A comprehensive Burp Suite extension for testing access control, path traversal, and Web Cache Deception vulnerabilities β all in one tool.
Developed with π‘οΈ by Tagoletta
Installation β’ Features β’ Usage β’ Web Cache Deception β’ Build β’ Contributing
- Go to Releases
- Download the latest
access-context-fuzzer-*-jar-with-dependencies.jar - Open Burp Suite β Extensions β Add
- Select the downloaded JAR file
- The "Access Context" tab will appear in Burp Suite
See Building from Source below.
Access Context Fuzzer is a Burp Suite extension designed for security researchers and penetration testers who need to systematically test for access control bypass and Web Cache Deception (WCD) vulnerabilities.
Instead of manually crafting dozens of header and path variations, this extension automatically generates and tests hundreds of bypass variants in seconds β then highlights exactly which ones behave differently from the baseline.
Web Cache Deception β detection that actually confirms
- π Critical: Turkish-locale
toUpperCase()/toLowerCase()broke all cache detection. On a Turkish-locale JVM,"hit".toUpperCase()yields"HΔ°T"(dotted capital Δ°, U+0130) β soxCache.toUpperCase().contains("HIT")was alwaysfalse, and the same trap silently brokeprivateβprΔ±vateandno-storematching. EveryX-Cache/Cache-Control/Varycomparison inScanEngineandHttpUtilsnow usesLocale.ROOT. This is why cacheable responses were reported asMISSeven though every resend was really aHIT. - π―
/delimiter for path-mapping WCD: The Delimiter + Extension phase now also tests/path/abc.js(the exact vector behind PortSwigger's "Exploiting path mapping" lab), not just query/encoded delimiters. - π Automatic MISSβHIT confirmation: When a variant returns a cacheable
200X-Cache: MISSwithmax-age/s-maxage, the scanner resends the same request a few times inside the cache window. IfX-Cacheflips toHIT, the row is flaggedπ― WCD CONFIRMED (MISSβHIT)and shown asHIT ββ the cache-warming step is now automatic instead of a manual Repeater round-trip.
Verify WCD β warm + no-auth replay
- π Rewritten
Verify WCD(right-click): The old one-shot no-auth replay produced false negatives (a cold cache returns302 / MISSeven on a cacheable URL). It now (1) warms the cache with your current auth until the entry isHIT, then (2) replays without cookies/auth and compares bodies. A confirmed leak requires a no-authHITwhose body matches the authenticated response (or contains sensitive data) β cleanly separatingβ CONFIRMED WCDfromβ οΈ HIT but content differsandβ not cached without auth. Works on whichever message (request or response) is open.
New: π― WCD Findings tab
- ποΈ A dedicated tab collects every WCD result β both the scanner's automatic MISSβHIT confirmations and manual verifications β with URL, auth/no-auth status,
X-Cache, verdict, and timestamp. Double-click a row to open the request/response that proves it. No more transient popups with no history.
UI & reporting
- π·οΈ Status moved to a proper label: The cramped, text-truncated progress bar now shows just the bar; the run summary lives in a clean label β
β Done β N sent | M findings | B π― bypass | W π― WCD cacheable | Re-run available. - π― Cache HITs count as findings: Confirmed MISSβHIT results are now included in the bypass tally and surfaced via a dedicated WCD cacheable counter (previously always reported
0 bypasses). - π Tightened "interesting": Only real findings (bypass, WCD confirmed, cache-hit, sensitive data, custom-rule hits) count as interesting and pass the Show Only Interesting filter β baseline noise (
STATUS_CHANGE/WORD_DELTA/LEN_DELTA/X-Cache:miss) no longer inflates the count. - π English dialogs: The WCD verification and scan-summary dialogs are now fully English.
Settings
- βοΈ OPSEC & Network moved to Settings: The Check External IP / Delay panel was removed from the Header, Path, and Selection tabs and consolidated into a single section at the top of Settings & History, separated from per-engine payload options.
- πΎ Single, persisted delay: The three per-engine delays are unified into one
Delay (ms)that all engines share and that is saved across restarts (keyacf.delay; a legacyacf.path.delayis migrated automatically).
