mirror of
https://github.com/ffuf/ffuf
synced 2024-11-10 06:04:17 +00:00
Clean up README.md and add CONTRIBUTORS.md (#128)
This commit is contained in:
Joona Hoikkala
GitHub
parent
7032f0eb47
commit
fef5f0c78f
4 changed files with 99 additions and 101 deletions
72
CHANGELOG.md
Normal file
72
CHANGELOG.md
Normal file
|
|
@ -0,0 +1,72 @@
|
|||
## Changelog
|
||||
|
||||
- master
|
||||
- New
|
||||
- New CLI flag `-od` (output directory) to enable writing requests and responses for matched results to a file for postprocessing or debugging purposes.
|
||||
- New CLI flag `-maxtime` to limit the running time of ffuf
|
||||
- Changed
|
||||
- Limit the use of `-e` (extensions) to a single keyword: FUZZ
|
||||
- Regexp matching and filtering (-mr/-fr) allow using keywords in patterns
|
||||
- Take 429 responses into account when -sa (stop on all error cases) is used
|
||||
|
||||
- v0.12
|
||||
- New
|
||||
- Added a new flag to select a multi wordlist operation mode: `--mode`, possible values: `clusterbomb` and `pitchfork`.
|
||||
- Added a new output file format eJSON, for always base64 encoding the input data.
|
||||
- Redirect location is always shown in the output files (when using `-o`)
|
||||
- Full URL is always shown in the output files (when using `-o`)
|
||||
- HTML output format got [DataTables](https://datatables.net/) support allowing realtime searches, sorting by column etc.
|
||||
- New CLI flag `-v` for verbose output. Including full URL, and redirect location.
|
||||
- SIGTERM monitoring, in order to catch keyboard interrupts an such, to be able to write `-o` files before exiting.
|
||||
- Changed
|
||||
- Fixed a bug in the default multi wordlist mode
|
||||
- Fixed JSON output regression, where all the input data was always encoded in base64
|
||||
- `--debug-log` no correctly logs connection errors
|
||||
- Removed `-l` flag in favor of `-v`
|
||||
- More verbose information in banner shown in startup.
|
||||
|
||||
- v0.11
|
||||
- New
|
||||
|
||||
- New CLI flag: -l, shows target location of redirect responses
|
||||
- New CLI flac: -acc, custom auto-calibration strings
|
||||
- New CLI flag: -debug-log, writes the debug logging to the specified file.
|
||||
- New CLI flags -ml and -fl, filters/matches line count in response
|
||||
- Ability to use multiple wordlists / keywords by defining multiple -w command line flags. The if no keyword is defined, the default is FUZZ to keep backwards compatibility. Example: `-w "wordlists/custom.txt:CUSTOM" -H "RandomHeader: CUSTOM"`.
|
||||
|
||||
- Changed
|
||||
- New CLI flag: -i, dummy flag that does nothing. for compatibility with copy as curl.
|
||||
- New CLI flag: -b/--cookie, cookie data for compatibility with copy as curl.
|
||||
- New Output format are available: HTML and Markdown table.
|
||||
- New CLI flag: -l, shows target location of redirect responses
|
||||
- Filtering and matching by status code, response size or word count now allow using ranges in addition to single values
|
||||
- The internal logging information to be discarded, and can be written to a file with the new `-debug-log` flag.
|
||||
|
||||
- v0.10
|
||||
- New
|
||||
- New CLI flag: -ac to autocalibrate response size and word filters based on few preset URLs.
|
||||
- New CLI flag: -timeout to specify custom timeouts for all HTTP requests.
|
||||
- New CLI flag: --data for compatibility with copy as curl functionality of browsers.
|
||||
- New CLI flag: --compressed, dummy flag that does nothing. for compatibility with copy as curl.
|
||||
- New CLI flags: --input-cmd, and --input-num to handle input generation using external commands. Mutators for example. Environment variable FFUF_NUM will be updated on every call of the command.
|
||||
- When --input-cmd is used, display position instead of the payload in results. The output file (of all formats) will include the payload in addition to the position however.
|
||||
|
||||
- Changed
|
||||
- Wordlist can also be read from standard input
|
||||
- Defining -d or --data implies POST method if -X doesn't set it to something else than GET
|
||||
|
||||
- v0.9
|
||||
- New
|
||||
- New output file formats: CSV and eCSV (CSV with base64 encoded input field to avoid CSV breakage with payloads containing a comma)
|
||||
- New CLI flag to follow redirects
|
||||
- Erroring connections will be retried once
|
||||
- Error counter in status bar
|
||||
- New CLI flags: -se (stop on spurious errors) and -sa (stop on all errors, implies -se and -sf)
|
||||
- New CLI flags: -e to provide a list of extensions to add to wordlist entries, and -D to provide DirSearch wordlist format compatibility.
|
||||
- Wildcard option for response status code matcher.
