gobuster
Possible bug in vhost mode when website is behind cloudflare
When in vhost mode and run against a website which is NOT behind Cloudflare, everything is fine. When I put the website behind Cloudflare, though:
er@erev0s:~$ gobuster vhost -u erev0s.com -w awesome_wordlist.txt -v
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://erev0s.com
[+] Threads: 10
[+] Wordlist: awesome_wordlist.txt
[+] User Agent: gobuster/3.0.1
[+] Verbose: true
[+] Timeout: 10s
===============================================================
2020/02/02 21:57:42 Starting gobuster
===============================================================
Found: sgdfsd.erev0s.com (Status: 530) [Size: 3671]
Found: agsfdg.erev0s.com (Status: 530) [Size: 3671]
Found: hi.erev0s.com (Status: 530) [Size: 3659]
Found: fgsdfg.erev0s.com (Status: 530) [Size: 3671]
Found: www.erev0s.com (Status: 301) [Size: 338]
===============================================================
2020/02/02 21:57:42 Finished
===============================================================
As you can see it reports everything as found as Cloudflare returns status 530.
Maybe this is not classified as a bug, as it may not be considered a problem with the code but rather that you did not include the specific HTTP code. Maybe you could include similar flags like in the dir mode so there are whitelisting/blacklisting status code capabilities in the vhost mode as well.
Thank you for this awesome tool & keep up the great work.
I also think this is important. Please add options to ignore/add custom status.
Old, but the feature still isn't in, so I pipe to grep and exclude based on size like ffuf -fs
gobuster vhost -u http://domain.com/ -w namelist.txt | grep -vF '[Size: 2395]'
You can use --status-codes-blacklist 404,530
to exclude this status code
--status-codes-blacklist is for gobuster dir and not gobuster vhost?
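The filtering requested in this thread, as an added example that is not gobuster's code or any commenter's: a shell function that post-processes `gobuster vhost` output and drops results by status code or body size. `filter_vhost` and `sample_output` are hypothetical names; the sample lines are copied from the report above.

```shell
#!/bin/sh
# Added example: post-filter `gobuster vhost` results by status code or size.
# Usage: gobuster vhost -u URL -w LIST | filter_vhost "404,530" "2395"
#   $1 = comma-separated status codes to drop, $2 = comma-separated sizes to drop
# Banner and log lines (anything not starting with "Found: ") are discarded.
filter_vhost() {
    awk -v st="${1:-}" -v sz="${2:-}" '
        BEGIN {
            n = split(st, a, ",")
            for (i = 1; i <= n; i++) if (a[i] != "") bad_status[a[i]] = 1
            n = split(sz, b, ",")
            for (i = 1; i <= n; i++) if (b[i] != "") bad_size[b[i]] = 1
        }
        # Result lines look like: Found: host (Status: 530) [Size: 3671]
        /^Found: / {
            status = ""; size = ""
            if (match($0, /\(Status: [0-9]+\)/))
                status = substr($0, RSTART + 9, RLENGTH - 10)
            if (match($0, /\[Size: [0-9]+\]/))
                size = substr($0, RSTART + 7, RLENGTH - 8)
            if ((status in bad_status) || (size in bad_size)) next
            print
        }
    '
}

# Result lines copied from the report above, used as offline sample input.
sample_output() {
    cat <<'EOF'
Found: sgdfsd.erev0s.com (Status: 530) [Size: 3671]
Found: agsfdg.erev0s.com (Status: 530) [Size: 3671]
Found: hi.erev0s.com (Status: 530) [Size: 3659]
Found: fgsdfg.erev0s.com (Status: 530) [Size: 3671]
Found: www.erev0s.com (Status: 301) [Size: 338]
EOF
}

# Dropping status 530 leaves only the 301 result.
sample_output | filter_vhost "404,530" ""
```

Against the report's output, excluding size 3671 alone still lets hi.erev0s.com (Size: 3659) through, so the status code is the steadier key in this case.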