Describe the bug
This is clearly an edge case, seemingly not yet discovered.
My current suspicion is that rustls seems to not honor if --insecure cert or if TLS versions | cipher suites mismatch.
To Reproduce
- feroxbuster docker image
- transparent proxy to burpsuite with burpsuite certificate installed (works perfectly with curl, wget & other tools)
- the site to scan
- -> --insecure cert/TLS version/cipher suite mismatch (happens only on some sites where those mismatch)
Expected behavior
A more descriptive output why the handshake/connection failed -> currently most likely culprit being rustls having issues with --insecure/handling of the certificate provided (which should be ignored due to --insecure)
Traceback / Error Output
Not verbose:
Could not connect to https://example.site/, skipping... => error sending request for url (https://example.site/)
ERROR: Could not connect to any target provided
Verbose:
WRN 0.377 feroxbuster::utils Error while making request: error sending request for url (https://example.site/)
WRN 0.377 feroxbuster::utils err: error sending request for url (https://example.site/)
Could not connect to https://example.site/, skipping... => error sending request for url (https://example.site/)
WRN 0.377 feroxbuster::heuristics error sending request for url (https://example.site/)
INF 0.377 feroxbuster All scans complete!
INF 0.377 feroxbuster::event_handlers::statistics Stats { kind: "statistics", timeouts: 0, requests: 2, expected_per_scan: 0, total_expected: 0, errors: 1, successes: 1, redirects: 0, client_errors: 0, server_errors: 0, total_scans: 0, initial_targets: 0, links_extracted: 0, extensions_collected: 0, status_200s: 1, status_301s: 0, status_302s: 0, status_401s: 0, status_403s: 0, status_429s: 0, status_500s: 0, status_503s: 0, status_504s: 0, status_508s: 0, wildcards_filtered: 0, responses_filtered: 0, resources_discovered: 0, url_format_errors: 0, redirection_errors: 0, connection_errors: 0, request_errors: 1, certificate_errors: 0, directory_scan_times: Mutex { data: [], poisoned: false, .. }, total_runtime: Mutex { data: [ 0.0, ], poisoned: false, .. }, json: false, targets: Mutex { data: [ "https://example.site/", ], poisoned: false, .. }, }
Environment (please complete the following information):
- feroxbuster version: feroxbuster/2.13.0
- docker
Additional context
There are some sites I tested, that work correctly & some sites don't -> it's currently quite difficult to better troubleshoot & the most likely culprits/differences are listed above (but ofc, maybe there is something I've overlooked) -> If this is generally already known or can't feasibly be fixed, please let me know, so I can build a workaround 👍
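An added illustration, not part of the original report and not feroxbuster's code: the log above shows only the top-level message, and the kind of descriptive output requested under "Expected behavior" can be produced by walking the standard `Error::source()` chain. `RequestFailure`, `TlsFailure`, `describe_chain` and the TLS message are constructed stand-ins, assuming the HTTP client exposes its underlying cause through `source()`.

```rust
use std::error::Error;
use std::fmt;

// Constructed stand-in for a low-level TLS failure (not a real rustls type).
#[derive(Debug)]
struct TlsFailure(&'static str);

impl fmt::Display for TlsFailure {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "tls handshake failed: {}", self.0)
    }
}
impl Error for TlsFailure {}

// Constructed stand-in for the HTTP client's top-level error: Display carries
// only the generic message, the real cause is reachable through source().
#[derive(Debug)]
struct RequestFailure {
    url: String,
    cause: Box<dyn Error + 'static>,
}

impl fmt::Display for RequestFailure {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "error sending request for url ({})", self.url)
    }
}
impl Error for RequestFailure {
    fn source(&self) -> Option<&(dyn Error + 'static)> {
        Some(&*self.cause)
    }
}

/// Join an error and every cause beneath it into a single log line.
fn describe_chain(err: &(dyn Error + 'static)) -> String {
    let mut out = err.to_string();
    let mut cur = err.source();
    while let Some(cause) = cur {
        out.push_str(": ");
        out.push_str(&cause.to_string());
        cur = cause.source();
    }
    out
}

// Constructed sample error mirroring the message in the log above.
fn sample() -> RequestFailure {
    RequestFailure {
        url: "https://example.site/".to_string(),
        cause: Box::new(TlsFailure("no shared protocol version or cipher suite (constructed)")),
    }
}

fn main() {
    let err = sample();
    println!("display only: {}", err);
    println!("full chain:   {}", describe_chain(&err));
}
```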