PSFuzz - ProvieSec Fuzz Scanner - Web path/file discovery

Table of Contents

• Introduction
• Installation
• Wordlists
• Options
• How to use
• Todos
• Tips
• License

Introduction

⭐ Star us on GitHub — it motivates a lot! ⭐

Web path discovery

Discover with ProSecFuzz hidden files and directories on a web server.

Disclaimer: DONT BE A JERK!

Needless to mention, please use this tool very very carefully. The authors won't be responsible for any consequences.

Installation & Usage

go get https://github.com/Proviesec/PSFuzz go install github.com/Proviesec/PSFuzz@latest

Wordlists

Summary:

• the Wordlist is a text file, each line is a path.
• Here you get suitable lists: https://github.com/Proviesec/directory-payload-list

Options

Required

• -u/-url Example: -u https://www.google.com

Optional

• -o/-output Example: -o google_output Default: output.txt
• -d/-dirlist Example: -d list.txt Default is https://raw.githubusercontent.com/Proviesec/directory-payload-list/main/directory-full-list.txt
• -s/-status Example: -s true Default:false only Status Code 200
• -c/-concurrency Example: -c 5
• -fscn/-filterStatusCodeNot Example: -fscn 404 Don't show response status code 404
• -fsc/-filterStatusCode Example: -fsc 200,301 Show only response status code 200 and 301
• -fl/-filterLength Example: -fl 122,1234,1235,1236 or -fl 122,1234-1236 Show only the response with this length (or length range)
• -fln/-filterLengthNot Example: -fln 122,1234,1235,1236 or -fln 122,1234-1236 Show not this response with this length (or length range)
• -fm/-filterMatchWord Example: -fm admin
• -rah/-requestAddHeader Example: -rah Host:127.0.0.1
• -b/-bypass Example: -b true -> bypass status code: 401,402,403
• -g/-generate_payload Example: -g 100 -> generate a,aa,ab,abc,aaa,abb,bbc
• -od /-onlydomains Example: -od true Show only domains in the outputfile (no status code)
• -t /-filterTestLength Example: -t true make a test request and check if any other request has the same length, if yes, then skip the result for this request
• fws / filterWrongStatus200 Example: -fws true - Don´t show: in title: "Access Gateway", "Not Found", "Error"/"ERROR", "403", "Bad Request" ,"Forbidden", "500", "Internal Server Error" and body length <= 1

Attack Configuration / Patterns

Response Analysis

Example

go run main.go -url https://www.google.com/ -d dir-full.txt -c 2 -o testest -s true -fscn 404,301,302

go run main.go -url https://www.google.com/ -d dir-full.txt -c 2 -o googletest -s true -fl 122,1565-1569 -fln 1566-1568

Todos

General

• Multi requests
• Optional param output
• check https or http
• Logo and Version output
• Tryhackme room
• help mode (-h)
• check backslah
• optional config file
  • load config
  • save config
  • json file
  • config for "dont show" in title/body
• Proxy
• throttle
• detect "too many requests"
• Output
  • TXT
  • CSV
  • Json
  • HTML
• Progress bar
• list of sites
• Parameter
  • random payload generator
  • choice of dirlist from proviesec github repo
  • subdomain list from proviesec github repo
  • Port List
  • Length
  • Length range show and not show
  • Response Status List show
  • Response Status Range show
  • Response Status List not show
  • Response Status Range not show
  • Filter content type
  • Words match list title/page
  • Set Optional Header
  • scan subdirs with depth (list: admin/public/static)
  • exclude subdirs (list: js/img)
  • add default-extensions (yml,php,aspx,jsp,html,js)
  • lowercase
  • uppercase
  • Min response-size
  • Max response-size
  • Set request Timeout
  • Add Cookies
  • quite Mode
  • random user-agent
  • show only the urls
  • add user agent
  • username /password basic Auth

Attack

• make GET requests
• make put request
• make POST requests
• try PUT/DELETE/PATCH
• Wordlist txt parameter
• Wildcard parameter
• List of URLs
• depth by dir
• Word list
  • Automatic Word list for any file html,txt, php..
    • payload generator, include, start or end with specific word and max length
    • file ending as parameter list
  • get list from any url
  • get list from proviesec github account default
  • multiple word lists
• Crlf scan
• open redirect scan
• fuzzing parameter (from a-z)
• fuzzing http verbs
• Wordlist formats, upper lower

Response Analysis

• show response status
• count words
• show response time
• show lines
• dump the response in files
• Fingerprint Software (Wordpress/php/java/Apache/nginx etc.)
• CORS analyse
• bypass
  • 403 Bypass, config
  • Status bypass
• Words match list title/page/header
  • output the match line
• Show positiv false: status 200, but title 404
• Show possible block response, after x requests "403 or too many request"
• Show possible false 200, same length of a random site
• Show confident value, if the folder/file not in the response
• Intilligence
  • Automatically detect false 200 (really 404)
  • too many rediretcs and then restart again, with the exclusion of
  • Show the most unique target
• Show titel of Page
• Show Response Body Length
• filter possibile 404
• show content type
• Fingerprint check
• fuzz Parameter check (normal Response vs. with paramter)
• show reflected cookie
• show reflected params
• show reflected base64 params
• search for interesting strings
• compare two scans
  • save scan
  • load scan
• Redirect handler - 301... -> Can be activated via parameter
  • Show Redirect URL
  • Skip Status filter if redirect true (via parameter)

Example

go run main.go -url https://www.google.com -d list.txt -s true -c 2