Bug Fixes
- π Swing EDT violations in scan startup:
startFuzzing()ran on a background thread but readJTextArea,JSpinner, andJCheckBoxvalues directly β a race condition with the EDT. All UI values are now snapshotted viaScanConfigon the EDT before the task is submitted. - π Swing EDT violations in context-menu handlers: Payload builders (
HeaderPayloadBuilder,PathPayloadBuilder,SelectionPayloadBuilder) were being constructed inside the executor lambda, reading multipleJCheckBoxcomponents off the EDT. Builders are now called on the EDT before task submission. - π
flashTabTimer created off EDT: Thejavax.swing.TimerinsideflashTab()was being constructed and started from the background fuzzing thread. Wrapped inSwingUtilities.invokeLater(). Additionally, theJTabbedPane.indexOfComponent()andgetTitleAt()reads that fedflashTab()were themselves still on the background thread β moved inside theinvokeLaterlambda so all Swing reads happen on the EDT. - π DiffDialog false diff on CRLF responses:
split("\n")left trailing\ron each element when responses used Windows line endings, causing identical lines to appear as "changed". Changed tosplit("\r?\n"). - π Invalid custom rule regex silently discarded: A bad pattern in the Custom Detection Rules panel was swallowed by
catch (Exception ignored)with no feedback. Now logged to Burp's output panel. - π
btnPreviewuseless executor roundtrip: The Preview Payloads button submitted to the background thread pool only to immediately dispatch back to the EDT viainvokeLater. Removed the intermediate hop. - π Duplicate
buildOpsecPanel/createTextAreaPanelin every tab:HeaderEngineTab,PathEngineTab, andSelectionEngineTabeach declared private copies of methods already defined aspublic staticinResultsPanel. All three now delegate to the canonical implementations. - π
historyModel.getRowCount()off EDT in scan history:appendScanHistory()readDefaultTableModel.getRowCount()from the background fuzzing thread to compute the next row number, then wrapped onlyaddRow()ininvokeLater. Both the read and the write are now inside theinvokeLaterlambda. - π Parallel-mode timeout leaves HTTP request running: On a
TimeoutException, the timed-outFuturewas left running β the underlying HTTP connection stayed open until the remote server closed it.future.cancel(true)is now called before creating the fallbackFuzzResult. - π
Desktop.getDesktop().browse()blocking on EDT: The About tab's hyperlink listener calledDesktop.browse()directly on the Event Dispatch Thread. This is a blocking OS call that can freeze the entire Burp UI. Moved to a dedicated daemon thread. - π Custom path/payload/header
split("\\n")broken on Windows: Newlines typed in the Custom Paths (Path engine), Custom Payloads (Selection engine), Custom IPs, and Custom Headers (Header engine) text areas use\r\non Windows. Splitting on\nleft a trailing\ron each entry, producing payloads or header values with literal carriage-return characters. Changed tosplit("\\r?\\n")in all four locations. - π Hardcoded
User-Agent: AccessContext/3.0in OPSEC check: The IP-verification request to api.ipify.org sent a stale hardcoded version string. Now readsExtensionContext.VERSIONso the UA always matches the installed release.
Performance
- β‘ Single
bodyToString()call per response:wordCount,lineCount,getTitle,detectSensitiveData, andbodyHasheach calledrr.response().bodyToString()independently β up to 5 redundant body conversions per variant. AbodyStr()helper now fetches the body once per response; all analysis methods accept the pre-fetched string via overloaded signatures. - β‘ ThreadLocal
MessageDigestfor MD5 hashing:MessageDigest.getInstance("MD5")triggered a security-provider lookup on every call. Replaced with aThreadLocal<MessageDigest>that is reused (md.reset()) across calls on the same thread β zero lookups after warm-up. - β‘
ThemeColors.isDark()result cached: Every table cell repaint calledUIManager.getColor("Panel.background")throughisDark(). The result is now cached in avolatile booleanand refreshed only when the Look & Feel changes via aUIManagerproperty listener.
Bug Fixes
- π Session drift dialog (EDT fix): The mid-scan confirmation dialog was being called via
JOptionPane.showConfirmDialog()directly from the background fuzzing thread. Replaced withSwingUtilities.invokeAndWait()β potential deadlock on certain JVM/OS combinations. - π Null body crash in
bodyHash():.body()returns null on 204/HEAD responses. Was silently swallowed by the catch block but still caused unnecessary exception overhead. Added an explicit null check. - π CSV newline escaping: Multi-flag Notes entries contain embedded
\ncharacters. These weren't being escaped before writing, breaking row boundaries in Excel and most CSV parsers.
