forbidden v10.2 releases: Bypass 4xx HTTP response status codes


Bypass 4xx HTTP response status codes.

Script uses multithreading, and is based on brute-forcing so might have some false positives. Script uses colored output.

Results will be sorted by HTTP response status code ascending, content length descending, and ID ascending.

Extend this script to your liking.

Tested on Kali Linux v2021.4 (64-bit).

Made for educational purposes. I hope it will help!


  • various HTTP methods,
  • various HTTP methods with ‘Content-Length: 0’ header,
  • cross-site tracing (XST) with HTTP TRACE and TRACK methods,
  • file upload with HTTP PUT method,
  • various HTTP method overrides,
  • various HTTP headers,
  • various URL overrides,
  • URL override with two ‘Host’ headers,
  • various URL path bypasses,
  • basic-authentication/authorization including null session,
  • broken URL parser check.

Changelog v10.2

  • complete code rebase, fixed all possible bugs, and did exhaustive testing,
  • choose between PycURL or Python Requests engine,
  • choose to include or exclude URL query string and fragmet,
  • URL, IP, and allowed HTTP methods checks,
  • manually validated all the HTTP request headers, and added more test values,
  • implemented proper session management to not ignore given HTTP cookies on HTTP redirects,
  • clean exit on keyboard interrupt (CTRL + C) without loosing any progress,
  • and many more improvements…


apt-get install -y curl
pip3 install -r requirements.txt


Automate the script:

count=0; for subdomain in $(cat subdomains_403.txt); do count=$((count+1)); echo “#${count} | ${subdomain}”; python3 -u “${subdomain}” -t all -f GET -e path -o “forbidden_results_${count}.json”; done

Download a user agent list from here.

Copyright (c) 2021 Ivan Šincek