ffuf: recursion not working properly
Hello, even with -recursion enabled, and a -recursion-depth of 3 … and I'm using FUZZ at the end of both the URL and the wordlist … I am able to locate directories, but new jobs are not added for the recursion process.
So I have to re-run ffuf and manually scan those new directories.
ffuf -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt:FUZZ -u http://masked.masked/FUZZ -r -recursion -recursion-depth 2 -o ffuf_scan -of all -e .php,.aspx,.txt,.md
:: Method : GET
:: URL : http://masked.maskedFUZZ
:: Wordlist : FUZZ: /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt
:: Extensions : .php .aspx .txt .md
:: Output file : ffuf_scan.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : true
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403
________________________________________________
test [Status: 200, Size: 47066, Words: 2465, Lines: 651]
test.php [Status: 200, Size: 47078, Words: 2465, Lines: 651]
index [Status: 200, Size: 177, Words: 22, Lines: 5]
secret [Status: 200, Size: 11406, Words: 1103, Lines: 294]
[Status: 200, Size: 177, Words: 22, Lines: 5]
rename [Status: 200, Size: 95, Words: 4, Lines: 1]
:: Progress: [150000/150000] :: Job [1/1] :: 986 req/sec :: Duration: [0:02:32] :: Errors: 11 ::
About this issue
- State: open
- Created 3 years ago
- Comments: 20 (2 by maintainers)
Commits related to this issue
- Fix a recursion bug when redirected to the same domain and a port was specified (#377) (#522) This fixes the situation where the URL port is specified from the command line and the "Location" redire... — committed to ffuf/ffuf by h1xxx 2 years ago
Ok, got it.
It found a file, so recursivity is not applied as expected (it’s not a directory).
/foo/ should be a valid directory to start the recursion, but it is not a valid directory, 404 error, so we don’t have recursivity in this case.
I did a Python3 server to replicate this.
and then I ran ffuf:
Results:
So it found foo/ as a directory and fuzzed on it too, finding “foo/bar” too.
Is this golang server a “real” one? Do you have some real one to replicate this?
Thanks
Nice, if you can give that information in some way I could try to debug it.
If you want, you can send it in my Twitter DM.
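An added example, not part of this thread and not ffuf's own code: a sketch of a redirect-based directory check of the kind the comments and the linked commit describe, where a hit is queued for recursion only if the server redirects it to the same path plus a trailing slash, and an explicit port in the scan URL still matches a "Location" header that omits it. The function names, the `target.example` responses and the assumption that directories are detected this way are all constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def _origin_and_path(url):
    """Split a URL into (scheme, host, effective port, path).

    The effective port falls back to the scheme default, so
    'http://host:80/x' and 'http://host/x' compare equal.
    """
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return parts.scheme, (parts.hostname or "").lower(), port, parts.path


def is_directory_redirect(request_url, status, location):
    """True when the response redirects request_url to itself plus '/'."""
    if status not in REDIRECT_CODES or not location:
        return False  # a plain 200 (a file such as test.php) never recurses
    target = urljoin(request_url, location)  # resolve a relative Location
    scheme, host, port, path = _origin_and_path(request_url)
    return _origin_and_path(target) == (scheme, host, port, path + "/")


def recursion_targets(responses):
    """Return the directory URLs that would be queued as new jobs.

    The request URL is reused (not the Location value) so that the port
    given on the command line is preserved in the follow-up job.
    """
    return [url + "/" for url, status, location in responses
            if is_directory_redirect(url, status, location)]


# Constructed sample responses: (request URL, status, Location header)
SAMPLE = [
    ("http://target.example:8080/foo", 301, "/foo/"),
    ("http://target.example:80/secret", 301, "http://target.example/secret/"),
    ("http://target.example:8080/test.php", 200, None),
    ("http://target.example:8080/admin", 302, "/login"),
    ("http://target.example:8080/img", 301, "http://other.example:8080/img/"),
]

if __name__ == "__main__":
    for job in recursion_targets(SAMPLE):
        print("queue recursion job:", job)
```

A naive string comparison of `request_url + "/"` against the raw Location value would miss the second sample, which is the port-mismatch case the commit title refers to.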