Performance
- β‘ Regex pre-compilation: Custom detection rules (Settings tab) were calling
Pattern.compile()on every response β O(variants Γ rules) compilations per scan. Rules are now compiled once at scan start into a cachedList<Pattern>. - β‘ Allocation-free word/line counting:
wordCount()was doingbody.split("\\s+").lengthβ allocates a fullString[]just to discard it. Replaced withStringTokenizer.countTokens().lineCount()similarly replaced with a single-passcharloop. - β‘
getTitle()static pattern:Pattern.compile()was called on every invocation. Moved to aprivate static finalfield.
- π Cache Status Column: Results table now has a dedicated Cache column showing
HIT β,MISS,PRIVATE π«,NO-STORE π«,HIT/Vary:Cookie, or the rawX-Cachevalue. WCD triage without reading the Notes column. - π CDN Profile Selector: Pick your target's CDN (Cloudflare, Akamai, Fastly, CloudFront, Nginx, Varnish) in the Path engine. Delimiter payloads are filtered to that CDN's known delimiter set β less noise, more signal.
- ποΈ Fat GET: New checkbox in Path engine. Sends the request as a GET with a body. CDNs key the cache on path and ignore the body; some origins behave differently. Surfaces WCD vectors that path-only testing misses.
- ποΈ Extended Static Extensions: Delimiter + Extension phase now covers 19 file types (was 6):
.js .css .png .jpg .gif .ico .woff .woff2 .svg .ttf .eot .mp4 .webp .avif .pdf .xml .json .txt .html. - π¬ Normalization Discrepancy Extras: Four additional Norm Discrepancy payloads:
%252F(double-encoded slash), BOM + extension,%00.css(null byte),%c0%af(overlong UTF-8). - π Sensitive Data Detection: Every response body is automatically scanned for JWT tokens, CSRF tokens, email fields, Bearer tokens, and API keys. Matches are flagged as
SENSITIVE_DATA:JWT(etc.) in Notes and highlighted pink. Confirms WCD exploitation when an unauthenticated cache replay returns sensitive content. - π WCD Scan Summary: After a Path engine scan, a popup summarises cache findings β HIT count, private/no-store count, Vary:Cookie count, and which specific variants look exploitable.
- π Verify WCD (No-Auth): New right-click context menu item. Replays the URL without cookies or auth headers in a fresh connection. If the cached response still returns authenticated content, it's a confirmed WCD finding β shown in a before/after comparison dialog.
- ποΈ Internal Refactor (1 file β 17 files): The monolithic
AccessContextFuzzer.java(was ~2000 lines) is now a proper multi-package structure:burp.core,burp.util,burp.payload,burp.ui. No behaviour changes β the entry point is now 123 lines. Makes contributing significantly more approachable.
- πΎ Settings Persistence (A): All checkboxes, spinners, delays, and custom rules now auto-save using Burp's native Preferences API and are restored on next load.
- β‘ Parallel Fuzzing Mode (B): Toggle
Parallel Modein the new β Settings & History tab to send multiple requests simultaneously. Configurable thread count (2β20). Ordered collection preserves row numbering. Disables delay and session drift check. - π Scan Summary (D): Progress bar updates to a rich summary at end of scan β
Done! β 147 sent | 12 interesting | 3 π― bypasses | Re-run available. - π Response Diff Viewer (E): Right-click any row β Compare with Baseline for a side-by-side HTML diff showing which lines changed between the baseline and the variant response.
- π Custom Detection Rules (G): Define regex patterns in the Settings tab using
regex=LABELformat. Matches in any response body are highlighted asCUSTOM:LABELin the Notes column. - π Expanded Bypass Detection (H): Now detects redirect-based bypasses (
π REDIRECT BYPASS?for 403β30x) and same-status body changes on 2xx (β οΈ BODY_BYPASS?). - π‘οΈ Configurable WAF Threshold (I): The WAF block threshold (consecutive connection resets before auto-stop) is now a spinner in Settings β default 5, range 1β50.
- π Scan History Tab (J): A new β Settings & History tab logs every completed scan with engine type, target URL, timestamp, payload count, interesting count, bypass count, and baseline status.
- ποΈ Payload Preview (K): Click π Preview Payloads on any engine tab to see a full categorized list of all variants that would be sent β without actually running the scan.
