feroxbuster icon indicating copy to clipboard operation
feroxbuster copied to clipboard

Published 20 hours ago verified publisher icon epi052

[BUG] Replay Proxy Hanging - (workaround implemented 2.6.0)

Open godylockz opened this issue 2 years ago • 3 comments

Not exactly sure what is going on here, but seems like the replay-proxy hangs if the method is POST as it works fine with GET

HTB Box: CrossfitTwo Requires crossfit-club.htb in host file.

test.txt

signup
login

feroxbuster -u http://crossfit-club.htb/api/ -w test.txt -m POST -k --no-state --replay-proxy 127.0.0.1:8080 --replay-codes 200,301,302,401,403 -vvvv

Appears to be hanging in process_response of /src/event_handlers/outputs.rs

godylockz avatar Feb 18 '22 17:02 godylockz

thankfully, this is an easy one.

in addition to -m POST, you need to add --data some-value . Burp gets upset at posts without a body (or at least the (lack of)body that gets produced by feroxbuster.

Might be good to dig a little at what the request looks like with -m POST and no --data to see where it's malformed/weird, and then fix it up when the user specifies a post request without data.

epi052 avatar Feb 18 '22 18:02 epi052

After much digging / dinking around with different reqwest settings, I'm at a loss for a fix that doesn't require setting an arbitrary body payload when one isn't provided. I filed an issue here to see if there's any help to be had.

epi052 avatar Feb 19 '22 13:02 epi052

Pending a better solution, when --proxy or --replay-proxy is used, and --method=POST and --data isn't used, then \r\n is appended to the request body as a (hopefully) temporary workaround.

epi052 avatar Feb 24 '22 14:02 epi052