allow to exclude status codes

Author: firefart

README.md

@@ -35,6 +35,7 @@ All funds that are donated to this project will be donated to charity. A full lo
 - the version command now also shows some build variables for more info
 - switched to another pkcs12 library to support p12s generated with openssl3 that use SHA256 HMAC
 - comments in wordlists (strings starting with #) are no longer ignored
+- allow to exclude status code in vhost mode
 
 ## 3.6
 

cli/vhost/vhost.go

@@ -25,7 +25,8 @@ func getFlags() []cli.Flag {
 	flags = append(flags, internalcli.GlobalOptions()...)
 	flags = append(flags, []cli.Flag{
 		&cli.BoolFlag{Name: "append-domain", Aliases: []string{"ad"}, Value: false, Usage: "Append main domain from URL to words from wordlist. Otherwise the fully qualified domains need to be specified in the wordlist."},
-		&cli.StringFlag{Name: "exclude-length", Aliases: []string{"xl"}, Usage: "exclude the following content lengths (completely ignores the status). You can separate multiple lengths by comma and it also supports ranges like 203-206"},
+		&cli.StringFlag{Name: "exclude-length", Aliases: []string{"xl"}, Usage: "exclude the following content lengths. You can separate multiple lengths by comma and it also supports ranges like 203-206"},
+		&cli.StringFlag{Name: "exclude-status", Aliases: []string{"xs"}, Usage: "exclude the following status codes. Can also handle ranges like 200,300-400,404.", Value: ""},
 		&cli.StringFlag{Name: "domain", Aliases: []string{"do"}, Usage: "the domain to append when using an IP address as URL. If left empty and you specify a domain based URL the hostname from the URL is extracted"},
 	}...)
 
@@ -49,6 +50,13 @@ func run(c *cli.Context) error {
 	}
 	pluginOpts.ExcludeLengthParsed = ret
 
+	pluginOpts.ExcludeStatus = c.String("exclude-status")
+	ret2, err := libgobuster.ParseCommaSeparatedInt(pluginOpts.ExcludeStatus)
+	if err != nil {
+		return fmt.Errorf("invalid value for exclude-status: %w", err)
+	}
+	pluginOpts.ExcludeStatusParsed = ret2
+
 	pluginOpts.Domain = c.String("domain")
 
 	globalOpts, err := internalcli.ParseGlobalOptions(c)

gobustervhost/gobustervhost.go

@@ -183,7 +183,7 @@ func (v *GobusterVhost) ProcessWord(ctx context.Context, word string, progress *
 	// subdomain must not match default vhost and non existent vhost
 	// or verbose mode is enabled
 	found := body != nil && !bytes.Equal(body, v.normalBody) && !bytes.Equal(body, v.abnormalBody)
-	if found && !v.options.ExcludeLengthParsed.Contains(int(size)) {
+	if found && !v.options.ExcludeLengthParsed.Contains(int(size)) && !v.options.ExcludeStatusParsed.Contains(statusCode) {
 		progress.ResultChan <- Result{
 			Vhost:      subdomain,
 			StatusCode: statusCode,

gobustervhost/options.go

@@ -10,12 +10,15 @@ type OptionsVhost struct {
 	AppendDomain        bool
 	ExcludeLength       string
 	ExcludeLengthParsed libgobuster.Set[int]
+	ExcludeStatus       string
+	ExcludeStatusParsed libgobuster.Set[int]
 	Domain              string
 }
 
 // NewOptions returns a new initialized OptionsVhost
 func NewOptions() *OptionsVhost {
 	return &OptionsVhost{
 		ExcludeLengthParsed: libgobuster.NewSet[int](),
+		ExcludeStatusParsed: libgobuster.NewSet[int](),
 	}
 }