feroxbuster
[FEATURE REQUEST] Send additional request with appended slash
Is your feature request related to a problem? Please describe.
I believe the feature is working as intended but maybe not the most effective.
Describe the solution you'd like
epi, I'd like to have a flag to append a slash "/" to each request while ALSO sending the original request (if no slash) or remove a trailing slash plus the original request.
Describe alternatives you've considered
Right now, I have to run two instances:
feroxbuster -u http://192.168.198.125:8080 --wordlist /usr/share/wordlists/dirb/big.txt -t 100 -x php,pl,sh,txt,html -f
200 1l 1w 0c http://192.168.198.125:8080/api/
feroxbuster -u http://192.168.198.125:8080 --wordlist /usr/share/wordlists/dirb/big.txt -t 100 -x php,pl,sh,txt,html
<intentionally left blank>
Without the slash, ferox doesn't find the path. The folder path is only found with a slash appended, but that limits all findings to only path routes (if you used the -f option)!! Need an option to include both requests... so the tool will send a request with /api AND /api/
Thanks for taking the time to submit an issue!
I understand what you mean, and have gone back and forth on this before. I believe my reasoning for the current implementation boiled down to:
- principle of least surprise
- anecdotally, most servers will have a redirect on `/api` to `/api/`, which we detect
The `-e` feature is really powerful, has almost no downside, and finds a lot of inter-site links, as a heads up (i.e. might find `/api/` regardless of `-f`).
Going to leave this open for now, and invite discussion. If anything, I think this would be an opt-in kind of thing, not changing existing `-f` behavior.
@unkn0wnsyst3m
I believe a change around 2.6 timeframe would allow you to do this by adding `--extensions /`.
You should get requests for `/api` and `/api/` with that option.
There was a change that made it so that we treat `/` as an extension, so I think this will work for you. Let me know if it does, and we can close this one up.
Hope it helps!
@unkn0wnsyst3m just checking in; did you get a chance to try what I suggested above?
Thanks for follow up epi. Yea all good now, thanks!!!
glad to hear it!