epi052 / feroxbuster

A fast, simple, recursive content discovery tool written in Rust.
https://epi052.github.io/feroxbuster/
MIT License

[FEATURE REQUEST] Is there an option to not go for another request before the tool didn't receive a response from the server #1136

Closed jedai47 closed 3 weeks ago

jedai47 commented 2 months ago

Is your feature request related to a problem? Please describe.

A clear and concise description of what the problem is. Ex. I'm always frustrated when the server bans my IP since it's very slow to respond to a request; it takes about 15 seconds to respond to a request

Describe the solution you'd like

An option to not go for another request before the tool has received a response from the server

epi052 commented 2 months ago

howdy!

you should be able to use -t 1 -L 1 to achieve what you're asking for.

https://epi052.github.io/feroxbuster-docs/docs/configuration/limit-connections/

jedai47 commented 2 months ago

i tried that but it didn't work; i still see multiple requests going out without waiting for the response from the server. here is the url example: https://www.poledesanteduvilleneuvois.fr/

jedai47 commented 2 months ago

i also added: --rate-limit 1 but still without success

epi052 commented 2 months ago

--rate-limit 1 -L 1 should give you one request per second to the target. it may take a few requests at the beginning to slow down to 1/sec

jedai47 commented 2 months ago

well i guess we get banned in the few requests at the beginning, so do you think you can improve the tool's behavior?

epi052 commented 2 months ago

-L 1 forces only a single directory at a time, limiting that form of asynchronicity.

-t 1 means only a single thread is operating at a time. the requests are likely to still go out asynchronously, but the responses should be handled as they're received by the single thread, slowing down the sending once responses start flowing.

ultimately, what you want is a synchronous client, and feroxbuster doesn't support that.

if you happen to write rust code, i have a library you could use to build your own synchronous fuzzer https://github.com/epi052/feroxfuzz

jedai47 commented 2 months ago

Oh i see, thanks for your response. i'm not good at rust. Do you know any other tool that works synchronously?

epi052 commented 2 months ago

you can check gobuster/ffuf/wfuzz. there are others, but some names are escaping me rn.

gobuster and ffuf are both async tools, so may have a similar problem to ferox in that regard. wfuzz may be single threaded but i'm not sure.

if you truly need something super slow, you could always write a simple python script with requests

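import requests  # url (base URL string) and wordlist (open file) are assumed to be defined by the caller
for line in wordlist.readlines():
    # requests.get() blocks until the response arrives, so only one request is in flight at a time
    requests.get(f'{url}/{line.strip()}')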
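
The following is an added example, not part of the thread and not feroxbuster's code: a simplified offline model of the difference discussed above between pacing sends on a schedule and waiting for each response, measured as the number of requests the server sees in flight at once. `SlowServer`, `paced_async`, `serial` and `peak_in_flight` are hypothetical names, and the 15 second latency and one request per second pace from the thread are scaled down by 100x.

```python
import asyncio


class SlowServer:
    """Constructed stand-in for a slow target; counts concurrent requests."""

    def __init__(self, latency):
        self.latency = latency
        self.in_flight = 0
        self.peak = 0

    async def handle(self, path):
        self.in_flight += 1
        self.peak = max(self.peak, self.in_flight)
        await asyncio.sleep(self.latency)  # simulated slow response
        self.in_flight -= 1
        return 404


async def paced_async(server, paths, interval):
    """Rate-limited but asynchronous: send on schedule, never wait for a reply."""
    tasks = []
    for path in paths:
        tasks.append(asyncio.create_task(server.handle(path)))
        await asyncio.sleep(interval)
    await asyncio.gather(*tasks)


async def serial(server, paths, interval):
    """Synchronous behaviour: the next request waits for the previous response."""
    for path in paths:
        await server.handle(path)
        await asyncio.sleep(interval)


def peak_in_flight(client, latency=0.15, interval=0.01, count=6):
    """Run one client model and return the most requests open at the same time."""
    server = SlowServer(latency)
    paths = [f"word{i}" for i in range(count)]  # constructed sample wordlist
    asyncio.run(client(server, paths, interval))
    return server.peak


if __name__ == "__main__":
    print("paced async peak:", peak_in_flight(paced_async))
    print("serial peak:     ", peak_in_flight(serial))
```

When the response time is much longer than the send interval, the paced client stacks up open requests even though it never exceeds its rate, while the serial client never has more than one open.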