slicingmelon/gobypass403 — reverse-engineered prompt

Build me a command line tool in Go for authorized security testing that helps check whether a site protected by a WAF or access rules can be reached with alternate request formats when it normally returns 403 or 401.

The main thing I care about is that it sends truly raw HTTP requests and keeps the exact URL path exactly as typed, without normalizing or re encoding it. I want to be able to test one URL or a whole file of URLs, try lots of common bypass tricks like path changes, case changes, encoding variations, header based tricks, method changes, and some server specific and CDN host substitution checks. It should let me tune concurrency, timeouts, retries, delays, redirects, proxy use, HTTP2, custom headers, and optionally strict scheme handling.

Please make the output useful for real testing, with filters for status codes, content type, and response size, plus a debug mode that can save a token and resend the exact same request later. If you need details, look up the current docs online.