-
-
Notifications
You must be signed in to change notification settings - Fork 510
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] Ferox buster doesn't recognise 301 with protocol change #815
Comments
do you have a public bug bounty target or hackthebox (or some other platform) with a target that has this behavior handy? Otherwise I need to build a server to test etc.. |
Thank you for all your submissions, btw, i really appreciate it! |
It's nothing I can publicly share tough I think it's not uncommon so maybe you will stumble on something yourself ;) Anyway if you want me to test some test builds to know if it works let me know. |
I have encountered same issue again, this time with 2.10.0. I attach a log as I can't do much more :D
|
I did dig a little more and I think it's caused by Nginx misconfiguration. Here similar issue is described: https://serverfault.com/questions/885046/how-to-prevent-nginx-redirecting-from-https-to-http-on-aws |
that's interesting. so https://example/js => http://example/js/ so, we'd either want to ignore the https->http redirect altogether, or follow from https, to http, and back to https-with-slash i know i've been slacking on responses, but do you happen to recall if using |
Sorry post was using wrong account.
However I have found another target with same properties and no http:
|
Describe the bug
If application makes a 301 redirection and switches protocols feroxbuster doesn't recognise the redirection.
To Reproduce
Scan an application that behaves like the one below:
200 GET 459l 1201w 16218c https://example.com/
301 GET 7l 20w 237c https://example.com/css => http://example.com/css/
301 GET 7l 20w 236c https://example.com/js => http://example.com/js/
Just to make things clear after redirecting to http://example.com/js/ app redirects browser back to https://example.com/js/.
I have encountered multiple applications with this behaviour
Expected behavior
Feroxbuster either should have a flag to ignore protocol change or in case of protocol change follow redirection to make sure it doesn't point to same application.
The text was updated successfully, but these errors were encountered: