NoMoreForbidden is a tool that tries various techniques to bypass forbidden (403) pages on websites and presents the results to the user.
Note
NoMoreForbidden now has a Go version. See https://github.com/akinerkisa/GoNMF
Note
You can try this tool against the 403 vulnerable page section of https://github.com/akinerkisa/renikApp.
```bash
git clone https://github.com/akinerkisa/NoMoreForbidden
cd NoMoreForbidden
pip install -r requirements.txt
python3 nmf.py -u https://www.example.com/test
```
| Flag | Description | Example | Default |
|---|---|---|---|
| -u | Specify URL | python3 nmf.py -u https://www.example.com/test | N/A |
| -ip | Specify IP address for IP-based headers | python3 nmf.py -ip 1.1.1.1 | 127.0.0.1 |
| -v | Toggles showing all Valid/Invalid results | python3 nmf.py -v on/off | off |
Payloads such as https://google.com/test/../ and headers such as X-Original-URL have a high false-positive rate. NoMoreForbidden compares the response length of the main page with the response length of the bypass result. If they are equal, the result is very likely a false positive. However, this check cannot always be trusted. On some websites (e.g. google.com) page lengths vary, which prevents the program from detecting false positives.
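The length comparison described above, as an added example that is not NoMoreForbidden's own code. It generalizes the exact-equality rule to a band built from several main-page samples, so pages whose length varies between requests are still caught; the function names, labels and sample numbers are assumptions constructed for illustration.

```python
def baseline_band(main_lengths, slack=0):
    """Body-length band observed for the main page.

    main_lengths: lengths from one or more fetches of the main page.
    With a single sample and slack=0 this is the exact-equality rule.
    """
    if not main_lengths:
        raise ValueError("need at least one main-page sample")
    return min(main_lengths) - slack, max(main_lengths) + slack


def triage(status, length, band):
    """Label one test result using its status code and body length."""
    if status in (401, 403):
        return "blocked"                # access control held
    if not 200 <= status < 300:
        return "other"                  # redirect or error, judge separately
    low, high = band
    if low <= length <= high:
        return "likely-false-positive"  # server just returned the main page
    return "needs-review"               # 2xx with different content


# Constructed sample data: three main-page fetches with varying length,
# then (test label, status, body length) for each request that was tried.
MAIN_SAMPLES = [5120, 5134, 5127]
RESULTS = [
    ("unmodified request", 403, 162),
    ("path /test/../", 200, 5127),
    ("header X-Original-URL", 200, 5131),
    ("header with -ip value", 200, 843),
]


def report(results, band):
    """Return [(test label, verdict), ...] for a list of results."""
    return [(name, triage(status, length, band))
            for name, status, length in results]


if __name__ == "__main__":
    band = baseline_band(MAIN_SAMPLES)
    for name, verdict in report(RESULTS, band):
        print(f"{verdict:22} {name}")
```

With a single main-page sample, the 5131-byte response would not match and would be reported as a hit, which is the failure mode the paragraph describes for sites with varying page lengths.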
IP address-based bypass only works with the origin IP. If the target uses services like Cloudflare or CloudFront, we cannot access the original IP. While testing IP address bypass, NMF checks the server, and if the website uses Cloudflare or CloudFront, NMF notifies the user of this. Additionally, an SSL handshake failure may also indicate a CDN/WAF. The user is notified of this as well.
https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/403-and-401-bypasses