Security researchers and bug bounty hunters know the pain of sifting through hundreds of 403 or 401 HTTP responses, wondering if any access control bypasses are hiding in plain sight. nomore403 tackles this exact problem with a focused Go CLI tool that doesn’t just spray payloads — it learns the target’s baseline behavior and heuristically ranks its findings to highlight the most promising bypass candidates.
What nomore403 does and its architecture
nomore403 is a command-line tool written in Go designed specifically for automating HTTP access-control bypass testing against 403 (Forbidden) and 401 (Unauthorized) responses. Its main goal is to help security testers find ways to circumvent access restrictions by applying a broad suite of mutation techniques to HTTP requests.
Under the hood, the tool first sends a baseline request to the target URL to understand the normal response behavior. Optionally, it can auto-calibrate by probing non-existent paths to learn how the target handles error conditions. This baseline comparison is critical to filtering out false positives later.
The tool then executes a large battery of mutation techniques, which include:
- HTTP method tampering (e.g., switching GET to POST, OPTIONS, etc.)
- Header injection targeting IP trust, hop-by-hop headers, or forwarded headers
- Path normalization tricks such as dot-segments (./), Unicode encoding, and double-encoding
- Wire-format differentials including HTTP version variations, absolute URI forms, and raw desynchronization attacks
These mutations aim to trigger variations in server or proxy behavior that might allow access despite access control mechanisms.
Results from these tests are heuristically scored based on status code transitions, response body differences, and replay stability. The tool groups likely bypasses separately from interesting variations, reducing noise and helping testers focus on high-signal findings.
nomore403 outputs findings with ready-to-use curl commands, making it easy to reproduce or further investigate potential bypasses. It supports JSON and JSONL formats for integration into automated pipelines, and can accept targets from stdin, files, or Burp-style request files.
Technical strengths and design tradeoffs
What sets nomore403 apart is its heuristic scoring model — it doesn’t just blindly run payloads and dump results. Instead, it compares responses against a learned baseline to filter out false positives, and ranks findings by how consistently they indicate an access control bypass.
This approach reduces the common pain of dealing with noisy scans full of irrelevant variations. The scoring considers:
- Changes in HTTP status codes (e.g., 403 to 200)
- Differences in response bodies
- Replay stability by verifying if the bypass attempt is reproducible
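The three signals above can be combined as in the following added illustration, which is not nomore403's own code: the weights, the 5% body-length tolerance, the cut-offs and all type and function names are assumptions chosen for the example, and the responses are constructed.

```go
package main

import "fmt"

// Resp is a reduced HTTP response (constructed type, not nomore403's own).
type Resp struct{ Status int; Body string }

// similar: same status and body length within 5% of a's (stand-in for a real diff).
func similar(a, b Resp) bool {
	d := len(a.Body) - len(b.Body)
	return a.Status == b.Status && d*d*400 <= len(a.Body)*len(a.Body)
}

// Score rates a mutated request 0-100 against baseline and calibration responses (assumed weights).
func Score(base, calib, first Resp, replays []Resp) int {
	if similar(first, base) || similar(first, calib) {
		return 0 // same as the block page or the generic error page
	}
	score := 20 // differs from both references
	if (base.Status == 401 || base.Status == 403) && first.Status/100 == 2 {
		score += 50 // denied -> success status transition
	}
	stable := 0
	for _, r := range replays {
		if similar(first, r) {
			stable++
		}
	}
	if len(replays) > 0 {
		score += 30 * stable / len(replays) // replay stability
	}
	return score
}

// Classify maps a score to the two result groups plus noise (assumed cut-offs).
func Classify(s int) string {
	if s >= 90 {
		return "likely bypass"
	} else if s >= 30 {
		return "interesting"
	}
	return "noise"
}

func main() {
	base, calib := Resp{403, "Forbidden"}, Resp{200, "Sorry, that page was not found."}
	hit := Resp{200, `{"users":["alice","bob"],"role":"admin"}`} // constructed body
	fmt.Println(Classify(Score(base, calib, hit, []Resp{hit, hit, hit})))
	fmt.Println(Classify(Score(base, calib, calib, nil)))
}
```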
The codebase is a self-contained Go CLI with minimal external dependencies. However, some advanced techniques rely on invoking curl for HTTP version variations, parser behavior testing, and absolute URI requests. This dependency is noted in the docs — most techniques work without curl, but some require it.
The tool’s payloads are stored in a directory that you need to point to manually if you install via go install, since the payload files aren’t bundled by default. This tradeoff keeps the binary lightweight but adds a minor developer-experience step.
Overall, the code is surprisingly clean for a security tool with lots of mutation logic and heuristics. The design favors an opinionated, automated workflow with flexibility to select specific techniques via CLI flags.
The tool’s architecture balances thoroughness with noise reduction — it’s not a brute-force spray but a methodical, scored approach. That said, it’s inherently limited by the mutation techniques implemented; new or custom bypass methods require updates to the payload sets or code.
Quick start
Building from source is straightforward with Go 1.24 or later:
git clone https://github.com/devploit/nomore403
cd nomore403
go build
Alternatively, install the latest release with:
go install github.com/devploit/nomore403@latest
Remember, if you install via go install, the payloads/ directory isn’t included automatically. You’ll need to clone the repo and point -f to the payloads directory for the full capability.
A basic scan against a target URL:
./nomore403 -u https://target.tld/admin
Using a proxy with verbose output:
./nomore403 -u https://target.tld/admin -x http://127.0.0.1:8080 -v
Running only selected techniques (e.g., headers, absolute-uri, raw-desync):
./nomore403 -u https://target.tld/admin -k headers,absolute-uri,raw-desync
Reading targets from stdin:
cat urls.txt | ./nomore403
Using a Burp-style request file:
./nomore403 --request-file request.txt
Writing machine-readable JSONL output:
./nomore403 -u https://target.tld/admin --jsonl -o findings.jsonl
Verdict
nomore403 is a practical tool for security researchers and bug bounty hunters who want an automated yet intelligent way to test for HTTP 403/401 bypasses. Its heuristic scoring and baseline calibration reduce the noise common in access control testing, making it easier to spot real bypasses.
The Go implementation ensures a performant, standalone binary with minimal dependencies, though some advanced tests require curl. The need to manage payload files separately when using go install is a minor downside but understandable.
While it won’t catch every possible bypass method — the coverage depends on implemented mutations — it covers a broad and well-considered set of techniques. For anyone regularly testing web app access controls, nomore403 offers an efficient way to automate and prioritize findings without drowning in false positives.
It’s worth trying out in your security toolkit if you want a methodical, scored approach rather than just another payload sprayer.
→ GitHub Repo: devploit/nomore403 ⭐ 1,716 · Go