Directory detection based on redirections

[ArthurMuraro]

Hello,

Firstly, I apologize if the feature already exists; I couldn't find it. I am currently conducting fuzz testing on an application that includes an initial directory named "users," housing a page called "list.php."

The application behaves as follows:

• Accessing "/users" results in a 301 redirect to "/users/" which suggests the presence of a directory named "/
• Accessing "/users/" directly yields a 404 error, as there is no "/users/index.php" page.

However, when using Feroxbuster to scan "/users/," it follows the redirection and encounters a 404 status. Consequently, it halts fuzzing for this directory, even though the directory does exist.

Is it possible to incorporate a feature that helps detect such directories, indicating that we should continue fuzzing them?

Here is my command:

feroxbuster -u http://internal.analysis.htb/ -w /opt/seclists/Discovery/Web-Content/raft-large-directories.txt --silent -d 1 | feroxbuster --stdin -o internal_full_cluster.txt -w /opt/seclists/Discovery/Web-Content/raft-large-files.txt -x php -d 2

The options "--redirects" does not help in this setup.

[epi052]

Hey there!

Off the top of my head, the easiest fix is --force-recursion. It's intended more for API scans, but will do what you want.

Setting 404 to an allowed status code probably would do it also, but dork up the rest of your scan

[ArthurMuraro]

Thanks for your answer.

Yeah, allowing 404 is too loud. I'll try the other option !

[epi052]

Lmk how it goes.

[epi052]

Another option would be to rewrite the 404 for that directory to something else in burp before it hits ferox on the return trip

[ArthurMuraro]

Interestingly, the result when adding "--force-recursion" is empty

For the following command :

feroxbuster -u http://internal.analysis.htb/ -w /opt/seclists/Discovery/Web-Content/raft-large-directories.txt --silent -d 1 | feroxbuster --stdin -o force_recursion_internal_full_cluster.txt -w /opt/seclists/Discovery/Web-Content/raft-large-files.txt -x php -d 2 --force-recursion

I get he following output :

~$ cat force_recursion_internal_full_cluster.txt 
403      GET       29l       93w     1284c http://internal.analysis.htb/
403      GET       29l       93w     1284c http://internal.analysis.htb/
403      GET       29l       93w     1284c http://internal.analysis.htb/

with the original command, even tho I don't list the "/users" directory, I get 82 others findings.

[epi052]

Hrm, that's interesting. Is this an active box or retired?

If it's active I can take a look later. In the meantime maybe try the burp rewrite rule ?

[ArthurMuraro]

It is an active (the last of the season at the moment), it is called "Analysis".

Thx.

[epi052]

thanks again, i found a bug based on this. grab a new ferox from here and lmk if it works as expected now

[ArthurMuraro]

Hello @epi052 Glad it helped you finding a new bug !

I'll try as soon as possible 😉

[ArthurMuraro]

Hey ! I tested the patched version on two different applications and it's definitely better, thanks !

Will you release a new version soon ?

[epi052]

howdy! missed this message. I'll be pushing out a new version here soon. there were a few things i wanted to get fixed up