feroxbuster

Normally, a word from the given wordlist is joined using reqwest::Url::join. When that function is called using a fully formed url as the 'word', it actually overwrites the base url.

Example:

Url("http://localhost").join("http:yunyunyun.net")
=> Url("http:yunyunyun.net")

Added logic that issues a warning if a url is found in the wordlist, and then stops processing that word before anything actually happens.

Special thanks to @Greenwolf for bringing the issue to my attention!

• Added --replay-proxy and --replay-codes options as a way to only send a select few responses to a proxy. This is in stark contrast to --proxy which proxies EVERY request.

Special thanks to @aringo and @hellor00t for the request!

• fixed a bug where errors occurring very early in program execution would not have their log messages displayed properly

Thanks to @Decap1tator for pointing out the issue (honorable mention to @Flangyver for letting me know about the same problem a day after the first report 😆)

• added ability to pause|resume scans by pressing the ENTER key

Thanks to @Flangyver for the feature request!

• overhauled the filtering system, which will allow for a wide array of filters to be added with minimal effort in the future
• added a Status Code Filter using the new system described above; exposed to the user through --filter-status
• renamed user-facing long option names
  • --norecursion -> --no-recursion
  • --addslash -> --add-slash
  • --dontfilter -> --dont-filter
  • --sizefilter -> --filter-size
  • --useragent -> --user-agent

Special thanks to @LMAY75 for filing the issue that led to this feature!

• Users can now limit the number of scans permitted to run at any given time. Recursion will still identify new directories, but newly discovered directories can only begin scanning when the total number of active scans drops below the value passed to --scan-limit.

Special thanks to @Raywando for filing the issue that led to this feature!

./feroxbuster -u http://127.1 --scan-limit 2

• reduced binary size by incorporating strip into the CD pipeline
• fixed bug where the progress bar was being incremented too infrequently

The progress bar was only being incremented once per call to scanner::make_requests, however, make_requests makes a request for each url sent to it plus one for each extension specified with -x. For example, a scan that uses a wordlist with 1000 items and specifies 1 extension makes 2000 requests (one for each word, and one for each word + extension). Each progress bar only got incremented by the number of items in the wordlist.

• Adds a version check when the binary is executed.

When the user's version is out of sync with the latest release, an additional line is added to the banner (shown below).

 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────

• Added ability to extract links from response bodies

Extract Links Feature Description

Search through the body of valid responses (html, javascript, etc...) for additional endpoints to scan. This turns
feroxbuster into a hybrid that looks for both linked and unlinked content.

Example request/response with --extract-links enabled:

• Make request to http://example.com/index.html
• Receive, and read in, the body of the response
• Search the body for absolute and relative links (i.e. homepage/assets/img/icons/handshake.svg)
• Add the following directories for recursive scanning:
  • http://example.com/homepage
  • http://example.com/homepage/assets
  • http://example.com/homepage/assets/img
  • http://example.com/homepage/assets/img/icons
• Make a single request to http://example.com/homepage/assets/img/icons/handshake.svg

./feroxbuster -u http://127.1 --extract-links

• Fixed issue where wordlists with comments / empty lines were still being processed as words.

Thanks to Hack The Box user @sparkla for the feedback! Original discussion is here

While helping github user @Flangyver troubleshoot the bug that was fixed in v1.0.3, we realized that log records couldn't actually be redirected to a file (this is due to the progress bar library's expected behavior). This version addresses that shortcoming.

• -v enabled logging can be saved to a file by also using -o
  • -v logging can NOT be redirected using >, |, etc...

Example:

./feroxbuster -u http://example.com -o trace.log -vvvv

• fixed instances of duplicate scans during recursion
  • in certain situations a scan against http://example.com and http://example.com/ could both be running at the same time (the same goes for any sub-directory found during recursion

Special thanks to github user @Flangyver for notifying me about the bug ❤️

• altered request timeouts to be logged as warnings instead of errors
  • timeouts can still be viewed with 1 or more -v's as part of the command
  • all other errors encountered during a request remain errors

• fixed an issue that could present itself when join was called more than once
  • instead of relying on directory depth to determine whether to call .join or not, an AtomicUsize is checked instead

Thanks to twitter user @BoDresha for reaching out and letting me know about the bug!

🥳 First major release 🥳

• added /etc/feroxbuster as a valid config location
• updated .deb to install the example config at /etc/feroxbuster
• updated .deb to respect /etc/feroxbuster/ferox-config.toml as a conffile

• config file is now searched for in multiple locations
  • ~/.config/feroxbuster
  • same dir as feroxbuster
  • cwd
• added some better error messaging
• updated docs/readme to reflect changes to config management
• updated .deb to respect a config file found at ~/.config/feroxbuster

As mentioned in the README, i'm releasing this earlier than normal. Loading up the most current build for anyone that lands here before 1.0.0.