ArthurMuraro changed the title from "[BUG] Information disclosure of custom headers when cheking for last feroxbuster version :" to "[BUG] Information disclosure of custom headers when checking for last feroxbuster version :" on Jun 26, 2024
Describe the bug
Feroxbuster passes the user's custom headers to requests when checking if Feroxbuster is the latest version. This could lead to sensitive information disclosure, as cookies, JWTs, or HTTP auth tokens might be passed during fuzzing.
To Reproduce
Steps to reproduce the behavior:
feroxbuster -u https://SuperSecretWebsite.com/ -w <(echo "Henlo :3") -H "Authorization: Basic SuperSecretPassword\!" --proxy 127.0.0.1:8080 -k
Then, in the proxy, open the request to api.github.com/repos/epi052/feroxbuster/releases/latest and look for the headers.
Expected behavior
Please, is it possible to remove the custom headers in all requests that are not in scope?
Environment (please complete the following information):
Bug Proof
![image](https://private-user-images.githubusercontent.com/73059809/343093864-1a83c5cc-36ff-4934-b61b-8b14c3a3e971.png)
PS : Luv your tool <3
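The fix the report asks for is a scoping rule: headers supplied with `-H` belong to the scan target and must not ride along on ancillary requests such as the update check. The following is an added illustration of that rule, not feroxbuster's own code; the `HeaderPolicy` type, the `host_of` helper, the `example-scanner/0.0` user agent and the cookie value are all constructed for this example, and the URL parser is deliberately minimal (no IPv6 literals or userinfo).

```rust
// Added example (not feroxbuster's code): attach user-supplied headers only
// to requests for the scan target, so an update check against api.github.com
// never receives Authorization, Cookie or similar values.
use std::collections::BTreeMap;

/// Extract the host (lower-cased, port stripped) from an absolute URL.
/// Minimal parser for "scheme://host[:port][/path]"; IPv6 literals and
/// userinfo are not handled, which is enough for this illustration.
pub fn host_of(url: &str) -> Option<String> {
    let (_, rest) = url.split_once("://")?;
    let authority = rest.split(|c| c == '/' || c == '?' || c == '#').next()?;
    let host = authority.rsplit_once(':').map_or(authority, |(h, _)| h);
    if host.is_empty() {
        return None;
    }
    Some(host.to_ascii_lowercase())
}

/// Scoping policy: custom headers are sent only to the target host.
#[derive(Debug, Clone)]
pub struct HeaderPolicy {
    target_host: String,
    custom: BTreeMap<String, String>,
}

impl HeaderPolicy {
    /// `target_url` is the `-u` value; `custom` holds the `-H "Name: value"` pairs.
    pub fn new(target_url: &str, custom: &[(&str, &str)]) -> Option<Self> {
        let target_host = host_of(target_url)?;
        let custom = custom
            .iter()
            .map(|(k, v)| (k.to_string(), v.to_string()))
            .collect();
        Some(Self { target_host, custom })
    }

    /// A request is in scope when its host equals the target host.
    pub fn in_scope(&self, url: &str) -> bool {
        host_of(url).as_deref() == Some(self.target_host.as_str())
    }

    /// Headers to attach to a request for `url`: every request gets the
    /// scanner's User-Agent, only in-scope requests get the user's headers.
    pub fn headers_for(&self, url: &str) -> BTreeMap<String, String> {
        let mut out = BTreeMap::new();
        out.insert("User-Agent".to_string(), "example-scanner/0.0".to_string());
        if self.in_scope(url) {
            out.extend(self.custom.iter().map(|(k, v)| (k.clone(), v.clone())));
        }
        out
    }

    /// Names of the custom headers an unscoped client would have sent to
    /// `url`; empty when `url` is the target itself. Useful as a regression
    /// check that out-of-scope requests carry nothing user-supplied.
    pub fn leaked_without_scoping(&self, url: &str) -> Vec<String> {
        if self.in_scope(url) {
            Vec::new()
        } else {
            self.custom.keys().cloned().collect()
        }
    }
}

fn main() {
    // Constructed values mirroring the report's command line.
    let policy = HeaderPolicy::new(
        "https://SuperSecretWebsite.com/",
        &[
            ("Authorization", "Basic SuperSecretPassword!"),
            ("Cookie", "session=constructed-example"),
        ],
    )
    .expect("target URL must be absolute");
    let update_url = "https://api.github.com/repos/epi052/feroxbuster/releases/latest";
    println!("headers for update check: {:?}", policy.headers_for(update_url));
    println!("would have leaked unscoped: {:?}", policy.leaked_without_scoping(update_url));
}
```

Host comparison is exact and case-insensitive; a scanner that follows redirects or scans several hosts would extend the allow-list rather than relax the check, and a proxy capture of the update request with only `User-Agent` present is the simplest confirmation that the scoping works.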