May 22, 2026 19 min to read

SALA7 Bypass

Burp Suite Extension for 403/401/429 Bypass Testing

Sala7-Bypass

Introduction

Access control mechanisms are the gatekeepers of modern web applications. They decide who can access what resources, when, and under what conditions. Yet these very mechanisms, when improperly implemented, become the weakest links in an otherwise robust security posture.

The HTTP status codes 403 Forbidden, 401 Unauthorized, and 429 Too Many Requests represent the primary signals that an access control boundary has been enforced. But what happens when these boundaries can be circumvented? The answer is simple: unauthorized data access, privilege escalation, and complete system compromise.

OWASP consistently ranks Broken Access Control as the #1 web application security risk. In 2023 alone, access control bypasses constituted 18% of all critical-severity reports on HackerOne, with median bounties reaching $4,500 for authentication bypasses. The business impact is equally severe: the average data breach costs $4.45 million, with regulatory penalties under GDPR reaching 4% of global revenue.

Despite this prevalence, systematic testing for access control bypasses remains inconsistently implemented. Manual testing—sending individual requests with modified headers in Burp Repeater—is time-consuming, error-prone, and fails to achieve comprehensive coverage. A typical application with 200+ endpoints, each potentially vulnerable to 40+ header injection vectors, 2 method switching variants, and 3 authentication removal combinations, requires testing 27,000 request variants. Manual testing of this scale is simply impractical.

This is where Sala7-Bypass enters the picture.

The Problem with Manual Testing

Before Sala7-Bypass, penetration testers faced a fragmented landscape of tools and techniques:

Table

The consistent pattern? Specialization without integration. Each tool addresses a subset of bypass techniques, but none provides the unified, configurable, and observable platform that comprehensive testing demands.

What is Sala7-Bypass?

Sala7-Bypass is a Burp Suite Professional extension designed specifically for systematic, comprehensive, and observable 403/401/429 bypass testing. Built on PortSwigger’s modern Montoya API, it integrates natively into Burp’s proxy, repeater, and intruder workflows while providing capabilities that no existing tool offers in unified form.

Design Philosophy

1. Comprehensive Coverage: Test all major bypass vectors—IP spoofing (40+ headers), method switching (GET↔POST with parameter migration), authentication removal (Cookie/Authorization), path manipulation (X-Original-URL/X-Rewrite-URL), and rate limiting bypass (IP rotation)—within a single interface.
2. Intelligent Automation: Automatically detect successful bypasses by comparing original and modified response statuses, classify bypass types, track per-technique success rates, and adapt behavior based on configuration.
3. Transparent Observability: Every request, every modification, every response, and every bypass decision is visible, logged, color-coded, and exportable. You understand not just that a bypass succeeded, but how, which technique, which headers, and with what success rate.

Architecture & Design

Modular Architecture

Sala7-Bypass implements a six-class architecture with strict separation of concerns:

Table

Data Flow

[Browser/Tool] → [Burp HTTP Stack] → [BurpExtender.handleHttpRequestToBeSent()]
                                              ↓
                                    [RequestModifier] (transformations)
                                    [BypassEngine] (state checks)
                                              ↓
                                    [LogEntry] (immutable data capture)
                                              ↓
                                    [Burp Server] → [Response]
                                              ↓
                                    [BurpExtender.handleHttpResponseReceived()]
                                              ↓
                                    [BypassEngine] (success evaluation)
                                    [LogEntry] (status updates)
                                              ↓
                                    [LogTableModel] (data binding)
                                    [BypassExtensionUI] (rendering)

Thread Safety

Operating within Burp’s multi-threaded environment, Sala7-Bypass ensures thread safety through:

Table

Core Features Deep Dive

1. Request Interception Engine

Sala7-Bypass intercepts all HTTP traffic through Burp’s Montoya API, applying a sequential decision pipeline:

Gate 1: Extension Enabled → Gate 2: Scope Restriction → Gate 3: Loop Prevention → Gate 4: Auth Filter → Gate 5: Content-Type Filter → Transformation Pipeline

Each gate implements early-exit logic, minimizing performance impact for traffic that should not be processed.

