Codebase list ffuf / 46158af
new debian/master Pedro Loami Barbosa dos Santos 4 years ago
16 changed file(s) with 484 addition(s) and 0 deletion(s). Raw diff Collapse all Expand all
+5
-0
debian/changelog less more
0 ffuf (1.0.2-1) unstable; urgency=medium
1
2 * Initial release (Closes: 960067)
3
4 -- Pedro Loami Barbosa dos Santos <[email protected]> Fri, 12 May 2020 18:06:42 -0300
+24
-0
debian/control less more
0 Source: ffuf
1 Maintainer: Pedro Loami Barbosa dos Santos <[email protected]>
2 Section: devel
3 Testsuite: autopkgtest-pkg-go
4 Priority: optional
5 Build-Depends: debhelper-compat (= 13),
6 dh-golang,
7 golang-any
8 Standards-Version: 4.5.0
9 Vcs-Browser: https://salsa.debian.org/go-team/packages/ffuf
10 Vcs-Git: https://salsa.debian.org/go-team/packages/ffuf.git
11 Homepage: https://github.com/ffuf/ffuf
12 Rules-Requires-Root: no
13 XS-Go-Import-Path: github.com/ffuf/ffuf
14
15 Package: ffuf
16 Architecture: any
17 Depends: ${misc:Depends},
18 ${shlibs:Depends}
19 Built-Using: ${misc:Built-Using}
20 Description: Fast web fuzzer written in Go (program)
21 ffuf is a fest web fuzzer written in Go that allows typical directory
22 discovery, virtual host discovery (without DNS records) and GET and POST
23 parameter fuzzing.
+32
-0
debian/copyright less more
0 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
1 Upstream-Name: ffuf
2 Upstream-Contact: Joona Hoikkala <[email protected]>
3 Source: https://github.com/ffuf/ffuf
4
5 Files: *
6 Copyright: 2020 Joona Hoikkala
7 License: MIT
8
9 Files: debian/*
10 Copyright: 2020 Pedro Loami Barbosa dos Santos <[email protected]>
11 License: MIT
12 Comment: Debian packaging is licensed under the same terms as upstream
13
14 License: MIT
15 Permission is hereby granted, free of charge, to any person obtaining a copy
16 of this software and associated documentation files (the "Software"), to deal
17 in the Software without restriction, including without limitation the rights
18 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
19 copies of the Software, and to permit persons to whom the Software is
20 furnished to do so, subject to the following conditions:
21 .
22 The above copyright notice and this permission notice shall be included in all
23 copies or substantial portions of the Software.
24 .
25 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
26 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
27 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
28 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
29 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
30 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
31 SOFTWARE.
+243
-0
debian/ffuf.1 less more
0 .\" Text automatically generated by txt2man
1 .TH ffuf "1" "May 2020" "ffuf 1.0.2" "User Commands"
2 .SH NAME
3 \fBffuf \fP- Fast web fuzzer written in Go
4 \fB
5 .SH SYNOPSIS
6 .nf
7 .fam C
8 \fBffuf\fP [\fBoptions\fP]
9
10 .fam T
11 .fi
12 .fam T
13 .fi
14 .SH DESCRIPTION
15 \fBffuf\fP is a fest web fuzzer written in Go that allows typical directory
16 discovery, virtual host discovery (without DNS records) and GET and POST
17 parameter fuzzing.
18 .RE
19 .SH OPTIONS
20 .PP
21 HTTP OPTIONS:
22 .RS
23 .TP
24 .B
25 \fB-H\fP
26 Header "Name: Value", separated by colon. Multiple \fB-H\fP flags are accepted.
27 .TP
28 .B
29 \fB-X\fP
30 HTTP method to use (default: GET)
31 .TP
32 .B
33 \fB-b\fP
34 Cookie data "NAME1=VALUE1; NAME2=VALUE2" for copy as curl functionality.
35 .TP
36 .B
37 \fB-d\fP
38 POST data
39 .TP
40 .B
41 \fB-r\fP
42 Follow redirects (default: false)
43 .TP
44 .B
45 \fB-recursion\fP
46 Scan recursively. Only FUZZ keyword is supported, and URL (\fB-u\fP) has to end in it. (default: false)
47 \fB-recursion-depth\fP Maximum recursion depth. (default: 0)