|
||||
- v0.8
|
||||
- New
|
||||
- New CLI flag to write output to a file in JSON format
|
||||
- New CLI flag to stop on spurious 403 responses
|
||||
- Changed
|
||||
- Regex matching / filtering now matches the headers alongside of the response body
|
||||
16
CONTRIBUTORS.md
Normal file
16
CONTRIBUTORS.md
Normal file
|
|
@ -0,0 +1,16 @@
|
|||
# Contributors
|
||||
|
||||
* [ccsplit](https://github.com/ccsplit)
|
||||
* [delic](https://github.com/delic)
|
||||
* [eur0pa](https://github.com/eur0pa)
|
||||
* [fang0654](https://github.com/fang0654)
|
||||
* [JamTookTheBait](https://github.com/JamTookTheBait)
|
||||
* [joohoi](https://github.com/joohoi)
|
||||
* [jvesiluoma](https://github.com/jvesiluoma)
|
||||
* [lc](https://github.com/lc)
|
||||
* [nnwakelam](https://twitter.com/nnwakelam)
|
||||
* [oh6hay](https://github.com/oh6hay)
|
||||
* [putsi](https://github.com/putsi)
|
||||
* [SakiiR](https://github.com/SakiiR)
|
||||
* [seblw](https://github.com/seblw)
|
||||
* [SolomonSklash](https://github.com/SolomonSklash)
|
||||
2
LICENSE
2
LICENSE
|
|
@ -1,6 +1,6 @@
|
|||
MIT License
|
||||
|
||||
Copyright (c) 2018 Joona Hoikkala
|
||||
Copyright (c) 2020 Joona Hoikkala
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
|
|
|
|||
110
README.md
110
README.md
|
|
@ -11,17 +11,15 @@
|
|||
|
||||
A fast web fuzzer written in Go.
|
||||
|
||||
Heavily inspired by the great projects [gobuster](https://github.com/OJ/gobuster) and [wfuzz](https://github.com/xmendez/wfuzz).
|
||||
## Installation
|
||||
|
||||
## Features
|
||||
- [Download](https://github.com/ffuf/ffuf/releases/latest) a prebuilt binary from [releases page](https://github.com/ffuf/ffuf/releases/latest), unpack and run!
|
||||
or
|
||||
- If you have go compiler installed: `go get github.com/ffuf/ffuf`
|
||||
|
||||
- Fast!
|
||||
- Allows fuzzing of HTTP header values, POST data, and different parts of URL, including GET parameter names and values
|
||||
- Silent mode (`-s`) for clean output that's easy to use in pipes to other processes.
|
||||
- Modularized architecture that allows integration with existing toolchains with reasonable effort
|
||||
- Easy-to-add filters and matchers (they are interoperable)
|
||||
The only dependency of ffuf is Go 1.11. No dependencies outside of Go standard library are needed.
|
||||
|
||||
## Example cases
|
||||
## Example usage
|
||||
|
||||
### Typical directory discovery
|
||||
|
||||
|
|
@ -139,6 +137,8 @@ Usage of ffuf:
|
|||
-input-num int
|
||||
Number of inputs to test. Used in conjunction with --input-cmd. (default 100)
|
||||
-k TLS identity verification
|
||||
-maxtime int
|
||||
Maximum running time in seconds. (default 0 = inf.)
|
||||
-mc string
|
||||
Match HTTP status codes from respose, use "all" to match every response code. (default "200,204,301,302,307,401,403")
|
||||
-ml string
|
||||
|
|
@ -171,8 +171,6 @@ Usage of ffuf:
|
|||
Number of concurrent threads. (default 40)
|
||||
-timeout int
|
||||
HTTP request timeout in seconds. (default 10)
|
||||
-maxtime int
|
||||
Maximum running time in seconds. (default 0 = inf.)
|
||||
-u string
|
||||
Target URL
|
||||
-v Verbose output, printing full URL and redirect location (if any) with the results.
|
||||
|
|
@ -184,95 +182,7 @@ Usage of ffuf:
|
|||
|
||||
eg. `ffuf -u https://example.org/FUZZ -w /path/to/wordlist`
|
||||
|
||||
## Installation
|
||||
|
||||
- [Download](https://github.com/ffuf/ffuf/releases/latest) a prebuilt binary from [releases page](https://github.com/ffuf/ffuf/releases/latest), unpack and run!
|
||||
or
|
||||
- If you have go compiler installed: `go get github.com/ffuf/ffuf`
|
||||
## License
|
||||
|
||||
The only dependency of ffuf is Go 1.11. No dependencies outside of Go standard library are needed.
|
||||
|
||||
## Changelog
|
||||
|
||||
- master
|
||||
- New
|
||||
- New CLI flag `-od` (output directory) to enable writing requests and responses for matched results to a file for postprocessing or debugging purposes.
