OJ / gobuster

Directory/File, DNS and VHost busting tool written in Go
Apache License 2.0

Detect/report on redirect loops #64

Open 0xdevalias opened 7 years ago

0xdevalias commented 7 years ago

Currently, if a redirect loop is hit while using -r then gobuster spins a few times, then returns the following (at least if it's on the initial/base URL):

[-] Unable to connect: https://example.com/somepath/

https://github.com/OJ/gobuster/blob/7a6d1c068e3e89ee9b3c0c01cb3946957143a0c9/main.go#L412

Looking at my logs, the server is redirecting like so:

301 https://example.com/somepath/
301 https://example.com/somepath
301 https://example.com/somepath/
..etc..

Obviously, if we don't follow redirects with -r this issue won't happen.

This would be interesting to detect on, because in this instance, a non-existent folder will redirect to a 404, whereas an existing folder will enter this redirect loop.

OJ commented 7 years ago

Ooh! Great catch! This could be the kind of thing that's causing other issues as well.
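One way a Go HTTP client can tell the loop described in this issue apart from a plain connection failure, as an added example (not gobuster's code, not from either commenter). It uses net/http's `CheckRedirect` hook; `ErrRedirectLoop`, `fakeSite`, `site`, `checkLoop` and `probe` are hypothetical names, and the in-memory site is constructed to mirror the logged 301 sequence.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ErrRedirectLoop is a hypothetical sentinel, not a gobuster identifier.
var ErrRedirectLoop = errors.New("redirect loop")

// fakeSite is a constructed in-memory server: path -> redirect target, else 404.
type fakeSite map[string]string
var site = fakeSite{"/somepath/": "/somepath", "/somepath": "/somepath/", "/missing/": "/404"}

func (s fakeSite) RoundTrip(r *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder() // answered in memory, no socket is opened
	if to, ok := s[r.URL.Path]; ok {
		http.Redirect(rec, r, to, http.StatusMovedPermanently)
	} else {
		http.NotFound(rec, r)
	}
	return rec.Result(), nil
}

// checkLoop is a CheckRedirect hook: fail once the next URL was already requested.
func checkLoop(req *http.Request, via []*http.Request) error {
	for _, prev := range via {
		if prev.URL.String() == req.URL.String() {
			return fmt.Errorf("%w: %s", ErrRedirectLoop, req.URL)
		}
	}
	if len(via) >= 10 { // keep the cap net/http applies when no hook is set
		return errors.New("stopped after 10 redirects")
	}
	return nil
}

// probe returns the final status code, or an error wrapping ErrRedirectLoop.
func probe(url string) (int, error) {
	resp, err := (&http.Client{Transport: site, CheckRedirect: checkLoop}).Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() { fmt.Println(probe("https://example.com/somepath/")) }
```

A caller can test the result with `errors.Is(err, ErrRedirectLoop)` and report the loop as its own outcome instead of folding it into a generic connection error.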