Forced browsing aims to enumerate and access resources that are not referenced by the web application, but are still accessible by an attacker.
feroxbuster uses brute force combined with a wordlist to search for unlinked content in target directories. These resources may store sensitive information about web applications and operational systems, such as source code, credentials, internal network addressing, etc.
In order to provide different levels of configuration, feroxbuster searches for a config file in the following locations:
/etc/feroxbuster/
CONFIG_DIR/feroxbuster/
The same directory as the feroxbuster executable
The user’s current working directory
CONFIG_DIR is defined as the following:
$XDG_CONFIG_HOME or $HOME/.config, i.e. /home/bob/.config
With no way of knowing which config location a user has chosen based on previous installs (all are simultaneously valid and have an order of precedence), I’m requesting auto-connect permission for the two narrowly scoped directories /etc/feroxbuster and /home/.config/feroxbuster.
Reading through the Process for aliases, auto-connections and tracks, it looks like the request needs a minimum of two votes to pass. Is that what we’re waiting on at this point?