Regular brute scan with user wordlist still sends POST/PUT requests?
kinguardo opened this issue · comments
After going through the docs and using the tool for a little over a month, here is the way I understood it:
`kr scan` is meant to uncover API endpoints, and it specifically sends requests with additional headers (API keys, etc.) as well as with a POST/PUT method depending on the path. This information, whether to send a POST/PUT or GET request as well as which headers to use per path, is defined inside of the `routes-small` and `routes-large` files exclusively, whether in `.json` format or `.kite` format.
But to my surprise, `kr brute`, which is labeled as "Bruteforce like normal", for some reason also sends POST/PUT requests, even if the wordlist is provided by the user and has no relation to `routes-small` or `routes-large` whatsoever.
Could anyone clarify this?