[BUG] Information disclosure of custom headers when checking for last feroxbuster version :

[ArthurMuraro]

Describe the bug
Feroxbuster passes the user's custom headers to requests when checking if Feroxbuster is the latest version. This could lead to sensitive information disclosure, as cookies, JWTs, or HTTP auth tokens might be passed during fuzzing.

To Reproduce
Steps to reproduce the behavior:

1. Run : feroxbuster -u https://SuperSecretWebsite.com/ -w <(echo "Henlo :3") -H "Authorization: Basic SuperSecretPassword\!" --proxy 127.0.0.1:8080 -k
2. Check the request made to : api.github.com/repos/epi052/feroxbuster/releases/latest and look for headers

Expected behavior
Please, is it possible to remove the custom headers in all requests that are not in scope/

Environment (please complete the following information):

• feroxbuster version: 2.10.0
• OS : Arch linux 6.9.6-arch1-1

Bug Proof

PS : Luv your tool <3

[epi052]

thanks for this!

I thought we had removed headers from the version check already 😞

ill take a look

[epi052]

ok, i'm not crazy, lol. This was fixed in 2.10.2. If you grab 2.10.4 (or any release >= 2.10.2), you shouldn't see this issue.

closing for now. if the updated version doesn't fix it, please reopen

[ArthurMuraro]

Woops ! My bad !
Next time I'll check for the latest version 😉 .