URL Fuzzer

The HTTP method for the requests performed. The value can be "GET" or "POST".

Specify POST data to be sent with every request. It is only used with the POST method and can contain the FUZZ marker.

Number of requests made in parallel (number of threads for the scan), between "1" and "10".

Only works if one thread is selected. It specifies the delay between the requests (in seconds) and can be a float between "0" and "3600".

Timeout for a single HTTP request, measured in seconds. It should be a positive float, no bigger than "43200" (12h).

Maximum number of retries for a single HTTP request, in case of connection error. It should be an integer between "0" and "10". The delay between retries increases exponentially, see the retry_factor parameter for details.

Controls the delay between retries. It should be a float between "0" and "120". If it is "1", the first retry is sent immediatelly (after 0s), the second one after 1s, then 2s, 4s and so on. If it is 0.1, the succesive sleeps will be: 0s, 0.1s, 0.2s, 0.4s...

Force retry on these HTTP codes. They can be integers between "100" and "599", or a range, for example: "429,500-505"

Specify the kind of payload you want to use: one of your wordlists or generate a sequence of numbers. The value can be "wordlist" or "sequence".

The ID of the wordlist that will be used for fuzzing, if the payload_type is "wordlist". If not set, the default one will be used.

This is a scan option which extends the default wordlist with words from the HTML page located at the base URL (including existing links). Not applicable to "sequence" payload type. The value can be "on" or "off".

Specify the starting number for the sequence, used if the payload_type is "sequence".

Specify the ending number for the sequence, used if the payload_type is "sequence".

Specify the step for generating the sequence, used if the payload_type is "sequence". This value cannot be "0".

Search for files with no extension (plain words). The value can be "on" or "off".

Search for files with the following extensions: "conf", "cfg", "txt", "xml", "json", "ini". The value can be "on" or "off".

Search for files with the following extensions: "bat", "c", "java", "cpp", "cs", "h". The value can be "on" or "off".

Search for files with the following extensions: "zip", "tar", "tar.gz", "tgz", "gz", "7z", "bzip", "rar", "jar", "apk". The value can be "on" or "off".

Search for files with the following extensions: "sql", "mdb", "db", "nsf", "csv", "dbf". The value can be "on" or "off".

Search for files with the following extensions: "log", "err", "journal". The value can be "on" or "off".

Search for files with the following extensions: "old", "back", "bkp", "bak", "tmp", "test", "dev", "prod". The value can be "on" or "off".

Search for files with the following extensions: "doc", "docx", "odt", "xls", "xlsx", "rtf", "pdf", "ppt", "pptx". The value can be "on" or "off".

Search for files with the following extensions: "asp", "aspx", "php", "jsp", "shtml", "htm", "html", "dll", "pl", "py", "cgi", "cfm", "sh". The value can be "on" or "off".

Search for files with custom extensions. Requires input_ext parameter to be set. The value can be "on" or "off".

The custom extensions that you want to search for. You can specify multiple extensions (up to 10 per scan), including double extensions (e.g. ".php.old", ".jsp.bak", ".tgz" etc.). For this option to work, custom_ext must be "on".

This is a scan option which applies various mutations to the identified files in order to find other resources ("config.php", config2.php, config_old".php", "config-dev.php" etc.). The value can be "on" or "off".

Use the default mechanism of filtering results or specify your own conditions. In the "auto" mode, all responses with the 404 status code are ignored. If the method is "GET", we also try to detect soft 404 pages (for example, error pages). In the "manual" mode, no response is filtered and you can specify custom conditions (see below) to match or ignore certain HTTP responses. The value can be "auto" or "manual".

In "manual" response filtering, only return responses with these HTTP codes. They can be integers between "100" and "599", or ranges, separated by commas.

In manual response filtering, only return responses with the size matching this condition. This parameter specifies the operator. Accepted: "=", "<", ">", "<=", ">=". The match_resp_size_limit should also be set.

In "manual" response filtering, only return responses with the size matching this condition. This parameter specifies the limit used for comparison and should be an integer between "0" and "10240", measured in KB. The match_resp_size_op should also be set.

In "manual" response filtering, only return responses that contain this string in the content.

In "manual" response filtering, discard responses with these HTTP codes. They can be integers between "100" and "599", or ranges, separated by commas.

In "manual" response filtering, discard responses with the size matching this condition. This parameter specifies the operator. Accepted: "=", "<", ">", "<=", ">=". The ignore_resp_size_limit should also be set.

In "manual" response filtering, discard responses with the size matching this condition. This parameter specifies the limit used for comparison and should be an integer between "0" and "10240", measured in KB. The ignore_resp_size_op should also be set.

In "manual" response filtering, discard responses that contain this string in the content.

Follow HTTP redirects and scan the final redirect location. This will create a new target if it does not already exist.