- π§ Thread Safety: Fixed thread leak on extension unload via
taskExecutor.shutdownNow(). - π₯οΈ Swing EDT Fix:
flashTab()converted from rawThread.sleep()to a properjavax.swing.Timer. - β»οΈ DRY Refactor: Eliminated 3Γ duplicate OPSEC panel code with
buildOpsecPanel()helper. - π£ Error Visibility: All silently swallowed exceptions now log to
api.logging().logToError(). - π CSV Export Fix: Export failure now shows an error dialog instead of failing silently.
Access Context Fuzzer has been significantly upgraded to tackle modern web applications, aggressive WAFs, and complex API gateways:
- π§ MD5 Body Hash Engine & "Interesting" Filter: Detects hidden state changes (
BODY_DIFF) even when the status code remains the same. Click "π Show Only Interesting" to instantly filter out noise. - π‘οΈ Adaptive Rate Limiting Anti-WAF: Automatically doubles the delay upon
429 Too Many Requestsor503, and halts the scan if the WAF starts dropping connections (status -1). - β±οΈ Real-Time Fuzz Estimation: The progress bar now dynamically estimates
(~1:45 remaining)based on rolling RTT averages. - π Session Drift Detection: Re-verifies your baseline every 50 requests. If your session expires (
SESSION_DRIFT), it pauses the scan and warns you. - ποΈ Bulk "Send to Repeater": Multi-select support! Send all "Interesting" variants to the Repeater with a single click.
- π― Scan Profiles: 1-click preset buttons (
β‘ Quick Scan,π₯ Full Scan,π― WCD Only) instantly configure the payloads. - 𧬠Deep Protocol Injection: Added WebDAV verbs, case-tampering (
gEt), HTTP/2 pseudo-header injection (:authority), and obscure unicode traversals.
| Problem | Without This Tool | With Access Context Fuzzer |
|---|---|---|
| Header bypass testing | Manually add X-Forwarded-For, X-Real-IP, etc. one by one |
40+ header variants tested simultaneously |
| Path normalization bugs | Guess which encoding tricks work | Systematic fuzzing of URL encoding, double encoding, IIS Unicode, dot-segments |
| Web Cache Deception | Complex multi-step manual testing | Automated 4-phase WCD pipeline with cache header detection |
| Result analysis | Compare responses manually | Smart color-coded diff β status changes, word deltas, length anomalies highlighted automatically |
Access Context Fuzzer provides three independent fuzzing engines, each accessible via its own tab:
Tests access control enforcement by injecting IP spoofing and host manipulation headers.
What it tests:
| Category | Headers | Example |
|---|---|---|
| IP Spoofing | X-Forwarded-For, X-Real-IP, X-Client-IP, True-Client-IP, CF-Connecting-IP, and 30+ more |
X-Forwarded-For: 127.0.0.1 |
| Host Override | X-Forwarded-Host, X-Host, X-Original-Host |
X-Host: allowed-origin.com |
| Custom IPs | User-defined list | Any IP you specify |
| Custom Headers | User-defined Header: Value pairs |
Load from wordlist file |
Use case: Testing if the application relies on easily spoofable headers for access control decisions (e.g., admin panels restricted by IP).
Tests path-level access control by manipulating the URL path using various encoding and normalization techniques.
What it tests:
| Technique | Checkbox | Example | Purpose |
|---|---|---|---|
| URL Encoding | Path Normalization |
/%61%64%6d%69%6e |
Bypass path-matching rules |
| Double URL Encoding | Path Normalization |
/%2561%2564%256d%2569%256e |
Exploit double-decode vulnerabilities |
| IIS Unicode Encoding | Path Normalization |
IIS short/wide Unicode variants | Target IIS-specific normalization |
| Case Flipping | Advanced Encoders |
/Admin, /ADMIN |
Case-sensitive path matching |
| Trailing Slash | Advanced Encoders |
/admin/ |
Path normalization differences |
| Dot-Segment Injection | Advanced Encoders |
/path/..;/admin |
Tomcat/Spring path traversal |
| Double Slash Prefix | Advanced Encoders |
//admin |
Proxy path confusion |
| JSON Suffix | Advanced Encoders |
/admin.json |
Content negotiation bypass |
| Semicolon Suffix | Advanced Encoders |
/admin; |
Parameter delimiter abuse |
| X-Rewrite-URL | Rewrite Tricks |
Header: /admin |
Frontend/backend path discrepancy |
| X-Original-URL | Rewrite Tricks |
Header: /admin |
URL override |
| X-Accel-Redirect | Rewrite Tricks |
Header: /admin |
Nginx / OpenResty internal redirect bypass |
| Custom Paths | β | User-defined paths | Load from wordlist file |
Allows you to select specific text within a request and fuzz just that portion with various encodings.
