From 8043a90801b41801d00f672bfa261c1a616fc02b Mon Sep 17 00:00:00 2001
From: TrebledJ
Date: Fri, 7 Feb 2025 00:34:19 +0800
Subject: [PATCH 1/2] fix: localise query replacements to url
Instead of mass replacing the URL path in the entire request, replace only the path in the first HTTP line. The fix here reuses the same pattern seen in other functions in this extension.
---
 403Bypasser.py | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/403Bypasser.py b/403Bypasser.py
index f32d753..8b27d27 100644
--- a/403Bypasser.py
+++ b/403Bypasser.py
@@ -257,18 +257,28 @@ def tryBypassWithQueryPayload(self, request, payload, httpService):
 requestPath = request.getUrl().getPath()
 payloads = self.generatePayloads(requestPath, payload)
+ requestInfo = self.helpers.analyzeRequest(request)
+ headers = requestInfo.getHeaders()
+ firstline = headers[0]
 originalRequest = self.helpers.bytesToString(request.getRequest())
 for pathToTest in payloads:
+ headers[0] = firstline.replace(requestPath, pathToTest)
+ headersAsJavaSublist = ArrayList()
+ for header in headers:
+ headersAsJavaSublist.add(String(header))
+
+ requestBody = originalRequest[requestInfo.getBodyOffset():]
+
+ newRequest = self.helpers.buildHttpMessage(headersAsJavaSublist, requestBody)
 try:
- newRequest = originalRequest.replace(requestPath, pathToTest)
 newRequestResult = self.callbacks.makeHttpRequest(httpService, newRequest)
- newRequestStatusCode = str(self.helpers.analyzeResponse(newRequestResult.getResponse()).getStatusCode())
 except:
 print("No response from server")
 newRequestStatusCode = None
- pass
+ continue
+ newRequestStatusCode = str(self.helpers.analyzeResponse(newRequestResult.getResponse()).getStatusCode())
 if newRequestStatusCode == "200":
 originalRequestUrl = str(request.getUrl())
@@ -609,4 +619,4 @@ def getHttpMessages(self):
 return self._httpMessages
 def getHttpService(self):
- return self._httpService
\ No newline at end of file
+ return self._httpService
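Review bot: The status-code parse `newRequestStatusCode = str(self.helpers.analyzeResponse(newRequestResult.getResponse()).getStatusCode())` now runs outside the `try`, so a request that Burp completes without a response (`getResponse()` returning None on a connection failure rather than raising, if I read the Extender API right) throws here and aborts the whole payload loop instead of being skipped like the `except` branch intends. Guard it before parsing: `response = newRequestResult.getResponse()` / `if response is None: print("No response from server"); continue` / `newRequestStatusCode = str(self.helpers.analyzeResponse(response).getStatusCode())`. A second, quieter issue: if `requestPath` does not occur verbatim in `firstline` (e.g. because `getUrl().getPath()` is normalised or encoded differently from the raw request line), `headers[0] = firstline.replace(requestPath, pathToTest)` silently leaves the request line unchanged, so the unmodified original request is sent and scored as if it were the payload — an `if requestPath not in firstline: continue` (or a logged skip) would prevent that false bypass report. The enclosing `tryBypassWithQueryPayload` body continues past the end of the hunk.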
From 1a03d7fd9b27489be58867a90b0160b97a68af7e Mon Sep 17 00:00:00 2001
From: TrebledJ
Date: Thu, 13 Feb 2025 18:23:07 +0800
Subject: [PATCH 2/2] fix: edge case where path is root
`/` would replace the slash in `HTTP/1.1` (when requesting) and the one in `https://...` (when reporting)
---
 403Bypasser.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/403Bypasser.py b/403Bypasser.py
index 8b27d27..cd77155 100644
--- a/403Bypasser.py
+++ b/403Bypasser.py
@@ -263,7 +263,7 @@ def tryBypassWithQueryPayload(self, request, payload, httpService):
 originalRequest = self.helpers.bytesToString(request.getRequest())
 for pathToTest in payloads:
- headers[0] = firstline.replace(requestPath, pathToTest)
+ headers[0] = firstline.replace(requestPath, pathToTest, 1)
 headersAsJavaSublist = ArrayList()
 for header in headers:
 headersAsJavaSublist.add(String(header))
@@ -282,7 +282,8 @@ def tryBypassWithQueryPayload(self, request, payload, httpService):
 if newRequestStatusCode == "200":
 originalRequestUrl = str(request.getUrl())
- vulnerableReuqestUrl = originalRequestUrl.replace(requestPath,pathToTest)
+ scheme, urlWithoutScheme = originalRequestUrl.split("://")
+ vulnerableReuqestUrl = scheme + "://" + urlWithoutScheme.replace(requestPath, pathToTest, 1)
 responseHeaders = str(self.helpers.analyzeResponse(newRequestResult.getResponse()).getHeaders()).split(",")
 resultContentLength = "No CL in response"
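Review bot: `scheme, urlWithoutScheme = originalRequestUrl.split("://")` raises ValueError whenever the URL contains `://` more than once — a query string carrying another URL (`?next=https://...`) is not unusual on the redirect and auth endpoints this extension gets pointed at — and because this line sits outside the `try`, one such target aborts the entire payload loop rather than just mis-reporting one URL. `str.partition` splits on the first occurrence only and cannot fail: `scheme, sep, urlWithoutScheme = originalRequestUrl.partition("://")` followed by `vulnerableReuqestUrl = scheme + sep + urlWithoutScheme.replace(requestPath, pathToTest, 1)`. The same first-occurrence assumption in the earlier hunk, `firstline.replace(requestPath, pathToTest, 1)`, holds only for origin-form request lines (`GET /path HTTP/1.1`); should a request line ever carry an absolute URL, a root `requestPath` of `/` would again hit the `//` of the scheme, which deserves a one-line comment there (`# assumes origin-form request line; absolute-form would match the scheme's '//' first`). `tryBypassWithQueryPayload` starts and ends outside both hunks.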