The URL on the target server that will be fuzzed. You can specify a custom location for the payload using at most one FUZZ marker in the path or in query strings.
Maximum number of retries for a single HTTP request in case of a connection error. It should be an integer between "0" and "10". The delay between retries increases exponentially; see the retry_factor parameter for details.
Controls the delay between retries. It should be a float between "0" and "120". If it is "1", the first retry is sent immediately (after 0s), the second one after 1s, then 2s, 4s and so on. If it is 0.1, the successive sleeps will be: 0s, 0.1s, 0.2s, 0.4s...
This is a scan option which extends the default wordlist with words from the HTML page located at the base URL (including existing links). Not applicable to "sequence" payload type. The value can be "on" or "off".
Search for files with the following extensions: "zip", "tar", "tar.gz", "tgz", "gz", "7z", "bzip", "rar", "jar", "apk". The value can be "on" or "off".
Search for files with the following extensions: "asp", "aspx", "php", "jsp", "shtml", "htm", "html", "dll", "pl", "py", "cgi", "cfm", "sh". The value can be "on" or "off".
The custom extensions that you want to search for. You can specify multiple extensions (up to 10 per scan), including double extensions (e.g. ".php.old", ".jsp.bak", ".tgz" etc.). For this option to work, custom_ext must be "on".
This is a scan option which applies various mutations to the identified files in order to find other resources ("config.php", "config2.php", "config_old.php", "config-dev.php" etc.). The value can be "on" or "off".
Use the default mechanism of filtering results or specify your own conditions.
In the "auto" mode, all responses with the 404 status code are ignored. If the method is "GET", we also try to detect soft 404 pages (for example, error pages).
In the "manual" mode, no response is filtered and you can specify custom conditions (see below) to match or ignore certain HTTP responses.
The value can be "auto" or "manual".
In "manual" response filtering, only return responses with these HTTP codes. They can be integers between "100" and "599", or ranges, separated by commas.
In "manual" response filtering, only return responses with the size matching this condition. This parameter specifies the operator. Accepted: "=", "<", ">", "<=", ">=". The match_resp_size_limit should also be set.
In "manual" response filtering, only return responses with the size matching this condition. This parameter specifies the limit used for comparison and should be an integer between "0" and "10240", measured in KB. The match_resp_size_op should also be set.
In "manual" response filtering, discard responses with the size matching this condition. This parameter specifies the operator. Accepted: "=", "<", ">", "<=", ">=". The ignore_resp_size_limit should also be set.
In "manual" response filtering, discard responses with the size matching this condition. This parameter specifies the limit used for comparison and should be an integer between "0" and "10240", measured in KB. The ignore_resp_size_op should also be set.
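One way the "manual" filtering conditions above could combine when triaging responses, as an added example that is not the scanner's own code. The `codes` parameter name, the "low-high" range syntax, the 1 KB = 1024 bytes conversion and the match-then-ignore ordering are assumptions; the four size parameter names come from the descriptions above.

```python
import operator

# Comparison operators accepted by match_resp_size_op / ignore_resp_size_op.
SIZE_OPS = {"=": operator.eq, "<": operator.lt, ">": operator.gt,
            "<=": operator.le, ">=": operator.ge}


def parse_codes(spec):
    """Parse e.g. "200,301-302,500-599" into inclusive (low, high) pairs.
    The "low-high" range syntax is an assumption."""
    ranges = []
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        low, high = int(low), int(high or low)
        if not 100 <= low <= high <= 599:
            raise ValueError(f"status code out of range 100-599: {part!r}")
        ranges.append((low, high))
    return ranges


def size_condition(op, limit_kb):
    """Build a size predicate; operator and limit must be set together."""
    if op is None and limit_kb is None:
        return None
    if op not in SIZE_OPS or limit_kb is None or not 0 <= limit_kb <= 10240:
        raise ValueError("need a valid operator and a limit of 0-10240 KB")
    # Assumption: sizes are compared in bytes, with 1 KB = 1024 bytes.
    return lambda size_bytes: SIZE_OPS[op](size_bytes, limit_kb * 1024)


def keep_response(status, size_bytes, codes=None, match_resp_size_op=None,
                  match_resp_size_limit=None, ignore_resp_size_op=None,
                  ignore_resp_size_limit=None):
    """Return True if a response survives "manual" filtering.
    Assumption: every match condition must hold, then ignore is applied.
    `codes` is a hypothetical name for the HTTP code list parameter."""
    if codes and not any(lo <= status <= hi for lo, hi in parse_codes(codes)):
        return False
    match = size_condition(match_resp_size_op, match_resp_size_limit)
    if match and not match(size_bytes):
        return False
    ignore = size_condition(ignore_resp_size_op, ignore_resp_size_limit)
    return not (ignore and ignore(size_bytes))
```

With no conditions set, every response is kept, which matches the "manual" mode description that no response is filtered by default.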