What it tests:
| Encoder | Description |
|---|---|
| URL Encode | Standard percent-encoding of selected text |
| Double URL Encode | Double-layer encoding |
| IIS Unicode Encode | IIS-specific Unicode mapping |
| UTF-8 Fullwidth Slash | Fullwidth character substitution |
| Custom Payloads | User-defined replacements from file or manual input |
Use case: When you've identified a specific parameter or path segment that might be vulnerable, select it and test encoding-specific bypasses.
A dedicated 4-phase pipeline for discovering and exploiting Web Cache Deception vulnerabilities. Each phase maps directly to a checkbox in the "Built-in Payloads" panel:
π New to Web Cache Deception? Read the in-depth guide Web Cache Deception & Poisoning to understand the theory behind every phase below before you start fuzzing.
π‘ Checkbox:
Delimiter Fuzzing| Config: Delimiter suffix text field
Identifies which characters the origin server treats as path delimiters.
/my-account?abc β 200 = '?' is a delimiter
/my-account#abc β 200 = '#' is a delimiter
/my-account%23abc β 200 = '%23' (encoded #) is a delimiter
/my-account%3fabc β 200 = '%3f' (encoded ?) is a delimiter
π‘ Checkbox:
Delimiter + Extension
Tests if the cache treats responses differently when combined with static file extensions.
/my-account?abc.js β Check X-Cache header
/my-account%23abc.css β Check X-Cache header
π‘ Checkbox:
Normalization Discrepancy| Config: Cache directory prefix text field
Tests whether the origin server and cache handle encoded dot-segments differently.
/aaa/..%2fmy-account β 404 = origin doesn't normalize
/aaa/..%2fresources/test β X-Cache:hit = cache DOES normalize!
/resources/..%2ftest β No cache = confirms /resources prefix rule
π‘ Checkbox:
Cache Deception Combos| Config: Cache directory prefix text field
Generates combined exploit payloads using discovered delimiters + cache normalization.
/my-account%23%2f%2e%2e%2fresources β 200 + X-Cache:hit = EXPLOIT! π―
How WCD works: The origin server sees
/my-account(because%23is treated as#delimiter), but the cache sees/resources(after normalizing..%2f). The cache stores the authenticated response, and any attacker can read it from cache.
Every fuzzing result is displayed in an intelligent, color-coded table:
| Column | Description |
|---|---|
| # | Row index |
| Variant | Name of the test (e.g., DELIM: '?', WCD: '%23' + traversal) |
| Status | HTTP status code |
| Cache | Cache status: HIT β
, MISS, PRIVATE π«, NO-STORE π«, HIT/Vary:Cookie, or raw X-Cache value |
| Words | Word count of the response body |
| Lines | Line count of the response body |
| Length | Response body length in bytes |
| Title | Extracted HTML <title> tag |
| RTT(ms) | Round-trip time in milliseconds |
| Notes | Auto-detected anomalies and sensitive data matches |
Automatic anomaly detection in Notes:
| Tag | Meaning |
|---|---|
SENSITIVE_DATA:JWT |
Response body contains a JWT token (also: CSRF, EMAIL, BEARER, SECRET) |
π― POTENTIAL BYPASS |
Baseline was a 40x error, but payload returned 2xx β strong bypass signal |
π REDIRECT BYPASS? |
401/403 baseline changed to a 30x redirect β possible auth bypass via redirect |
β οΈ BODY_BYPASS? |
Same 2xx status but body content changed β possible auth bypass with same code |
π PATH_CONFUSION |
404 baseline returned a non-404 response β path traversal or confusion |
CUSTOM:LABEL |
Response body matched a user-defined regex rule from the Settings tab |
STATUS_CHANGE |
Response status differs from baseline |
WORD_DELTA |
Word count differs from baseline |
LEN_DELTA |
Body length differs by >50 bytes |
BODY_DIFF |
MD5 hash of the response body differs from baseline despite same status |
RATE_LIMITED(429) |
Target is rate limiting. Delay automatically increased. |
β οΈ SESSION_DRIFT |
Original session is invalidated mid-scan |
X-Cache:hit |
Response served from cache |
X-Cache:miss |
Response not in cache (first request) |
CC:public,max-age=30 |
Cache-Control header value |
Age:15 |
Cache age in seconds |
Color coding:
- π©· Pink rows β Sensitive data in response body (
SENSITIVE_DATA:*) - π‘ Gold rows β Potential bypass detected (
π― POTENTIAL BYPASS) - π΅ Sky-blue rows β Redirect bypass hint (
π REDIRECT BYPASS?) - π Orange rows β Body-based bypass hint (
β οΈ BODY_BYPASS?) - π£ Lavender rows β Custom rule match (
CUSTOM:LABEL) - π’ Green rows β 2xx Success response
- π Light Blue rows β 3xx Redirects
- π‘ Light Yellow rows β 429 Rate Limited
- π΄ Red rows β 5xx Server errors
- βͺ Grey rows β -1 Connection Resets (WAF dropping packets)
Dynamic Sorting & Filtering: Use the "π Show Only Interesting" button to hide completely normal baseline-matching responses. Click any column header to instantly sort results by Status Code, Word Count, Length, or RTT. No need to scroll through hundreds of rows; one click reveals your bypass.
