Closed schinkelg closed 6 years ago
Hi @schinkelg, thank you for pointing that out. Sometimes different domains share the same origin server. In that case, a false negative would occur, as they will not be considered valid subdomains.
I can maybe test for same-IP subdomain hits and, if they exceed a certain number, count all of them as false positives. Nonetheless, false negatives will occur.
Can you think of any workaround for that?
I don't believe there is a workaround for false negatives in that scenario. But you can first test for a wildcard using this1willnotexist.domain.com for example. That way you won't have false negatives when a wildcard is not in use. This is the way Fierce(.pl) solves this problem if I'm not mistaken.
I've implemented a fix in this commit. It solves both the subdomain and URL bruteforcing problems (in addition to wildcard subdomain support, some sites return 200 for non-existent resources as well which breaks URL fuzzing). I'll keep this issue open for another day or two and close it afterward unless you share any further insights.
Much obliged for the suggestion, @schinkelg.
When the domain you try to bruteforce has a wildcard, all entries from the wordlist are 'hits'. Expected behavior would be to test for wildcard and then only consider a different IP result a 'hit'.
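The wildcard check discussed in this thread (resolve a random non-existent label first, then count a wordlist entry as a hit only when its answer differs from the wildcard answer), as an added example that is not the project's own code. It runs offline against a constructed resolver and zone for example.com; the `Resolver` type, `make_fake_resolver`, the sample records and the wordlist are all assumptions made for the demonstration, and the `shop` record shows the same-origin false negative the thread describes.

```python
import random
import string
from typing import Callable, Dict, FrozenSet, Iterable, Set

# A resolver maps a hostname to the IPs it resolves to; an empty set means NXDOMAIN.
Resolver = Callable[[str], Set[str]]

def random_label(length: int = 12) -> str:
    """Random label that is vanishingly unlikely to exist as a real subdomain."""
    return "".join(random.choice(string.ascii_lowercase + string.digits) for _ in range(length))

def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> FrozenSet[str]:
    """Resolve a few random non-existent names; the union of their IPs is the wildcard answer."""
    ips: Set[str] = set()
    for _ in range(probes):
        ips |= resolve(f"{random_label()}.{domain}")
    return frozenset(ips)  # empty -> no wildcard in use

def filter_hits(domain: str, candidates: Iterable[str], resolve: Resolver) -> Dict[str, Set[str]]:
    """Keep only candidates whose answer differs from the wildcard answer.
    Limitation raised in the thread: a real host that shares the wildcard's IPs is
    indistinguishable from the wildcard and is dropped (a false negative)."""
    wildcard_ips = detect_wildcard(domain, resolve)
    hits: Dict[str, Set[str]] = {}
    for label in candidates:
        name = f"{label}.{domain}"
        ips = resolve(name)
        if not ips:
            continue  # NXDOMAIN: never a hit
        if wildcard_ips and ips <= wildcard_ips:
            continue  # same answer as the wildcard: treat as a false positive
        hits[name] = ips
    return hits

def make_fake_resolver(zone: Dict[str, Set[str]], wildcard_ips: Set[str]) -> Resolver:
    """Constructed offline stand-in for DNS: explicit records first, else the wildcard answer."""
    def resolve(name: str) -> Set[str]:
        return set(zone[name]) if name in zone else set(wildcard_ips)
    return resolve

# Constructed sample zone for example.com (192.0.2.0/24 is documentation address space).
ZONE = {
    "www.example.com": {"192.0.2.10"},
    "mail.example.com": {"192.0.2.20"},
    "shop.example.com": {"192.0.2.50"},  # real host on the same origin as the wildcard
}
WILDCARD_RESOLVER = make_fake_resolver(ZONE, {"192.0.2.50"})  # zone with *.example.com
PLAIN_RESOLVER = make_fake_resolver(ZONE, set())              # same zone, no wildcard
WORDLIST = ["www", "mail", "shop", "ftp", "dev"]
```

With the wildcard resolver, `filter_hits("example.com", WORDLIST, WILDCARD_RESOLVER)` returns only www and mail: ftp and dev are correctly discarded, and shop is lost as the false negative the thread warns about.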