No4bidden is a powerful penetration-testing utility designed to identify and exploit HTTP 40X (Forbidden/Unauthorized) bypass misconfigurations.
Inspired by Janus, the Roman god of gates and transitions, No4bidden sees paths where others only see walls.
It attempts dozens of 40X bypass techniques, including:
- HTTP Verb Tampering
- Custom Header Injection
- Path Normalization & Traversal
- Double / Multi-Encoding
- HTTP Version Smuggling
- Combination Attacks
Load full HTTP requests directly from tools like Burp Suite, ZAP, or cURL.
Supports headers, body, cookies, and custom methods.
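The loader described above reads the raw request format that Burp Suite, ZAP and cURL captures produce. The following is an added example of parsing that format, written for this page and not No4bidden's own loader; it assumes the usual layout (request line, header lines, a blank line, then the body) and, because a raw request carries no scheme, a hypothetical `https` default when building the absolute URL. The sample requests are constructed, not captured from any real host.

```python
"""Parse a raw HTTP request saved from Burp Suite, ZAP or a cURL capture
into the parts a scanner replays: method, target, version, headers,
cookies and body. Added example; not No4bidden's own loader."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RawRequest:
    method: str
    target: str
    version: str
    headers: List[Tuple[str, str]] = field(default_factory=list)
    body: str = ""

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive lookup; returns the first match."""
        for k, v in self.headers:
            if k.lower() == name.lower():
                return v
        return None

    def cookies(self) -> Dict[str, str]:
        """Split every Cookie header into name/value pairs."""
        jar: Dict[str, str] = {}
        for k, v in self.headers:
            if k.lower() != "cookie":
                continue
            for part in v.split(";"):
                name, _, value = part.strip().partition("=")
                if name:
                    jar[name] = value
        return jar

    def url(self, scheme: str = "https") -> str:
        """Absolute URL. The scheme is an assumption: a raw request only
        carries the path and the Host header, never the scheme."""
        if self.target.startswith(("http://", "https://")):
            return self.target
        host = self.header("Host")
        if host is None:
            raise ValueError("request has no Host header and no absolute URI")
        return f"{scheme}://{host}{self.target}"

    def to_requests_kwargs(self, scheme: str = "https") -> dict:
        """Keyword arguments in the shape requests.request() accepts.
        The Cookie header is forwarded verbatim inside headers."""
        return {
            "method": self.method,
            "url": self.url(scheme),
            "headers": dict(self.headers),  # later duplicates win
            "data": self.body or None,
        }


def parse_raw_request(text: str) -> RawRequest:
    """Split a raw request on the first blank line into head and body."""
    text = text.replace("\r\n", "\n").lstrip("\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split()
    if len(parts) not in (2, 3):
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target = parts[0].upper(), parts[1]
    version = parts[2] if len(parts) == 3 else "HTTP/1.1"
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return RawRequest(method, target, version, headers, body)


# Constructed sample requests (not captured from any real host).
SAMPLE_GET = (
    "GET /admin?view=1 HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "X-Custom: Value\r\n"
    "\r\n"
)
SAMPLE_POST = (
    "POST /api/login HTTP/1.1\n"
    "Host: example.com\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "\n"
    "user=alice&pass=secret"
)

if __name__ == "__main__":
    req = parse_raw_request(SAMPLE_GET)
    print(req.method, req.url(), req.cookies())
    print(parse_raw_request(SAMPLE_POST).to_requests_kwargs())
```

Headers are kept as an ordered list of pairs rather than a dict so that repeated headers (several `Cookie:` lines, for example) survive parsing; they are only collapsed into a dict at the point where the request is handed to a client library.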
- Fully multithreaded scanning
- Safe concurrency with locking
- Auto-calibration for accurate detection
- Optional rate-limit auto-stop (`--rate-limit`)
- Adjustable threads, timeouts, and delays
Interactive guided mode to set up a scan step-by-step.
- Python 3.x
- `requests` library
Installation:

```bash
git clone https://github.com/Debajyoti0-0/No4bidden.git
cd No4bidden
pip install -r requirements.txt
python3 No4bidden.py --help
```

- Basic Scan

```bash
python3 No4bidden.py -u https://example.com/admin
```

- Wizard Mode (Beginner Friendly)

```bash
python3 No4bidden.py --wizard
```

Full option list (`python3 No4bidden.py --help`):

```text
No4bidden - 40X Bypass Tool

options:
  -u, --url URL         🎯 Target URL to test
  -r, --request-file REQUEST_FILE
                        📂 Load HTTP request from a file
  -p, --payload-dir PAYLOAD_DIR
                        📁 Custom payload directory
  -m, --method METHOD   📝 HTTP method (default: GET)
  -H, --header HEADER   📋 Custom headers
  -x, --proxy PROXY     🔌 Proxy server
  -t, --timeout TIMEOUT
                        ⏱️ Timeout in ms (default: 10000)
  -d, --delay DELAY     💤 Delay between requests in ms (default: 0)
  --redirect            🔄 Follow redirects
  -i, --bypass-ip BYPASS_IP
                        🌐 Custom IP for bypass headers
  -a, --user-agent USER_AGENT
                        👤 Custom User-Agent
  --random-agent        🎲 Use random User-Agent
  --threads THREADS     ⚡ Number of threads (default: 50)
  --rate-limit          🚫 Stop on rate limit detection
  -s, --status-codes STATUS_CODES
                        📊 Filter by status codes (comma-separated)
  --output-format {text,json}
                        📄 Output format
  --unique              🔍 Show only unique responses
  -v, --verbose         📢 Verbose output
  --no-banner           🚫 Hide banner
  -h, --help            ❓ Show help message

Miscellaneous:
  These options do not fit into any other category

  --wizard              🧙 Simple wizard interface for beginner users

Examples:
  🎯 python3 No4bidden.py -u https://example.com/admin
  📂 python3 No4bidden.py -u https://example.com -r request.txt
  🔌 python3 No4bidden.py -u https://example.com -x http://127.0.0.1:8080 -v
  🧙 python3 No4bidden.py --wizard
```

Common command variants:

| Command | Description |
|---|---|
| `python3 No4bidden.py -u URL -v` | Verbose mode for debugging and thread-level details |
| `python3 No4bidden.py -u URL --threads 100 --delay 500` | 100 threads + 500ms delay |
| `python3 No4bidden.py -u URL -x http://127.0.0.1:8080` | Route traffic via Burp/ZAP |
| `python3 No4bidden.py -u URL --rate-limit` | Stop when a 429 Too Many Requests appears |
| `python3 No4bidden.py -r request.txt` | Use a full request from a file |
| `python3 No4bidden.py -u URL -H "X-Custom: Value"` | Add custom headers |
Payload categories:

| Category | Prefix | Description |
|---|---|---|
| 🔀 VERB TAMPERING | method_ | Tests GET/POST/PUT/DELETE/TRACE/OPTIONS and variants |
| 📋 HEADERS | header_ | Injects headers like X-Forwarded-For, X-Original-URL |
| 🛤️ CUSTOM PATHS | path_ | Path traversal, bypass suffixes, malformed routes |
| 🔣 DOUBLE-ENCODING | encoding_ | Tests %2f, %252f, Unicode, Base64 encoded paths |
| 🌐 HTTP VERSIONS | http_ | Non-standard or tampered HTTP versions |
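Each category in the table above corresponds to a gap on the server side: an authorization layer that matches the raw path instead of a canonical one, that decides per HTTP method, or that believes X-Forwarded-For or X-Original-URL from any client. The following is an added example written for this page (not No4bidden code, and not a description of any particular server) of the checks a reverse proxy or authorization layer can apply so that the encoded, doubled-slash, dot-segment and header-override variants all collapse to one decision. The protected prefix, proxy address and allowlist address are constructed values, and the bound on decoding rounds is a design choice made here.

```python
"""Defensive counterpart to the payload categories above: canonicalize the
request path before authorizing it, decide independently of the HTTP method,
and trust forwarding headers only from known proxies.
Added example; not No4bidden code. All addresses/prefixes are constructed."""
import posixpath
import re
from typing import Dict, Tuple
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3                   # %252f -> %2f -> / takes two rounds
PROTECTED_PREFIXES = ("/admin",)        # constructed: paths needing admin rights
TRUSTED_PROXIES = {"10.0.0.2"}          # constructed: reverse proxies we operate
ADMIN_ALLOWLIST = {"10.0.0.50"}         # constructed: client IPs allowed on /admin
OVERRIDE_HEADERS = {"x-original-url"}   # must never change the authorized path


def canonical_path(raw_target: str) -> str:
    """Collapse encoded, doubled-slash and dot-segment variants to one path."""
    path = raw_target.split("?", 1)[0].split("#", 1)[0]
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        # Still changing after the bound: refuse rather than guess.
        raise ValueError("too many percent-encoding layers")
    path = re.sub(r"/+", "/", path.replace("\\", "/"))
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)     # resolves "." and "..", drops trailing "/"


def is_protected(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; empty string when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def effective_client_ip(remote_addr: str, headers: Dict[str, str]) -> str:
    """Honour X-Forwarded-For only when the TCP peer is one of our proxies,
    and then take the rightmost hop that is not itself one of our proxies."""
    if remote_addr not in TRUSTED_PROXIES:
        return remote_addr
    hops = [h.strip() for h in header(headers, "X-Forwarded-For").split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in TRUSTED_PROXIES:
            return hop
    return remote_addr


def authorize(method: str, raw_target: str, headers: Dict[str, str],
              remote_addr: str, is_admin_session: bool) -> Tuple[str, Dict[str, str]]:
    """Return ("allow" | "deny", headers safe to forward upstream).

    `method` is accepted but deliberately ignored: /admin is protected for
    every verb, so GET/POST/TRACE/... variants all get the same answer."""
    try:
        path = canonical_path(raw_target)
    except ValueError:
        return "deny", {}
    client_ip = effective_client_ip(remote_addr, headers)
    forwarded = {k: v for k, v in headers.items()
                 if k.lower() not in OVERRIDE_HEADERS and k.lower() != "x-forwarded-for"}
    forwarded["X-Forwarded-For"] = client_ip    # what we verified, not what we got
    if is_protected(path) and not (is_admin_session and client_ip in ADMIN_ALLOWLIST):
        return "deny", forwarded
    return "allow", forwarded


if __name__ == "__main__":
    for target in ("/admin", "/%2fadmin", "/%252fadmin", "//admin/../admin/"):
        print(target, "->", canonical_path(target),
              authorize("GET", target, {}, "203.0.113.5", True)[0])
```

The decode loop is bounded on purpose: a path that is still changing after three rounds of percent-decoding is refused rather than guessed at, which is the conservative choice for an authorization layer. The same canonical string should be what the upstream application sees, so that the proxy and the application never disagree about which resource a request names.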
We welcome contributions!
Areas for contribution:
- More payloads
- Additional bypass techniques
- Improved output formatting
- Enhanced detection heuristics
If this project helps you, consider giving it a ⭐ star on GitHub.
“Opening gates where others see only walls.” ⚔️

