handle weird strings in wordlist better

librecursebuster/logic.go

@@ -228,6 +228,9 @@ func (gState *State) dirBust(page SpiderPage) {
 	atomic.StoreUint32(gState.DirbProgress, 0)
 	//ensure we don't send things more than once
 	for _, word := range gState.WordList { //will receive from the channel until it's closed
+		if !gState.Cfg.NoEncode {
+			word = url.PathEscape(word)
+		}
 		atomic.AddUint32(gState.DirbProgress, 1)
 		//read words off the channel, and test it OR close out because we wanna skip it
 		if word == "" {

librecursebuster/main_test.go

@@ -472,6 +472,36 @@ func TestRobots(t *testing.T) {
 
 }
 
+func TestWeirdWords(t *testing.T) {
+	t.Parallel()
+	finished := make(chan struct{})
+	cfg := getDefaultConfig()
+	gState, urlSlice := preSetupTest(cfg, "2020", finished, t)
+	//add some woderful and weird things to the wordlist
+	for i := 0; i < 256; i++ {
+		gState.WordList = append(gState.WordList, "te"+string(i)+"st")
+		//string(i)
+	}
+	found := postSetupTest(urlSlice, gState)
+	gState.Wait()
+
+	//same as the regular test
+	//check for each specific line that should be in there..
+	tested := []string{}
+	ok := []string{
+		"/a", "/a/b", "/a/b/c", "/a/", "/spideronly",
+		"/b", "/b/c",
+		"/a/b/c/", "/a/b/c/d",
+		"/c/d", "/c", "/c/",
+	}
+	for _, i := range ok {
+		tested = append(tested, i)
+		if x, ok := found[i]; !ok || x == nil {
+			t.Error("Did not find " + i)
+		}
+	}
+}
+
 func postSetupTest(urlSlice []string, gState *State) (found map[string]*http.Response) {
 	//start up the management goroutines
 	go gState.ManageRequests()

librecursebuster/structs.go

@@ -283,6 +283,7 @@ type Config struct {
 	Methods           string
 	NoBase            bool
 	NoGet             bool
+	NoEncode          bool
 	NoHead            bool
 	NoRecursion       bool
 	NoRobots          bool

main.go

@@ -14,7 +14,7 @@ import (
 	"github.com/fatih/color"
 )
 
-const version = "1.6.7"
+const version = "1.6.8"
 
