new debian/master
Pedro Loami Barbosa dos Santos
4 years ago
0 | ffuf (1.0.2-1) unstable; urgency=medium | |
1 | ||
2 | * Initial release (Closes: 960067) | |
3 | ||
4 | -- Pedro Loami Barbosa dos Santos <[email protected]> Fri, 12 May 2020 18:06:42 -0300 |
0 | Source: ffuf | |
1 | Maintainer: Pedro Loami Barbosa dos Santos <[email protected]> | |
2 | Section: devel | |
3 | Testsuite: autopkgtest-pkg-go | |
4 | Priority: optional | |
5 | Build-Depends: debhelper-compat (= 13), | |
6 | dh-golang, | |
7 | golang-any | |
8 | Standards-Version: 4.5.0 | |
9 | Vcs-Browser: https://salsa.debian.org/go-team/packages/ffuf | |
10 | Vcs-Git: https://salsa.debian.org/go-team/packages/ffuf.git | |
11 | Homepage: https://github.com/ffuf/ffuf | |
12 | Rules-Requires-Root: no | |
13 | XS-Go-Import-Path: github.com/ffuf/ffuf | |
14 | ||
15 | Package: ffuf | |
16 | Architecture: any | |
17 | Depends: ${misc:Depends}, | |
18 | ${shlibs:Depends} | |
19 | Built-Using: ${misc:Built-Using} | |
20 | Description: Fast web fuzzer written in Go (program) | |
21 | ffuf is a fest web fuzzer written in Go that allows typical directory | |
22 | discovery, virtual host discovery (without DNS records) and GET and POST | |
23 | parameter fuzzing. |
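Review bot: The extended description contains a typo that ends up in the package metadata users see: `ffuf is a fest web fuzzer written in Go` should read `ffuf is a fast web fuzzer written in Go`. The same sentence is repeated in the DESCRIPTION section of the man page further down (`\fBffuf\fP is a fest web fuzzer ...`). That page is marked as generated by txt2man, so correct the text it was generated from and regenerate it rather than editing only the output.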
0 | Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ | |
1 | Upstream-Name: ffuf | |
2 | Upstream-Contact: Joona Hoikkala <[email protected]> | |
3 | Source: https://github.com/ffuf/ffuf | |
4 | ||
5 | Files: * | |
6 | Copyright: 2020 Joona Hoikkala | |
7 | License: MIT | |
8 | ||
9 | Files: debian/* | |
10 | Copyright: 2020 Pedro Loami Barbosa dos Santos <[email protected]> | |
11 | License: MIT | |
12 | Comment: Debian packaging is licensed under the same terms as upstream | |
13 | ||
14 | License: MIT | |
15 | Permission is hereby granted, free of charge, to any person obtaining a copy | |
16 | of this software and associated documentation files (the "Software"), to deal | |
17 | in the Software without restriction, including without limitation the rights | |
18 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | |
19 | copies of the Software, and to permit persons to whom the Software is | |
20 | furnished to do so, subject to the following conditions: | |
21 | . | |
22 | The above copyright notice and this permission notice shall be included in all | |
23 | copies or substantial portions of the Software. | |
24 | . | |
25 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | |
26 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | |
27 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | |
28 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | |
29 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | |
30 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | |
31 | SOFTWARE. |
0 | .\" Text automatically generated by txt2man | |
1 | .TH ffuf "1" "May 2020" "ffuf 1.0.2" "User Commands" | |
2 | .SH NAME | |
3 | \fBffuf \fP- Fast web fuzzer written in Go | |
4 | \fB | |
5 | .SH SYNOPSIS | |
6 | .nf | |
7 | .fam C | |
8 | \fBffuf\fP [\fBoptions\fP] | |
9 | ||
10 | .fam T | |
11 | .fi | |
12 | .fam T | |
13 | .fi | |
14 | .SH DESCRIPTION | |
15 | \fBffuf\fP is a fest web fuzzer written in Go that allows typical directory | |
16 | discovery, virtual host discovery (without DNS records) and GET and POST | |
17 | parameter fuzzing. | |
18 | .RE | |
19 | .SH OPTIONS | |
20 | .PP | |
21 | HTTP OPTIONS: | |
22 | .RS | |
23 | .TP | |
24 | .B | |
25 | \fB-H\fP | |
26 | Header "Name: Value", separated by colon. Multiple \fB-H\fP flags are accepted. | |
27 | .TP | |
28 | .B | |
29 | \fB-X\fP | |
30 | HTTP method to use (default: GET) | |
31 | .TP | |
32 | .B | |
33 | \fB-b\fP | |
34 | Cookie data "NAME1=VALUE1; NAME2=VALUE2" for copy as curl functionality. | |
35 | .TP | |
36 | .B | |
37 | \fB-d\fP | |
38 | POST data | |
39 | .TP | |
40 | .B | |
41 | \fB-r\fP | |
42 | Follow redirects (default: false) | |
43 | .TP | |
44 | .B | |
45 | \fB-recursion\fP | |
46 | Scan recursively. Only FUZZ keyword is supported, and URL (\fB-u\fP) has to end in it. (default: false) | |
47 | \fB-recursion-depth\fP Maximum recursion depth. (default: 0) | |
48 | .TP | |
49 | .B | |
50 | \fB-replay-proxy\fP | |
51 | Replay matched requests using this proxy. | |
52 | .TP | |
53 | .B | |
54 | \fB-timeout\fP | |
55 | HTTP request timeout in seconds. (default: 10) | |
56 | .TP | |
57 | .B | |
58 | \fB-u\fP | |
59 | Target URL | |
60 | .TP | |
61 | .B | |
62 | \fB-x\fP | |
63 | HTTP Proxy URL | |
64 | .RE | |
65 | .PP | |
66 | GENERAL OPTIONS: | |
67 | .RS | |
68 | .TP | |
69 | .B | |
70 | \fB-V\fP | |
71 | Show version information. (default: false) | |
72 | .TP | |
73 | .B | |
74 | \fB-ac\fP | |
75 | Automatically calibrate filtering options (default: false) | |
76 | .TP | |
77 | .B | |
78 | \fB-acc\fP | |
79 | Custom auto-calibration string. Can be used multiple times. Implies \fB-ac\fP | |
80 | .TP | |
81 | .B | |
82 | \fB-c\fP | |
83 | Colorize output. (default: false) | |
84 | .TP | |
85 | .B | |
86 | \fB-maxtime\fP | |
87 | Maximum running time in seconds. (default: 0) | |
88 | .TP | |
89 | .B | |
90 | \fB-p\fP | |
91 | Seconds of 'delay' between requests, or a range of random delay. For example "0.1" or "0.1-2.0" | |
92 | .TP | |
93 | .B | |
94 | \fB-s\fP | |
95 | Do not print additional information (silent mode) (default: false) | |
96 | .TP | |
97 | .B | |
98 | \fB-sa\fP | |
99 | Stop on all error cases. Implies \fB-sf\fP and \fB-se\fP. (default: false) | |
100 | .TP | |
101 | .B | |
102 | \fB-se\fP | |
103 | Stop on spurious errors (default: false) | |
104 | .TP | |
105 | .B | |
106 | \fB-sf\fP | |
107 | Stop when > 95% of responses return 403 Forbidden (default: false) | |
108 | .TP | |
109 | .B | |
110 | \fB-t\fP | |
111 | Number of concurrent threads. (default: 40) | |
112 | .TP | |
113 | .B | |
114 | \fB-v\fP | |
115 | Verbose output, printing full URL and redirect location (if any) with the results. (default: false) | |
116 | .RE | |
117 | .PP | |
118 | MATCHER OPTIONS: | |
119 | .RS | |
120 | .TP | |
121 | .B | |
122 | \fB-mc\fP | |
123 | Match HTTP status codes, or "all" for everything. (default: 200,204,301,302,307,401,403) | |
124 | .TP | |
125 | .B | |
126 | \fB-ml\fP | |
127 | Match amount of lines in response | |
128 | .TP | |
129 | .B | |
130 | \fB-mr\fP | |
131 | Match regexp | |
132 | .TP | |
133 | .B | |
134 | \fB-ms\fP | |
135 | Match HTTP response size | |
136 | .TP | |
137 | .B | |
138 | \fB-mw\fP | |
139 | Match amount of words in response | |
140 | .RE | |
141 | .PP | |
142 | FILTER OPTIONS: | |
143 | .RS | |
144 | .TP | |
145 | .B | |
146 | \fB-fc\fP | |
147 | Filter HTTP status codes from response. Comma separated list of codes and ranges | |
148 | .TP | |
149 | .B | |
150 | \fB-fl\fP | |
151 | Filter by amount of lines in response. Comma separated list of line counts and ranges | |
152 | .TP | |
153 | .B | |
154 | \fB-fr\fP | |
155 | Filter regexp | |
156 | .TP | |
157 | .B | |
158 | \fB-fs\fP | |
159 | Filter HTTP response size. Comma separated list of sizes and ranges | |
160 | .TP | |
161 | .B | |
162 | \fB-fw\fP | |
163 | Filter by amount of words in response. Comma separated list of word counts and ranges | |
164 | .RE | |
165 | .PP | |
166 | INPUT OPTIONS: | |
167 | .RS | |
168 | .TP | |
169 | .B | |
170 | \fB-D\fP | |
171 | DirSearch wordlist compatibility mode. Used in conjunction with \fB-e\fP flag. (default: false) | |
172 | .TP | |
173 | .B | |
174 | \fB-e\fP | |
175 | Comma separated list of extensions. Extends FUZZ keyword. | |
176 | .TP | |
177 | .B | |
178 | \fB-ic\fP | |
179 | Ignore wordlist comments (default: false) | |
180 | .TP | |
181 | .B | |
182 | \fB-input-cmd\fP | |
183 | Command producing the input. \fB--input-num\fP is required when using this input method. Overrides \fB-w\fP. | |
184 | .TP | |
185 | .B | |
186 | \fB-input-num\fP | |
187 | Number of inputs to test. Used in conjunction with \fB--input-cmd\fP. (default: 100) | |
188 | .TP | |
189 | .B | |
190 | \fB-mode\fP | |
191 | Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork (default: clusterbomb) | |
192 | .TP | |
193 | .B | |
194 | \fB-request\fP | |
195 | File containing the raw http request | |
196 | .TP | |
197 | .B | |
198 | \fB-request-proto\fP | |
199 | Protocol to use along with raw request (default: https) | |
200 | .TP | |
201 | .B | |
202 | \fB-w\fP | |
203 | Wordlist file path and (optional) keyword separated by colon. eg. '/path/to/wordlist:KEYWORD' | |
204 | .RE | |
205 | .PP | |
206 | OUTPUT OPTIONS: | |
207 | .RS | |
208 | .TP | |
209 | .B | |
210 | \fB-debug-log\fP | |
211 | Write all of the internal logging to the specified file. | |
212 | .TP | |
213 | .B | |
214 | \fB-o\fP | |
215 | Write output to file | |
216 | .TP | |
217 | .B | |
218 | \fB-od\fP | |
219 | Directory path to store matched results to. | |
220 | .TP | |
221 | .B | |
222 | \fB-of\fP | |
223 | Output file format. Available formats: json, ejson, html, md, csv, ecsv (default: json) | |
224 | .RE | |
225 | .PP | |
226 | .SH EXAMPLE USAGE: | |
227 | Fuzz file paths from wordlist.txt, match all responses but filter out those with content-size 42. | |
228 | Colored, verbose output. | |
229 | \fBffuf\fP \fB-w\fP wordlist.txt \fB-u\fP https://example.org/FUZZ \fB-mc\fP all \fB-fs\fP 42 \fB-c\fP \fB-v\fP | |
230 | .RS | |
231 | .PP | |
232 | Fuzz Host-header, match HTTP 200 responses. | |
233 | \fBffuf\fP \fB-w\fP hosts.txt \fB-u\fP https://example.org/ \fB-H\fP "Host: FUZZ" \fB-mc\fP 200 | |
234 | .PP | |
235 | Fuzz POST JSON data. Match all responses not containing text "error". | |
236 | \fBffuf\fP \fB-w\fP entries.txt \fB-u\fP https://example.org/ \fB-X\fP POST \fB-H\fP "Content-Type: application/json" \ | |
237 | \fB-d\fP '{"name": "FUZZ", "anotherkey": "anothervalue"}' \fB-fr\fP "error" | |
238 | .PP | |
239 | Fuzz multiple locations. Match only responses reflecting the value of "VAL" keyword. Colored. | |
240 | \fBffuf\fP \fB-w\fP params.txt:PARAM \fB-w\fP values.txt:VAL \fB-u\fP https://example.org/?PARAM=VAL \fB-mr\fP "VAL" \fB-c\fP | |
241 | .PP | |
242 | More information and examples: https://github.com/\fBffuf\fP/\fBffuf\fP |
0 | debian/ffuf.1 |
0 | shlibs:Depends=libc6 (>= 2.4) | |
1 | misc:Built-Using=golang-1.14 (= 1.14.2-1) | |
2 | misc:Depends= | |
3 | misc:Pre-Depends= |
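Review bot: These four lines look like a debhelper-generated substvars file, which is build output rather than packaging source, and should not be committed. The file name is not shown here, so confirm this before acting. The values are recomputed on every build, so a committed `misc:Built-Using=golang-1.14 (= 1.14.2-1)` only records the toolchain of one local build and can be mistaken for the compiler that produced the published binary. Remove the file from the repository and ignore it, for example with a `debian/*.substvars` entry in `.gitignore`.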
0 | # auto-generated, DO NOT MODIFY. | |
1 | # The authoritative copy of this file lives at: | |
2 | # https://salsa.debian.org/go-team/ci/blob/master/config/gitlabciyml.go | |
3 | ||
4 | image: stapelberg/ci2 | |
5 | ||
6 | test_the_archive: | |
7 | artifacts: | |
8 | paths: | |
9 | - before-applying-commit.json | |
10 | - after-applying-commit.json | |
11 | script: | |
12 | # Create an overlay to discard writes to /srv/gopath/src after the build: | |
13 | - "rm -rf /cache/overlay/{upper,work}" | |
14 | - "mkdir -p /cache/overlay/{upper,work}" | |
15 | - "mount -t overlay overlay -o lowerdir=/srv/gopath/src,upperdir=/cache/overlay/upper,workdir=/cache/overlay/work /srv/gopath/src" | |
16 | - "export GOPATH=/srv/gopath" | |
17 | - "export GOCACHE=/cache/go" | |
18 | # Build the world as-is: | |
19 | - "ci-build -exemptions=/var/lib/ci-build/exemptions.json > before-applying-commit.json" | |
20 | # Copy this package into the overlay: | |
21 | - "GBP_CONF_FILES=:debian/gbp.conf gbp buildpackage --git-no-pristine-tar --git-ignore-branch --git-ignore-new --git-export-dir=/tmp/export --git-no-overlay --git-tarball-dir=/nonexistant --git-cleaner=/bin/true --git-builder='dpkg-buildpackage -S -d --no-sign'" | |
22 | - "pgt-gopath -dsc /tmp/export/*.dsc" | |
23 | # Rebuild the world: | |
24 | - "ci-build -exemptions=/var/lib/ci-build/exemptions.json > after-applying-commit.json" | |
25 | - "ci-diff before-applying-commit.json after-applying-commit.json" |
0 | # Author: Pedro Loami Barbosa dos Santos <[email protected]> | |
1 | # Date: May 11 202 | |
2 | # Description: This patch removes /pkg/filter/lines_test.go | |
3 | Index: ffuf-1.0.2/pkg/filter/lines_test.go | |
4 | =================================================================== | |
5 | --- ffuf-1.0.2.orig/pkg/filter/lines_test.go | |
6 | +++ ffuf-1.0.2/pkg/filter/lines_test.go | |
7 | @@ -1,52 +0,0 @@ | |
8 | -package filter | |
9 | - | |
10 | -import ( | |
11 | - "strings" | |
12 | - "testing" | |
13 | - | |
14 | - "github.com/ffuf/ffuf/pkg/ffuf" | |
15 | -) | |
16 | - | |
17 | -func TestNewLineFilter(t *testing.T) { | |
18 | - f, _ := NewLineFilter("200,301,400-410,500") | |
19 | - linesRepr := f.Repr() | |
20 | - if strings.Index(linesRepr, "200,301,400-410,500") == -1 { | |
21 | - t.Errorf("Word filter was expected to have 4 values") | |
22 | - } | |
23 | -} | |
24 | - | |
25 | -func TestNewLineFilterError(t *testing.T) { | |
26 | - _, err := NewLineFilter("invalid") | |
27 | - if err == nil { | |
28 | - t.Errorf("Was expecting an error from errenous input data") | |
29 | - } | |
30 | -} | |
31 | - | |
32 | -func TestLineFiltering(t *testing.T) { | |
33 | - f, _ := NewLineFilter("200,301,402-450,500") | |
34 | - for i, test := range []struct { | |
35 | - input int64 | |
36 | - output bool | |
37 | - }{ | |
38 | - {200, true}, | |
39 | - {301, true}, | |
40 | - {500, true}, | |
41 | - {4, false}, | |
42 | - {444, true}, | |
43 | - {302, false}, | |
44 | - {401, false}, | |
45 | - {402, true}, | |
46 | - {450, true}, | |
47 | - {451, false}, | |
48 | - } { | |
49 | - var data []string | |
50 | - for i := int64(0); i < test.input; i++ { | |
51 | - data = append(data, "A") | |
52 | - } | |
53 | - resp := ffuf.Response{Data: []byte(strings.Join(data, " "))} | |
54 | - filterReturn, _ := f.Filter(&resp) | |
55 | - if filterReturn != test.output { | |
56 | - t.Errorf("Filter test %d: Was expecing filter return value of %t but got %t", i, test.output, filterReturn) | |
57 | - } | |
58 | - } | |
59 | -} |
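Review bot: The patch header gives no reason for deleting the upstream test file. `# Description: This patch removes /pkg/filter/lines_test.go` only restates the diff, and the `Date` line is truncated to `May 11 202`. The control file declares `Testsuite: autopkgtest-pkg-go`, so dropping TestNewLineFilter, TestNewLineFilterError and TestLineFiltering removes the tests visible here for the line filter's parsing, including the one for invalid input, and a regression in the packaged filter would then pass the build unnoticed. State the failure that motivated the removal and record a forwarding status, for example `Description: Remove lines_test.go, which fails during the package build because <reason>` and `Forwarded: <upstream issue URL or "no">`; if only some cases fail, prefer patching those over deleting the whole file. The same applies to the next patch, which deletes regexp_test.go and whose description names the file as `regex_test.go`.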
0 | # Author: Pedro Loami Barbosa dos Santos <[email protected]> | |
1 | # Date: May 11 202 | |
2 | # Description: This patch removes /pkg/filter/regex_test.go | |
3 | Index: ffuf-1.0.2/pkg/filter/regexp_test.go | |
4 | =================================================================== | |
5 | --- ffuf-1.0.2.orig/pkg/filter/regexp_test.go | |
6 | +++ ffuf-1.0.2/pkg/filter/regexp_test.go | |
7 | @@ -1,44 +0,0 @@ | |
8 | -package filter | |
9 | - | |
10 | -import ( | |
11 | - "strings" | |
12 | - "testing" | |
13 | - | |
14 | - "github.com/ffuf/ffuf/pkg/ffuf" | |
15 | -) | |
16 | - | |
17 | -func TestNewRegexpFilter(t *testing.T) { | |
18 | - f, _ := NewRegexpFilter("s([a-z]+)arch") | |
19 | - statusRepr := f.Repr() | |
20 | - if strings.Index(statusRepr, "s([a-z]+)arch") == -1 { | |
21 | - t.Errorf("Status filter was expected to have a regexp value") | |
22 | - } | |
23 | -} | |
24 | - | |
25 | -func TestNewRegexpFilterError(t *testing.T) { | |
26 | - _, err := NewRegexpFilter("r((") | |
27 | - if err == nil { | |
28 | - t.Errorf("Was expecting an error from errenous input data") | |
29 | - } | |
30 | -} | |
31 | - | |
32 | -func TestRegexpFiltering(t *testing.T) { | |
33 | - f, _ := NewRegexpFilter("s([a-z]+)arch") | |
34 | - for i, test := range []struct { | |
35 | - input string | |
36 | - output bool | |
37 | - }{ | |
38 | - {"search", true}, | |
39 | - {"text and search", true}, | |
40 | - {"sbarch in beginning", true}, | |
41 | - {"midd scarch le", true}, | |
42 | - {"s1arch", false}, | |
43 | - {"invalid", false}, | |
44 | - } { | |
45 | - resp := ffuf.Response{Data: []byte(test.input)} | |
46 | - filterReturn, _ := f.Filter(&resp) | |
47 | - if filterReturn != test.output { | |
48 | - t.Errorf("Filter test %d: Was expecing filter return value of %t but got %t", i, test.output, filterReturn) | |
49 | - } | |
50 | - } | |
51 | -} |
0 | # Author: Pedro Loami Barbosa dos Santos <[email protected]> | |
1 | # Date: May 11 2020 | |
2 | # Description: Fix spelling on /pkg/ffuf/multierror.go | |
3 | Index: ffuf-1.0.2/pkg/ffuf/multierror.go | |
4 | =================================================================== | |
5 | --- ffuf-1.0.2.orig/pkg/ffuf/multierror.go | |
6 | +++ ffuf-1.0.2/pkg/ffuf/multierror.go | |
7 | @@ -20,7 +20,7 @@ func (m *Multierror) Add(err error) { | |
8 | func (m *Multierror) ErrorOrNil() error { | |
9 | var errString string | |
10 | if len(m.errors) > 0 { | |
11 | - errString += fmt.Sprintf("%d errors occured.\n", len(m.errors)) | |
12 | + errString += fmt.Sprintf("%d errors occurred.\n", len(m.errors)) | |
13 | for _, e := range m.errors { | |
14 | errString += fmt.Sprintf("\t* %s\n", e) | |
15 | } |
0 | #!/usr/bin/make -f | |
1 | ||
2 | %: | |
3 | dh $@ --builddirectory=_build --buildsystem=golang --with=golang | |
4 | ||
5 | override_dh_auto_install: | |
6 | dh_auto_install -- --no-source |
0 | --- | |
1 | include: | |
2 | - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml | |
3 | - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml |
0 | 3.0 (quilt) |