Giter Site home page Giter Site logo

urlfuzz's Introduction

URLFUZZ

DESCRIPTION

Yep, this is another web fuzzer, but using the power of async/non-blocking I/O functions provided by NodeJS allowing you to perform VERY FAST web requests.

Fuzzeable items

  • URL
  • POST data
  • HTTP headers

Filters

You may filter the responses by:

  • Error codes
  • Nº Words
  • Nº Lines
  • Text

Payloads

  • Wordlist
  • Bruteforce
  • Range

INSTALL

Simply, install the dependences with:

$ npm install

USAGE

To get a list of all options and switches use:

Usage: node urlfuzz.js <URL> [OPTIONS]

  -H, --headers=ARG+     set headers
  -h, --head             use HEAD instead of GET
  -d, --data=ARG         POST data (format: foo1=bar1&foo2=bar2)
  -w, --wordlist=ARG     use a wordlist
  -b, --bruteforce=ARG   perform bruteforce (format -> min:max:charset)
  -r, --range=ARG        fuzz with range (format -> start:end[:step])
  -o, --download=ARG     download results that matches (output dir)
  -x, --results=ARG      exports results to file (format: csv)
  -p, --proxy=ARG        use proxy (http://host:port)
  -s, --socks=ARG        use socks (host:port)
      --hc=ARG           filter by error codes (comma separated)
      --hw=ARG           filter by words (comma separated)
      --hl=ARG           filter by lines (comma separated)
      --ht=ARG           hide responses that matches str
      --st=ARG           show responses that matches str
      --max-sockets=ARG  max sockets (default: 150)
      --timeout=ARG      timeout (default: X ms)
      --debug            debug mode
  -h, --help             display this help

Fuzzezable items: [url, headers, post_data]
Fuzz tag: #FUZZ#

EXAMPLES

Fuzz using a wordlist:

$ node urlfuzz.js http://localhost/#FUZZ# -w big.txt

Fuzz POST data using wordlist and filter by text:

$ node urlfuzz.js http://localhost/login.php -d "user=admin&pass=#FUZZ#" -w big.txt --ht denied

Fuzz 'User-agent' header and filter by lines:

$ node urlfuzz.js http://localhost/exploit_kit.php -H "User-agent: #FUZZ#" -w user_agents.txt --hl 4

Download matching files with error code 200:

$ node urlfuzz.js http://localhost/file-#FUZZ#.exe -b 1:3:0123456789 --hc 200 -d samples/

Fuzz a user-id with range option:

$ node urlfuzz.js http://localhost/user.php?id=#FUZZ# -r 1:1000 --hc 200 --st Admin

Export results to a CSV file:

$ node urlfuzz.js http://localhost/#FUZZ# -w big.txt -x log

THANKS

Thanks to mandingo & cgvwzq for the ideas during the development of the tool.

AUTHOR

Daniel García <@danigargu>

urlfuzz's People

Contributors

danigargu avatar

Watchers

James Cloos avatar avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.