Closed pich4ya closed 1 year ago
interesting.

I took a brief look at the auto calibration code in ffuf. my understanding of what's going on:

- make a request for the base directory; let the response be `response-0`
- make a few requests that shouldn't exist; let the responses be `response-1..n`
- compare size/word/line counts of `response-1..n` to `response-0`
- when the size/word/line doesn't match `response-0`, add a filter for that specific size/word/line count

Does that sound correct?
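A small Python model of the calibration steps described in this comment, added here as an illustration rather than taken from ffuf or feroxbuster. The `Response` class, the metrics, the request paths and the response bodies are all constructed; the point it shows is why a filter learned from the random responses (size 0) lets the ticket's `/api/` (status 404, non-zero length) through, while a plain status-code allow-list would hide it.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Constructed stand-in for an HTTP response: only the fields the
# calibration heuristic looks at (status plus size/word/line counts).
@dataclass(frozen=True)
class Response:
    path: str
    status: int
    body: str

    @property
    def size(self) -> int:
        return len(self.body.encode())

    @property
    def words(self) -> int:
        return len(self.body.split())

    @property
    def lines(self) -> int:
        return len(self.body.splitlines())


# A learned filter is (metric name, value to suppress), e.g. ("size", 0).
Filter = Tuple[str, int]
METRICS = ("size", "words", "lines")

# Default status-code allow-list, as quoted in the ticket.
DEFAULT_STATUS = {200, 204, 301, 302, 307, 308, 401, 403, 405}


def calibrate(base: Response, randoms: Iterable[Response]) -> Set[Filter]:
    """Step 3 and 4 of the comment: compare each random response to the
    base response; every metric whose value differs becomes a filter.
    A value equal to the base is never filtered, otherwise the known-good
    base page itself would be hidden."""
    filters: Set[Filter] = set()
    for r in randoms:
        for metric in METRICS:
            value = getattr(r, metric)
            if value != getattr(base, metric):
                filters.add((metric, value))
    return filters


def is_filtered(resp: Response, filters: Set[Filter]) -> bool:
    """A response is hidden if any metric matches a learned filter."""
    return any(getattr(resp, metric) == value for metric, value in filters)


def shown_by_status(responses: Iterable[Response]) -> List[str]:
    """Status-code-only behaviour: keep responses on the allow-list."""
    return [r.path for r in responses if r.status in DEFAULT_STATUS]


def shown_by_calibration(responses: Iterable[Response], filters: Set[Filter]) -> List[str]:
    """'-mc all -ac' style behaviour: every status, minus learned filters."""
    return [r.path for r in responses if not is_filtered(r, filters)]


# Constructed sample: the base directory answers 200, random paths answer
# an empty 404, and /api/ answers 404 with a short JSON body.
BASE = Response("/", 200, "<html>\n<body>welcome</body>\n</html>\n")
RANDOMS = [
    Response("/zq8f1k2p", 404, ""),
    Response("/a91xwq0e", 404, ""),
]
CANDIDATES = [
    Response("/api/", 404, '{"error":"not found","version":"1.0.0"}'),
    Response("/admin", 404, ""),
    Response("/index.html", 200, BASE.body),
]


def demo() -> Tuple[List[str], List[str]]:
    """Return (paths shown by status only, paths shown after calibration)."""
    filters = calibrate(BASE, RANDOMS)
    return shown_by_status(CANDIDATES), shown_by_calibration(CANDIDATES, filters)


if __name__ == "__main__":
    by_status, by_calibration = demo()
    print("learned filters:", sorted(calibrate(BASE, RANDOMS)))
    print("status-only view:", by_status)          # /api/ is hidden
    print("calibrated view: ", by_calibration)     # /api/ survives, /admin is dropped
```

With the constructed inputs the learned filters are `size == 0`, `words == 0` and `lines == 0`; `/admin` matches them and is dropped, `/api/` does not and is shown even though it is a 404, and `/index.html` is untouched because its counts equal the base response's and so were never turned into filters.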
Likely yes!

I think feroxbuster should provide a way to not only make decisions on the HTTP status code for its auto-filtering mechanism. It should take the content-length into consideration as well, so that the 98% of HTTP status 404 responses with Content-Length: 0 are hidden, and the 2% of HTTP status 404 responses with Content-Length: 50 are displayed to the user.
when you use the `-mc all -ac` options in ffuf, i assume you're using `-u http://.../api/` and you know that `/api/` is a valid endpoint; is that correct?

i'm guessing that the assumption for this to work is the user pointed the tool at a valid endpoint to begin with
notes for whoever implements this:

`responses[0]` is actually one of the random responses mentioned below. ffuf performs the following actions:

/
character src

based on the actions the code takes, the example provided in the ticket would have requested a bunch of non-existent pages, each (presumably) having a content length of 0. Then when `/api/` was requested, it had a content length of 50, allowing it to slide through the filter(s).
this logic falls squarely in feroxbuster's heuristics module. implementation should roughly follow the steps outlined above.
somewhat related: https://github.com/epi052/feroxbuster/issues/635
happened to find a machine that replied in this exact way :wink:
i reworked how heuristics picks up 404-like pages, to include the traditional wildcards. I tested the new logic against that machine and it works as desired.
I'm considering just making auto-detection of 404s and allowing all status codes by default.
@all-contributors add @pich4ya for ideas
@epi052
I've put up a pull request to add @pich4ya! :tada:
feroxbuster performs auto-filtering based on the HTTP response. By default, it will return results for the HTTP status codes 200 204 301 302 307 308 401 403 405.

During a HackTheBox machine hacking session, a machine contained the path `/api/`, which returns HTTP status code 404, the same as other non-existing paths, but with a unique/suspicious content length.

For example,

and non-existing pages.

With ffuf (https://github.com/ffuf/ffuf), we can use the `-mc all -ac` options to handle this specific case automatically. However, feroxbuster does not contain such an automatic mechanism to auto-filter HTTP Status Code 404 with Content-Length: 50 and Content-Length: 0. I know we can do manual `/api/` and set `--filter-size`, but we cannot know beforehand which Content-Length the web server will return for such existing paths like `/api/` with the HTTP Status Code 404. I do like the `--smart` option on feroxbuster, which does not exist in ffuf; however, feroxbuster does not have `-mc all -ac`. Please consider adding them.