
When performing -mode clusterbomb getting Context canceled errors (-debug-log option) #783

Open
CustosClarus opened this issue May 9, 2024 · 5 comments

Comments

@CustosClarus

CustosClarus commented May 9, 2024

I'm on Kali 6.6.9-1kali1
and using ffuf Fuzz Faster U Fool - v2.1.0-dev

My command

ffuf -request pasta.txt -request-proto https -mode clusterbomb -w 10k-most-common.txt -w finalnames.txt:FUZZUSER -fc 401 -debug-log errors6.txt

output of error.log

2024/05/10 00:49:16 Post "https://1.2.3.4/mail/?_task=login": context canceled
2024/05/10 00:49:16 Post "https://1.2.3.4/mail/?_task=login": context canceled
....

Is this due to some rate-limiting? I tried on other sites but I'm getting the same error. On the main site, if I browse manually and enter wrong passwords 4 times in a row, I get an error of 'invalid attempts exceeded'. I don't know if this is what the error rate shows here; it's hard to tell, please guide me.

@MasoudAbdaal

I have the same issue
OS: Windows 10
ffuf: v2.1.0

 ffuf.exe -X GET -request-proto http -u "http://grandresort.challs.open.ecsc2024.it/W1" -w "D:\Dev\SecLists\Discovery\Web-Content\common.txt:W1"
2024/05/15 00:01:20 Get "http://grandresort.challs.open.ecsc2024.it/credentials": context canceled
2024/05/15 00:01:20 Get "http://grandresort.challs.open.ecsc2024.it/counters": context canceled

@CustosClarus
Author

This is an error that can be ignored; this is a rate-limiting thing that is applied. If you want more information, just privately message me and I can troubleshoot with you.

@MasoudAbdaal

> This is an error that can be ignored; this is a rate-limiting thing that is applied. If you want more information, just privately message me and I can troubleshoot with you.

Thank you so much, Custos
Finally, I captured traffic and found out that requests were sent to the target, but I did not catch their results in my logs/results;
the reason was the default match/filter which ffuf applies to its requests.
After using -mc all I could see all my requests.

Thank you

@CustosClarus
Author

This is strange, without any filter the default behavior should be that it returns all matches...

@joohoi
Member

joohoi commented May 20, 2024

> This is strange, without any filter the default behavior should be that it returns all matches...

Default setting for ffuf is to match "commonly interesting" responses based on HTTP spec, as it's the most common use case for the tool. You can modify this value in your ffuf configuration file if you want to match all as default behavior instead.

Ffuf will tell you the default values in help text (ffuf -h) as well as the active values in the banner that gets printed when you start a run.
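The answer above covers the matcher side; the `context canceled` lines from the original report are a different thing, and worth separating from server-side rate limiting. In Go's net/http (which ffuf is written in) that text is produced only when the client's own request context is cancelled, never by anything the server sends back. The following is an added example, not ffuf code and not from anyone in this thread; it uses two constructed local test servers and shows both situations side by side:

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// doRequest issues a GET bound to ctx and returns the status code, or the transport error.
func doRequest(ctx context.Context, url string) (int, error) {
	req, _ := http.NewRequestWithContext(ctx, http.MethodGet, url, nil) // url is ours, cannot fail
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// CancelledRequest: constructed slow target; the client cancels its own context mid-flight.
// The resulting error is the one from the log above: `Get "...": context canceled`.
func CancelledRequest() error {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		time.Sleep(300 * time.Millisecond) // slower than the cancel below
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()
	ctx, cancel := context.WithCancel(context.Background())
	go func() { time.Sleep(20 * time.Millisecond); cancel() }()
	_, err := doRequest(ctx, srv.URL)
	return err
}

// RateLimitedRequest: constructed target that enforces a server-side limit with HTTP 429.
// No transport error occurs; the 429 is a normal response for ffuf's matchers/filters to judge.
func RateLimitedRequest() (int, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusTooManyRequests)
	}))
	defer srv.Close()
	return doRequest(context.Background(), srv.URL)
}

func main() {
	fmt.Println("client-side cancel:", CancelledRequest())
	status, err := RateLimitedRequest()
	fmt.Println("server-side limit:", status, err)
}
```

A server-side limit therefore shows up as a status code (here 429, on the reporter's target a login-lockout page) that the default matcher may silently drop, whereas `context canceled` means the fuzzer itself gave up on the request, for example when the run is stopped or a run-time limit is hit.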
