intrudir/BypassFuzzer-Burp
BypassFuzzer - Burp Suite Extension

A Burp Suite extension for testing authorization bypass vulnerabilities (401/403 bypasses). This is a Java port of the Python BypassFuzzer tool, fully integrated with Burp Suite.

Features

Currently there are two main categories of bypass to attempt: authorization bypasses and URL validation bypasses. When you send a request to BypassFuzzer, they are organized in two tabs.

  • AuthZ Bypass Attack Types:
    • Header-based attacks (283+ bypass headers)
    • Path manipulation (367+ URL encodings)
    • HTTP verb/method attacks (11 methods + overrides + case variations + X-prefix/suffix)
    • Debug parameter injection (31 common debug params with case variations)
    • Cookie debug parameter injection (same params as cookies + fuzz existing cookie values)
    • Trailing dot attack (absolute domain notation)
    • Trailing slash attack (tests with/without trailing slash and /. pattern)
    • Extension attack (75+ file extensions like .json, .html, .php)
    • Content-Type attack (converts between URL-encoded, JSON, XML, multipart/form-data)
    • Encoding attack (URL, double-URL, triple-URL, unicode, unicode-overflow encoding on paths, parameter names, and parameter values in query strings and all body content types)
    • HTTP protocol attacks (e.g. HTTP/1.0, HTTP/0.9)
    • Case variation attack (random capitalizations with smart limits)
  • Dedicated URL Validation Tab:
    • URL Validation playbooks based on the Portswigger Cheatsheet
    • Mark your injection points with {INJECT}
    • Includes a View Payloads preview for the exact generated list before execution
  • Smart Filtering: Automatically reduces noise by hiding repeated responses with pattern tracking
  • Rate Limiting & Auto-Throttling:
    • Configurable requests per second (default: unlimited)
    • Auto-throttle when rate limit errors detected (429, 503)
    • Automatically reduces speed by 50% when throttled
  • Collaborator Integration: Dynamic Burp Collaborator payload generation to watch for out-of-band interactions (Burp Professional only)
  • Smoke Testing:
    • Local vulnerable lab under src/test/vulnerable_lab

Requirements

  • Java 17 or higher
  • Burp Suite Professional or Community Edition (2023.10+)
  • Gradle 7.0+ (for building)

Installation

  1. Download latest JAR from the releases page
  2. In Burp, go to Extensions > Installed
  3. Click Add
  4. Select Extension file: bypassfuzzer-burp-1.0.6.jar
  5. The extension will load and a "BypassFuzzer" tab will appear

Building from source (optional)

# Build the extension JAR
./gradlew clean shadowJar

# The compiled JAR will be at:
# build/libs/bypassfuzzer-burp-1.0.6.jar

Usage

Basic Workflow

  1. Send Request to BypassFuzzer:
    • In Proxy, Sitemap, or Repeater, find any 403/401, any suspiciously blocked request
    • Right-click request
    • Select "Send to BypassFuzzer"
  2. Choose Attack Mode:
    • Bypass for the core AuthZ bypass playbooks
    • URL Validation for marker-driven URL validation testing

Bypass Tab

Configure the attack in the Bypass tab:

  1. Select attack types to enable (or use Check All/Uncheck All)
  2. Optionally:
    • Enable Collaborator payloads (Burp Professional only)
    • Configure rate limiting:
      • Set requests/second (0 = unlimited, default)
      • Configure auto-throttle status codes (default: 429, 503)
  3. Manual & Smart filter:
    • Manual filter lets you choose various options to find what you want
    • Smart filter automatically mutes uninteresting responses for you
  4. Results table with sortable columns
  5. Inspect a result's request & response

Start Fuzzing

  • Click the Start Fuzzing button
  • Results appear in real time, filtered by your criteria as they arrive
  • You can stop fuzzing at any time with the Stop button
  • Auto-throttle activates if rate limit errors are detected
  • Right-click a result to color it for later identification/filtering

Scan History:

  • Export results to CSV/JSON (TODO)

URL Validation tab

Configure the attack in the URL Validation tab:

  1. The Configure Attack button opens the configuration window
  2. The {INJECT} marker is where all your payloads get inserted into the request
  3. Add your "allow listed" host and your attacker controlled domain (or SSRF target). The tool will try different bypass variations to trick the URL validation with these values.
  4. Advanced options that should work exactly like the Portswigger cheatsheet:
    • Different payload families: playbooks for when you're attacking a CORS/origin header, attacking just a hostname, or if you want to use full URLs + schemes.
    • Additional payload options
    • Encoding options (I recommend Intruder's by default)
  5. The Start URL validation button closes the config window for you so you can see the results

Smoke Testing

# Unit and regression tests
./gradlew test

# Attack-driven smoke suite
./gradlew smokeTestPlaybooks

The smoke testing suite starts a local vulnerable app automatically and exercises the real attack strategies, payload expansion, registry wiring, shared executor flow, and URL Validation workflow without requiring Burp.

Vulnerable Lab

For manual Burp validation and local attack smoke tests, use the vulnerable app in src/test/vulnerable_lab.

Manual run:

python3 src/test/vulnerable_lab/app.py

Then:

  1. Request GET /login to receive session=lab-user
  2. Run the extension against those requests, or execute ./gradlew smokeTestPlaybooks

Real-world-style examples in the lab include:

  • reverse-proxy header trust on /edge/private/reports/quarterly, where X-Forwarded-For, X-Custom-IP-Authorization, X-Original-URL, or X-Rewrite-URL can incorrectly punch through an edge-protected report route
  • nested report and billing routes that return 403 until a path-normalization payload collapses them back to the protected backend path
  • a weak Bearer-token admin route on /api/v2/admin/audit that returns 403 for a normal user token and is bypassed because token shape is checked more than token validity
  • separate consultant-demo routes for method confusion, truthy query parameters, truthy cookies, trailing-dot host routing, content-type parser confusion, and HTTP/1.0 downgrade handling
  • the existing URL-validation examples for redirect, host, and CORS trust decisions

The detailed route matrix and black-box lab checks are documented in src/test/vulnerable_lab/README.md.
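The first three lab bug classes above (override-header trust, path normalization, an ACL evaluated on a different path than the backend serves) share one root cause: the edge decides on different input than the backend routes on. The following is an added example, not the lab's or the extension's code, written in Python because the lab is a Python app. It models a constructed edge policy for /edge/private/ in its vulnerable form beside the hardened form; PROTECTED_PREFIX, OVERRIDE_HEADERS and the function names are assumptions for this illustration.

```python
import posixpath
from urllib.parse import unquote

# Constructed model of the lab's edge-protected route (assumption, not lab code).
PROTECTED_PREFIX = "/edge/private/"
# Client-supplied headers that proxies/frameworks treat as routing or identity
# overrides; a hardened edge strips them before forwarding to the backend.
OVERRIDE_HEADERS = {"x-original-url", "x-rewrite-url", "x-forwarded-for",
                    "x-custom-ip-authorization"}

def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}

def backend_effective_path(path, headers):
    """Path a lab-style backend actually serves: honours X-Original-URL /
    X-Rewrite-URL, URL-decodes once and collapses dot segments."""
    h = _lower(headers)
    raw = h.get("x-original-url") or h.get("x-rewrite-url") or path
    return posixpath.normpath(unquote(raw))

def vulnerable_policy(path, headers, user):
    """Bug class from the lab: ACL on the raw request path, override headers
    trusted. Returns (allowed, headers forwarded to the backend)."""
    if _lower(headers).get("x-custom-ip-authorization", "").startswith("127."):
        return True, headers  # treated as an "internal" caller, no further checks
    if path.startswith(PROTECTED_PREFIX) and user != "admin":
        return False, headers
    return True, headers

def hardened_policy(path, headers, user):
    """Fix: authorize on the same normalized path the backend will serve, and
    drop every override header so the client cannot steer routing or identity."""
    effective = posixpath.normpath(unquote(path))
    if (effective + "/").startswith(PROTECTED_PREFIX) and user != "admin":
        return False, headers
    forwarded = {k: v for k, v in headers.items() if k.lower() not in OVERRIDE_HEADERS}
    return True, forwarded

def serve(policy, path, headers, user="lab-user"):
    """Run one request through an edge policy, then the backend. Returns the
    path the backend served, or None when the edge rejected the request."""
    allowed, forwarded = policy(path, headers, user)
    return backend_effective_path(path, forwarded) if allowed else None

def is_bypass(policy, path, headers, user="lab-user"):
    """True when a non-admin reaches the protected prefix through this policy."""
    served = serve(policy, path, headers, user)
    return served is not None and (served + "/").startswith(PROTECTED_PREFIX)
```

Comparing is_bypass() for the two policies on the same request shows why the fix is to normalize before the ACL and strip override headers at the edge, rather than to block individual payloads.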

Custom Payloads

You can edit the payload files before building. UI config for this will be added in a future release.

  1. Header Templates: One template per line, use placeholders:

    • {IP PAYLOAD} - Replaced with IP addresses from ip_payloads.txt
    • {URL PAYLOAD} - Replaced with full target URL
    • {PATH PAYLOAD} - Replaced with URL path only
    • {PATH SWAP} - For URL-based access control bypasses; puts original path in header and swaps request path to /
    • {OOB PAYLOAD} - Dynamically generates Burp Collaborator payload (http:// and https:// URLs)
    • {OOB DOMAIN PAYLOAD} - Dynamically generates Burp Collaborator domain only
    • {WHITESPACE PAYLOAD} - Replaced with whitespace character

    Examples:

      X-Forwarded-For: {IP PAYLOAD}
      X-Forwarded-For: {OOB DOMAIN PAYLOAD} (with Collaborator)
      X-Original-URL: {PATH SWAP} (URL bypass: sends GET / with header X-Original-URL: /edge/private/reports/quarterly)

  2. IP Payloads: One IP address per line

    Example: 127.0.0.1

  3. URL Payloads: One URL encoding/pattern per line

    Example: /../

  4. Parameter Payloads: One parameter=value per line

    Example: debug=true

License

MIT License - see LICENSE file for details.

Credits