Description
I noticed that without the --discover-backup flag, I had 800k requests lined up in the progress bar, but with the --discover-backup option, I had ~6 million. Reading the help text, it says that backup files are only enumerated if a file is found. Given that, wouldn't it make sense to display only the 800k requests in the progress bar, and update the amount of requests when files get found?
I'm using Kali's version of gobuster.
└─$ gobuster version
3.1.0
I initially thought the progress bar would maybe jump to 100% when all 800k requests have been completed without a single found file.
However, after playing around with it, it seems the help text is wrong. --discover-backup will search for files even if they haven't been found.
Proof: (look at the time stamps and how long it took to run the scans - 3 seconds vs 20 seconds)
┌──(x90slide㉿kali)-[~/…/jeeves/testing/autorecon/scans]
└─$ gobuster dir -u http://jeeves.htb:80/ -w /tmp/small.txt --discover-backup --no-tls-validation --status-codes "200,204,301,302,307,403,500" | tee "/tmp/tcp_80_http_gobuster_words_combined.txt"
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://jeeves.htb:80/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /tmp/small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/06/17 18:25:38 Starting gobuster in directory enumeration mode
===============================================================
===============================================================
2021/06/17 18:25:58 Finished
===============================================================
┌──(x90slide㉿kali)-[~/…/jeeves/testing/autorecon/scans]
└─$ gobuster dir -u http://jeeves.htb:80/ -w /tmp/small.txt --no-tls-validation --status-codes "200,204,301,302,307,403,500" | tee "/tmp/tcp_80_http_gobuster_words_combined.txt"
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://jeeves.htb:80/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /tmp/small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/06/17 18:26:12 Starting gobuster in directory enumeration mode
===============================================================
===============================================================
2021/06/17 18:26:15 Finished
===============================================================
The help entry says:
-d, --discover-backup Upon finding a file search for backup files
Given that not a single file was found, I would have expected the directory enumeration to take the same amount of time on both occasions.