Releases: 0xBugatti/400OK

400OK v3.0 Enhanced

04 Apr 12:02

29 Techniques | 73,980+ Payloads | Cross-Platform

The most comprehensive 403/401 bypass tool in existence. Merged exclusive techniques from Forbidden-Buster, BypassFuzzer, and nomore403 into one unified tool.

What's New

7 New Techniques

Technique       Source            Description
auth-headers    BypassFuzzer      24 auth/CSRF/session bypass headers
url-fuzz-3pos   BypassFuzzer      408 payloads x 3 positions per path segment
api-version     Forbidden-Buster  Auto-detects /v1/ patterns, tries v2-v4
trailing-dot    BypassFuzzer      FQDN DNS resolution bypass (example.com.)
unicode-brute   Forbidden-Buster  65,536 byte-pairs x 3 positions
useragent-fuzz  Forbidden-Buster  3,454 UA strings tested exhaustively
json-tamper     Forbidden-Buster  Mass assignment via nested object + array wrapping
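
The techniques above all exploit the same defect: an access-control check that runs on a different view of the request than the handler that serves it (a raw rather than canonical path, a client-supplied header, a host with a trailing dot, one API version but not the next). The Go program below is an added example from the defender's side, not 400OK's code or any of the merged projects' code: an authorization gate that canonicalises the request first and ignores override headers. It assumes a placeholder admin token, a single trusted reverse proxy at 10.0.0.5, and two protected route families (`/admin` and `/api/v<n>/admin`); all three are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net"
	"net/http"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// Assumed for this example (not 400OK's code): one shared admin token, one
// trusted reverse proxy, and protected routes matched across API versions.
const adminToken = "example-admin-token" // constructed placeholder secret
var trustedProxies = map[string]bool{"10.0.0.5": true}
var protectedPatterns = []*regexp.Regexp{
	regexp.MustCompile(`^/admin(/|$)`),
	regexp.MustCompile(`^/api/v[0-9]+/admin(/|$)`),
}

// canonicalPath reduces the many spellings of one path to a single form before
// any decision: bounded decoding, byte filtering, slash folding, case-folding.
func canonicalPath(escaped string) (string, bool) {
	p := escaped
	for i := 0; ; i++ {
		d, err := url.PathUnescape(p)
		if err != nil || i == 3 { // bad escape, or more than two encoding layers
			return "", false
		}
		if d == p {
			break
		}
		p = d
	}
	for _, r := range p {
		if r < 0x20 || r > 0x7e { // also catches invalid UTF-8 (RuneError)
			return "", false
		}
	}
	p = "/" + strings.TrimPrefix(strings.ReplaceAll(p, `\`, "/"), "/")
	return strings.ToLower(path.Clean(p)), true
}

// canonicalHost lowercases, drops the port and strips the trailing dot of an
// absolute FQDN, so "Target.example.com." selects the same vhost as usual.
func canonicalHost(host string) string {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	return strings.TrimSuffix(strings.ToLower(host), ".")
}

// clientIP honours X-Forwarded-For only when the TCP peer is a known proxy;
// from anyone else, client-supplied address headers are ignored outright.
func clientIP(r *http.Request) string {
	peer, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		peer = r.RemoteAddr
	}
	if xff := r.Header.Get("X-Forwarded-For"); trustedProxies[peer] && xff != "" {
		hops := strings.Split(xff, ",")
		return strings.TrimSpace(hops[len(hops)-1])
	}
	return peer
}

func hasAdminToken(r *http.Request) bool {
	v := r.Header.Get("Authorization")
	return strings.HasPrefix(v, "Bearer ") &&
		subtle.ConstantTimeCompare([]byte(v[7:]), []byte(adminToken)) == 1
}

// decide looks only at the canonical path and the Authorization header; URL
// and IP override headers are never consulted, and every method gets one rule.
func decide(r *http.Request) int {
	p, ok := canonicalPath(r.URL.EscapedPath())
	if !ok {
		return http.StatusBadRequest
	}
	for _, re := range protectedPatterns {
		if re.MatchString(p) && !hasAdminToken(r) {
			return http.StatusForbidden
		}
	}
	return http.StatusOK
}

func main() {
	gate := func(w http.ResponseWriter, r *http.Request) {
		if st := decide(r); st != http.StatusOK { // log the canonical form: refusal bursts per canonical path = fuzzer
			p, _ := canonicalPath(r.URL.EscapedPath())
			log.Printf("deny %d ip=%s host=%s %s %s", st, clientIP(r), canonicalHost(r.Host), r.Method, p)
			http.Error(w, http.StatusText(st), st)
			return
		}
		w.Write([]byte("ok\n"))
	}
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", http.HandlerFunc(gate)))
}
```

`decide` is the unit worth testing: feed it requests built with `httptest.NewRequest` for the raw spellings you care about (`/Admin/`, `/public/../admin`, `/admin%2F..%2Fadmin`, `/api/v3/admin/users`, overlong UTF-8) and assert that every one of them gets the same answer as the plain `/admin`. The log line keys on the canonical path on purpose: dozens of refusals for one canonical path from one client, arriving under different raw spellings and header sets, is the signature of exactly this kind of tool.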

Enhancements

  • Smart Filter - Mutes repeated responses after 8 occurrences
  • 3-Path Auto-Calibration - Dynamic tolerance from 3 calibration paths
  • Color-Coded Content-Length - Visual diff from baseline
  • HTTP/2 Pure Go - No curl dependency needed
  • 69 Missing Headers merged (54 to 122)
  • 8 IP Variants added (25 to 33)

Bug Fixes

  • JSON body tamper now actually sends the tampered body
  • Race condition fixed in concurrent header requests
  • Potential panics fixed in mid-path injection
  • URL parse errors now properly returned
  • Smart filter and verb tampering results now reset between scans

Quick Start

Linux

tar -xzf 400OK-linux-amd64.tar.gz
cd 400OK-linux-amd64
./400OK -u https://target.com/admin

macOS

tar -xzf 400OK-darwin-arm64.tar.gz
cd 400OK-darwin-arm64
./400OK -u https://target.com/admin

Windows

Expand-Archive 400OK-windows-amd64.zip
cd 400OK-windows-amd64
.\400OK.exe -u https://target.com/admin

Usage

# Run all 29 techniques
./400OK -u https://target.com/admin

# Specific techniques only
./400OK -u https://target.com/admin -k auth-headers,url-fuzz-3pos,api-version

# With Burp proxy
./400OK -u https://target.com/admin -x http://127.0.0.1:8080

# JSON body tampering
./400OK -u https://target.com/api/users -k json-tamper --json-body '{"id":111}'

# Heavy techniques (opt-in due to volume)
./400OK -u https://target.com/admin -k unicode-brute,useragent-fuzz

All Flags

-u, --uri              Target URL
-k, --technique        Include techniques (comma-separated)
-e, --exclude          Exclude techniques (comma-separated)
-x, --proxy            Proxy URL
-H, --header           Custom headers (repeatable)
-i, --bypass-ip        IP to inject in bypass headers
-d, --delay            Delay between requests (ms)
-m, --max-goroutines   Max concurrent requests (default: 50)
--timeout              Request timeout (ms, default: 6000)
--smart-filter         Enable smart filter (default: true)
--smart-filter-threshold  Mute after N identical responses (default: 8)
--json-body            JSON body for mass assignment tampering
-j, --json             Export results to JSON
-v, --verbose          Show all responses
-r, --redirect         Follow redirects
-l, --rate-limit       Stop on 429 responses
--random-agent         Random User-Agent

Architecture Support

Platform   amd64  arm64  armv7  386
Linux      Y      Y      Y      Y
macOS      Y      Y      -      -
Windows    Y      Y      -      Y

Built by 0xBUGATTI