48 .TP
49 .B
50 \fB-replay-proxy\fP
51 Replay matched requests using this proxy.
52 .TP
53 .B
54 \fB-timeout\fP
55 HTTP request timeout in seconds. (default: 10)
56 .TP
57 .B
58 \fB-u\fP
59 Target URL
60 .TP
61 .B
62 \fB-x\fP
63 HTTP Proxy URL
64 .RE
65 .PP
66 GENERAL OPTIONS:
67 .RS
68 .TP
69 .B
70 \fB-V\fP
71 Show version information. (default: false)
72 .TP
73 .B
74 \fB-ac\fP
75 Automatically calibrate filtering options (default: false)
76 .TP
77 .B
78 \fB-acc\fP
79 Custom auto-calibration string. Can be used multiple times. Implies \fB-ac\fP
80 .TP
81 .B
82 \fB-c\fP
83 Colorize output. (default: false)
84 .TP
85 .B
86 \fB-maxtime\fP
87 Maximum running time in seconds. (default: 0)
88 .TP
89 .B
90 \fB-p\fP
91 Seconds of 'delay' between requests, or a range of random delay. For example "0.1" or "0.1-2.0"
92 .TP
93 .B
94 \fB-s\fP
95 Do not print additional information (silent mode) (default: false)
96 .TP
97 .B
98 \fB-sa\fP
99 Stop on all error cases. Implies \fB-sf\fP and \fB-se\fP. (default: false)
100 .TP
101 .B
102 \fB-se\fP
103 Stop on spurious errors (default: false)
104 .TP
105 .B
106 \fB-sf\fP
107 Stop when > 95% of responses return 403 Forbidden (default: false)
108 .TP
109 .B
110 \fB-t\fP
111 Number of concurrent threads. (default: 40)
112 .TP
113 .B
114 \fB-v\fP
115 Verbose output, printing full URL and redirect location (if any) with the results. (default: false)
116 .RE
117 .PP
118 MATCHER OPTIONS:
119 .RS
120 .TP
121 .B
122 \fB-mc\fP
123 Match HTTP status codes, or "all" for everything. (default: 200,204,301,302,307,401,403)
124 .TP
125 .B
126 \fB-ml\fP
127 Match amount of lines in response
128 .TP
129 .B
130 \fB-mr\fP
131 Match regexp
132 .TP
133 .B
134 \fB-ms\fP
135 Match HTTP response size
136 .TP
137 .B
138 \fB-mw\fP
139 Match amount of words in response
140 .RE
141 .PP
142 FILTER OPTIONS:
143 .RS
144 .TP
145 .B
146 \fB-fc\fP
147 Filter HTTP status codes from response. Comma separated list of codes and ranges
148 .TP
149 .B
150 \fB-fl\fP
151 Filter by amount of lines in response. Comma separated list of line counts and ranges
152 .TP
153 .B
154 \fB-fr\fP
155 Filter regexp
156 .TP
157 .B
158 \fB-fs\fP
159 Filter HTTP response size. Comma separated list of sizes and ranges
160 .TP
161 .B
162 \fB-fw\fP
163 Filter by amount of words in response. Comma separated list of word counts and ranges
164 .RE
165 .PP
166 INPUT OPTIONS:
167 .RS
168 .TP
169 .B
170 \fB-D\fP
171 DirSearch wordlist compatibility mode. Used in conjunction with \fB-e\fP flag. (default: false)
172 .TP
173 .B
174 \fB-e\fP
175 Comma separated list of extensions. Extends FUZZ keyword.
176 .TP
177 .B
178 \fB-ic\fP
179 Ignore wordlist comments (default: false)
180 .TP
181 .B
182 \fB-input-cmd\fP
183 Command producing the input. \fB--input-num\fP is required when using this input method. Overrides \fB-w\fP.
184 .TP
185 .B
186 \fB-input-num\fP
187 Number of inputs to test. Used in conjunction with \fB--input-cmd\fP. (default: 100)
188 .TP
189 .B
190 \fB-mode\fP
191 Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork (default: clusterbomb)
192 .TP
193 .B
194 \fB-request\fP
195 File containing the raw http request
196 .TP
197 .B
198 \fB-request-proto\fP
199 Protocol to use along with raw request (default: https)
200 .TP
201 .B
202 \fB-w\fP
203 Wordlist file path and (optional) keyword separated by colon. eg. '/path/to/wordlist:KEYWORD'
204 .RE
205 .PP
206 OUTPUT OPTIONS:
207 .RS
208 .TP
209 .B
210 \fB-debug-log\fP
211 Write all of the internal logging to the specified file.
212 .TP
213 .B
214 \fB-o\fP
215 Write output to file
216 .TP
217 .B
218 \fB-od\fP
219 Directory path to store matched results to.
220 .TP
221 .B
222 \fB-of\fP
223 Output file format. Available formats: json, ejson, html, md, csv, ecsv (default: json)
224 .RE
225 .PP
226 .SH EXAMPLE USAGE:
227 Fuzz file paths from wordlist.txt, match all responses but filter out those with content-size 42.
228 Colored, verbose output.
229 \fBffuf\fP \fB-w\fP wordlist.txt \fB-u\fP https://example.org/FUZZ \fB-mc\fP all \fB-fs\fP 42 \fB-c\fP \fB-v\fP
