
Feature Improvement: Recursion #726

Open
Sanduuz opened this issue Sep 18, 2023 · 0 comments
Labels
enhancement New feature or request


Sanduuz commented Sep 18, 2023

When fuzzing with the -recursion flag FFuF automatically starts fuzzing content under the found directories after iterating through the wordlist. FFuF does not automatically start fuzzing another host if the redirect is to another external host. This is a good feature so that one does not accidentally fuzz other targets without permissions.

However, this becomes a bit problematic when trying to discover contents from a VHOST.

An example:
Let's say I need to recursively fuzz all content from a VHOST http://subdomain.example.com. Since it's a VHOST, the subdomain.example.com DNS name does not resolve to any IP addresses, but the example.com part does.

I would start by running FFuF like this: ffuf -recursion -u http://example.com/FUZZ -w wordlist.txt -H "Host: subdomain.example.com"

Let's keep it simple and say that this scan succeeds and finds 1 directory: 'a'. Now what one would imagine is that FFuF would start fuzzing content under the 'a' directory. This does not happen, since the 'a' directory redirects to http://subdomain.example.com/a/, which is not directly under the example.com domain that was given as the target parameter. One could modify the target parameter to be subdomain.example.com, but as mentioned earlier, this would not resolve to any IP addresses, hence the scan would fail.

The recursion feature could be improved for example with the following steps:

  1. Check if a custom Host header is given as a parameter (with the -H flag).
  2. Check if the redirect returned by the host matches either the target host parameter domain, or the domain supplied with the -H flag.
  3. If the domain matches, continue fuzzing. Else do nothing.

Unfortunately I most likely don't have enough free time to implement this improvement, but feel free to ask questions or more details in case you are interested in implementing it :)
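The three-step check proposed above, written out as an added example in Go (ffuf's language). This is not ffuf's code and does not hook into its recursion handling; the function name `RecurseAllowed`, the helper `hostFromHeader`, and the sample URLs are assumptions made for the example. A redirect is considered in scope only when its host equals the host of the -u target or the host given in a -H "Host: ..." header; relative Location values are resolved against the target URL, so they stay on the original host. Scheme and port are deliberately not compared, matching the issue's domain-only wording.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// hostFromHeader returns the lower-cased host name from a header value such as
// "Host: subdomain.example.com" or "Host: subdomain.example.com:8080".
// An empty string means no custom Host header was supplied.
// (Assumption: IPv6 literals in the Host header are not handled here.)
func hostFromHeader(headerValue string) string {
	v := strings.TrimSpace(headerValue)
	if strings.HasPrefix(strings.ToLower(v), "host:") {
		v = strings.TrimSpace(v[len("host:"):])
	}
	// Drop an optional ":port" suffix; only the domain is compared.
	if h, _, ok := strings.Cut(v, ":"); ok && h != "" {
		return strings.ToLower(h)
	}
	return strings.ToLower(v)
}

// RecurseAllowed implements the proposed check: it reports whether a redirect
// Location is within the scope defined by the -u target URL and an optional
// -H "Host: ..." header. Anything pointing at another host is out of scope.
func RecurseAllowed(target, hostHeader, location string) (bool, error) {
	base, err := url.Parse(target)
	if err != nil {
		return false, fmt.Errorf("bad target url: %w", err)
	}
	loc, err := url.Parse(location)
	if err != nil {
		return false, fmt.Errorf("bad redirect location: %w", err)
	}
	// Relative redirects ("/a/") resolve to the target host; absolute and
	// protocol-relative ("//other.example.net/") ones keep their own host.
	resolved := base.ResolveReference(loc)
	redirectHost := strings.ToLower(resolved.Hostname())
	if redirectHost == "" {
		return false, nil
	}

	// Step 1 and 2: build the set of hosts that count as "the target".
	allowed := map[string]bool{strings.ToLower(base.Hostname()): true}
	if h := hostFromHeader(hostHeader); h != "" {
		allowed[h] = true
	}

	// Step 3: recurse only when the redirect host is one of them.
	return allowed[redirectHost], nil
}

func main() {
	// Constructed sample inputs mirroring the scenario in the issue.
	cases := []struct{ target, host, location string }{
		{"http://example.com/FUZZ", "Host: subdomain.example.com", "http://subdomain.example.com/a/"},
		{"http://example.com/FUZZ", "", "http://subdomain.example.com/a/"},
		{"http://example.com/FUZZ", "Host: subdomain.example.com", "/a/"},
		{"http://example.com/FUZZ", "Host: subdomain.example.com", "//other.example.net/a/"},
	}
	for _, c := range cases {
		ok, err := RecurseAllowed(c.target, c.host, c.location)
		fmt.Printf("target=%s host=%q location=%s -> recurse=%v err=%v\n",
			c.target, c.host, c.location, ok, err)
	}
}
```

With the Host header present, the vhost redirect from the issue is treated as in scope, while the same redirect without the header, or a redirect to any unrelated host, is not, which keeps the original safety property of never following recursion onto a host the user did not name.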

@joohoi joohoi added the enhancement New feature or request label Sep 19, 2023