OJ / gobuster

Directory/File, DNS and VHost busting tool written in Go

Apache License 2.0

9.6k stars 1.17k forks source link

Stop on Rate limit flag #363

Open tarunKoyalwar opened 1 year ago

tarunKoyalwar commented 1 year ago

Description

Usually lot of subdomains have rate limits while bruteforcing for directories gobuster should stop if server responds with 429 status code but gobuster does not stop or exit and runs until wordlist which is meaning less and sometimes depending on implementation server might blacklist IP address

Solution

This should be implemented directly however if not at least a --stop-at-rtl flag should be available

I would love to contribute if agreed

antoninoLorenzo commented 2 weeks ago

I also encountered this issue, however rather than stopping I think a throttling mechanism would be more useful. If you are going to fix this you should consider:

throttling after 429 (your case)
throttling by default, it would be useful if something more advanced of a rate limit is in place;
edge cases such as X-RateLimit-Limit header (common in APIs)