|
||||
- New CLI flag `-maxtime` to limit the running time of ffuf
|
||||
- Changed
|
||||
- Limit the use of `-e` (extensions) to a single keyword: FUZZ
|
||||
- Regexp matching and filtering (-mr/-fr) allow using keywords in patterns
|
||||
- Take 429 responses into account when -sa (stop on all error cases) is used
|
||||
|
||||
- v0.12
|
||||
- New
|
||||
- Added a new flag to select a multi wordlist operation mode: `--mode`, possible values: `clusterbomb` and `pitchfork`.
|
||||
- Added a new output file format eJSON, for always base64 encoding the input data.
|
||||
- Redirect location is always shown in the output files (when using `-o`)
|
||||
- Full URL is always shown in the output files (when using `-o`)
|
||||
- HTML output format got [DataTables](https://datatables.net/) support allowing realtime searches, sorting by column etc.
|
||||
- New CLI flag `-v` for verbose output. Including full URL, and redirect location.
|
||||
- SIGTERM monitoring, in order to catch keyboard interrupts an such, to be able to write `-o` files before exiting.
|
||||
- Changed
|
||||
- Fixed a bug in the default multi wordlist mode
|
||||
- Fixed JSON output regression, where all the input data was always encoded in base64
|
||||
- `--debug-log` no correctly logs connection errors
|
||||
- Removed `-l` flag in favor of `-v`
|
||||
- More verbose information in banner shown in startup.
|
||||
|
||||
- v0.11
|
||||
|
||||
- New
|
||||
|
||||
- New CLI flag: -l, shows target location of redirect responses
|
||||
- New CLI flac: -acc, custom auto-calibration strings
|
||||
- New CLI flag: -debug-log, writes the debug logging to the specified file.
|
||||
- New CLI flags -ml and -fl, filters/matches line count in response
|
||||
- Ability to use multiple wordlists / keywords by defining multiple -w command line flags. The if no keyword is defined, the default is FUZZ to keep backwards compatibility. Example: `-w "wordlists/custom.txt:CUSTOM" -H "RandomHeader: CUSTOM"`.
|
||||
|
||||
- Changed
|
||||
|
||||
- New CLI flag: -i, dummy flag that does nothing. for compatibility with copy as curl.
|
||||
- New CLI flag: -b/--cookie, cookie data for compatibility with copy as curl.
|
||||
- New Output format are available: HTML and Markdown table.
|
||||
- New CLI flag: -l, shows target location of redirect responses
|
||||
- Filtering and matching by status code, response size or word count now allow using ranges in addition to single values
|
||||
- The internal logging information to be discarded, and can be written to a file with the new `-debug-log` flag.
|
||||
|
||||
- v0.10
|
||||
|
||||
- New
|
||||
|
||||
- New CLI flag: -ac to autocalibrate response size and word filters based on few preset URLs.
|
||||
- New CLI flag: -timeout to specify custom timeouts for all HTTP requests.
|
||||
- New CLI flag: --data for compatibility with copy as curl functionality of browsers.
|
||||
- New CLI flag: --compressed, dummy flag that does nothing. for compatibility with copy as curl.
|
||||
- New CLI flags: --input-cmd, and --input-num to handle input generation using external commands. Mutators for example. Environment variable FFUF_NUM will be updated on every call of the command.
|
||||
- When --input-cmd is used, display position instead of the payload in results. The output file (of all formats) will include the payload in addition to the position however.
|
||||
|
||||
- Changed
|
||||
- Wordlist can also be read from standard input
|
||||
- Defining -d or --data implies POST method if -X doesn't set it to something else than GET
|
||||
|
||||
- v0.9
|
||||
- New
|
||||
- New output file formats: CSV and eCSV (CSV with base64 encoded input field to avoid CSV breakage with payloads containing a comma)
|
||||
- New CLI flag to follow redirects
|
||||
- Erroring connections will be retried once
|
||||
- Error counter in status bar
|
||||
- New CLI flags: -se (stop on spurious errors) and -sa (stop on all errors, implies -se and -sf)
|
||||
- New CLI flags: -e to provide a list of extensions to add to wordlist entries, and -D to provide DirSearch wordlist format compatibility.
|
||||
- Wildcard option for response status code matcher.
|
||||
- v0.8
|
||||
- New
|
||||
- New CLI flag to write output to a file in JSON format
|
||||
- New CLI flag to stop on spurious 403 responses
|
||||
- Changed
|
||||
- Regex matching / filtering now matches the headers alongside of the response body
|
||||
|
||||
## TODO
|
||||
|
||||
- Tests!
|
||||
- Optional scope for redirects
|
||||
- Client / server architecture to queue jobs and fetch the results later
|
||||
- Fuzzing multiple values at the same time
|
||||
- Output module to push the results to an HTTP API
|
||||
ffuf is released under MIT license. See [LICENSE](https://github.com/ffuf/ffuf/blob/master/LICENSE).
|
||||
|
|
|
|||
Loading…
Reference in a new issue