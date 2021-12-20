

| Name | Type | Description | Value |
|---|---|---|---|
| tool_id | Integer | The id of this tool | 90 |
| target | String | The URL on the target server that will be fuzzed. You can specify a custom location for the payload using at most one FUZZ marker in the path or in query strings | |
| method | String | HTTP method for the requests performed (optional) | GET (default), POST |
| post_data | String | Specify POST data to be sent with every request. It is only used with the POST method and can contain the FUZZ marker (optional) | |
| thread_count | String | Number of requests made in parallel (number of threads for the scan), between "1" and "7". Default: "7" (optional) | |
| requests_delay | String | Only works if one thread is selected. It specifies the delay between the requests (in seconds) and can be a float between "0" and "3600". Default: "0" (optional) | |
| req_timeout | String | Timeout for a single HTTP request, measured in seconds. It should be a positive float, no bigger than "43200" (12h). Default: "4.0" (optional) | |
| max_retries | String | Maximum number of retries for a single HTTP request, in case of connection error. It should be an integer between "0" and "10". The delay between retries increases exponentially, see the retry_factor parameter for details. Default: "3" (optional) | |
| retry_factor | String | Controls the delay between retries. It should be a float between "0" and "120". If it is "1", the first retry is sent immediately (after 0s), the second one after 1s, then 2s, 4s and so on. If it is "0.1", the successive sleeps will be: 0s, 0.1s, 0.2s, 0.4s... Default: "1.0" (optional) | |
| retry_codes | String | Force retry on these HTTP codes. They can be integers between 100 and 599, or a range, for example: "429,500-505" (optional) | |
| payload_type | String | Specify the kind of payload you want to use: one of your wordlists or generate a sequence of numbers. Default: wordlist | wordlist, sequence |
| wordlist_id | String | The id of the wordlist that will be used for fuzzing, if the payload_type is wordlist. If not set, the default one will be used | |
| dynamic | String | This is a scan option which extends the default wordlist with words from the HTML page located at the base URL (including existing links). Not applicable to sequence payload type (optional) | on, off |
| sequence_from | String | Specify the starting number for the sequence, used if the payload_type is sequence. Default value: "0" | |
| sequence_to | String | Specify the ending number for the sequence, used if the payload_type is sequence. Default value: "100" | |
| sequence_step | String | Specify the step for generating the sequence, used if the payload_type is sequence. Default value: "1". This cannot be "0" | |
| no_ext | String | Search for files with no extension (plain words) (optional) | on, off |
| configs | String | Search for files with the following extensions: conf, cfg, txt, xml, json, ini (optional) | on, off |
| sources | String | Search for files with the following extensions: bat, c, java, cpp, cs, h (optional) | on, off |
| archives | String | Search for files with the following extensions: zip, tar, tar.gz, tgz, gz, 7z, bzip, rar, jar, apk (optional) | on, off |
| databases | String | Search for files with the following extensions: sql, mdb, db, nsf, csv, dbf (optional) | on, off |
| logs | String | Search for files with the following extensions: log, err, journal (optional) | on, off |
| backups | String | Search for files with the following extensions: old, back, bkp, bak, tmp, test, dev, prod (optional) | on, off |
| docs | String | Search for files with the following extensions: doc, docx, odt, xls, xlsx, rtf, pdf, ppt, pptx (optional) | on, off |
| web | String | Search for files with the following extensions: asp, aspx, php, jsp, shtml, htm, html, dll, pl, py, cgi, cfm, sh (optional) | on, off |
| custom_ext | String | Search for files with custom extensions (optional). Requires input_ext parameter to be set | on, off |
| input_ext | String | The custom extensions that you want to search for. You can specify multiple extensions (up to 10 per scan), including double extensions (e.g. .php.old, .jsp.bak, .tgz etc.) (optional). For this option to work custom_ext must be on | |
| mutate | String | This is a scan option which applies various mutations to the identified files in order to find other resources (config.php, config2.php, config_old.php, config-dev.php etc.) (optional) | on, off |
| response_filter | String | Use the default mechanism of filtering results or specify your own conditions (optional). In the auto mode, all responses with the 404 status code are ignored. If the method is GET, we also try to detect soft 404 pages (for example, error pages). In the manual mode, no response is filtered and you can specify custom conditions (see below) to match or ignore certain HTTP responses | auto (default), manual |
| match_resp_codes | String | In manual response filtering, only return responses with these HTTP codes. They can be integers between 100 and 599, or ranges, separated by commas (optional) | |
| match_resp_size_op | String | In manual response filtering, only return responses with the size matching this condition. This parameter specifies the operator. Accepted: =, <, >, <=, >=. (optional) The match_resp_size_limit should also be set. | |
| match_resp_size_limit | String | In manual response filtering, only return responses with the size matching this condition. This parameter specifies the limit used for comparison and should be an integer between 0 and 10240, measured in KB. (optional) The match_resp_size_op should also be set. | |
| match_resp_content | String | In manual response filtering, only return responses that contain this string in the content (optional) | |
| ignore_resp_codes | String | In manual response filtering, discard responses with these HTTP codes. They can be integers between 100 and 599, or ranges, separated by commas (optional) | |
| ignore_resp_size_op | String | In manual response filtering, discard responses with the size matching this condition. This parameter specifies the operator. Accepted: =, <, >, <=, >=. (optional) The ignore_resp_size_limit should also be set. | |
| ignore_resp_size_limit | String | In manual response filtering, discard responses with the size matching this condition. This parameter specifies the limit used for comparison and should be an integer between 0 and 10240, measured in KB. (optional) The ignore_resp_size_op should also be set. | |
| ignore_resp_content | String | In manual response filtering, discard responses that contain this string in the content (optional) | |
| follow_redirects | Boolean | Follow HTTP redirects and scan the final redirect location. This will create a new target if it does not already exist. The default value of this parameter is false | |

At most one FUZZ marker can be used. If none is specified, the default location is at the end of the target.
If no parameter is set, no_ext will be used.
The range of integers accepted for sequence_from, sequence_to and sequence_step is [-99999999999999, 99999999999999] and the generated sequence can have a maximum length of 10000 numbers.

Start scan examples

{
  "op": "start_scan",
  "tool_id": 90,
  "target": "http://demo.pentest-tools.com/url_fuzzer/?page=FUZZ",
  "tool_params": {
    "payload_type": "sequence",
    "sequence_to": "1000",
    "sequence_step": "2",
    "no_ext": "on",
    "custom_ext": "on",
    "input_ext": "php, tar.gz",
    "dynamic": "on",
    "thread_count": "4",
    "req_timeout": "1",
    "max_retries": "2",
    "retry_codes": "429,500-505",
    "response_filter": "manual",
    "match_resp_codes": "200-205,301",
    "match_resp_size_op": ">",
    "match_resp_size_limit": "12"
  }
}

{
  "op": "start_scan_by_targetid",
  "tool_id": 90,
  "target_id": 984233,
  "tool_params": {
    "method": "POST",
    "post_data": "username=example&password=FUZZ",
    "wordlist_id": "10",
    "no_ext": "on",
    "custom_ext": "off",
    "dynamic": "on",
    "thread_count": "1",
    "requests_delay": "60",
    "response_filter": "manual",
    "match_resp_codes": "400",
    "match_resp_content": "error",
    "ignore_resp_codes": "200-205",
    "ignore_resp_content": "welcome"
  }
}
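
Pre-flight check of a request body against the constraints in the parameter table, as an added example (not Pentest-Tools.com code). The names parse_codes, validate and SAMPLE are hypothetical, the sample request is constructed, numeric fields are assumed to hold integers, and sequence_to is assumed to be inclusive.

```python
import re

def parse_codes(spec):
    """Expand "429,500-505" into a set of ints; None if malformed or outside 100-599."""
    codes = set()
    for part in spec.split(","):
        m = re.fullmatch(r"\s*(\d+)(?:-(\d+))?\s*", part)
        lo, hi = (int(m.group(1)), int(m.group(2) or m.group(1))) if m else (0, 0)
        if not 100 <= lo <= hi <= 599:
            return None
        codes.update(range(lo, hi + 1))
    return codes

def validate(request):
    """Return the documented constraints that a request body violates."""
    p, errs = request.get("tool_params", {}), []
    if (request.get("target", "") + p.get("post_data", "")).count("FUZZ") > 1:
        errs.append("more than one FUZZ marker")
    threads = int(p.get("thread_count", "7"))
    if not 1 <= threads <= 7:
        errs.append("thread_count must be between 1 and 7")
    if "requests_delay" in p and threads != 1:
        errs.append("requests_delay only works with one thread")
    if p.get("payload_type", "wordlist") == "sequence":
        lo, hi, step = (int(p.get(f"sequence_{k}", d)) for k, d in (("from", 0), ("to", 100), ("step", 1)))
        if step == 0:
            errs.append("sequence_step cannot be 0")
        elif (hi - lo) // step + 1 > 10000:  # assumption: sequence_to is inclusive
            errs.append("sequence longer than 10000 numbers")
    exts = [e for e in p.get("input_ext", "").split(",") if e.strip()]
    if (p.get("custom_ext") == "on") != bool(exts):
        errs.append("custom_ext and input_ext must be used together")
    if len(exts) > 10:
        errs.append("more than 10 custom extensions")
    for kind in ("match", "ignore"):
        op, lim = (p.get(f"{kind}_resp_size_{s}") for s in ("op", "limit"))
        if (op is None) != (lim is None):
            errs.append(f"{kind}_resp_size_op and _limit must both be set")
        elif op is not None and (op not in ("=", "<", ">", "<=", ">=") or not 0 <= int(lim) <= 10240):
            errs.append(f"bad {kind}_resp_size condition")
    for key in ("retry_codes", "match_resp_codes", "ignore_resp_codes"):
        if key in p and parse_codes(p[key]) is None:
            errs.append(f"{key} is not a list of codes or ranges within 100-599")
    return errs

# Constructed request (not from the page): two FUZZ markers, a delay with 4 threads.
SAMPLE = {"target": "http://target.example/FUZZ?id=FUZZ",
          "tool_params": {"thread_count": "4", "requests_delay": "2"}}
print(validate(SAMPLE))
```

An empty list means the body satisfies every rule checked here; both start scan examples above pass.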