2. Response Analysis Engine

When responses return, the engine:

1. Correlates responses with pending requests using deterministic keys
2. Detects blocking codes (401/403/429)
3. Classifies bypass success by comparing original vs modified status
4. Triggers automatic bypass attempts for blocked responses

3. Bypass Attempt Engine

For each blocked response, the engine:

1. Hashes the request for deduplication
2. Checks retry limits and previous success
3. Iterates through bypass header sets
4. Applies method switching and auth removal (if configured)
5. Sends bypass requests asynchronously
6. Logs results with full metadata

Bypass Techniques Implementation

3.1 IP Spoofing Bypass

The most prevalent bypass vector, exploiting applications that derive client identity from HTTP headers rather than transport-layer connections.

40+ Header Pool:

Table

IP Encoding Variants:

Table

Implementation:

private static List<Map<String, String>> generateBypassHeaders() {
    List<Map<String, String>> headersList = new ArrayList<>();
    for (String ip : IP_VALUES) {
        headersList.add(Map.of("X-Forwarded-For", ip));
        headersList.add(Map.of("X-Real-IP", ip));
        // ... 40+ headers ...
    }
    return headersList;
}

3.2 HTTP Method Switching

Exploits method-bound access controls by switching GET↔POST with automatic parameter migration.

GET → POST Conversion:

• Extracts URL parameters (?key=value)
• Migrates to request body (key=value)
• Adds Content-Type: application/x-www-form-urlencoded
• Removes query string from URL

POST → GET Conversion:

• Extracts body parameters
• Migrates to URL query string (?key=value)
• Clears request body
• Removes Content-Type header

Implementation:

public static HttpRequest switchMethod(HttpRequest request) {
    String method = request.method();
    if (method.equalsIgnoreCase("GET")) {
        return convertGetToPost(request);
    } else if (method.equalsIgnoreCase("POST")) {
        return convertPostToGet(request);
    }
    return request;
}

3.3 Authentication Header Removal

Tests “fail-open” behaviors where missing authentication grants access rather than denying it.

Selective Removal:

Table

Hierarchical Control:

removeAuth (master toggle)
    ├── removeCookie (subordinate)
    └── removeAuthorization (subordinate)

This enables pre-configuration: set subordinate toggles, then enable/disable all auth removal with a single click.

3.4 Path-Based Bypass

Exploits path normalization discrepancies between reverse proxies and application servers.

Headers Tested:

Table

When the proxy routes based on the actual request path but the application authorizes based on the header-specified path, injecting an allowed path bypasses restrictions.

3.5 Rate Limiting Bypass

Circumvents per-IP rate limiting through IP rotation.

Strategy:

Table

Rate Limit Tracking:

private final Map<String, Integer> retryCount = new ConcurrentHashMap<>();

public boolean shouldBypass(String requestHash, int maxRetries) {
    if (hasSuccess(requestHash)) return false;
    if (getRetryCount(requestHash) >= maxRetries) return false;
    return true;
}

3.6 Combined Attack Vectors

Applies multiple techniques simultaneously for layered protection bypass.

Scoring System:

Table

Success Condition: 2+ points (bypassing layered but independently flawed controls)

User Interface & Experience

Tabbed Interface (5 Tabs)

Table

Live Logging System

7-Column Table:

Table

Interactive Features

Table

Enhanced Request/Response Viewer

Double-click any row to open a 1600×1000 dialog with:

• Left Panel: Request inspection (Original/Modified toggle, Raw/Pretty/Diff tabs)
• Right Panel: Response inspection (Original/Modified/Bypass selector, Pretty/Raw/Hex tabs)
• Bottom Panel: Quick modifications (GET↔POST, No Cookie, No Auth, Bypass Headers toggles), status info, action buttons (Send, Replay, Repeater, Copy, Close)

Statistics & Visual Feedback

Statistics Dashboard

Real-time computation on every log update:

Table

Color Feedback:

• Bypass > 0: Labels turn bright green (#32FF32)
• Bypass = 0: Labels remain white

Visual Color Coding

Status Codes:

Table

Bypass Type Badges:

Table

Configuration & Customization

Controls Tab

Table

Advanced Tab

Table

Payloads Tab

Default Pool: 750+ header combinations across 5 categories

Operations:

• Add: Custom header-value pair
• Remove: Delete selected row
• Clear: Empty all entries
• Reset: Restore default 750+ pool
• Save: Export to JSON file
• Load: Import from JSON file

