captures a baseline, filters common false positives, and highlights the responses most likely to represent a meaningful bypass.
What It Does
Given a target URL, nomore403:
- Sends a baseline request to capture the blocked response.
- Optionally auto-calibrates against non-existent paths to learn the target's default error behavior.
- Runs a set of bypass techniques that mutate the request path, method, headers, or wire format.
- Scores and groups the results to reduce noise.
- Emits replayable evidence, including
curlcommands for interesting findings.
Features
- Baseline-driven comparison against the blocked response
- Auto-calibration to reduce false positives from default
404or parent-path responses - Scored output with separate summaries for likely bypasses and interesting variations
- Replay and reproducibility for high-value findings
- Retry and backoff for transient network failures
- Concurrent execution with per-technique progress
- Raw HTTP support for request forms that
net/httpnormalizes away - JSON and JSONL output for pipelines and post-processing
- Input from a single URL, URL files, stdin, or request files
Installation
Build from source
git clone https://github.com/devploit/nomore403
cd nomore403
go build
Install with Go
go install github.com/devploit/nomore403@latest
If you install with go install, the payloads/ directory is not installed automatically. Clone the repository and point the tool to that directory with -f if needed.
Requirements
- Go 1.24 or later to build from source
curlavailable inPATHfor techniques that depend on it, such as:
http-versions
- http-parser
- absolute-uri
Most techniques work without curl.
Quick Start
Basic scan:
./nomore403 -u https://target.tld/admin
Use a proxy and verbose output:
./nomore403 -u https://target.tld/admin -x http://127.0.0.1:8080 -v
Run only selected techniques:
./nomore403 -u https://target.tld/admin -k headers,absolute-uri,raw-desync
Read targets from stdin:
cat urls.txt | ./nomore403
Use a Burp-style request file:
./nomore403 --request-file request.txt
Write machine-readable output:
./nomore403 -u https://target.tld/admin --jsonl -o findings.jsonl
Example Output
target: https://target.tld/admin method: GET frontend: AWS ELB/ALB payloads: payloads
calib: 404 | 1245b | Β±50 | frag 703b
BASELINE default 403 520 bytes https://target.tld/admin
FINDINGS hdr-ip 100! 200 2048 bytes X-Original-URL: / abs-uri 26. 403 236 bytes request-target: https://target.tld/admin http 18. 400 122 bytes HTTP/2
no visible results: 17 techniques
ββββββββββββββ LIKELY BYPASS βββββββββββββββββ [!100 HIGH] Header injection (IP) 403=>200 2048b why: status 403->200, len Ξ1528, body changed, type changed item: X-Original-URL: / curl: curl -i -sS -k -H 'User-Agent: nomore403' -H 'X-Original-URL: /' 'https://target.tld/admin'
How to Read the Output
Main technique output
Each visible line is a response that differed enough from the baseline to survive filtering.
Typical fields:
- technique alias, for example
hdr-ip,abs-uri, orparser - compact score marker such as
18.,61+, or100! - final response status
- response size
- item or payload used
Summary transitions
The final summaries show baseline-to-result transitions:
403=>200usually deserves immediate attention403=>302can be interesting, but may still resolve back into an auth barrier403->400or403->404usually indicate parser or routing differences rather than a bypass
Summaries
At the end of the run, nomore403 prints:
LIKELY BYPASS
curl
INTERESTING VARIATIONS
no visible results
Scoring Model
Scoring is heuristic. It is intended to prioritize results, not to prove exploitation.
The tool generally rewards:
- transitions to
2xx - transitions to
3xx - large body-length changes
- body hash changes
Locationchanges- anomalous redirects that do not appear to resolve into a login or denied flow
- differences that survive replay
- near-identical responses
- repeated parser noise
- unstable replay results
- empty-body redirects that appear to lead back into access control
- many
400and404cases unless the response also changes substantially
HIGH: likely actionable; review firstMED: plausible candidate; usually worth manual replayLOW: parser difference, routing anomaly, or lower-confidence behavior
Auto-Calibration
Auto-calibration is enabled by default in non-verbose mode.
It sends requests to several non-existent paths and builds a baseline for the target's default error behavior. It also performs a fragment-based calibration request to reduce false positives caused by fragment-stripped paths.
Use these flags to control it:
--no-calibrate
--strict-calibrate
Location, Content-Type, and Server
Techniques
The tool runs all techniques by default unless you specify -k.