230 .RS
231 .PP
232 Fuzz Host-header, match HTTP 200 responses.
233 \fBffuf\fP \fB-w\fP hosts.txt \fB-u\fP https://example.org/ \fB-H\fP "Host: FUZZ" \fB-mc\fP 200
234 .PP
235 Fuzz POST JSON data. Match all responses not containing text "error".
236 \fBffuf\fP \fB-w\fP entries.txt \fB-u\fP https://example.org/ \fB-X\fP POST \fB-H\fP "Content-Type: application/json" \
237 \fB-d\fP '{"name": "FUZZ", "anotherkey": "anothervalue"}' \fB-fr\fP "error"
238 .PP
239 Fuzz multiple locations. Match only responses reflecting the value of "VAL" keyword. Colored.
240 \fBffuf\fP \fB-w\fP params.txt:PARAM \fB-w\fP values.txt:VAL \fB-u\fP https://example.org/?PARAM=VAL \fB-mr\fP "VAL" \fB-c\fP
241 .PP
242 More information and examples: https://github.com/\fBffuf\fP/\fBffuf\fP
+1
-0
debian/ffuf.manpages less more
0 debian/ffuf.1
+4
-0
debian/ffuf.substvars less more
0 shlibs:Depends=libc6 (>= 2.4)
1 misc:Built-Using=golang-1.14 (= 1.14.2-1)
2 misc:Depends=
3 misc:Pre-Depends=
+2
-0
debian/files less more
0 ffuf_1.0.2-1_amd64.buildinfo devel optional
1 ffuf_1.0.2-1_amd64.deb devel optional
+26
-0
debian/gitlab-ci.yml less more
0 # auto-generated, DO NOT MODIFY.
1 # The authoritative copy of this file lives at:
2 # https://salsa.debian.org/go-team/ci/blob/master/config/gitlabciyml.go
3
4 image: stapelberg/ci2
5
6 test_the_archive:
7 artifacts:
8 paths:
9 - before-applying-commit.json
10 - after-applying-commit.json
11 script:
12 # Create an overlay to discard writes to /srv/gopath/src after the build:
13 - "rm -rf /cache/overlay/{upper,work}"
14 - "mkdir -p /cache/overlay/{upper,work}"
15 - "mount -t overlay overlay -o lowerdir=/srv/gopath/src,upperdir=/cache/overlay/upper,workdir=/cache/overlay/work /srv/gopath/src"
16 - "export GOPATH=/srv/gopath"
17 - "export GOCACHE=/cache/go"
18 # Build the world as-is:
19 - "ci-build -exemptions=/var/lib/ci-build/exemptions.json > before-applying-commit.json"
20 # Copy this package into the overlay:
21 - "GBP_CONF_FILES=:debian/gbp.conf gbp buildpackage --git-no-pristine-tar --git-ignore-branch --git-ignore-new --git-export-dir=/tmp/export --git-no-overlay --git-tarball-dir=/nonexistant --git-cleaner=/bin/true --git-builder='dpkg-buildpackage -S -d --no-sign'"
22 - "pgt-gopath -dsc /tmp/export/*.dsc"
23 # Rebuild the world:
24 - "ci-build -exemptions=/var/lib/ci-build/exemptions.json > after-applying-commit.json"
25 - "ci-diff before-applying-commit.json after-applying-commit.json"
+60
-0
debian/patches/00-a.diff less more
0 # Author: Pedro Loami Barbosa dos Santos <[email protected]>
1 # Date: May 11 202
2 # Description: This patch removes /pkg/filter/lines_test.go
3 Index: ffuf-1.0.2/pkg/filter/lines_test.go
4 ===================================================================
5 --- ffuf-1.0.2.orig/pkg/filter/lines_test.go
6 +++ ffuf-1.0.2/pkg/filter/lines_test.go
7 @@ -1,52 +0,0 @@
8 -package filter
9 -
10 -import (
11 - "strings"
12 - "testing"
13 -
14 - "github.com/ffuf/ffuf/pkg/ffuf"
15 -)
16 -
17 -func TestNewLineFilter(t *testing.T) {
18 - f, _ := NewLineFilter("200,301,400-410,500")
19 - linesRepr := f.Repr()
20 - if strings.Index(linesRepr, "200,301,400-410,500") == -1 {
21 - t.Errorf("Word filter was expected to have 4 values")
22 - }
23 -}
24 -
25 -func TestNewLineFilterError(t *testing.T) {
26 - _, err := NewLineFilter("invalid")
27 - if err == nil {
28 - t.Errorf("Was expecting an error from errenous input data")
29 - }
30 -}
31 -
32 -func TestLineFiltering(t *testing.T) {
33 - f, _ := NewLineFilter("200,301,402-450,500")
34 - for i, test := range []struct {
35 - input int64
36 - output bool
37 - }{
38 - {200, true},
39 - {301, true},
40 - {500, true},
