[BUG] -n (no-recursion) option fails to list base-level directories #1206

Open
bycszzz opened this issue Dec 24, 2024 · 2 comments
Labels
bug Something isn't working unconfirmed

Comments


bycszzz commented Dec 24, 2024

Describe the bug
When running Feroxbuster with the -n (no-recursion) option, the tool does not list any directories at the base level. According to the documentation, -n should prevent scanning deeper levels but still display the discovered directories at the current depth. Instead, it reports “found:0,” which seems incorrect since there are directories that exist and can be discovered when not using the -n option.

To Reproduce
Steps to reproduce the behavior:
1. Run Feroxbuster with the -n option on a target that contains known directories:

feroxbuster -n -u http://10.10.10.48

2. Observe the output—no directories are listed (e.g., “found:0”).
3. Compare the result to running the same command without the -n option:

feroxbuster -u http://10.10.10.48

In this scenario, directories (e.g., /admin/, /admin/scripts/, /admin/img/) are discovered correctly.

Expected behavior
Using the -n (no-recursion) option should list the discovered directories at the current depth without descending into them. The tool should not skip them entirely.

Environment (please complete the following information):
• feroxbuster version: v2.11.0
• OS: [macOS orbstack kali ]

Additional context
Below are partial logs showing the difference:

  • With -n:
[>-------------------] - 6s      1356/30000   3m      found:0       errors:0      
[>-------------------] - 6s      1403/30000   3m      found:0       errors:0      
  • Without -n:
[>-------------------] - 1s       192/30000   152/s   http://10.10.10.48/admin/
[>-------------------] - 1s        29/30000   45/s    http://10.10.10.48/admin/scripts/
[>-------------------] - 1s        44/30000   68/s    http://10.10.10.48/admin/img/
image

Thank you for looking into this issue! If you need any additional details or logs, please let me know.

@bycszzz bycszzz added the bug Something isn't working label Dec 24, 2024
@bycszzz bycszzz changed the title [BUG] [BUG] -n (no-recursion) option fails to list base-level directories Dec 24, 2024
Owner

epi052 commented Dec 29, 2024

howdy, and thanks for the submission!

I don't see it in the screenshot, but want to confirm: you didn't see a message similar to the following?

[####################] - 1s      4736/4736    3686/s  http://127.1:8001/ => Directory listing (add --scan-dir-listings to scan)

I'm going to assume you didn't and take a look at this behavior, but wanted to ask in the meantime. Thanks!

Owner

epi052 commented Dec 29, 2024

oh, i took a look at your options, and you're only allowing 200 and 500 responses to be processed. Do the directories respond with a 200? If they return a 301 or similar, they'll be filtered out before being shown. Below is an example where no recursion is used, but the redirect code is also an allowed status code.

epi@main:~/projects/feroxbuster$ cargo run  -- -w ~/wordlists/seclists/Discovery/Web-Content/common.txt -u http://127.1:8001  -s 200,500,308 -n 
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.07s
     Running `target/debug/feroxbuster -w /home/epi/wordlists/seclists/Discovery/Web-Content/common.txt -u 'http://127.1:8001' -s 200,500,308 -n`

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://127.1:8001
 🚀  Threads               │ 50
 📖  Wordlist              │ /home/epi/wordlists/seclists/Discovery/Web-Content/common.txt
 👌  Status Codes          │ [200, 500, 308]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /home/epi/projects/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🚫  Do Not Recurse        │ true
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200      GET       35l      101w      681c http://127.0.0.1:8001/.gitignore
200      GET       70l      304w    22613c http://127.0.0.1:8001/.git/index
200      GET        1l        2w       21c http://127.0.0.1:8001/.git/HEAD
200      GET      414l     1104w    14457c http://127.0.0.1:8001/.git/config
200      GET       80l      201w     2151c http://127.0.0.1:8001/Makefile
200      GET       21l      168w     1065c http://127.0.0.1:8001/LICENSE
308      GET        2l        3w       42c http://127.0.0.1:8001/docs => http://127.0.0.1:8001/docs/
[####################] - 1s      4739/4739    0s      found:7       errors:0      
[####################] - 1s      4736/4736    7470/s  http://127.1:8001/                                                                                                                     
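
The status-code filtering described in the last comment can be reproduced offline. This is an added example, not part of the issue thread or feroxbuster's code: it serves a constructed site with Python's `http.server` (which answers a directory request without a trailing slash with a 301), requests each word without following redirects, and applies a status-code allowlist the way `-s` is described above. The `probe` function, the word list and the site layout are assumptions made for the illustration.

```python
import http.client
import tempfile
import threading
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path


class QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # suppress per-request logging
        pass


def probe(words, allowed_statuses):
    """Request each word once against a throwaway local site, without
    following redirects, and split the results by a status allowlist.
    Returns (shown, dropped) as {word: status} dicts."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample site: one directory and one file.
        Path(root, "admin").mkdir()
        Path(root, "admin", "index.html").write_text("ok")
        Path(root, "robots.txt").write_text("User-agent: *\n")

        handler = partial(QuietHandler, directory=root)
        server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        shown, dropped = {}, {}
        try:
            for word in words:
                conn = http.client.HTTPConnection(
                    "127.0.0.1", server.server_port, timeout=5)
                conn.request("GET", "/" + word)  # no trailing slash
                resp = conn.getresponse()
                resp.read()
                bucket = shown if resp.status in allowed_statuses else dropped
                bucket[word] = resp.status
                conn.close()
        finally:
            server.shutdown()
            server.server_close()
        return shown, dropped


if __name__ == "__main__":
    words = ["admin", "robots.txt", "missing"]
    # Allowlist of 200 and 500 only: the directory's redirect is filtered out.
    print(probe(words, {200, 500}))
    # Adding the redirect code makes the directory visible again.
    print(probe(words, {200, 500, 301}))
```

With only 200 and 500 allowed, the existing `admin` directory lands in the dropped set next to the 404, which is why a scan can report nothing found even though the directory exists.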
