feat(bypass): add path manipulation probes to header bypass

Author: stanislav-web

CHANGELOG.md

@@ -1,6 +1,18 @@
 CHANGELOG
 =======
 
+v5.14.2 (01.05.2026)
+---------------------------
+- (enhancement) extended `--header-bypass` with controlled path-manipulation probes after header-injection probes
+- (enhancement) added safe path-bypass variants: trailing slash, double leading slash, dot segment, semicolon suffix, case variation and URL-encoded segment
+- (enhancement) path-bypass probes are strict opt-in through the existing `--header-bypass` flow and do not change default scan behaviour
+- (enhancement) successful path-bypass candidates are stored in the existing `bypass` result bucket
+- (enhancement) added path-bypass report metadata: `bypass=path`, `bypass_variant`, `bypass_value`, `bypass_url`, `bypass_from_code` and `bypass_to_code`
+- (enhancement) JSON, HTML, CSV and SQLite reports preserve path-bypass evidence through detailed report items
+- (tests) added regression coverage for path-bypass generation, runtime reporting and debug output branches
+- (tests) full unittest suite passes after integration (`1221` tests)
+- (tests) coverage gate passes at `99%`
+
 v5.14.1 (01.05.2026)
 ---------------------------
 - (enhancement) expanded target input parsing with IPv4 CIDR support for batch scans

README.md

@@ -62,7 +62,7 @@ It helps security researchers, penetration testers, bug bounty hunters, DevSecOp
 - smart auto-calibration for soft-404, wildcard, and catch-all responses;
 - technology fingerprint detection CMS, ecommerce platforms, frameworks;
 - passive WAF detection and WAF-safe scan mode;
-- controlled Header Injection Bypass probes for blocked `401` and `403` paths;
+- controlled header and path bypass probes for blocked `401` and `403` resources;
 - resumable scan sessions with checkpoint autosave;
 - CI/CD fail-on result bucket rules;
 - official Docker image distribution via GitHub Container Registry;
@@ -84,7 +84,7 @@ OpenDoor focuses on **context-aware discovery** instead of blind enumeration.
 |---|---|
 | **Fingerprint-first scanning** | OpenDoor can identify probable CMS platforms, frameworks, infrastructure providers, and WAF signals before deeper discovery. This helps you scan with context instead of blindly throwing a generic wordlist at the target. |
 | **WAF-aware behavior** | OpenDoor can detect probable WAF / anti-bot behavior and switch to a safer runtime profile with `--waf-safe-mode`, reducing noisy blocked scans and making defensive responses easier to understand. |
-| **Controlled header-bypass evidence** | OpenDoor can optionally probe blocked `401` and `403` paths with controlled per-request header-injection variants. It records exact evidence such as the header name, value, original status code, and resulting status code without mutating global scan headers. |
+| **Controlled bypass evidence** | OpenDoor can optionally probe blocked `401` and `403` resources with controlled header-injection and path-manipulation variants. It records exact evidence such as bypass type, header or path variant, probe value, original status code, and resulting status code without mutating global scan headers. |
 | **Multi-signal auto-calibration** | OpenDoor does not rely only on status code or response size. It compares multiple response signals such as body hashes, HTML structure, titles, redirects, stable headers, word count, line count, and normalized dynamic tokens to reduce soft-404 and wildcard false positives. |
 | **Transport-level workflows** | OpenDoor supports direct, proxy, OpenVPN, and WireGuard transport modes. It can also rotate transport profiles per target in authorized batch scans, which is not the same as manually starting a VPN before running a scanner. |
 | **Resumable long scans** | OpenDoor can save scan checkpoints and resume later. This matters when scans are interrupted by crashes, unstable networks, blocked routes, terminal disconnects, or long multi-target jobs. |
@@ -269,9 +269,9 @@ opendoor \
   --retries 5 \
   --delay 0.5
 ```
-### Header Injection Bypass probes
+### Header and path bypass probes
 
-Use this only on systems you are authorized to test. The feature is opt-in and probes blocked paths with temporary per-request headers.
+Use this only on systems you are authorized to test. The feature is opt-in and probes blocked resources with controlled temporary headers and safe path variants.
 