Double-click any row to open a dedicated inspection window powered by Burp Suite's native HTTP editors (HttpRequestEditor / HttpResponseEditor from the Montoya API). This is not a plain text viewer β it is the same editor component used in Burp's own Repeater and Proxy tabs.
The viewer opens as a non-modal split pane (request on the left, response on the right) with full tab support:
| Tab | Description |
|---|---|
| Raw | Full HTTP message exactly as sent/received, including headers and body |
| Pretty | Syntax-highlighted, auto-formatted view (JSON, HTML, XML) |
| Hex | Byte-level hexadecimal view for binary analysis |
| Render | Live HTML preview of the response β instantly see if the page contains API keys, tokens, or sensitive data without reading raw HTML |
π‘ You can open multiple viewer windows simultaneously to compare responses side by side. Each window is independent and stays open until you close it.
Changed your settings? No need to go back to HTTP history β click βΆ Re-run Fuzzing to re-execute with updated configuration.
- β Modify checkboxes, add custom payloads, change delay
- β Click βΆ Re-run β uses the same base request with new settings
- β Previous results are cleared automatically
Every custom text area includes π Load File and β Clear buttons.
- Supports
.txt,.lst,.csv,.listfiles - Appends to existing content (combine manual + file payloads)
- Shows line count feedback after loading
- Works with all custom fields: IPs, Headers, Paths, Payloads
Each tab includes an IP verification check to ensure your traffic is properly anonymized.
- Click Check External IP to verify your public IP
- OPSEC Warning Dialog β if you haven't verified your IP, the extension blocks fuzzing and shows a confirmation dialog to prevent accidental exposure of your real IP
- Configurable delay (ms) between requests to avoid rate limiting and WAF detection
| Feature | How |
|---|---|
| Send to Repeater | Extensively supports Multi-select (Ctrl+Click, Shift+Click). Right-click to find "Send All Selected" or "Send All Interesting". |
| Export CSV | Click Export CSV to save all tabular results |
| Site Map | All fuzzing requests are natively integrated and added to Burp's Site Map |
Access Context Fuzzer has been tested and proven effective against official PortSwigger Web Security Academy labs:
| Status | Lab | Technique Used | Extension Feature |
|---|---|---|---|
| β Solved | URL-based access control can be circumvented | Root-level URL rewrite via X-Original-URL header |
Header Bypass tab β URL Rewrite Override checkbox |
| β Solved | Host header authentication bypass | Host manipulation via X-Forwarded-Host |
Header Bypass tab β IP/Host spoofing |
| β Solved | Authentication bypass via information disclosure | Custom header X-Custom-IP-Authorization: 127.0.0.1 |
Header Bypass tab β Custom Headers |
| β Solved | Exploiting cache server normalization for WCD | Delimiter + encoded dot-segment + cache prefix | Cache Deception Combos checkbox |
π‘ These labs represent real-world vulnerability classes encountered in production applications. The extension automates the tedious manual testing process, reducing hours of work to seconds.
