This plugin finds .htaccess misconfigurations in the LIMIT configuration parameter. This plugin is based on a paper written by Frame and madjoker from The paper is called : “htaccess: bilbao method exposed” The idea of the technique (and the plugin) is to exploit common misconfigurations of .htaccess files like this one: <LIMIT GET> require valid-user </LIMIT> The configuration only allows authenticated users to perform GET requests, but POST requests (for example) can be performed by any user.

Plugin type



This plugin doesn’t have any user configured options.


For more information about this plugin and the associated tests, there’s always the source code to understand exactly what’s under the hood:
github-logoPlugin source code
Unittest source code


This plugin has no dependencies.