Version 1.1.0

Author: devploit

.DS_Store

@@ -20,6 +20,7 @@ request.txt
 
 # Built binary
 nomore403
+nomore403.exe
 
 # Idea
 .idea/*

.gitignore

@@ -43,12 +43,7 @@ To edit or add new bypasses, modify the payloads directly in the [payloads](http
 ### Output example
 
 ```bash
-    ________  ________  ________  ________  ________  ________  ________  ________  ________
-   ╱     ╱  ╲╱        ╲╱    ╱   ╲╱        ╲╱        ╲╱        ╲╱    ╱   ╲╱        ╲╱__      ╲
-  ╱         ╱    ╱    ╱         ╱    ╱    ╱    ╱    ╱       __╱         ╱    ╱    ╱__       ╱
- ╱         ╱         ╱         ╱         ╱        _╱       __/____     ╱         ╱         ╱
- ╲__╱_____╱╲________╱╲__╱__╱__╱╲________╱╲____╱___╱╲________╱    ╱____╱╲________╱╲________╱  
-
+━━━━━━━━━━━━━━ NOMORE403 CONFIGURATION ━━━━━━━━━━━━━━━━━━
 Target:                 https://domain.com/admin
 Headers:                false
 Proxy:                  false
@@ -61,26 +56,33 @@ Rate Limit detection:   false
 Status:                 
 Timeout (ms):           6000
 Delay (ms):             0
-Techniques:             verbs, verbs-case, headers, endpaths, midpaths, http-versions, path-case
+Techniques:             verbs, verbs-case, headers, endpaths, midpaths, double-encoding, http-versions, path-case
 Unique:                 false
 Verbose:                false
 
+━━━━━━━━━━━━━━━ AUTO-CALIBRATION RESULTS ━━━━━━━━━━━━━━━
+[✔] Calibration URI: https://domain.com/admin/calibration_test_123456
+[✔] Status Code: 404
+[✔] Content Length: 1821 bytes
+
 ━━━━━━━━━━━━━ DEFAULT REQUEST ━━━━━━━━━━━━━
 403 	  429 bytes https://domain.com/admin
 
 ━━━━━━━━━━━━━ VERB TAMPERING ━━━━━━━━━━━━━━
 
+━━━━━ VERB TAMPERING CASE SWITCHING ━━━━━━━
+
 ━━━━━━━━━━━━━ HEADERS ━━━━━━━━━━━━━━━━━━━━━
 
 ━━━━━━━━━━━━━ CUSTOM PATHS ━━━━━━━━━━━━━━━━
 200 	 2047 bytes https://domain.com/;///..admin
 
+━━━━━━━━━━━━━ DOUBLE-ENCODING ━━━━━━━━━━━━━
+
 ━━━━━━━━━━━━━ HTTP VERSIONS ━━━━━━━━━━━━━━━
 403      429 bytes HTTP/1.0
-403      429 bytes HTTP/1.1
-403      429 bytes HTTP/2
 
-━━━━━━━━━━━━━ CASE SWITCHING ━━━━━━━━━━━━━━
+━━━━━━━━━━ PATH CASE SWITCHING ━━━━━━━━━━━━
 200 	 2047 bytes https://domain.com/%61dmin
 ```
 
@@ -138,12 +140,12 @@ Flags:
   -r, --redirect              Automatically follow redirects in responses.
       --request-file string   Load request configuration and flags from a specified file.
       --status strings        Filter output by comma-separated status codes (e.g., 200,301,403)
-  -k, --technique strings     Specify one or more attack techniques to use (e.g., headers,path-case). (default [verbs,verbs-case,headers,endpaths,midpaths,http-versions,path-case])
+  -k, --technique strings     Specify one or more attack techniques to use (e.g., headers,path-case). (default [verbs,verbs-case,headers,endpaths,midpaths,double-encoding,http-versions,path-case])
       --timeout int           Specify a max timeout time in ms. (default 6000)
-      --unique                Show unique output based on status code and response length
+      --unique                Show unique output based on status code and response length.
   -u, --uri string            Specify the target URL for the request.
   -a, --user-agent string     Specify a custom User-Agent string for requests (default: 'nomore403').
-  -v, --verbose               Enable verbose output for detailed request/response logging.
+  -v, --verbose               Enable verbose output for detailed request/response logging (not based on auto-calibrate).
 ```
 
 ## Contributing

LICENSE

@@ -3,6 +3,9 @@ package cmd
 import (
 	"bufio"
 	"crypto/tls"
+	"fmt"
+	"github.com/fatih/color"
+	"github.com/slicingmelon/go-rawurlparser"
 	"io"
 	"log"
 	"net"
@@ -12,8 +15,6 @@ import (
 	"os"
 	"strings"
 	"time"
-
-	"github.com/slicingmelon/go-rawurlparser"
 )
 
 // parseFile reads a file given its filename and returns a list containing each of its lines.
@@ -95,22 +96,12 @@ func request(method, uri string, headers []header, proxy *url.URL, rateLimit boo
 		URL: &url.URL{
 			Scheme: parsedURL.Scheme,
 			Host:   parsedURL.Host,
-			Opaque: parsedURL.Path, // Use Opaque to prevent path normalization
+			Opaque: parsedURL.Path,
 		},
 		Header: make(http.Header),
 		Close:  true,
 	}
 
-	//log.Printf("Debug - Raw URL parsed: %s", uri)
-	// Don't use URL.String() for debugging, as it will perform encodings and normalization
-	// log.Printf("Debug - Request Components - Scheme: %s, Host: %s, Path: %s, RawPath: %s, Opaque: %s",
-	// 	req.URL.Scheme,
-	// 	req.URL.Host,
-	// 	req.URL.Path,
-	// 	req.URL.RawPath,
-	// 	req.URL.Opaque,
-	// )
-
 	for _, header := range headers {
 		req.Header.Add(header.key, header.value)
 	}
@@ -177,3 +168,28 @@ func loadFlagsFromRequestFile(requestFile string, schema bool, verbose bool, tec
 	// Assign the extracted values to the corresponding flag variables
 	requester(uri, proxy, userAgent, reqHeaders, bypassIP, folder, httpMethod, verbose, technique, nobanner, rateLimit, timeout, redirect, randomAgent)
 }
+
+func runAutocalibrate(options RequestOptions) int {
+	calibrationURI := options.uri
+	if !strings.HasSuffix(calibrationURI, "/") {
+		calibrationURI += "/"
+	}
+	calibrationURI += "calibration_test_123456"
+
+	statusCode, response, err := request("GET", calibrationURI, options.headers, options.proxy, options.rateLimit, options.timeout, options.redirect)
+	if err != nil {
+		log.Printf("[!] Error during calibration request: %v\n", err)
+		return 0
+	}
+
+	// Save default response
+	defaultSc := statusCode
+	defaultCl := len(response)
+
+	fmt.Println(color.MagentaString("\n━━━━━━━━━━━━━━━ AUTO-CALIBRATION RESULTS ━━━━━━━━━━━━━━━"))
+	fmt.Printf("[✔] Calibration URI: %s\n", calibrationURI)
+	fmt.Printf("[✔] Status Code: %d\n", defaultSc)
+	fmt.Printf("[✔] Content Length: %d bytes\n", defaultCl)
+
+	return defaultCl
+}