- Download the latest
access-context-fuzzer-*-jar-with-dependencies.jarfrom Releases - In Burp Suite, go to Extensions β Installed β Add
- Set Extension type to Java
- Select the downloaded JAR file
- Click Next β the Access Context tab appears
- Burp Suite Professional or Community Edition 2023.1+
- Java 17 or higher
- Browse to your target in Burp's built-in browser
- Find a request in Proxy β HTTP History
- Right-click the request and choose:
| Menu Item | When to Use |
|---|---|
| Access Context: Header Fuzz | Testing header-based access control (IP restrictions, host checks) |
| Access Context: Path Fuzz | Testing path-based access control (URL normalization, encoding bypass) |
| Access Context: Fuzz Selection | Testing a specific selected portion of the request |
- The extension switches to the appropriate tab and begins fuzzing
- Watch the progress bar and results table populate in real-time
- Look for green highlighted rows with
STATUS_CHANGEorWORD_DELTAin Notes
A step-by-step guide for testing WCD vulnerabilities:
Step 1: Enable "Delimiter Fuzzing" checkbox
β Find delimiters that return 200 (e.g., ?, #, %23)
Step 2: Enable "Delimiter + Extension" checkbox
β Check Notes column for X-Cache headers
Step 3: Enable "Norm Discrepancy" checkbox
β Set Cache Prefix to "/resources"
β Find normalization differences between origin and cache
Step 4: Enable "Cache Deception Combos" checkbox
β Look for rows with Status=200 AND X-Cache:hit
β That row's path is your exploit payload!
Step 5: Double-click the exploit row
β Verify API key / sensitive data in the Render tab
β Copy the path for your exploit server
- JDK 17+ (OpenJDK or Oracle JDK)
- Maven 3.6+
# Clone the repository
git clone https://github.com/Tagoletta/AccessContextFuzzer.git
cd AccessContextFuzzer
# Compile
mvn compile
# Build JAR with dependencies
mvn package
# Output: target/access-context-fuzzer-2.4.0-jar-with-dependencies.jarAccessContextFuzzer/
βββ src/
β βββ main/
β βββ java/
β βββ burp/
β βββ AccessContextFuzzer.java # Entry point (123 lines)
β βββ core/
β β βββ ExtensionContext.java # Shared state / DI container
β β βββ ScanEngine.java # Scan orchestration, WCD logic
β β βββ FuzzerEngine.java # Per-engine UI state
β β βββ FuzzResult.java # Data class: response + RTT
β β βββ Variant.java # Data class: name + request
β βββ payload/
β β βββ HeaderPayloadBuilder.java # Header bypass variants
β β βββ PathPayloadBuilder.java # Path + WCD variants
β β βββ SelectionPayloadBuilder.java # Selection encoding variants
β βββ ui/
β β βββ HeaderEngineTab.java
β β βββ PathEngineTab.java
β β βββ SelectionEngineTab.java
β β βββ ResultsPanel.java
β β βββ SettingsTab.java
β β βββ DiffDialog.java
β βββ util/
β βββ HttpUtils.java # Static helpers: status, cache, diff
β βββ EncoderUtils.java # URL/Unicode encoding helpers
βββ img/ # README screenshots
βββ .github/
β βββ workflows/
β βββ release.yml # Auto-build & release on tag push
βββ pom.xml # Maven build config
βββ .gitignore
βββ README.md
The following table summarizes all test variants generated by the extension:
| # | Variant | Header | Value |
|---|---|---|---|
| 1-8 | IP Spoofing (127.0.0.1) | X-Forwarded-For, X-Real-IP, X-Client-IP, True-Client-IP, CF-Connecting-IP, X-Cluster-Client-IP, Fastly-Client-IP, X-Azure-ClientIP |
127.0.0.1 |
| 9-16 | IP Spoofing (Custom IPs) | Same headers as above | User-defined IPs |
| 17-19 | Host Override | X-Forwarded-Host, X-Host, X-Original-Host |
User-defined hosts |
| 20-30 | WebDAV & Method Swap | METHOD |
MKCOL, COPY, PROPPATCH, GET, gEt, post |
| 31-38 | Content-Type Override | Content-Type, Accept |
application/xml, text/html |
| 39-45 | HTTP/2 & Scheme Injection | :authority, :path, X-Forwarded-Scheme, Front-End-Https |
localhost, https, on |
| 46+ | Custom Headers | User-defined | User-defined |
| # | Variant | Checkbox | Example | Technique |
|---|---|---|---|---|
| 1 | URL Encode | Path Normalization |
/%61%64%6d%69%6e |
Single URL encoding |
| 2 | Double URL Encode | Path Normalization |
/%2561%2564%256d%2569%256e |
Double encoding |
| 3 | IIS Unicode | Path Normalization |
IIS-mapped characters | IIS short filename |
