Would somebody be nice enough to explain to me how to install it on Kali? I tried to install it by git clone and the code, but it didn't install on my Kali machine.
I was playing a CTF (https://tryhackme.com/room/nahamstore) and was scanning a subdomain http://marketing.nahamstore.thm/ with the following command using the routes-large.kite file from the kiterunner GitHub page:
kr scan http://nahamstore.thm/ -w ../../kiterunner/routes-large.kite 2>&1 | tee marketingLargeKiteScan.log
The scan returned some endpoints with status code 200. However, when I replayed the attack and sent it to Burp, I received a 404.
I used this command to replay the attack:
kr kb replay -q --proxy=http://localhost:8080 -w ../../kiterunner/routes-large.kite "POST 200 [ 910, 125, 25] http://marketing.nahamstore.thm/09c2afcff60bb4dd3af7c5c5d74a482f/user/v1/add 0cf68b5253ddd70baf080aebf5430edb9f642f60"
Interestingly enough, in the CLI output it did talk about "response after redirects"; however, Burp doesn't seem to be redirected when I do the request and neither does my browser. On top of that, shouldn't kiterunner follow the redirect by default and return the correct status code?
I tried blacklisting redirects from the domain http://marketing.nahamstore.thm, however, this did not help.
Is this a bug or am I using the tool wrong?