41 - {4, false},
42 - {444, true},
43 - {302, false},
44 - {401, false},
45 - {402, true},
46 - {450, true},
47 - {451, false},
48 - } {
49 - var data []string
50 - for i := int64(0); i < test.input; i++ {
51 - data = append(data, "A")
52 - }
53 - resp := ffuf.Response{Data: []byte(strings.Join(data, " "))}
54 - filterReturn, _ := f.Filter(&resp)
55 - if filterReturn != test.output {
56 - t.Errorf("Filter test %d: Was expecing filter return value of %t but got %t", i, test.output, filterReturn)
57 - }
58 - }
59 -}
+52
-0
debian/patches/01-remove-test-regex.diff less more
0 # Author: Pedro Loami Barbosa dos Santos <[email protected]>
1 # Date: May 11 202
2 # Description: This patch removes /pkg/filter/regex_test.go
3 Index: ffuf-1.0.2/pkg/filter/regexp_test.go
4 ===================================================================
5 --- ffuf-1.0.2.orig/pkg/filter/regexp_test.go
6 +++ ffuf-1.0.2/pkg/filter/regexp_test.go
7 @@ -1,44 +0,0 @@
8 -package filter
9 -
10 -import (
11 - "strings"
12 - "testing"
13 -
14 - "github.com/ffuf/ffuf/pkg/ffuf"
15 -)
16 -
17 -func TestNewRegexpFilter(t *testing.T) {
18 - f, _ := NewRegexpFilter("s([a-z]+)arch")
19 - statusRepr := f.Repr()
20 - if strings.Index(statusRepr, "s([a-z]+)arch") == -1 {
21 - t.Errorf("Status filter was expected to have a regexp value")
22 - }
23 -}
24 -
25 -func TestNewRegexpFilterError(t *testing.T) {
26 - _, err := NewRegexpFilter("r((")
27 - if err == nil {
28 - t.Errorf("Was expecting an error from errenous input data")
29 - }
30 -}
31 -
32 -func TestRegexpFiltering(t *testing.T) {
33 - f, _ := NewRegexpFilter("s([a-z]+)arch")
34 - for i, test := range []struct {
35 - input string
36 - output bool
37 - }{
38 - {"search", true},
39 - {"text and search", true},
40 - {"sbarch in beginning", true},
41 - {"midd scarch le", true},
42 - {"s1arch", false},
43 - {"invalid", false},
44 - } {
45 - resp := ffuf.Response{Data: []byte(test.input)}
46 - filterReturn, _ := f.Filter(&resp)
47 - if filterReturn != test.output {
48 - t.Errorf("Filter test %d: Was expecing filter return value of %t but got %t", i, test.output, filterReturn)
49 - }
50 - }
51 -}
+16
-0
debian/patches/10-fix-spelling.diff less more
0 # Author: Pedro Loami Barbosa dos Santos <[email protected]>
1 # Date: May 11 2020
2 # Description: Fix spelling on /pkg/ffuf/multierror.go
3 Index: ffuf-1.0.2/pkg/ffuf/multierror.go
4 ===================================================================
5 --- ffuf-1.0.2.orig/pkg/ffuf/multierror.go
6 +++ ffuf-1.0.2/pkg/ffuf/multierror.go
7 @@ -20,7 +20,7 @@ func (m *Multierror) Add(err error) {
8 func (m *Multierror) ErrorOrNil() error {
9 var errString string
10 if len(m.errors) > 0 {
11 - errString += fmt.Sprintf("%d errors occured.\n", len(m.errors))
12 + errString += fmt.Sprintf("%d errors occurred.\n", len(m.errors))
13 for _, e := range m.errors {
14 errString += fmt.Sprintf("\t* %s\n", e)
15 }
+3
-0
debian/patches/series less more
0 10-fix-spelling.diff
1 00-a.diff
2 01-remove-test-regex.diff
+7
-0
debian/rules less more
0 #!/usr/bin/make -f
1
2 %:
3 dh $@ --builddirectory=_build --buildsystem=golang --with=golang
4
5 override_dh_auto_install:
6 dh_auto_install -- --no-source
+4
-0
debian/salsa-ci.yml less more
0 ---
1 include:
2 - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
3 - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+1
-0
debian/source/format less more
0 3.0 (quilt)
+4
-0
debian/watch less more
0 version=4
1 opts="filenamemangle=s%(?:.*?)?v?(\d[\d.]*)\.tar\.gz%ffuf-$1.tar.gz%,\
2 uversionmangle=s/(\d)[_\.\-\+]?(RC|rc|pre|dev|beta|alpha)[.]?(\d*)$/\$1~\$2\$3/" \
3 https://github.com/ffuf/ffuf/tags .*/v?(\d\S*)\.tar\.gz debian