
Week 17 - GoBuster Tips

GoBuster: Enumeration Tips

It’s week 17 of the Web Hacking Series, and it’s on a Tuesday because May is off to a busy start over at Echelon Risk + Cyber! If you are involved in app sec, you probably have a preference between DirBuster vs. GoBuster vs. Dirb. My personal preference (and the correct answer :p) is GoBuster! One of my favorite things about GoBuster is how precisely you can refine the scan with its filtering options. Here are the ones I find most useful in `gobuster dir`:

  • -s "204,301,302,307,401,403" ==> Only show results with these status codes (-s is --status-codes). On GoBuster 3.1 and later, pass -b "" next to it: the blacklist defaults to 404 and GoBuster refuses to run when both -s and -b are set.

  • -b "302" ==> Hide 302 responses (-b is --status-codes-blacklist; it takes precedence over -s)

  • --exclude-length 3571 ==> Drop every response whose body is 3571 bytes long, whatever its status code (newer releases also accept comma-separated values)

  • -k ==> Skip TLS certificate validation (-k is --no-tls-validation), needed for self-signed or otherwise untrusted certificates

The --exclude-length option is particularly useful against a "soft 404": a custom "not found" page that the server returns with 200 OK, so every miss in the wordlist shows up as a hit. Because that page is the same size every time, excluding its length filters the noise out. Find the length first by requesting a path that cannot exist (a random string works) and noting the Content-Length, then feed that value to --exclude-length. Know any other GoBuster tips & tricks? Share them in the comments below.
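The soft-404 workflow above, automated as an added example (this is not GoBuster's code or the post author's). It starts a small constructed HTTP server on loopback that answers 200 OK with a fixed "not found" page for every unknown path, probes a few random paths to confirm the status and length are stable, and then assembles the `gobuster dir` command line with `--exclude-length`, `-k`, and the `-s`/`-b ""` pairing that GoBuster 3.1+ requires. The wordlist path is an assumed placeholder; 200 is kept in the `-s` list here because the soft-404 page is filtered by length rather than by status.

```python
"""Fingerprint a soft-404 page and turn it into gobuster flags.
Added example for this post, not gobuster's code. The server below is a
constructed stand-in for a target whose "not found" page returns 200 OK."""
import random
import string
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed responses: unknown paths get a 200 "not found" page and only
# /admin/ is real. Both bodies have a stable size, which --exclude-length
# relies on.
NOT_FOUND_BODY = b"<html><body><h1>Sorry, that page does not exist</h1></body></html>"
ADMIN_BODY = b"<html><body><h1>Admin login</h1></body></html>"


class Soft404Handler(BaseHTTPRequestHandler):
    """Answers 200 for everything, like a misconfigured catch-all route."""

    def do_GET(self):
        body = ADMIN_BODY if self.path == "/admin/" else NOT_FOUND_BODY
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_soft404_server():
    """Start the constructed target on a random loopback port."""
    server = HTTPServer(("127.0.0.1", 0), Soft404Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 30x: gobuster reports them as-is, so we should too."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


# No proxy (so loopback is hit directly) and no redirect following.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}), _NoRedirect)


def fetch(url):
    """Return (status, body length) for one GET."""
    try:
        with _OPENER.open(url, timeout=5) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:  # 4xx/5xx and unfollowed 30x
        return err.code, len(err.read())


def random_path(length=12):
    """A path that cannot plausibly exist on the target."""
    alphabet = string.ascii_lowercase + string.digits
    return "/" + "".join(random.choice(alphabet) for _ in range(length))


def detect_soft404(base_url, probes=5):
    """Probe random paths. If every probe shares one non-404 status and
    length, return (status, length) as the wildcard signature, else None."""
    seen = {fetch(base_url + random_path()) for _ in range(probes)}
    if len(seen) != 1:
        return None  # lengths vary, so --exclude-length alone will not help
    status, length = seen.pop()
    return None if status == 404 else (status, length)


def gobuster_args(base_url, wordlist, signature):
    """Build the gobuster command line. -b "" is required on gobuster 3.1+
    because the default blacklist (404) conflicts with an explicit -s."""
    args = ["gobuster", "dir", "-u", base_url, "-w", wordlist, "-k",
            "-s", "200,204,301,302,307,401,403", "-b", ""]
    if signature is not None:
        args += ["--exclude-length", str(signature[1])]
    return args


def run_demo(wordlist="/usr/share/wordlists/dirb/common.txt"):
    """Start the constructed target, fingerprint it, build the command."""
    server, port = start_soft404_server()
    base = f"http://127.0.0.1:{port}"
    try:
        signature = detect_soft404(base)
        return signature, gobuster_args(base, wordlist, signature)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    sig, cmd = run_demo()  # wordlist path is an assumed placeholder
    print("soft-404 signature (status, length):", sig)
    print(" ".join(cmd))
```

If the probes come back with differing lengths (for example a page that echoes the requested path), `detect_soft404` returns None and no `--exclude-length` is emitted; in that situation filter on status or on a header instead, since a single length will not catch the noise.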