Data Export & Reporting

CSV Export

Column Structure:

Time,URL,OriginalMethod,ModifiedMethod,OriginalStatus,ModifiedStatus,Action,BypassType,Bypass,RealBypass,Success,ResponseTime,BypassDetails

Escaping Rules:

• URLs enclosed in double quotes
• Double quotes escaped as ""
• Newlines normalized to spaces

JSON Export

Schema:

[
  {
    "timestamp": "14:32:17",
    "url": "https://example.com/admin",
    "originalMethod": "GET",
    "modifiedMethod": "POST",
    "originalStatus": 403,
    "modifiedStatus": 200,
    "action": "BYPASS",
    "bypassType": "METHOD",
    "isBypass": true,
    "isRealBypass": true,
    "isSuccess": true,
    "responseTime": 145,
    "bypassDetails": "Original: 403 -> Modified: 200 | GET -> POST | Mods: METHOD_SWITCH:GET->POST"
  }
]

Payload Import/Export

Format:

[
  {
    "name": "X-Forwarded-For",
    "value": "127.0.0.1",
    "enabled": true
  }
]

Security Considerations

Loop Prevention

The X-Burp-Processed: true header prevents recursive request processing:

• Injected in handleHttpRequestToBeSent()
• Checked before processing and bypass triggering
• Removed from bypass attempts before sending

Request Deduplication

BypassEngine.hashRequest() creates deterministic identifiers:

return request.method() + "|" + request.url() + "|" + request.bodyToString().hashCode();

Prevents duplicate bypass attempts for identical requests.

Thread Safety

Table

Resource Cleanup

ExecutorService shutdown sequence:

1. shutdown() — graceful termination
2. awaitTermination(5, SECONDS) — wait for completion
3. shutdownNow() — forceful cleanup if timeout exceeded

Future Roadmap

Table

(Success Popups): The extension triggers real-time popup notifications upon successful bypass detection, instantly highlighting the technique used and the original blocked status. This immediate feedback loop helps testers identify working vectors without manually sifting through proxy history.

Controls Tab): The main dashboard offers granular control over the bypass engine, from enabling loop prevention and scope restrictions to toggling authentication stripping. These switches allow precise tuning of how aggressively the extension modifies intercepted traffic.

(Live Logs Table): The Live Logs tab presents a clean, color-coded table of all bypass attempts with a right-click context menu for quick actions. Statistics at the top summarize total attempts, blocked responses, and real success rate at a glance.

(Request Viewer): A built-in diff viewer compares the original 403 Forbidden response against the modified successful request, exposing exactly which header or method change flipped the server’s decision. This transparency is critical for understanding why a bypass worked.

(Advanced Settings): Advanced configuration covers concurrent threading, request delays, and optional sound alerts for successful hits. Crucially, it lets users define whether automatic bypass attempts should include method switching or authorization removal.

(Payloads Tab): The Payloads tab exposes the full arsenal of bypass headers—X-Forwarded-For, X-Real-IP, X-Originating-IP and more—with editable values and enable toggles. Users can customize, add, or remove payloads to adapt to specific target behaviors.

(About Tab): A clean About screen credits the developer and adds a personal touch with the ninja artwork and Arabic prayer text. It reminds users that behind the tool is a dedicated builder invested in the community.

(Test Lab & Full Stats): The extension was validated against a custom test laboratory simulating IP-based, method-based, path-based, auth-header, rate-limiting, and combined bypass scenarios. The final statistics—11 real bypasses out of 24 blocked attempts—demonstrate a solid 45.8% success rate across diverse protection mechanisms.

Conclusion

Sala7-Bypass transforms access control testing from manual, error-prone individual request manipulation into systematic, observable, and reportable automated testing. By combining five major bypass vectors—IP spoofing, method switching, authentication removal, path manipulation, and rate limiting circumvention—within a single Burp Suite extension, it increases bypass discovery probability while reducing testing time from hours to minutes.

The integrated real-time statistics, color-coded visual feedback, and one-click export capabilities provide the transparency that professional penetration testers need to understand, verify, and report their findings with confidence.

Key Takeaway: Access control bypasses are not edge cases—they are endemic. Sala7-Bypass provides the systematic approach needed to find them efficiently.