> ## Documentation Index
> Fetch the complete documentation index at: https://mintlify.com/sammwyy/mikuMikuBeam/llms.txt
> Use this file to discover all available pages before exploring further.

# HTTP Bypass

> Stealth HTTP attack with browser-like behavior to bypass protections

## Overview

HTTP Bypass is a sophisticated Layer 7 attack method designed to mimic legitimate browser traffic and bypass common DDoS protection mechanisms. It generates realistic HTTP requests with randomized paths, query parameters, headers, referrers, and cookies to appear as authentic user traffic.

<Note>
  This attack method is optimized to evade detection by simulating real browser behavior patterns.
</Note>

## How it works

The HTTP Bypass attack uses advanced evasion techniques:

1. **Path Randomization**: Generates random resource-like paths
   * Examples: `/abc123.js`, `/def456/test.css`, `/xyz789.png`
   * Includes common web resource extensions (js, css, png, jpg, svg)
2. **Query Parameter Injection**: 50% chance to add cache-busting parameters (`?_=random`)
3. **Browser Mimicry**: Uses `DialedMimicHTTPClient` for realistic connection patterns
4. **Header Spoofing**: Sets browser-like headers via `SetMimicHeaders()`
5. **Referrer Rotation**: 50% chance to include referrer
   * Same-origin referrer (target site's homepage)
   * Or popular sites (google.com, youtube.com, twitter.com)
6. **Cookie Injection**: 50% chance to add tracking cookies (`_ga`, `_gid`)
7. **Request Method**: 80% GET, 20% POST requests
8. **Content-Type**: POST requests use `application/x-www-form-urlencoded`

## When to use

HTTP Bypass is ideal for:

* **Testing WAF effectiveness**: Evaluate if your Web Application Firewall can detect sophisticated attacks
* **CDN bypass testing**: Check if CDN protection can distinguish attack traffic from legitimate users
* **Rate limiting validation**: Verify if rate limiting applies to "realistic" traffic
* **Bot detection testing**: Test anti-bot systems under realistic attack scenarios
* **Resilience against advanced threats**: Simulate APT-style low-and-slow attacks

<Warning>
  This method is designed to bypass security controls. Only use on systems you own or have explicit authorization to test.
</Warning>

## Usage

Basic HTTP Bypass attack:

```bash theme={null}
mmb attack http_bypass https://example.com
```

With custom configuration:

```bash theme={null}
mmb attack http_bypass https://example.com \
  --duration 180 \
  --delay 300 \
  --packet-size 256 \
  --threads 16 \
  --verbose
```

### Parameters

<ParamField path="target" type="string" required>
  Target URL including protocol (http\:// or https\://)
</ParamField>

<ParamField path="--duration" type="int" default="60">
  Attack duration in seconds
</ParamField>

<ParamField path="--delay" type="int" default="500">
  Delay between requests in milliseconds per thread
</ParamField>

<ParamField path="--packet-size" type="int" default="512">
  Size of POST body payload. Minimum 256 bytes used if value is lower.
</ParamField>

<ParamField path="--threads" type="int" default="0">
  Number of concurrent threads (0 = number of CPU cores)
</ParamField>

<ParamField path="--verbose" type="boolean" default="false">
  Show detailed logs including headers, paths, and proxy usage
</ParamField>

<ParamField path="--no-proxy" type="boolean" default="false">
  Allow running without proxies (reduces stealth)
</ParamField>

## Expected behavior

### Console output

Standard mode:

```
Starting http_bypass against https://example.com with 200 proxies
22:10:15 PPS:156 Total:156 Proxies:200
22:10:16 PPS:168 Total:324 Proxies:200
22:10:17 PPS:171 Total:495 Proxies:200
```

Verbose mode:

```
Starting http_bypass against https://example.com with 200 proxies
Verbose mode enabled - showing detailed attack logs
22:10:15 PPS:156 Total:156 Proxies:200 [SOCKS5 stealthproxy.net:1080 -> https://example.com]
22:10:16 PPS:168 Total:324 Proxies:200 [HTTP proxy.service.io:3128 -> https://example.com]
```

### Request examples

GET request with randomized path and referrer:

```http theme={null}
GET /abc123/test.js?_=xy78z456 HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)...
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.google.com
Connection: keep-alive
```

POST request with cookies:

```http theme={null}
POST /def456.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...
Content-Type: application/x-www-form-urlencoded
Cookie: _ga=GA1.2.12345678; _gid=GA1.2.87654321
Content-Length: 256

[random 256-byte payload]
```

## Technical implementation

Implementation details from `internal/attacks/http/bypass.go:21-70`:

* **Client**: Uses `DialedMimicHTTPClient` with 6-second timeout
* **Path generation**: `randomPath()` creates resource-like URLs
* **Header spoofing**: `SetMimicHeaders()` applies browser fingerprint
* **Randomization**: Multiple randomness layers for unpredictability
* **URL manipulation**: Preserves existing path while appending random segments
* **Response handling**: Discards response bodies to conserve resources

## Evasion techniques breakdown

<AccordionGroup>
  <Accordion title="Path randomization strategy">
    The attack generates paths that look like real web resources:

    * 33% chance of nested paths (`random1/random2.ext`)
    * 67% chance of single-level paths (`random.ext`)
    * Extensions: blank (30%), .js, .css, .png, .jpg, .svg
    * Makes pattern-based blocking difficult
  </Accordion>

  <Accordion title="Header mimicry">
    The `SetMimicHeaders()` function adds:

    * Realistic `Accept` headers for HTML, CSS, JS, images
    * `Accept-Language` with locale preferences
    * `Accept-Encoding` with compression support
    * `DNT` (Do Not Track) header
    * Browser-specific connection settings
  </Accordion>

  <Accordion title="Referrer spoofing">
    50% of requests include referrers:

    * Same-origin: Points to target's homepage
    * Cross-origin: Popular sites (Google, YouTube, Twitter)
    * Simulates traffic from search engines and social media
  </Accordion>

  <Accordion title="Cookie simulation">
    Random Google Analytics-style cookies:

    * `_ga`: Primary tracking cookie
    * `_gid`: Secondary identifier
    * Makes requests appear from tracked sessions
  </Accordion>
</AccordionGroup>

## Best practices

<Steps>
  <Step title="Use with realistic delays">
    Set `--delay` to 500-1000ms to simulate human browsing patterns.
  </Step>

  <Step title="Rotate quality proxies">
    Use residential or mobile proxies for maximum stealth. Data center IPs are easier to block.
  </Step>

  <Step title="Combine with user agents">
    Configure `user_agents.txt` with current browser fingerprints for better mimicry.
  </Step>

  <Step title="Monitor target responses">
    Use `--verbose` to observe if requests are being blocked or rate-limited.
  </Step>
</Steps>

## Detection and mitigation

If you're defending against HTTP Bypass attacks:

* **Behavioral analysis**: Monitor for unusual request patterns even with valid headers
* **Session tracking**: Verify cookie consistency across requests
* **JavaScript challenges**: Require client-side execution (this attack can't execute JS)
* **CAPTCHA**: Challenge suspicious traffic sources
* **Rate limiting**: Apply per-IP and per-session limits
* **TLS fingerprinting**: Verify TLS handshake matches claimed browser

## Related attack methods

<CardGroup cols={2}>
  <Card title="HTTP Flood" icon="water" href="/attacks/http-flood">
    High-volume HTTP request flood
  </Card>

  <Card title="HTTP Slowloris" icon="hourglass-half" href="/attacks/http-slowloris">
    Slow connection attack to exhaust resources
  </Card>
</CardGroup>
