Week 17 - GoBuster Tips
Last updated
It’s week 17 of the Web Hacking Series, and it’s on a Tuesday because May is off to a busy start over at Echelon Risk + Cyber! If you are involved in app sec, you probably have a preference among DirBuster, GoBuster and Dirb. My personal preference (and the correct answer :p) is GoBuster! One of my favorite things about GoBuster is how finely you can refine what the scan reports. Here are the options I find most useful:
-s "204,301,302,307,401,403" ==> Only show results with these status codes. GoBuster 3.x refuses to run with both -s and its default blacklist (-b 404) set, so pair this with -b "" to disable the blacklist.
-b "302" ==> Exclude 302 status codes. Setting -b replaces the default blacklist of 404, so use -b "302,404" if you still want 404s hidden.
--exclude-length 3571 ==> Exclude responses whose body is 3571 bytes long, regardless of status code (ranges such as 3500-3600 are accepted too).
-k ==> Skip TLS certificate verification, for targets with self-signed or otherwise untrusted certificates.
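As an added example (not from the original post, and not part of GoBuster itself), here is a small shell wrapper that ties these options together: it requests a few random, nonexistent paths, checks whether the server answers them all with the same body length, and if so passes that length to --exclude-length so the soft-404 page is filtered out. It assumes curl and gobuster are installed; the target URL, wordlist and the three-probe count are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): find a soft-404 page's fixed
# body length before a gobuster run and build the matching command line.
# Assumed inputs: a base URL and a wordlist path, passed as $1 and $2.

set -u

# Body length of one GET to $1, skipping TLS verification (the same
# trade-off as gobuster -k). Prints the byte count of the body only.
fetch_len() {
  curl -sk -o /dev/null -w '%{size_download}' "$1"
}

# Request $2 (default 3) random paths under $1 that almost certainly do
# not exist. If every response body has the same length, print it: that
# is the soft-404 length to exclude. If the lengths differ, print nothing,
# because the error page is dynamic and --exclude-length would not help.
soft404_length() {
  base=$1
  n=${2:-3}
  first=""
  i=0
  while [ "$i" -lt "$n" ]; do
    token=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    len=$(fetch_len "${base%/}/notthere-${i}-${token}")
    if [ -z "$first" ]; then
      first=$len
    elif [ "$len" != "$first" ]; then
      return 0          # dynamic error page: nothing printed
    fi
    i=$((i + 1))
  done
  printf '%s\n' "$first"
}

# Assemble the gobuster command line for the report / for copy and paste.
# Passing -b replaces gobuster's default blacklist of 404, so 404 has to
# be listed again next to 302 or every 404 would be shown.
build_cmd() {
  base=$1
  wordlist=$2
  excl=${3:-}
  cmd="gobuster dir -u $base -w $wordlist -k -b 302,404"
  if [ -n "$excl" ]; then
    cmd="$cmd --exclude-length $excl"
  fi
  printf '%s\n' "$cmd"
}

main() {
  base=$1
  wordlist=$2
  excl=$(soft404_length "$base" 3)
  if [ -n "$excl" ]; then
    printf 'Soft-404 detected: every probe returned %s bytes\n' "$excl"
  else
    printf 'No fixed-length soft-404 page found; running without --exclude-length\n'
  fi
  printf 'Running: %s\n' "$(build_cmd "$base" "$wordlist" "$excl")"
  # Run gobuster directly rather than eval-ing the string, so a URL or
  # path containing spaces cannot be re-parsed as extra arguments.
  gobuster dir -u "$base" -w "$wordlist" -k -b 302,404 \
    ${excl:+--exclude-length "$excl"}
}

if [ $# -ge 2 ]; then
  main "$1" "$2"
fi
```

Usage: `./soft404-gobuster.sh https://target.example/ /usr/share/wordlists/dirb/common.txt`. Three probes is a judgment call; a server that pads its error page with a random-length banner will still slip through, which is why the script falls back to a run without --exclude-length instead of guessing.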
--exclude-length is particularly useful for "soft 404s": a server that answers every nonexistent path with 200 OK and the same custom error page. Since the status code tells you nothing, filtering on the error page's fixed length is what separates real hits from noise. Know any other GoBuster tips & tricks? Share them in the comments below.