 ```bash
 opendoor \
@@ -282,6 +282,7 @@ opendoor \
   --header-bypass-limit 32 \
   --reports std,json,csv,sqlite
 ```
+When --header-bypass is enabled, OpenDoor first tries configured header-injection variants and then safe path-manipulation variants such as trailing slash, dot segment, semicolon suffix, case variation, and URL-encoded segment.
 Customize trigger statuses, trusted IP values, and headers:
 
 ```bash
@@ -292,7 +293,7 @@ opendoor \
   --header-bypass-status 401,403 \
   --header-bypass-ips 127.0.0.1,10.0.0.1 \
   --header-bypass-headers X-Original-URL,X-Rewrite-URL,X-Forwarded-For,X-Real-IP \
-  --reports json,html,sqlite
+  --reports json,html,sqlite,csv
 ```
 
 ### Proxy routing

VERSION

@@ -1 +1 @@
-5.14.1
+5.14.2

docs/Usage.md

@@ -464,7 +464,8 @@ Use this mode when scanning authorized targets protected by WAF, CDN, or anti-bo
 
 Header Injection Bypass is an opt-in feature for authorized testing of blocked resources.
 
-When enabled, OpenDoor probes configured blocked statuses with controlled, temporary per-request headers. If a probe changes a blocked response into a meaningful result, OpenDoor records it in the `bypass` result bucket with exact evidence.
+When enabled, OpenDoor probes configured blocked statuses with controlled, temporary per-request headers. `--header-bypass` flow also tries safe path-manipulation variants after header probes. 
+If a probe changes a blocked response into a meaningful result, OpenDoor records it in the `bypass` result bucket with exact evidence.
 
 ### Enable header-bypass probes
 
@@ -548,6 +549,23 @@ opendoor \
   --header-bypass-limit 0
 ```
 
+### Path-manipulation probes
+
+Path-manipulation probes are enabled automatically when `--header-bypass` is enabled.
+
+OpenDoor tries header-injection variants first, then safe path variants such as:
+
+| Variant | Example |
+|---|---|
+| `trailing-slash` | `/admin` → `/admin/` |
+| `double-leading-slash` | `/admin` → `//admin` |
+| `dot-segment` | `/admin` → `/admin/.` |
+| `semicolon-suffix` | `/admin` → `/admin;/` |
+| `case-variation` | `/admin` → `/Admin` |
+| `url-encoded-segment` | `/admin panel` → `/admin%20panel` |
+
+Path probes are controlled by the same `--header-bypass-limit` option.
+
 ### Reported evidence
 
 Successful candidates are stored in the `bypass` bucket.
@@ -556,9 +574,11 @@ Detailed report items include:
 
 | Field | Meaning |
 |---|---|
-| `bypass` | Bypass type, currently `header` |
-| `bypass_header` | Header that produced the candidate |
-| `bypass_value` | Header value used for the probe |
+| `bypass` | Bypass type: `header` or `path` |
+| `bypass_header` | Header that produced the candidate for header-based probes |
+| `bypass_variant` | Path-manipulation variant name for path-based probes |
+| `bypass_value` | Header value or path value used for the probe |
+| `bypass_url` | Full probe URL for path-based probes |
 | `bypass_from_code` | Original blocked status code |
 | `bypass_to_code` | Resulting status code |
 
@@ -759,7 +779,7 @@ Available report formats:
 | `html`   | Human-readable report                         |
 | `sqlite` | Structured local database for post-processing |
 
-When `--header-bypass` is enabled and a candidate is found, report formats preserve bypass evidence:
+When `--header-bypass` is enabled and a header or path candidate is found, report formats preserve bypass evidence:
 
 | Report | Header-bypass evidence |
 |---|---|

docs/examples/header-bypass-scans.md

@@ -1,8 +1,8 @@
-# 🧩 Header-bypass scans
+# 🧩 Header and path bypass scans
 
-This page contains practical Header Injection Bypass examples for authorized testing.
+This page contains practical bypass examples for authorized testing of blocked resources.
 
