pathbuster 0.3.5

A path-normalization pentesting tool.
pathbuster-0.3.5 is not a library.
Visit the last successful build: pathbuster-0.5.6

Todos

  • Implement --filter-status which will filter the status codes.
  • Implement --filter-body-size which will filter the response sizes.
  • Implement --drop-after-fail which will ignore requests with the same response code multiple times in a row.

Installation

Install rust

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

Install pathbuster

cargo install pathbuster

Usage

pathbuster -h

This command will show the tool's help information and present a list of all the switches that are available.

USAGE:
    pathbuster [OPTIONS] --urls <urls> --payloads <payloads> --wordlist <wordlist>

OPTIONS:
    -c, --concurrency <concurrency>
            The amount of concurrent requests [default: 1000]

        --drop-after-fail <drop-after-fail>
            ignore requests with the same response code multiple times in a row [default: 302,301]

        --filter-body-size <filter-body-size>
            [default: 0]

        --filter-status <filter-status>
            [default: 403]

    -h, --help
            Print help information

        --match-status <match-status>
            [default: 400]

    -o, --out <out>
            The output file

        --payloads <payloads>
            the file containing the traversal payloads [default: ./payloads/traversals.txt]

    -r, --rate <rate>
            Maximum in-flight requests per second [default: 1000]

        --timeout <timeout>
            The delay between each request [default: 10]

    -u, --urls <urls>
            the url you would like to test

    -V, --version
            Print version information

    -w, --workers <workers>
            The amount of workers [default: 1]

        --wordlist <wordlist>
            the file containing the wordlist used for directory bruteforcing [default:
            ./wordlists/wordlist.txt]

Flags

Flag Description
--urls the file containing the urls to test make sure it contains a path
--payloads file containing the payloads to test
--match-status status code used to match internal responses
--filter-body-size used to filter the response body like ffuf
--filter-status used to filter the response status code like ffuf
--drop-after-fail specify a status code to ignore if it reoccurs more than 5 times in a row
--rate used set the maximum in-flight requests per second
--workers number of workers to process the jobs
--timeout the delay between each request
--concurrency number of threads to be used for processing
--wordlist the wordlist used for directory bruteforcing
--out save output to a file
--help prints help information
--version prints version information

Examples

Usage:

$ pathbuster --urls crawls.txt --payloads traversals.txt -o output.txt

Screenshot

Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

Please make sure to update tests as appropriate.

License

Pathbuster is distributed under MIT License