0

I have an application under test. The application response with a simple HTML with a response code 200 to every requests. The HTML contains link tags and script tags which contains necessary js files and css files to render the HTML content later.

So, if I run a gobuster or dirb against the app, it responds with the same message to every request such that the tools cannot understand whether there exist actually a page or not.

What is the solution to this? Couldn't find anything in the documentation of these tools. Any workaround?

Anonymous Platypus
  • 1,392
  • 3
  • 18
  • 33
  • Looks like gobuster can't do that. I know it sucks, but I could not find any option in gobuster that actually looks at the content of the response and not just the header. –  Feb 11 '20 at 10:22
  • use burp intruder along with the grep option in it. – yeah_well Feb 11 '20 at 11:10
  • @VipulNair I don't think that makes much difference since there is literally no difference between the response data of an existing page and non existing page. The redirection is initiated by the JS file which is loaded in the script inside the HTML. – Anonymous Platypus Feb 11 '20 at 13:29
  • There is a follow redirection option too i guess – yeah_well Feb 11 '20 at 14:01
  • @VipulNair This is not a redirection. The HTML is static which contains a script tag and JS is loaded in it. Then depending on the response of API, required HTML is dynamically rendered by that JS script – Anonymous Platypus Feb 11 '20 at 14:03
  • 1
    you need to run the web page, not just load its bits. look into puppeteer. – dandavis Feb 11 '20 at 17:59

0 Answers0