 func main() {
 	if runtime.GOOS == "windows" { //lol goos
@@ -51,17 +51,18 @@ func main() {
 	flag.BoolVar(&globalState.Cfg.ShowLen, "len", false, "Show, and write the length of the response")                                                                                                                                                                                                            //todo: write test
 	flag.BoolVar(&globalState.Cfg.NoBase, "nobase", false, "Don't perform a request to the base URL")                                                                                                                                                                                                             //todo: write test
 	flag.BoolVar(&globalState.Cfg.NoGet, "noget", false, "Do not perform a GET request (only use HEAD request/response)")                                                                                                                                                                                         //Test Written
-	flag.BoolVar(&globalState.Cfg.NoHead, "nohead", false, "Don't optimize GET requests with a HEAD (only send the GET)")                                                                                                                                                                                         //Test Written
-	flag.BoolVar(&globalState.Cfg.NoRecursion, "norecursion", false, "Disable recursion, just work on the specified directory. Also disables spider function.")                                                                                                                                                   //Test Written
-	flag.BoolVar(&globalState.Cfg.NoSpider, "nospider", false, "Don't search the page body for links and directories to add to the spider queue.")                                                                                                                                                                //Test Written
-	flag.BoolVar(&globalState.Cfg.NoStatus, "nostatus", false, "Don't print status info (for if it messes with the terminal)")                                                                                                                                                                                    //todo: write test
-	flag.BoolVar(&globalState.Cfg.NoStartStop, "nostartstop", false, "Don't show start/stop info messages")                                                                                                                                                                                                       //todo: write test
-	flag.BoolVar(&globalState.Cfg.NoWildcardChecks, "nowildcard", false, "Don't perform wildcard checks for soft 404 detection (or in plain english, don't do soft404)")                                                                                                                                          //Test Written
-	flag.BoolVar(&globalState.Cfg.NoUI, "noui", false, "Don't use sexy ui")                                                                                                                                                                                                                                       //todo: write test
-	flag.StringVar(&globalState.Cfg.Localpath, "o", "."+string(os.PathSeparator)+"busted.txt", "Local file to dump into")                                                                                                                                                                                         //todo: write test
-	flag.StringVar(&globalState.Cfg.Methods, "methods", "GET", "Methods to use for checks. Multiple methods can be specified, comma separate them. Requests will be sent with an empty body (unless body is specified)")                                                                                          //Test Written
-	flag.StringVar(&globalState.Cfg.ProxyAddr, "proxy", "", "Proxy configuration options in the form ip:port eg: 127.0.0.1:9050. Note! If you want this to work with burp/use it with a HTTP proxy, specify as http://ip:port")                                                                                   //todo: write test
-	flag.Float64Var(&globalState.Cfg.Ratio404, "ratio", 0.95, "Similarity ratio to the 404 canary page.")                                                                                                                                                                                                         //todo: write test
+	flag.BoolVar(&globalState.Cfg.NoEncode, "nodencode", false, "Don't encode non-url safe words in the wordlist")
+	flag.BoolVar(&globalState.Cfg.NoHead, "nohead", false, "Don't optimize GET requests with a HEAD (only send the GET)")                                                                                                       //Test Written
+	flag.BoolVar(&globalState.Cfg.NoRecursion, "norecursion", false, "Disable recursion, just work on the specified directory. Also disables spider function.")                                                                 //Test Written
+	flag.BoolVar(&globalState.Cfg.NoSpider, "nospider", false, "Don't search the page body for links and directories to add to the spider queue.")                                                                              //Test Written
+	flag.BoolVar(&globalState.Cfg.NoStatus, "nostatus", false, "Don't print status info (for if it messes with the terminal)")                                                                                                  //todo: write test
+	flag.BoolVar(&globalState.Cfg.NoStartStop, "nostartstop", false, "Don't show start/stop info messages")                                                                                                                     //todo: write test
+	flag.BoolVar(&globalState.Cfg.NoWildcardChecks, "nowildcard", false, "Don't perform wildcard checks for soft 404 detection (or in plain english, don't do soft404)")                                                        //Test Written
+	flag.BoolVar(&globalState.Cfg.NoUI, "noui", false, "Don't use sexy ui")                                                                                                                                                     //todo: write test
+	flag.StringVar(&globalState.Cfg.Localpath, "o", "."+string(os.PathSeparator)+"busted.txt", "Local file to dump into")                                                                                                       //todo: write test
+	flag.StringVar(&globalState.Cfg.Methods, "methods", "GET", "Methods to use for checks. Multiple methods can be specified, comma separate them. Requests will be sent with an empty body (unless body is specified)")        //Test Written
+	flag.StringVar(&globalState.Cfg.ProxyAddr, "proxy", "", "Proxy configuration options in the form ip:port eg: 127.0.0.1:9050. Note! If you want this to work with burp/use it with a HTTP proxy, specify as http://ip:port") //todo: write test
+	flag.Float64Var(&globalState.Cfg.Ratio404, "ratio", 0.95, "Similarity ratio to the 404 canary page.")                                                                                                                       //todo: write test
 	flag.BoolVar(&globalState.Cfg.NoRobots, "norobots", false, "Don't query and add robots.txt values to checks")
 	flag.BoolVar(&globalState.Cfg.FollowRedirects, "redirect", false, "Follow redirects")                                                                                                                                                                       //todo: write test
 	flag.BoolVar(&globalState.Cfg.BurpMode, "sitemap", false, "Send 'good' requests to the configured proxy. Requires the proxy flag to be set. ***NOTE: with this option, the proxy is ONLY used for good requests - all other requests go out as normal!***") //todo: write test