-
-
Notifications
You must be signed in to change notification settings - Fork 510
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FEATURE REQUEST] Fuzzing with OPTIONS method then automatically Fuzzing with method returned in Allow headers. #904
Comments
It would also be useful to have this occur on a per-directory basis. For example, OPTIONS / is the base case. Consider a case where OPTIONS / returns HEAD, GET; later, the directory /api is discovered. An OPTIONS request to /api may return something different (GET, PUT, POST, etc) Obviously it's common for there to be per-directory configurations on modern reverse proxies and load-balancers. What I'm not sure of, though, is how often (in practice) OPTIONS actually provides full and honest information (assuming it's supported at all) Just a thought, I'm not sure I have an immediate use-case for it |
APIs that implement CORS always provide full and honest information as it is mandatory because of the pre-flight requests sent by the browsers and it is way too common.
Any reasons? |
Hey there, thanks for submitting this! Im neck deep in life stuff right now. I'll be able to reply in detail in a week or two. Just wanted to let you know I saw it. Thanks again! |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
howdy! I like the idea! This feature could be exposed as one of the collect family; maybe i don't have the time right now to work on this, but would happily accept a PR in the interim. Thank you for the suggestion! |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
First, sorry for this comment, it lacked context and was not constructive. And it also lacked full consideration of your point referring CORS There are two parts to this:
I won't go into detail on the first bit but I will concede that services implementing CORS will become a larger portion of my scope over time. In fact, that's part of the reason that I'm interested in you checking if my next point is valid For the "full and honest" bit - I'll say that if I understand how CORS is implemented, "full and honest" is not quite true; specifically the "full" part. It can be misleading My understanding of CORS is that it ultimately operates as a whitelist mechanism It will tell a browser "You can use POST and DELETE"- as opposed to a blacklists, which might say "You can not use PUT, UPDATE, ..." Perhaps it's possible to do both, but either way, you might only be seeing a subset of the verbs supported by the endpoint(s) - specifically, those explicitly intended to be consumed by a browser This is not a criticism of CORS or a suggestion that using the latter (or any other) approach would have been batter- quite the opposite, it makes the most sense this way. I'm only stating it that way to highlight that verbs/methods that are not intended for use via a browser at all or across origins will be omitted, because they're implicitly denied by not being explicitly permitted (I think?) Perhaps you've already considered this or know exactly what I mean; if not, here's a contrived example, because everyone loves contrived examples...
In this case, taking advantage of CORS will let you know about "POST"/"SEARCH", but it will not let you know about "PUT", "DELETE" and "UPDATE" Please correct me if I'm mistaken there, you can probably tell that I don't work much with CORS since I neglected to consider it until you mentioned it ;) Is this an edge-case? Very possibly. I suppose it depends on the API frameworks in use and the most common practices of developers, right? All this to say that, as I understand it, CORS is informative but not comprehensive or authoritative It would be useful to create a starting point for verbs based on CORS information, but that information should not be trusted completely if you want thorough testing The specific implementation within something like feroxbuster that I think should be avoided is to override a list of verbs supplied by the user with a subset of those (only the ones effectively "advertised" by CORS), because it could cause some misses Again though, I have no idea how big of an impact this would have in practice. A web dev, or someone with the patience to test some whitebox applications could probably help determine that with data Hopefully that's a little more helpful than my previous comment. In the end, my thinking was based in the fact that @epi052 only has so much time to implement all of these great features. He's implemented quite a few that I was personally very interested in- so I am a little (selfishly) defensive of his time 😀 Thanks for the ideas and discussion And thanks for the great work @epi052 |
Is your feature request related to a problem? Please describe.
When fuzzing APIs we all know and are lazy to FUZZ all
GET
,POST
,PUT
,PATCH
, andDELETE
, and miss a lot of stuff as for exampleGET /foo
gives 404 whilePOST /foo
might give a 200 Ok,Describe the solution you'd like
My solution sounds simple but might be hard to implement.
-m OPTIONS
flag.200
and204
, it's just headers.Allow
&Access-Control-Allow-Headers
headers from the responses.DELETE
method)Additional context
The text was updated successfully, but these errors were encountered: