URL Fuzzer
Date: 2021-12-20
Parameters

| Name | Type | Description | Value |
|---|---|---|---|
| tool_id | Integer | The id of this tool | 90 |
| target | String | The URL on the target server that will be fuzzed. You can specify a custom location for the payload using at most one FUZZ marker in the path or in query strings | |
| method | String | HTTP method for the requests performed (optional) | GET (default), POST |
| post_data | String | Specify POST data to be sent with every request. It is only used with the POST method and can contain the FUZZ marker (optional) | |
| thread_count | String | Number of requests made in parallel (number of threads for the scan), between "1" and "7". Default: "7" (optional) | |
| requests_delay | String | Only works if one thread is selected. It specifies the delay between the requests (in seconds) and can be a float between "0" and "3600". Default: "0" (optional) | |
| req_timeout | String | Timeout for a single HTTP request, measured in seconds. It should be a positive float, no bigger than "43200" (12h). Default: "4.0" (optional) | |
| max_retries | String | Maximum number of retries for a single HTTP request, in case of connection error. It should be an integer between "0" and "10". The delay between retries increases exponentially; see the retry_factor parameter for details. Default: "3" (optional) | |
| retry_factor | String | Controls the delay between retries. It should be a float between "0" and "120". If it is "1", the first retry is sent immediately (after 0s), the second one after 1s, then 2s, 4s and so on. If it is "0.1", the successive sleeps will be: 0s, 0.1s, 0.2s, 0.4s... Default: "1.0" (optional) | |
| retry_codes | String | Force retry on these HTTP codes. They can be integers between 100 and 599, or a range, for example: "429,500-505" (optional) | |
| payload_type | String | Specify the kind of payload you want to use: one of your wordlists or generate a sequence of numbers. Default: wordlist | wordlist, sequence |
| wordlist_id | String | The id of the wordlist that will be used for fuzzing, if the payload_type is wordlist. If not set, the default one will be used | |
| dynamic | String | This is a scan option which extends the default wordlist with words from the HTML page located at the base URL (including existing links). Not applicable to the sequence payload type (optional) | on, off |
| sequence_from | String | Specify the starting number for the sequence, used if the payload_type is sequence. Default value: "0" | |
| sequence_to | String | Specify the ending number for the sequence, used if the payload_type is sequence. Default value: "100" | |
| sequence_step | String | Specify the step for generating the sequence, used if the payload_type is sequence. Default value: "1". This cannot be "0" | |
| no_ext | String | Search for files with no extension (plain words) (optional) | on, off |
| configs | String | Search for files with the following extensions: conf, cfg, txt, xml, json, ini (optional) | on, off |
| sources | String | Search for files with the following extensions: bat, c, java, cpp, cs, h (optional) | on, off |
| archives | String | Search for files with the following extensions: zip, tar, tar.gz, tgz, gz, 7z, bzip, rar, jar, apk (optional) | on, off |
| databases | String | Search for files with the following extensions: sql, mdb, db, nsf, csv, dbf (optional) | on, off |
| logs | String | Search for files with the following extensions: log, err, journal (optional) | on, off |
| backups | String | Search for files with the following extensions: old, back, bkp, bak, tmp, test, dev, prod (optional) | on, off |
| docs | String | Search for files with the following extensions: doc, docx, odt, xls, xlsx, rtf, pdf, ppt, pptx (optional) | on, off |
| web | String | Search for files with the following extensions: asp, aspx, php, jsp, shtml, htm, html, dll, pl, py, cgi, cfm, sh (optional) | on, off |
| custom_ext | String | Search for files with custom extensions (optional). Requires the input_ext parameter to be set | on, off |
| input_ext | String | The custom extensions that you want to search for. You can specify multiple extensions (up to 10 per scan), including double extensions (e.g. .php.old, .jsp.bak, .tgz etc.) (optional). For this option to work, custom_ext must be on | |
| mutate | String | This is a scan option which applies various mutations to the identified files in order to find other resources (config.php, config2.php, config_old.php, config-dev.php etc.) (optional) | on, off |
| response_filter | String | Use the default mechanism of filtering results or specify your own conditions (optional). In the auto mode, all responses with the 404 status code are ignored; if the method is GET, we also try to detect soft 404 pages (for example, error pages). In the manual mode, no response is filtered and you can specify custom conditions (see below) to match or ignore certain HTTP responses | auto (default), manual |
| match_resp_codes | String | In manual response filtering, only return responses with these HTTP codes. They can be integers between 100 and 599, or ranges, separated by commas (optional) | |
| match_resp_size_op | String | In manual response filtering, only return responses with the size matching this condition. This parameter specifies the operator. Accepted: =, <, >, <=, >= (optional). The match_resp_size_limit should also be set | |
| match_resp_size_limit | String | In manual response filtering, only return responses with the size matching this condition. This parameter specifies the limit used for comparison and should be an integer between 0 and 10240, measured in KB (optional). The match_resp_size_op should also be set | |
| match_resp_content | String | In manual response filtering, only return responses that contain this string in the content (optional) | |
| ignore_resp_codes | String | In manual response filtering, discard responses with these HTTP codes. They can be integers between 100 and 599, or ranges, separated by commas (optional) | |
| ignore_resp_size_op | String | In manual response filtering, discard responses with the size matching this condition. This parameter specifies the operator. Accepted: =, <, >, <=, >= (optional). The ignore_resp_size_limit should also be set | |
| ignore_resp_size_limit | String | In manual response filtering, discard responses with the size matching this condition. This parameter specifies the limit used for comparison and should be an integer between 0 and 10240, measured in KB (optional). The ignore_resp_size_op should also be set | |
| ignore_resp_content | String | In manual response filtering, discard responses that contain this string in the content (optional) | |
| follow_redirects | Boolean | Follow HTTP redirects and scan the final redirect location. This will create a new target if it does not already exist. The default value of this parameter is false | |

Notes

no_ext will be used.

sequence_from, sequence_to and sequence_step is [-99999999999999, 99999999999999] and the generated sequence can have a maximum length of 10000 numbers.
Start scan examples
{
"op": "start_scan",
"tool_id": 90,
"target": "http://demo.pentest-tools.com/url_fuzzer/?page=FUZZ",
"tool_params": {
"payload_type": "sequence",
"sequence_to": "1000",
"sequence_step": "2",
"no_ext": "on",
"custom_ext": "on",
"input_ext": "php, tar.gz",
"dynamic": "on",
"thread_count": "4",
"req_timeout": "1",
"max_retries": "2",
"retry_codes": "429,500-505",
"response_filter": "manual",
"match_resp_codes": "200-205,301",
"match_resp_size_op": ">",
"match_resp_size_limit": "12"
}
}
{
"op": "start_scan_by_targetid",
"tool_id": 90,
"target_id": 984233,
"tool_params": {
"method": "POST",
"post_data": "username=example&password=FUZZ",
"wordlist_id": "10",
"no_ext": "on",
"custom_ext": "off",
"dynamic": "on",
"thread_count": "1",
"requests_delay": "60",
"response_filter": "manual",
"match_resp_codes": "400",
"match_resp_content": "error",
"ignore_resp_codes": "200-205",
"ignore_resp_content": "welcome"
}
}
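The retry back-off (max_retries, retry_factor) and the manual response filter (match_* / ignore_*) from the parameter table, modelled as an added example so a tool_params block like the ones above can be checked against sample responses before a scan is started; this is not the tool's own code. It assumes that when several match_*/ignore_* conditions are set, every match condition must hold and no ignore condition may hold (the page does not say how they combine), and that sizes are compared in KB as the limit parameters are.

```python
# Added example, not the URL Fuzzer's own implementation. Assumption: all
# match_* conditions must hold and no ignore_* condition may hold for a
# response to be returned.
OPS = {"=": lambda a, b: a == b, "<": lambda a, b: a < b,
       ">": lambda a, b: a > b, "<=": lambda a, b: a <= b,
       ">=": lambda a, b: a >= b}


def parse_codes(spec):
    """Expand a spec such as "429,500-505" into a set of HTTP status codes."""
    codes = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 100 <= lo <= hi <= 599:
            raise ValueError(f"status code out of range: {part!r}")
        codes.update(range(lo, hi + 1))
    return codes


def retry_schedule(max_retries, retry_factor):
    """Seconds slept before each retry: 0, f*1, f*2, f*4 ... (exponential)."""
    if not 0 <= max_retries <= 10 or not 0 <= retry_factor <= 120:
        raise ValueError("max_retries must be 0..10, retry_factor 0..120")
    if max_retries == 0:
        return []
    return [0.0] + [retry_factor * 2 ** i for i in range(max_retries - 1)]


def keep_response(status, size_kb, body, p):
    """Manual response filtering with the match_*/ignore_* params in p."""
    if "match_resp_codes" in p and status not in parse_codes(p["match_resp_codes"]):
        return False
    if "match_resp_size_op" in p and not OPS[p["match_resp_size_op"]](
            size_kb, int(p["match_resp_size_limit"])):
        return False
    if "match_resp_content" in p and p["match_resp_content"] not in body:
        return False
    if "ignore_resp_codes" in p and status in parse_codes(p["ignore_resp_codes"]):
        return False
    if "ignore_resp_size_op" in p and OPS[p["ignore_resp_size_op"]](
            size_kb, int(p["ignore_resp_size_limit"])):
        return False
    if "ignore_resp_content" in p and p["ignore_resp_content"] in body:
        return False
    return True


# Filter settings taken from the second start_scan example above.
EXAMPLE_PARAMS = {"match_resp_codes": "400", "match_resp_content": "error",
                  "ignore_resp_codes": "200-205", "ignore_resp_content": "welcome"}
```

Running `keep_response(400, 3, "error: bad credentials", EXAMPLE_PARAMS)` returns True, while a 200 "welcome" page or a 400 page that contains both "error" and "welcome" is filtered out.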