Method and verb mutations
verbs
payloads/httpmethods
verbs-case
method-override
Header- and trust-based mutations
headers
hop-by-hop
Connection
header-confusion
X-Original-URL
host-override
forwarded-trust
Forwarded, Client-IP, Cluster-Client-IP, and related trust chains
proto-confusion
X-Forwarded-Proto, X-Forwarded-Port, and related scheme hints
ip-encoding
Path and normalization mutations
endpaths
payloads/endpaths
midpaths
payloads/midpaths
double-encoding
unicode
%uXXXX and overlong UTF-8 path variants
path-case
path-normalization
suffix-tricks
.json, .css, ;index.html, and format-style query toggles
payload-position
Frontend and wire-format mutations
http-versions
HTTP/1.0 and HTTP/2
http-parser
curl request to expose client/frontend parser differences separately from http-versions
absolute-uri
curl --request-target
raw-duplicates
raw-authority
raw-desync
Raw HTTP Behavior
Some techniques need wire-level control that Go's net/http client does not provide. Those techniques use the raw HTTP engine.
Raw techniques currently include:
raw-duplicatesraw-authorityraw-desync- some
%uXXXXunicode path requests
- raw requests are sent automatically where needed
- raw techniques do not currently support upstream proxies
- raw behavior is useful for:
Fingerprinting and Technique Order
The tool may infer frontend hints such as:
- AWS ELB / ALB
- CloudFront
- Cloudflare
- Nginx
- Envoy
- Apache
- IIS
Important:
- fingerprinting does not disable techniques by default
- unless you use
-k, the tool still runs the full default technique set
Reproducibility and Replay
High-value results are replayed automatically in the final summary.
The replay output helps answer:
- did the behavior repeat?
- did it keep the same status and response shape?
- is this likely stable enough to investigate or report?
- replay counts such as
1/1or2/2 matched on replay - a replayable
curlcommand for interesting results
Input Modes
Single target
./nomore403 -u https://target.tld/admin
File containing URLs
./nomore403 -u targets.txt
Stdin
cat targets.txt | ./nomore403
Request file
./nomore403 --request-file request.txt
Request files are useful when replaying traffic captured in Burp or another proxy.
Custom Payload Positions
Use --payload-position when you want to inject payloads at explicit markers instead of relying only on built-in endpath and midpath mutation logic.
Example:
./nomore403 -u 'https://target.tld/Β§100Β§/admin/Β§200Β§' -p Β§
Common Workflows
Fast triage
./nomore403 -u https://target.tld/admin
Investigate with an intercepting proxy
./nomore403 -u https://target.tld/admin -x http://127.0.0.1:8080 -v
Run only raw and frontend-focused techniques
./nomore403 -u https://target.tld/admin -k absolute-uri,raw-duplicates,raw-authority,raw-desync
Test a custom trusted IP
./nomore403 -u https://target.tld/admin -i 10.0.0.5
Save JSONL for later analysis
./nomore403 -u https://target.tld/admin --jsonl -o findings.jsonl
Flags
Run ./nomore403 --help for the full up-to-date CLI.
Key flags:
-u, --uri
-k, --technique
-x, --proxy
-H, --header
-i, --bypass-ip
-v, --verbose
--json
--jsonl
--no-calibrate
--strict-calibrate
--retry-count
--retry-backoff-ms
--host-delay
--top-score-min
LIKELY BYPASS
--variation-score-min
INTERESTING VARIATIONS
--top
0 to disable summaries
Output Formats
Human-readable terminal output
Default mode is optimized for interactive review and triage.
JSON
Use --json for a single structured document.
JSON Lines
Use --jsonl when you want to:
- process results incrementally
- store evidence in pipelines
- import findings into your own tooling
Payload Files
The payloads/ directory contains lists used by several techniques.
Current files include:
httpmethodsheadersipssimpleheadersendpathsmidpathsuseragents
Limitations
- raw HTTP techniques do not currently support upstream proxies
- scoring is heuristic and can produce false positives or false negatives
- redirect scoring currently uses heuristics on the immediate redirect response, not a fully followed redirect chain
- some techniques depend on target-specific behavior and may appear noisy on heavily normalized stacks
curl-based techniques requirecurlinPATH
Security and Responsible Use
Use this tool only on systems you are authorized to test.
The authors and contributors are not responsible for misuse. You are responsible for complying with applicable law, program rules, and organizational policy.
Contributing
Contributions are welcome.
Useful contribution areas include:
- bug fixes
- better payloads
- new bypass techniques
- raw HTTP improvements
- frontend fingerprinting
- documentation and examples
- a clearly distinct parsing or trust-boundary behavior
- reproducible evidence
- tests that verify the request shape or replay behavior
License
This project is released under the MIT License. See LICENSE.