No4bidden is a powerful penetration-testing utility designed to identify and exploit HTTP 40X (Forbidden/Unauthorized) bypass misconfigurations.
Inspired by Janus, the Roman god of gates and transitions, No4bidden sees paths where others only see walls.
Attempts dozens of 40X bypass techniques including:
- HTTP Verb Tampering
- Custom Header Injection
- Path Normalization & Traversal
- Double / Multi-Encoding
- HTTP Version Smuggling
- Combination Attacks
Load full HTTP requests directly from tools like Burp Suite, ZAP, or cURL.
Supports headers, body, cookies, and custom methods.
- Fully multithreaded scanning
- Safe concurrency with locking
- Auto-calibration for accurate detection
- Optional rate-limit auto-stop (`--rate-limit`)
- Adjustable threads, timeouts, and delays
Interactive guided mode to set up a scan step-by-step.
- Python 3.x
- `requests` library
```bash
git clone https://github.com/Debajyoti0-0/No4bidden.git
cd No4bidden
pip install -r requirements.txt
python3 No4bidden.py --help
```
- Basic Scan
```bash
python3 No4bidden.py -u https://example.com/admin
```
- Wizard Mode (Beginner Friendly)
```bash
python3 No4bidden.py --wizard
```
```text
No4bidden - 40X Bypass Tool

options:
  -u, --url URL         Target URL to test
  -r, --request-file REQUEST_FILE
                        Load HTTP request from a file
  -p, --payload-dir PAYLOAD_DIR
                        Custom payload directory
  -m, --method METHOD   HTTP method (default: GET)
  -H, --header HEADER   Custom headers
  -x, --proxy PROXY     Proxy server
  -t, --timeout TIMEOUT
                        Timeout in ms (default: 10000)
  -d, --delay DELAY     Delay between requests in ms (default: 0)
  --redirect            Follow redirects
  -i, --bypass-ip BYPASS_IP
                        Custom IP for bypass headers
  -a, --user-agent USER_AGENT
                        Custom User-Agent
  --random-agent        Use random User-Agent
  --threads THREADS     Number of threads (default: 50)
  --rate-limit          Stop on rate limit detection
  -s, --status-codes STATUS_CODES
                        Filter by status codes (comma-separated)
  --output-format {text,json}
                        Output format
  --unique              Show only unique responses
  -v, --verbose         Verbose output
  --no-banner           Hide banner
  -h, --help            Show help message

Miscellaneous:
  These options do not fit into any other category

  --wizard              Simple wizard interface for beginner users

Examples:
  python3 No4bidden.py -u https://example.com/admin
  python3 No4bidden.py -u https://example.com -r request.txt
  python3 No4bidden.py -u https://example.com -x http://127.0.0.1:8080 -v
  python3 No4bidden.py --wizard
```

| Command | Description |
|---|---|
| `python3 No4bidden.py -u URL -v` | Verbose mode for debugging and thread-level details |
| `python3 No4bidden.py -u URL --threads 100 --delay 500` | 100 threads + 500ms delay |
| `python3 No4bidden.py -u URL -x http://127.0.0.1:8080` | Route traffic via Burp/ZAP |
| `python3 No4bidden.py -u URL --rate-limit` | Stop when a 429 Too Many Requests appears |
| `python3 No4bidden.py -r request.txt` | Use a full request from a file |
| `python3 No4bidden.py -u URL -H "X-Custom: Value"` | Add custom headers |

| Category | Prefix | Description |
|---|---|---|
| VERB TAMPERING | `method_` | Tests GET/POST/PUT/DELETE/TRACE/OPTIONS and variants |
| HEADERS | `header_` | Injects headers like X-Forwarded-For, X-Original-URL |
| CUSTOM PATHS | `path_` | Path traversal, bypass suffixes, malformed routes |
| DOUBLE-ENCODING | `encoding_` | Tests %2f, %252f, Unicode, Base64 encoded paths |
| HTTP VERSIONS | `http_` | Non-standard or tampered HTTP versions |

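
On the defending side, the verb and encoding categories in the table leave a recognisable trace in access logs: one client sending many method and encoding variants at a resource that denied it. The detector below is an added example, not part of No4bidden; the log format, the sample lines, the function names and the `min_variants` threshold are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote
# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /admin HTTP/1.1" 403 153
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "POST /admin HTTP/1.1" 403 153
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "TRACE /admin HTTP/1.1" 405 0
203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /%252fadmin HTTP/1.1" 403 153
203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /admin%2f HTTP/1.1" 200 5120
198.51.100.4 - - [01/Jan/2025:10:00:05 +0000] "GET /admin HTTP/1.1" 403 153
198.51.100.4 - - [01/Jan/2025:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 812
"""
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) (HTTP/[\d.]+)" (\d{3}) ')

def canonical(path):
    """Decode repeatedly so %252f and %2f variants map to one resource."""
    path = path.split("?", 1)[0]
    for _ in range(5):  # bounded: stop once decoding no longer changes anything
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r"/+", "/", path).rstrip("/")
    return path.lower() or "/"

def find_probing(log_text, min_variants=3):
    """Flag clients sending many request variants at a resource that denied them."""
    seen = defaultdict(lambda: {"variants": set(), "statuses": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, method, raw, version, status = m.groups()
        entry = seen[(ip, canonical(raw))]
        entry["variants"].add((method, raw, version))
        entry["statuses"].add(int(status))
    findings = []
    for (ip, path), e in sorted(seen.items()):
        denied = e["statuses"] & {401, 403}
        if denied and len(e["variants"]) >= min_variants:
            # A 2xx next to a 401/403 means one variant got through: review the ACL.
            ok = any(200 <= s < 300 for s in e["statuses"])
            findings.append({"client": ip, "resource": path,
                             "variants": len(e["variants"]), "bypassed": ok})
    return findings

if __name__ == "__main__":
    print(find_probing(SAMPLE_LOG))
```

A finding with `bypassed` set to true is the case to triage first, because the access rule and the application disagreed about which resource the request named. Header-based variants such as X-Forwarded-For or X-Original-URL are not visible in this log format and need header logging at the proxy.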
We welcome contributions!
Areas for contribution:
- More payloads
- Additional bypass techniques
- Improved output formatting
- Enhanced detection heuristics
If this project helps you, consider giving it a star on GitHub.
"Opening gates where others see only walls."

