Closed ajdinre closed 4 years ago
Gobuster does not parse the returned pages; it only requests the files from your wordlists. So if your wordlists do not contain the word `ona`, it will not be picked up.
Gobuster doesn't do anything "smart" with regards to dynamic modification of the wordlist based on the results of the brute force. It doesn't parse `robots.txt` automatically, it doesn't look at `Location` headers, it doesn't parse anchor tags, and it certainly doesn't look at `action` attributes in `form` tags. It's a very simple (and rather speedy) brute-forcing tool.
The case you're describing requires parsing of HTML content and dynamically adding this to the list of testable words. It's not a redirect (as you've implied in the title). `/music` returns a `200`.
Dynamic parsing and wordlist modification isn't something gobuster will be doing. Once a page has been discovered, it's then up to you to go find out what that means rather than relying on the tool to do that for you.
So I'm running a gobuster scan on a HackTheBox machine. The `/music` page contains a login with a login button redirecting to `../ona`, and running gobuster doesn't find the `ona` folder.
Gobuster was run with `gobuster dir -r -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u -x php,html -t 100 -s 200,204,301,302,307,403`
It seems as if Gobuster didn't pick up the `../ona` folder. I tried running it multiple times. I also checked the whole log; it never found or returned an error containing "/ona".
Dirbuster picked it up right away; not sure what's going on here. Maybe it doesn't understand the double dots?
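
The gap discussed in this thread, as an added example that is not part of the issue or of gobuster's code: it parses one already-discovered page, resolves its `href`, `action` and `src` references (including `../`), and lists the first path segments the wordlist does not contain. The host name, the sample HTML, the wordlist and all function names are constructed for illustration, and the login button is assumed to be a form `action`.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that can carry a URL, per tag (anchor and form tags as named above).
URL_ATTRS = {"a": ("href",), "form": ("action",), "script": ("src",)}


class RefCollector(HTMLParser):
    """Collect raw URL references from anchor, form and script tags."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag, ())
        self.refs += [v for k, v in attrs if k in wanted and v]


def referenced_paths(page_url, html):
    """Resolve every reference against page_url; keep same-host paths only."""
    collector = RefCollector()
    collector.feed(html)
    host = urlsplit(page_url).netloc
    paths = set()
    for ref in collector.refs:
        target = urlsplit(urljoin(page_url, ref))  # collapses "../" segments
        if target.scheme in ("http", "https") and target.netloc == host:
            paths.add(target.path or "/")
    return paths


def missed_by_wordlist(page_url, html, wordlist):
    """Return first path segments the page links to that the wordlist lacks."""
    words = {w.strip() for w in wordlist if w.strip() and not w.startswith("#")}
    firsts = {p.strip("/").split("/")[0] for p in referenced_paths(page_url, html)}
    return sorted(s for s in firsts if s and s not in words)


# Constructed sample: a login page like the one described, served at /music/.
SAMPLE_URL = "http://target.example/music/"
SAMPLE_HTML = """<html><body>
<a href="index.html">Home</a> <a href="https://other.example/x">ext</a>
<form action="../ona" method="post"><input name="user"><button>Login</button></form>
<script src="/js/app.js"></script>
</body></html>"""
SAMPLE_WORDLIST = ["# constructed wordlist", "music", "js", "images", "admin"]

if __name__ == "__main__":
    print(missed_by_wordlist(SAMPLE_URL, SAMPLE_HTML, SAMPLE_WORDLIST))
```

A brute-forcer that only requests wordlist entries never sees `/ona` here, while a tool that parses the page body does; appending the reported segments to the wordlist closes that gap for the next run.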