I tried to understand the reason why I need to filter for the size when I fuzz for vhosts. Unfortunately the description does not help me to understand the reason.
Why do I need to filter for the size?
Why would a webserver respond with 200 when the vhost does not exist, or does this webserver do a fallback to the “default” page and the shown size is the size of the default page?
    # Ensure that Apache listens on port 80
    Listen 80
    <VirtualHost *:80>
        DocumentRoot "/www/example1"
        ServerName www.example.com
        # Other directives here
    </VirtualHost>
    <VirtualHost *:80>
        DocumentRoot "/www/example2"
        ServerName www.example.org
        # Other directives here
    </VirtualHost>
Due to the fact that the virtual host with ServerName www.example.com is first in the configuration file, it has the highest priority and can be seen as the default or primary server. That means that if a request is received that does not match one of the specified ServerName directives, it will be served by this first <VirtualHost>.
As far as I understand, the assumption “does this webserver do a fallback to the “default” page and the shown size is the size of the default page?” would be right in most cases.
Thank you for the detailed description. This was also my assumption. But what makes no sense and brought me to the question is why I am not able to connect to those websites via browser, because if I receive a 200 via ffuf I should at least see an empty page, but I was not able to see this.
Furthermore, why is it necessary to add an /etc/hosts entry? I know and understand the reason for /etc/hosts, but if I am not completely wrong it should not be necessary to add the entry.
I think I understand what is confusing you. What ffuf does to get 200 responses is send the request to the IP, including a Host header with the name of the virtual host it tries to access. You can do the same test using curl:
The reason you are not able to access it via browser is that you request the domain name, and if the browser is not able to resolve it (either using your /etc/hosts or via DNS) it simply doesn't know which IP to send it to.
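The fallback behaviour discussed in this thread, as an added example that is not part of any post above: a local stand-in server on 127.0.0.1 answers every unknown Host header with its default site, so the status is always 200 and only the response size separates a distinct vhost from the fallback. The server, the page bodies and the helper names `probe` and `run_demo` are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the two-vhost config quoted in the thread.
VHOSTS = {
    "www.example.com": b"<h1>default site (example1)</h1>",
    "www.example.org": b"<h1>second site (example2), different content</h1>",
}
DEFAULT = "www.example.com"  # first vhost in the config acts as the default

class VhostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = VHOSTS.get(host, VHOSTS[DEFAULT])  # unknown name -> default vhost
        self.send_response(200)                   # always 200, even for unknown names
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def probe(port, host_header):
    """Connect by IP and choose the vhost purely through the Host header."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers={"Host": host_header})
    resp = conn.getresponse()
    size = len(resp.read())
    conn.close()
    return resp.status, size

def run_demo(names):
    server = HTTPServer(("127.0.0.1", 0), VhostHandler)  # port 0 = any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        # A name that cannot exist gives the size of the fallback page.
        baseline = probe(port, "does-not-exist.invalid")
        results = {name: probe(port, name) for name in names}
    finally:
        server.shutdown()
        server.server_close()
    # Keep only names whose response size differs from the fallback.
    distinct = [n for n, (_, size) in results.items() if size != baseline[1]]
    return baseline, results, distinct

if __name__ == "__main__":
    print(run_demo(["www.example.com", "www.example.org", "admin.example.com"]))
```

The default vhost's own name has the same size as the baseline, so a size filter hides it along with the non-existent names.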