| 4 | Case Flip | Advanced Encoders |
/Admin, /ADMIN |
Case sensitivity |
| 5 | Trailing Slash | Advanced Encoders |
/admin/ |
Path normalization |
| 6 | Dot-Segment | Advanced Encoders |
/..;/admin |
Tomcat/Spring bypass |
| 7 | Overlong UTF-8 & Unicode | Advanced Encoders |
..%c0%af, %ef%bc%8f, ..%5c |
Apache/IIS deep bypass |
| 8 | Double Slash | Advanced Encoders |
//admin |
Nginx/OpenResty proxy path confusion β targets misconfigurations in location block matching |
| 9 | JSON Suffix | Advanced Encoders |
/admin.json |
Content negotiation bypass |
| 9 | Semicolon | Advanced Encoders |
/admin; |
Delimiter abuse |
| 10 | X-Rewrite-URL | Rewrite Tricks |
Header: /admin |
URL rewrite (IIS/ASP.NET) |
| 11 | X-Original-URL | Rewrite Tricks |
Header: /admin |
URL override (IIS/ASP.NET) |
| 12 | X-Accel-Redirect | Rewrite Tricks |
Header: /admin |
Nginx / OpenResty internal redirect bypass β targets X-Accel-Redirect header handling in Nginx reverse proxy setups |
| 13+ | Delimiter Fuzzing | Delimiter Fuzzing |
/admin?abc, /admin%23abc |
WCD Phase 1 |
| 20+ | Delimiter + Extension | Delimiter + Extension |
/admin?abc.js |
WCD Phase 2 |
| 30+ | Norm Discrepancy | Normalization Discrepancy |
/aaa/..%2fadmin |
WCD Phase 3 |
| 40+ | Cache Deception Combo | Cache Deception Combos |
/admin%23%2f%2e%2e%2fresources |
WCD Phase 4 |
Place the following screenshots in the img/ directory:
| Filename | What to Capture |
|---|---|
banner.png |
A branded banner image (1200Γ300 recommended) |
overview.png |
Full extension window showing all three tabs |
three_tabs.png |
Close-up of the tab bar (Header Bypass, Path/GET Bypass, Selection Fuzz) |
header_bypass_tab.png |
Header Bypass tab with settings and results populated |
path_bypass_tab.png |
Path/GET Bypass tab showing WCD checkboxes |
selection_fuzz_tab.png |
Selection Fuzz tab with custom payloads |
wcd_settings.png |
Close-up of the WCD settings panel (delimiter, extension, norm, combo checkboxes) |
wcd_results.png |
Results table showing X-Cache headers in Notes column |
results_table.png |
Color-coded results table with anomalies highlighted |
request_response_viewer.png |
Double-click dialog showing Burp's native Request/Response editors |
rerun_button.png |
Control panel showing the βΆ Re-run Fuzzing button |
load_file.png |
Custom textarea with Load File button and "X lines loaded" feedback |
opsec_check.png |
OPSEC panel showing verified IP address |
installation.png |
Burp Extensions tab showing the loaded extension |
context_menu.png |
Right-click context menu showing the three Access Context options |
lab_success.png |
Screenshot showing solved PortSwigger labs (green "Solved" banners) |
This tool is designed for authorized security testing only. Always ensure you have proper authorization before testing any target. The OPSEC features (IP verification, configurable delays) are provided to help testers operate safely and responsibly.
Contributions are welcome! Here's how to get started:
- Fork the repository
- Create a feature branch (
git checkout -b feature/awesome-feature) - Commit your changes (
git commit -m 'Add awesome feature') - Push to the branch (
git push origin feature/awesome-feature) - Open a Pull Request
- Additional encoding schemes (e.g., Base64, Punycode)
- GraphQL-specific bypass techniques
- Collaborative notes / tagging for results
- Auto-detect interesting responses using ML heuristics
- WCD two-phase verification (automated attacker re-request to confirm cached content)
- Persistent scan history across Burp restarts (serialize to file)
This project is licensed under the MIT License β see the LICENSE file for details.
- PortSwigger β for Burp Suite and the Montoya API
- PortSwigger Web Security Academy β for the Web Cache Deception labs that inspired the WCD module
- The security research community for documenting access control bypass techniques
- Web Cache Deception & Poisoning β a deep dive into the attack classes this extension automates
Developed with π‘οΈ by Tagoletta
For detailed write-ups, development stories, and more security tools, visit tagmachan.com















