assetnote
kr scan receives status code 200, however, replaying the request returns 404
I was playing a CTF (https://tryhackme.com/room/nahamstore) and was scanning a subdomain http://marketing.nahamstore.thm/ with the following command using the routes-large.kite file from the kiterunner github page: kr scan http://nahamstore.thm/ -w ../../kiterunner/routes-large.kite 2>&1 | tee marketingLargeKiteScan.log
The scan returned a some endpoints with status code 200. However, when I replayed the attack and send it to burp, I received a 404.
I used this command to replay the attack: kr kb replay -q --proxy=http://localhost:8080 -w ../../kiterunner/routes-large.kite "POST 200 [ 910, 125, 25] http://marketing.nahamstore.thm/09c2afcff60bb4dd3af7c5c5d74a482f/user/v1/add 0cf68b5253ddd70baf080aebf5430edb9f642f60"
Interestingly enough, in the CLI output it did talk about "response after redirects", however, burp doesn't seem to be redirected when I do the request and neither does my browser. Ontop of that, shouldn't kiterunner follow the redirect by default and return the correct status code?
I tried blacklisting redirects from the domain http://marketing.nahamstore.thm, however, this did not help.
Is this a bug or am I using the tool wrong?
Hi @TheCodeAddiction - this could be a bug. We'll try and reproduce this on our side and see what's going on. Thanks for reporting it.
does somebody would be nice enough to explin to me how to install it on kali , i try to install it by git clone and the code but it didnt install it on my kali machine
Hi @TheCodeAddiction - this could be a bug. We'll try and reproduce this on our side and see what's going on. Thanks for reporting it.
This is still an issue, any update on the status for a fix? It makes the tool useless as the report is 100% wrong...