Open johnnich10 opened 3 years ago
Are you suggesting matching the status code of the final path instead/in addition to the original response
If so, we currently don't support it, but I think it's a valid matching case that can be built in.
The max redirects option dictates how many redirects to follow. Not which redirect will be matched on.
It might be worthwhile adding a flag that analyses the Nth request in a redirect chain against baselines. Something like --validate-redirect, where the options are off, all, last and N, where N is a positive integer corresponding to the Nth request to match.
Have you got any example hosts to test this against? If they're internal or private that's fine. I'll try and mock up a test server to replicate when building out the functionality.
@minight Try on https://chain.link
./kr brute https://chain.link -x 800 -d=0 --ignore-length=34 --fail-status-codes 400,401,404,403,501,502,426,411,503 -A=apiroutes-210228:20000
Look at how it clutters the stdout, because for any non-existing /path/ it redirects to /path, which is a 404 page, which will be the case for "most" of the bruted pages as they will be non-existing.
Yes. I think a feature which allows me to match the status code of the redirected path and filter them out would be great.
Hello,
Thanks for authoring this tool. While performing testing, I noticed that the tool shows an abnormal number of 301 and 302 redirects which eventually are leading to 404.
I'm currently running with
-A=raft-large-words -A=apiroutes-210228:20000 --fail-status-codes 400,401,404,403,501,502,426,411,503
and I find that, if the kiterunner encounters a path like /test/ which issues a 301 or 302 redirection to /test which throws a 404 status code, the kiterunner would log it as a 301 entry on stdout because it sees the first redirection, and it does this for lots of redirects similar to this, cluttering the stdout. I tested against multiple domains, and lots of web servers redirect /test/ (directory request) to /test (file request). I saw that there was a setting called --max-redirects; I set it to a larger value but that didn't help either. I'm expecting a behavior where KiteRunner not only follows the redirect "but" also checks the status code of the redirected url and matches it against the fail status codes. I cannot find any functionality to aid this. Also, going down to further redirect levels would also be nice (I thought --max-redirects would stop this, but it didn't.. weird, and this is like only 1 redirection).
Either I might have missed it or it's not implemented (?). Please help and thanks for all the hard work!
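As an added illustration of the redirect-chain matching this thread is asking for, and not code from kiterunner or from either participant, the Go program below walks a redirect chain against a constructed response table (offline, no network) and then applies the proposed --validate-redirect modes (off, all, last, N) to the chain using a --fail-status-codes list. It shows why --max-redirects alone cannot filter the /test/ -> /test -> 404 case: it only bounds how far the chain is followed, not which hop is judged. The type and function names, the fallback to the final hop when N is past the end of the chain, and the reading of "all" as "filter if any hop's status is in the fail list" are assumptions for this example, not the project's design.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// failSet is the parsed form of a --fail-status-codes list such as "400,404".
type failSet map[int]bool

// parseFailCodes turns a comma-separated status code list into a failSet,
// rejecting anything that is not a three-digit HTTP status code.
func parseFailCodes(s string) (failSet, error) {
	set := failSet{}
	for _, part := range strings.Split(s, ",") {
		part = strings.TrimSpace(part)
		if part == "" {
			continue
		}
		code, err := strconv.Atoi(part)
		if err != nil || code < 100 || code > 599 {
			return nil, fmt.Errorf("bad status code %q", part)
		}
		set[code] = true
	}
	return set, nil
}

// response is a constructed stand-in for what a server returns for a path.
type response struct {
	Status   int
	Location string // redirect target; only meaningful for 3xx
}

// hop is one response observed while following a redirect chain.
type hop struct {
	Path   string
	Status int
}

// followChain requests path against the constructed server table and follows
// Location headers for at most maxRedirects hops, recording every status seen.
// Unknown paths answer 404, as in the report. maxRedirects only bounds how far
// the chain is walked; it says nothing about which hop gets matched.
func followChain(path string, maxRedirects int, server map[string]response) []hop {
	var chain []hop
	for redirects := 0; ; redirects++ {
		r, ok := server[path]
		if !ok {
			r = response{Status: 404}
		}
		chain = append(chain, hop{Path: path, Status: r.Status})
		isRedirect := r.Status >= 300 && r.Status <= 399 && r.Location != ""
		if !isRedirect || redirects >= maxRedirects {
			return chain
		}
		path = r.Location
	}
}

// chainFails reports whether a chain should be filtered out under the
// proposed --validate-redirect mode (assumed semantics, not kiterunner's):
//   off  - judge only the first response (the behaviour the report describes)
//   all  - filter if any hop's status is in the fail list
//   last - judge only the final response
//   N    - judge the Nth hop (1-based); past the end, fall back to the last hop
func chainFails(chain []hop, mode string, fail failSet) (bool, error) {
	if len(chain) == 0 {
		return false, errors.New("empty redirect chain")
	}
	switch mode {
	case "off", "":
		return fail[chain[0].Status], nil
	case "all":
		for _, h := range chain {
			if fail[h.Status] {
				return true, nil
			}
		}
		return false, nil
	case "last":
		return fail[chain[len(chain)-1].Status], nil
	}
	n, err := strconv.Atoi(mode)
	if err != nil || n < 1 {
		return false, fmt.Errorf("invalid --validate-redirect value %q", mode)
	}
	if n > len(chain) {
		n = len(chain)
	}
	return fail[chain[n-1].Status], nil
}

func main() {
	// Constructed server mirroring the report: /test/ 301s to /test, a 404.
	server := map[string]response{
		"/test/":  {Status: 301, Location: "/test"},
		"/test":   {Status: 404},
		"/admin/": {Status: 302, Location: "/admin"},
		"/admin":  {Status: 200},
	}
	fail, err := parseFailCodes("400,401,404,403,501,502,426,411,503")
	if err != nil {
		panic(err)
	}
	for _, start := range []string{"/test/", "/admin/"} {
		chain := followChain(start, 5, server)
		for _, mode := range []string{"off", "last", "all"} {
			filtered, _ := chainFails(chain, mode, fail)
			fmt.Printf("%-8s mode=%-4s chain=%v filtered=%v\n", start, mode, chain, filtered)
		}
	}
}
```

Running it shows /test/ reported under mode off (the first hop is a 301, which is not in the fail list) but filtered under last and all (the final hop is a 404), while /admin/ survives every mode because its chain ends in a 200. A chain cut short by --max-redirects is still judged on whatever hops were observed.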