assetnote / kiterunner

Contextual Content Discovery Tool
GNU Affero General Public License v3.0

Scan incomplete in multiple occasions #16

Open dinosn opened 3 years ago

dinosn commented 3 years ago

Hello,

Thank you for creating the tool; it's amazing for API endpoint scanning. During the tests I have encountered some issues, as described below.

Case 1.

On multiple occasions and on different targets the scan is incomplete, with the following being shown as the result:

 100% |█████| (16850/215157, 250 it/s)              
8:40PM INF scan complete duration=68961.101014 results=0

As one can see, the items processed do not match the full list, though the % indication is showing 100%. The same case will appear with the brute method.

Case 2.

On the latest version the -w parameter (kr scan -w /root/.cache/kiterunner/wordlists/httparchive_apiroutes_2021_03_28.kite URL -x 30) will force a quick scan, which additionally requires actions to proceed:

| SETTING              | VALUE                                                                                                                            |
+----------------------+----------------------------------------------------------------------------------------------------------------------------------+
| delay                | 0s                                                                                                                               |
| full-scan            | false                                                                                                                            |
| full-scan-requests   | 215157                                                                                                                           |
| headers              | [x-forwarded-for:127.0.0.1]                                                                                                      |
| kitebuilder-apis     | [/root/.cache/kiterunner/wordlists/httparchive_apiroutes_2021_03_28.kite]                                                        |
| max-conn-per-host    | 30                                                                                                                               |
| max-parallel-host    | 50                                                                                                                               |
| max-redirects        | 3                                                                                                                                |
| max-timeout          | 3s                                                                                                                               |
| preflight-routes     | 11                                                                                                                               |
| quarantine-threshold | 10                                                                                                                               |
| quick-scan-requests  | 12                                                                                                                               |
| read-body            | false                                                                                                                            |
| read-headers         | false                                                                                                                            |
| scan-depth           | 1                                                                                                                                |
| skip-preflight       | false                                                                                                                            |
| target               | https://URL                                                                                                |
| total-routes         | 215113                                                                                                                           |
| user-agent           | Chrome. Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36 |
+----------------------+----------------------------------------------------------------------------------------------------------------------------------+

 100% |█████| (12/12, 6637 it/s)
8:45PM INF no results found
? Continue Scanning with full wordlist? [y/n]? [y/N] █

Accepting continue will proceed with the full list. I don't seem to find a way to proceed directly without requiring confirmation. The initial action for the tool was specified in the command line as a wordlist scan.

Thank you again for providing a great tool.

Regards, Nicolas

minight commented 3 years ago

Case 1.

This is potentially a bug with the calculations for the progress bar.

Case 2.

--kitebuilder-full-scan will allow you to immediately perform a full scan without requiring confirmation while in scan mode. The first scan performs a minimised scan where 1 path from each API is used, and if any of the paths return, then the corresponding APIs are fully tested.
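To make the two-phase behaviour described above concrete, here is an added Go example that is not kiterunner's own code: it models the selection logic on a constructed six-route wordlist with an offline responder, so no requests are sent. The names Route, QuickScanPlan, sampleRoutes and liveUsersAPI are assumptions for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Route is one candidate path from a wordlist, tagged with the API
// (source spec) it was harvested from. Constructed type, not kiterunner's.
type Route struct {
	API  string
	Path string
}

// Probe reports whether a request for path produced an interesting response.
// It is injected so the planning logic can be exercised offline.
type Probe func(path string) bool

// QuickScanPlan models the two-phase strategy from the thread:
// phase 1 sends one representative path per API; phase 2 sends the remaining
// paths of every API whose representative returned a hit. fullScan=true skips
// phase 1 and returns every route, mirroring --kitebuilder-full-scan.
func QuickScanPlan(routes []Route, probe Probe, fullScan bool) (phase1, phase2 []Route) {
	if fullScan {
		return nil, routes
	}
	byAPI := map[string][]Route{}
	var order []string // first-seen order keeps the plan deterministic
	for _, r := range routes {
		if _, seen := byAPI[r.API]; !seen {
			order = append(order, r.API)
		}
		byAPI[r.API] = append(byAPI[r.API], r)
	}
	for _, api := range order {
		rep := byAPI[api][0]
		phase1 = append(phase1, rep)
		if probe(rep.Path) {
			phase2 = append(phase2, byAPI[api][1:]...)
		}
	}
	return phase1, phase2
}

// sampleRoutes is a constructed mini wordlist: three APIs, six paths in total.
var sampleRoutes = []Route{
	{"petstore", "/v2/pet"}, {"petstore", "/v2/store/order"},
	{"users", "/api/users"}, {"users", "/api/users/me"}, {"users", "/api/users/search"},
	{"billing", "/billing/invoices"},
}

// liveUsersAPI is a constructed responder: only the "users" API exists on the host.
func liveUsersAPI(path string) bool { return strings.HasPrefix(path, "/api/users") }

func main() {
	p1, p2 := QuickScanPlan(sampleRoutes, liveUsersAPI, false)
	fmt.Printf("quick-scan requests: %d, follow-up requests: %d\n", len(p1), len(p2))
	_, full := QuickScanPlan(sampleRoutes, liveUsersAPI, true)
	fmt.Printf("full-scan requests: %d\n", len(full))
}
```

With the sample data the quick scan costs 3 requests and only the two remaining "users" paths are queued afterwards, whereas the full-scan flag queues all 6 up front, which is the trade-off the confirmation prompt is guarding.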

Sy3Omda commented 3 years ago

--kitebuilder-full-scan will allow you to immediately perform a full scan without requiring confirmation while in scan mode. The first scan performs a minimised scan where 1 path from each API is used, and if any of the paths return, then the corresponding APIs are fully tested.

Which exact list is loaded when using this argument? I see a number of 53033 when passing this argument.