-Header Injection Bypass is opt-in and probes blocked resources with temporary per-request headers.
+Header-bypass mode is opt-in. It probes blocked resources with temporary per-request headers and safe path-manipulation variants.
 
 ---
 
@@ -19,6 +19,26 @@ By default, OpenDoor probes `401` and `403` responses.
 
 ---
 
+## Header and path probe order
+
+When `--header-bypass` is enabled, OpenDoor tries probes in a controlled order:
+
+1. configured header-injection variants;
+2. safe path-manipulation variants.
+
+Path variants include:
+
+- trailing slash;
+- double leading slash;
+- dot segment;
+- semicolon suffix;
+- case variation;
+- URL-encoded segment.
+
+All successful candidates are stored in the `bypass` bucket.
+
+---
+
 ## WAF-aware header-bypass scan
 
 ```shell
@@ -98,10 +118,33 @@ Use:
 
 ---
 
+## Report metadata
+
+Header-based candidates may include:
+
+- `bypass=header`;
+- `bypass_header`;
+- `bypass_value`;
+- `bypass_from_code`;
+- `bypass_to_code`.
+
+Path-based candidates may include:
+
+- `bypass=path`;
+- `bypass_variant`;
+- `bypass_value`;
+- `bypass_url`;
+- `bypass_from_code`;
+- `bypass_to_code`.
+
+---
+
 ## Notes
 
 - Header-bypass probes are disabled by default.
-- Probe headers are temporary per-request headers.
+- Header probes use temporary per-request headers.
+- Path probes use temporary probe URLs and do not mutate the original scan target.
 - Normal scan headers are not mutated.
 - Use `--header-bypass-limit` to keep probe volume controlled.
+- Method switching and large payload sets are intentionally deferred.
 - Use this only on systems you are authorized to test.

src/lib/browser/browser.py

@@ -811,15 +811,20 @@ def __probe_header_bypass(self, url, base_response_data):
         )
 
         for variant in variants:
-            headers = {variant.get('header'): variant.get('value')}
-            response_object = self.__request_with_waf_safe_mode(url, extra_headers=headers)
+            probe_url = variant.get('url') if variant.get('type') == 'path' else url
+            extra_headers = None
+
+            if variant.get('type') != 'path':
+                extra_headers = {variant.get('header'): variant.get('value')}
+
+            response_object = self.__request_with_waf_safe_mode(probe_url, extra_headers=extra_headers)
 
             if response_object is None:
                 continue
 
             probe_response_data = self.__response.handle(
                 response_object,
-                request_url=url,
+                request_url=probe_url,
                 items_size=self.__pool.items_size,
                 total_size=self.__pool.total_items_size,
                 ignore_list=self.__reader.get_ignored_list()
@@ -832,7 +837,7 @@ def __probe_header_bypass(self, url, base_response_data):
                 metadata = HeaderBypassProbe.metadata(variant, base_response_data, probe_response_data)
                 tpl.debug(
                     key='header_bypass_candidate',
-                    header=metadata.get('bypass_header'),
+                    header=metadata.get('bypass_header') or metadata.get('bypass_variant'),
                     from_code=metadata.get('bypass_from_code') or '-',
                     to_code=metadata.get('bypass_to_code') or '-'
                 )
@@ -1186,6 +1191,10 @@ def __catch_report_data(self, status, url, size='0B', code='-', metadata=None):
                 item['bypass_header'] = metadata.get('bypass_header')
             if metadata.get('bypass_value'):
                 item['bypass_value'] = metadata.get('bypass_value')
+            if metadata.get('bypass_variant'):
+                item['bypass_variant'] = metadata.get('bypass_variant')
+            if metadata.get('bypass_url'):
+                item['bypass_url'] = metadata.get('bypass_url')
             if metadata.get('bypass_from_code') is not None:
                 item['bypass_from_code'] = str(metadata.get('bypass_from_code'))
             if metadata.get('bypass_to_code') is not None: