Arjun icon indicating copy to clipboard operation
Arjun copied to clipboard
verified publisher icon s0md3v

Empty HTTP 200 OK response results in "URL doesn't seem to be a webpage. Skipping."

Open BreakfastSerial opened this issue 1 year ago • 3 comments

I am working with a web application, that offers a resource download endpoint (e.g. https://example.com/download?id=1), if the id is omitted, it responds with an empty HTTP 200 OK, which is expected.

I want to use Arjun to help me find alternative parameters, but It refuses to work with empty HTTP 200 OK responses.

Using Arjun v2.2.7, installed via pip on Kali.

BreakfastSerial avatar Dec 06 '24 06:12 BreakfastSerial

Can you post the response headers here? It is likely that the content-type is messed up.

s0md3v avatar Dec 19 '24 08:12 s0md3v

Sorry about the late reply, I'll have to dig out the project again, but I'll provide the response in a bit. Thank you for your work! Edit: I found the request/response in question:

If the parameter id=1 is missing, the servers response looks like:

HTTP/2 200 OK
Cache-Control: no-cache, no-store, must-revalidate,no-cache, no-store
Pragma: no-cache,no-cache
Expires: 0,-1
Access-Control-Allow-Headers: Origin, Content-Type, X-Auth-Token
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
X-Xss-Protection: 1;
Content-Security-Policy: frame-ancestors 'self'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: accelerometer=(), camera=(); geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()
Date: <DATE>
Content-Length: 0

While the response including the required parameter id=1 is:

HTTP/2 200 OK
Cache-Control: no-cache, no-store, must-revalidate,no-cache, no-store
Pragma: no-cache,no-cache
Content-Type: application/pdf
Expires: 0,-1
Access-Control-Allow-Headers: Origin, Content-Type, X-Auth-Token
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
X-Xss-Protection: 1;
Content-Security-Policy: frame-ancestors 'self'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: accelerometer=(), camera=(); geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()
Date: <DATE>
Content-Length: <LENGTH>

%PDF-1.5[...]

BreakfastSerial avatar Jan 23 '25 07:01 BreakfastSerial

Arjun works by detecting which queries cause a change in the response body. If the body isn't html/text/xml, Arjun doesn't suit this case, at least according to this following line.

https://github.com/s0md3v/Arjun/blob/master/arjun/core/utils.py#L81

omardoescode avatar Oct 01 '25 22:10 omardoescode