
Add exclude-hostname-length flag to dynamically adjust exclude-length #530


Merged
merged 1 commit into from
Jul 6, 2025

Conversation

@0xyy66 0xyy66 commented Oct 3, 2024

This PR introduces the --exclude-hostname-length flag for the vhost option to Gobuster, allowing users to dynamically adjust the exclude-length value based on the length of the hostname (fuzzing word) in the response. This feature is useful for cases where webservers return the subdomain or hostname in the response, causing the response length to vary.

Key Changes:

  • New vhost flag `--exclude-hostname-length`
  • Simple change in exclude length control logic: `if (found && !v.options.ExcludeLengthParsed.Contains(int(size)-wordLength))` (subtracts the hostname length from the returned size, always matching the static size entered by the user)

PoC

In the following screenshot, the response size is variable because of the subdomain included in the response. The problem could be bypassed by submitting a range but it would be less precise.

[Screenshot: gobuster_no_hostname_exclude]

By submitting the static size to --exclude-length (283 in this case) and the --exclude-hostname-length flag, Gobuster skips all the previous false positives.

[Screenshot: gobuster_hostname_exclude]
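The effect of the check described above, as an added example that is not code from this PR or from Gobuster. The type and function names, the `example.test` hostnames and the response sizes are constructed, and it assumes the length subtracted is that of the full candidate hostname.

```go
package main

import "fmt"

// response is a constructed sample: a candidate hostname and the body size
// the server returned for it.
type response struct {
	host string
	size int
}

// keep reports whether a result should be shown. excluded holds the static
// sizes supplied by the user; when subtractHost is true, the candidate
// hostname length is removed from the size before the lookup.
func keep(r response, excluded map[int]bool, subtractHost bool) bool {
	size := r.size
	if subtractHost {
		size -= len(r.host) // assumption: full hostname length is subtracted
	}
	return !excluded[size]
}

// filter returns the hostnames that survive the exclude-length check.
func filter(rs []response, excluded map[int]bool, subtractHost bool) []string {
	var out []string
	for _, r := range rs {
		if keep(r, excluded, subtractHost) {
			out = append(out, r.host)
		}
	}
	return out
}

// sampleResponses builds constructed data: a 283-byte default page that
// reflects the requested hostname, plus one vhost with unrelated content.
func sampleResponses() []response {
	const base = 283
	var rs []response
	for _, h := range []string{"a.example.test", "admin.example.test", "staging.example.test"} {
		rs = append(rs, response{h, base + len(h)})
	}
	return append(rs, response{"portal.example.test", 5120})
}

func main() {
	excluded := map[int]bool{283: true}
	fmt.Println("static size only:    ", filter(sampleResponses(), excluded, false))
	fmt.Println("hostname subtracted: ", filter(sampleResponses(), excluded, true))
}
```

With the static size alone, all four hosts are reported because none of the reflected pages is exactly 283 bytes; with the subtraction, only the host whose content differs remains.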

@firefart
Collaborator

firefart commented Jul 1, 2025

@0xyy66 Could you please rebase the PR? Thanks!

@firefart firefart changed the base branch from master to dev July 1, 2025 22:11
@0xyy66
Author

0xyy66 commented Jul 2, 2025

@firefart Absolutely! I'll handle it in the next few days. Thanks!

@0xyy66
Author

0xyy66 commented Jul 6, 2025

@firefart Should be all set now. Let me know if I missed anything!

@firefart firefart merged commit ba0a2f7 into OJ:dev Jul 6, 2025
4 of 5 checks passed
@firefart
Collaborator

firefart commented Jul 6, 2025

Thanks! Will be included in the next release.
