epi052 / feroxbuster

A fast, simple, recursive content discovery tool written in Rust.
https://epi052.github.io/feroxbuster/
MIT License
5.9k stars 498 forks

add warning if wordlist item begins with forward slash #716

Closed duokebei closed 1 year ago

duokebei commented 1 year ago

Hello author: When I use feroxbuster, for example: http://xxx.com/a/api/, my idea is to scan the /api/ directory, but when I look at the results of feroxbuster, it scans the directory under xxx.com/, but it does not scan the directory under /a/api/. In fact, there are results in the /api/ directory. I have seen it with ffuf. Does feroxbuster have this parameter?

epi052 commented 1 year ago

good morning!

take a look at the link below, follow some of its suggestions, and see how it goes:

https://epi052.github.io/feroxbuster-docs/docs/examples/force_recursion/

typically with an api endpoint, a little more manual investigation is needed to get the results back out.

If you think there is an actual bug, it would be helpful to have an endpoint that exhibits the behavior you're seeing and to know what you expect to happen instead. Thanks!

duokebei commented 1 year ago

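Good morning!

Take a look at the link below, follow some of its suggestions, and see how it goes:

https://epi052.github.io/feroxbuster-docs/docs/examples/force_recursion/

Typically, for API endpoints, more manual investigation is needed to get results back.

If you think there is an actual bug, it would be helpful to have an endpoint that exhibits the behavior you are seeing and to know what you expect to happen. Thanks!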

This is not the effect I want. What I mean is to scan xxx.com/a/api/, that is, to scan the api directory and not to scan other directories

epi052 commented 1 year ago

maybe you're looking for --no-recursion ?

duokebei commented 1 year ago

maybe you're looking for --no-recursion ?

With the -n parameter, it will only scan the root directory of the website, and will not scan the contents of the specified /a/api/ directory

epi052 commented 1 year ago

Hmm, if that's true, that might be a bug. I'll look into it here shortly

epi052 commented 1 year ago

I'm not seeing the behavior you're describing

image

duokebei commented 1 year ago

image

Please see, I want to scan the /dist/ directory, but feroxbuster is scanning the contents of the root directory. The command I use is: -A -k -n -w -u

epi052 commented 1 year ago

can you screenshot your banner (like what i showed in my screenshot), so i can see exactly what settings are turned on/off?

duokebei commented 1 year ago

Can you screenshot your banner (like what I showed in my screenshot), so I can see exactly which settings are turned on/off?

image

epi052 commented 1 year ago

interesting;

can you run the same command, and add the options shown below, then upload the resulting debug file?

--debug-log debug-log.txt -vvv

You don't need to do a full scan, just a few seconds of scanning should be ok for now.

duokebei commented 1 year ago

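Interesting;

Can you run the same command, add the options shown below, and then upload the resulting debug file?

--debug-log debug-log.txt -vvv

You don't need to do a full scan; just a few seconds of scanning is fine for now.

debug-log.txt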

duokebei commented 1 year ago

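Interesting;

Can you run the same command, add the options shown below, and then upload the resulting debug file?

--debug-log debug-log.txt -vvv

You don't need to do a full scan; just a few seconds of scanning is fine for now.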

Is this a bug?

epi052 commented 1 year ago

not sure yet, can you upload your wordlist as well?

duokebei commented 1 year ago

w.txt

roumy commented 1 year ago

Hi, I have the same problem. I think it comes from wordlist elements starting with /; in that case, the base URL is taken without any additional path. A sample is better than words.

image

here is the corresponding wordlist.

test/1
test/2
test/3
/test2/1
/test2/2
/test3
/test4/

duokebei commented 1 year ago

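Hi, I have the same problem. I think it comes from wordlist elements starting with /; in that case, the base URL is taken without any additional path. A sample is better than words.

image

Here is the corresponding wordlist.

test/1
test/2
test/3
/test2/1
/test2/2
/test3
/test4/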

Can this problem be solved?

epi052 commented 1 year ago

yea, the leading forward slashes are treated as a fully-formed url path, and overwrite the existing path instead of appending to it.

I'm not inclined to call this a bug, as you're providing a list of paths (not a wordlist).

As a workaround, you can simply adjust your wordlist

sed 's#^/\{1,\}##g' w.txt > no-forward-slash-w.txt

duokebei commented 1 year ago

Can you improve this function in the program? Because it is true that some websites have weird paths.

roumy commented 1 year ago

At least improve, or better highlight, the behavior during an engagement. Something like "WARNING, wordlist url starts with /, existing path has been overwritten !!"

epi052 commented 1 year ago

@duokebei @roumy yea, we can add a warning when reading in the wordlist, but that's really as far as i care to take this.

passing full paths like this in the wordlist is effectively working against the tool. Consider the list above

image

if you, instead, split the wordlist into

api
others
1
2
test
test2
test3
test4

through recursion, you'd find all of those resources.

I'm fine with emitting a warning, so folks don't have to come to github to search issues to figure out what's going on :joy:, but my overall recommendation here is to process your wordlist into something that allows ferox to do its best work.
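
The path-overwrite behaviour described in this thread, together with the two wordlist fixes suggested above (stripping leading slashes, or splitting entries into single segments), as an added example that is not part of the thread or of feroxbuster's code. It uses Python's `urljoin`, which follows RFC 3986 reference resolution, as a stand-in for the tool's URL handling; the helper names are hypothetical and `BASE` is the thread's placeholder URL.

```python
from urllib.parse import urljoin, urlsplit

# BASE is the placeholder target from the thread; WORDLIST is the list posted in it.
BASE = "http://xxx.com/a/api/"
WORDLIST = ["test/1", "test/2", "test/3", "/test2/1", "/test2/2", "/test3", "/test4/"]


def audit(base, words):
    """Resolve each entry against base and flag entries whose resolved
    path no longer sits under the base path (hypothetical helper)."""
    base_path = urlsplit(base).path
    findings = []
    for word in words:
        url = urljoin(base, word)  # a leading '/' replaces the whole base path
        escaped = not urlsplit(url).path.startswith(base_path)
        findings.append((word, url, escaped))
    return findings


def strip_leading_slashes(words):
    """Same stripping as the sed workaround: remove one or more leading '/'.
    Entries that become empty are dropped."""
    return [w.lstrip("/") for w in words if w.lstrip("/")]


def split_segments(words):
    """Break path-style entries into unique single segments, in first-seen
    order, so that recursion can rebuild the nested paths."""
    seen = []
    for word in words:
        for seg in word.split("/"):
            if seg and seg not in seen:
                seen.append(seg)
    return seen


if __name__ == "__main__":
    for word, url, escaped in audit(BASE, WORDLIST):
        note = "  <-- WARNING: leading '/' replaced the base path" if escaped else ""
        print(f"{word:10} -> {url}{note}")
    print("stripped:", strip_leading_slashes(WORDLIST))
    print("segments:", split_segments(WORDLIST))
```
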

duokebei commented 1 year ago

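@duokebei @roumy Yes, we can add a warning when reading in the wordlist, but as far as I am concerned, that is as far as it goes.

Passing full paths like this in the wordlist effectively works against the tool. Consider the list above

image

If you instead split the wordlist into

api
others
1
2
test
test2
test3
test4

through recursion, you would find all of those resources.

I'm fine with emitting a warning, so people don't have to go to GitHub and search issues to figure out what's going on 😂, but my overall recommendation here is to process your wordlist into something that lets ferox do its best work.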

Can the dear author make an adjustment for this situation in the program source code? Only append the path after the specified url, specify the recursion level, and recurse the level after the specified url, without generating redundant actions. thanks

roumy commented 1 year ago

I have no problem with editing the wordlist; I just spent hours trying to understand why I missed some findings with feroxbuster whereas other (older) tools found them. A tip that indicates my mistake would save a lot of time. I think this tool really rocks!! It would be a shame to switch to other ones due to a lack of confidence in it.

duokebei commented 1 year ago

Another request to the author for this feature change.

epi052 commented 1 year ago

@all-contributors add @duokebei for ideas

allcontributors[bot] commented 1 year ago

@epi052

I've put up a pull request to add @duokebei! :tada: