search

OJ / gobuster

Directory/File, DNS and VHost busting tool written in Go
Apache License 2.0
9.91k stars 1.19k forks source link

Possible bug in vhost mode when website is behind cloudflare #203

Closed erev0s closed 2 years ago

erev0s commented 4 years ago

When in vhost mode and run against a website which is NOT behind cloudflare then everything is fine. When I put the website behind cloudflare though

er@erev0s:~$ gobuster vhost -u erev0s.com -w awesome_wordlist.txt -v
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:          http://erev0s.com
[+] Threads:      10
[+] Wordlist:     awesome_wordlist.txt
[+] User Agent:   gobuster/3.0.1
[+] Verbose:      true
[+] Timeout:      10s
===============================================================
2020/02/02 21:57:42 Starting gobuster
===============================================================
Found: sgdfsd.erev0s.com (Status: 530) [Size: 3671]
Found: agsfdg.erev0s.com (Status: 530) [Size: 3671]
Found: hi.erev0s.com (Status: 530) [Size: 3659]
Found: fgsdfg.erev0s.com (Status: 530) [Size: 3671]
Found: www.erev0s.com (Status: 301) [Size: 338]
===============================================================
2020/02/02 21:57:42 Finished
===============================================================

As you can see it reports everything as found as Cloudflare returns status 530.

Maybe this is not classified as a bug, as it may not be considered as a problem with the code but rather you did not include the specific http code. Maybe you could include similar flags like in the dir mode so there are whitelisting/blacklisting status code capabilities to the vhost as well.

thank you for this awesome tool & keep up the great work

r3k2 commented 2 years ago

I also think this is important. please add options to ignore/add custom status

hobobandy commented 2 years ago

old, but the feature still isn't in, so i pipe to grep and exclude based on size like ffuf -fs

gobuster vhost -u http://domain.com/ -w namelist.txt | grep -v '[Size: 2395]'

firefart commented 2 years ago

you an use --status-codes-blacklist 404,530 to exclude this status code

bobito25 commented 2 years ago

you an use --status-codes-blacklist 404,530 to exclude this status code

--status-codes-blacklist is for gobuster dir and not gobuster vhost?