
nomore403 is a command-line tool for testing HTTP access-control bypasses and parser inconsistencies around 401, 403, and related responses.
The tool is designed for practical web security work: bug bounty, penetration testing, security reviews, and regression testing of access-control rules. It automates a broad set of request mutations, captures a baseline, filters common false positives, and highlights the responses most likely to represent a meaningful bypass.
Given a target URL, nomore403:
curl commands for interesting findings.
This tool does not "break authentication" by itself. It helps find differences between how frontends, proxies, WAFs, CDNs, application routers, and backends interpret the same request.
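The Go sketch below is an added illustration, not code from nomore403. It shows one such difference on the backend side using the X-Original-URL header from the sample output further down this page: a handler that takes its routing path from that header next to one that ignores it, replayed in-process the way an access-control regression test would. The service, the function names, and the /admin rule are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// routePath returns the path used for the access decision. With trustOverride
// set, it mimics a backend that honours X-Original-URL from any client.
func routePath(r *http.Request, trustOverride bool) string {
	if v := r.Header.Get("X-Original-URL"); trustOverride && v != "" {
		return v
	}
	return r.URL.Path
}

// app builds a constructed service where /admin must always answer 403.
func app(trustOverride bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if routePath(r, trustOverride) == "/admin" {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		fmt.Fprintln(w, "ok")
	})
}

// statusFor replays one request against h in-process and returns the status.
func statusFor(h http.Handler, path string, hdr map[string]string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	for k, v := range hdr {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	override := map[string]string{"X-Original-URL": "/"}
	fmt.Println("trusting backend:", statusFor(app(true), "/admin", override))
	fmt.Println("hardened backend:", statusFor(app(false), "/admin", override))
}
```

Keeping a check like the hardened case in a test suite catches a later change that starts trusting the header again.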
404 or parent-path responses
net/http normalizes away
git clone https://github.com/devploit/nomore403
cd nomore403
go build
go install github.com/devploit/nomore403@latest
If you install with go install, the payloads/ directory is not installed automatically. Clone the repository and point the tool to that directory with -f if needed.
curl available in PATH for techniques that depend on it, such as:
http-versions
http-parser
absolute-uri
Most techniques work without curl.
Basic scan:
./nomore403 -u https://target.tld/admin
Use a proxy and verbose output:
./nomore403 -u https://target.tld/admin -x http://127.0.0.1:8080 -v
Run only selected techniques:
./nomore403 -u https://target.tld/admin -k headers,absolute-uri,raw-desync
Read targets from stdin:
cat urls.txt | ./nomore403
Use a Burp-style request file:
./nomore403 --request-file request.txt
Write machine-readable output:
./nomore403 -u https://target.tld/admin --jsonl -o findings.jsonl
target: https://target.tld/admin method: GET frontend: AWS ELB/ALB payloads: payloads
calib: 404 | 1245b | ±50 | frag 703b
BASELINE
default 403 520 bytes https://target.tld/admin
FINDINGS
hdr-ip 100! 200 2048 bytes X-Original-URL: /
abs-uri 26. 403 236 bytes request-target: https://target.tld/admin
http 18. 400 122 bytes HTTP/2
no visible results: 17 techniques
━━━━━━━━━━━━━━ LIKELY BYPASS ━━━━━━━━━━━━━━━━━
[!100 HIGH] Header injection (IP) 403=>200 2048b
why: status 403->200, len Δ1528, body changed, type changed
item: X-Original-URL: /
curl: curl -i -sS -k -H 'User-Agent: nomore403' -H 'X-Original-URL: /' 'https://target.tld/admin'
Each visible line is a response that differed enough from the baseline to survive filtering.
Typical fields:
hdr-ip, abs-uri, or parser
18., 61+, or 100!
The final summaries show baseline-to-result transitions:
403=>200 usually deserves immediate attention
403=>302 can be interesting, but may still resolve back into an auth barrier
403->400 or 403->404 usually indicate parser or routing differences rather than a bypass
At the end of the run, nomore403 prints:
LIKELY BYPASS
curl
INTERESTING VARIATIONS
no visible results
Scoring is heuristic. It is intended to prioritize results, not to prove exploitation.
The tool generally rewards:
2xx 3xx Location changes
The tool generally down-ranks:
400 and 404 cases unless the response also changes substantially
Recommended interpretation:
HIGH: likely actionable; review first
MED: plausible candidate; usually worth manual replay
LOW: parser difference, routing anomaly, or lower-confidence behavior
Auto-calibration is enabled by default in non-verbose mode.
It sends requests to several non-existent paths and builds a baseline for the target's default error behavior. It also performs a fragment-based calibration request to reduce false positives caused by fragment-stripped paths.
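The Go sketch below is an added example, not the tool's own scoring code. It shows how a calibrated error page and a baseline separate noise from candidates, using the numbers in the sample output above. The types, the bucket names, and the reuse of the calibration tolerance for the baseline comparison are assumptions made for the illustration.

```go
package main

import "fmt"

// Resp is a constructed summary of one response: status code and body length.
type Resp struct{ Status, Length int }

// Calibration is the default error page learned from non-existent paths.
// The type and its field names are assumptions made for this sketch.
type Calibration struct{ Status, Length, Tolerance int }

// near reports whether a and b differ by at most tol.
func near(a, b, tol int) bool {
	d := a - b
	if d < 0 {
		d = -d
	}
	return d <= tol
}

// Classify places r in a triage bucket relative to the calibrated error page
// and the baseline response for the protected URL.
func Classify(c Calibration, base, r Resp) string {
	switch {
	case r.Status == c.Status && near(r.Length, c.Length, c.Tolerance):
		return "filtered: default error page"
	case r.Status == base.Status && near(r.Length, base.Length, c.Tolerance):
		return "filtered: same as baseline"
	case r.Status >= 200 && r.Status < 300:
		return "review first"
	case r.Status >= 300 && r.Status < 400:
		return "manual replay"
	default:
		return "parser or routing difference"
	}
}

func main() {
	// From the sample output: calib 404 | 1245b | ±50, baseline 403 | 520b.
	c, base := Calibration{404, 1245, 50}, Resp{403, 520}
	// The first entry is constructed; the other three are the sample findings.
	for _, r := range []Resp{{404, 1260}, {200, 2048}, {403, 236}, {400, 122}} {
		fmt.Printf("%d %5db -> %s\n", r.Status, r.Length, Classify(c, base, r))
	}
}
```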
Use these flags to control it:
--no-calibrate
--strict-calibrate: Location, Content-Type, and Server
The tool runs all techniques by default unless you specify -k.
verbs: payloads/httpmethods
verbs-case
method-override
headers
hop-by-hop: Connection
header-confusion: X-Original-URL
host-override
forwarded-trust: Forwarded, Client-IP, Cluster-Client-IP, and related trust chains
proto-confusion: X-Forwarded-Proto, X-Forwarded-Port, and related scheme hints
ip-encoding
endpaths: payloads/endpaths
midpaths: payloads/midpaths
double-encoding
unicode: %uXXXX and overlong UTF-8 path variants
path-case
path-normalization
suffix-tricks: .json, .css, ;index.html, and format-style query toggles
payload-position
http-versions: HTTP/1.0 and HTTP/2
http-parser: curl request to expose client/frontend parser differences separately from http-versions
absolute-uri: curl --request-target
raw-duplicates
raw-authority
raw-desync
Some techniques need wire-level control that Go's net/http client does not provide. Those techniques use the raw HTTP engine.
Raw techniques currently include:
raw-duplicates
raw-authority
raw-desync
%uXXXX unicode path requests
Notes:
The tool may infer frontend hints such as:
These hints are used to improve technique ordering and output context.
Important:
-k, the tool still runs the full default technique set
High-value results are replayed automatically in the final summary.
The replay output helps answer:
The final summary includes:
1/1 or 2/2 matched on replay
curl command for interesting results
./nomore403 -u https://target.tld/admin
./nomore403 -u targets.txt
cat targets.txt | ./nomore403
./nomore403 --request-file request.txt
Request files are useful when replaying traffic captured in Burp or another proxy.
Use --payload-position when you want to inject payloads at explicit markers instead of relying only on built-in endpath and midpath mutation logic.
Example:
./nomore403 -u 'https://target.tld/§100§/admin/§200§' -p §
./nomore403 -u https://target.tld/admin
./nomore403 -u https://target.tld/admin -x http://127.0.0.1:8080 -v
./nomore403 -u https://target.tld/admin -k absolute-uri,raw-duplicates,raw-authority,raw-desync
./nomore403 -u https://target.tld/admin -i 10.0.0.5
./nomore403 -u https://target.tld/admin --jsonl -o findings.jsonl
Run ./nomore403 --help for the full up-to-date CLI.
Key flags:
-u, --uri
-k, --technique
-x, --proxy
-H, --header
-i, --bypass-ip
-v, --verbose
--json
--jsonl
--no-calibrate
--strict-calibrate
--retry-count
--retry-backoff-ms
--host-delay
--top-score-min: LIKELY BYPASS
--variation-score-min: INTERESTING VARIATIONS
--top: 0 to disable summaries
Default mode is optimized for interactive review and triage.
Use --json for a single structured document.
Use --jsonl when you want to:
The payloads/ directory contains lists used by several techniques.
Current files include:
httpmethods
headers
ips
simpleheaders
endpaths
midpaths
useragents
You can customize these files to fit your targets or workflow.
curl-based techniques require curl in PATH
Use this tool only on systems you are authorized to test.
The authors and contributors are not responsible for misuse. You are responsible for complying with applicable law, pro