From 2d3b80b234957fd57c2769ff047a0db16d56fcad Mon Sep 17 00:00:00 2001
From: shadowsurface <132829380+shadowsurface@users.noreply.github.com>
Date: Wed, 27 Nov 2024 21:27:15 +0200
Subject: [PATCH] Create 403-429-bypass.bcheck

---
 other/bypass/403-429-bypass.bcheck | 44 ++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 other/bypass/403-429-bypass.bcheck

diff --git a/other/bypass/403-429-bypass.bcheck b/other/bypass/403-429-bypass.bcheck
new file mode 100644
index 0000000..ba918a9
--- /dev/null
+++ b/other/bypass/403-429-bypass.bcheck
@@ -0,0 +1,44 @@
+metadata:
+ language: v2-beta
+ name: "403/429 bypass using HTTP Header"
+ description: "Attempts to bypass 403/429 using the HTTP headers with local IP address"
+ author: "Shadow Surface"
+ tags: "bypass"
+
+define:
+ bypass_ip = "127.0.0.1"
+
+run for each:
+ bypass_header =
+ "Forwarded",
+ "Via",
+ "X-Client-IP",
+ "X-Forwarded-For",
+ "X-Forwarded-Host",
+ "X-Forwarded-Proto",
+ "X-Forwarded-Server",
+ "X-Forward-For",
+ "X-Forwared-Host",
+ "X-Host",
+ "X-Originating-IP",
+ "X-Real-IP",
+ "X-Remote-Addr",
+ "X-Remote-IP",
+ "X-Requested-By",
+ "X-Requested-For",
+ "X-Trusted-IP"
+
+given request then
+ if {base.response.status_code} matches "(403|429)" then
+ send request:
+ replacing headers:
+ {bypass_header}: {bypass_ip}
+
+ if not( {latest.response.status_code} is {base.response.status_code} ) then
+ report issue:
+ severity: high
+ confidence: tentative
+ detail: `Potential {base.response.status_code} bypass using {bypass_header} header.`
+ remediation: `Avoid using {bypass_header} for authorization or rate limiting.`
+ end if
+ end if
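Review bot: `"X-Forwared-Host",` in the bypass_header list is a misspelling of `X-Forwarded-Host`, which already appears three entries above it, so that iteration sends a header no server will recognise and only adds an extra request per scanned item; drop the entry, or correct it if a distinct header was intended. The report condition `if not( {latest.response.status_code} is {base.response.status_code} ) then` treats any status change as a potential bypass, which for a 429 base response will fire whenever the rate-limit window has simply expired between the two requests, and for either status will fire on an unrelated 5xx; the tentative confidence hedges this, but the issue text should state what was observed rather than assert a bypass, e.g. `detail: \`Status changed from {base.response.status_code} to {latest.response.status_code} after adding {bypass_header}: {bypass_ip}; confirm manually.\``. Consider also requiring the follow-up response to match a success pattern (a second `matches` test on `{latest.response.status_code}` for `"(2|3)[0-9]{2}"`) before reporting at high severity, so a 403 that turned into a 500 is not flagged.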