epi052 / feroxbuster

A fast, simple, recursive content discovery tool written in Rust.
https://epi052.github.io/feroxbuster/
MIT License

[FEATURE REQUEST] Add support for multiple wordlists with an optional variable name #242

Open 0dayCTF opened 3 years ago

0dayCTF commented 3 years ago

Is your feature request related to a problem? Please describe.
Please add a fuzzing option

Describe the solution you'd like
To bruteforce subdomains, and various other requests. e.g. feroxbuster -u http://FUZZ.example.com -w /usr/share/wordlists/subdomains.txt

Describe alternatives you've considered
Currently I'm using ffuf and gobuster, but I'd really like to stick to one tool!

epi052 commented 3 years ago

Good morning, and thanks for suggesting this feature!

I'm going to outline some of my thoughts on this and see what you think.

Much like you, prior to writing feroxbuster, I used gobuster in conjunction with ffuf. Though, currently, I use feroxbuster and ffuf. I do initial scanning with feroxbuster and then targeted fuzzing with ffuf. In my opinion, both have different strengths/features that complement each other. ffuf is incredibly flexible and does a lot of stuff that goes way beyond simple directory busting (which it does with the FUZZ keyword, which you obviously know).

I've never viewed ferox as a replacement for ffuf, but instead a companion. If anything, I see it as a spiritual successor to gobuster. I've always thought of ferox as a scanner and ffuf a fuzzer (not sure the distinction makes sense to others, lol). ffuf and ferox get compared a lot (hell, I do it in the readme) because there's overlap in capability, but I think each one shines at two different things.

I feel like adding a FUZZ keyword isn't in line with ferox being a scanner. I'd prefer to let ffuf handle fuzzing, as that's its main strength. To put it another way, if I implemented fuzzing, the different fuzzing methods (pitchfork, clusterbomb, etc.), integrated radamsa, and so on, then it probably would have made more sense to just submit PRs to ffuf for its scanning side of things. I think I'd prefer to concentrate efforts on making ferox the best it can be at discovering content instead of branching out into a whole new area of capability.

I'm currently enrolled in offsec's new course, so don't plan on working anything significant for ferox until that's complete, just as a heads up.

Sorry for the wall of text. I'm very interested in hearing your thoughts on this, and thank you for checking out the project :pray:

epi052 commented 3 years ago

Just had a conversation with someone else that suggested the use of multiple wordlists to allow for crafting things like HOST/some/api/path/WORD when scanning multiple hosts. This makes sense to allow for, but is effectively a variation on the FUZZ keyword. Kinda torn... lol.

0dayCTF commented 3 years ago

Interesting, I totally understand where you're coming from. I don't think that FeroxBuster needs to have all of the methods "pitchfork, clusterbomb, etc.", but it would most definitely be nice to have a "FUZZ" option to scan subdomains, vhosts, and use multiple wordlists. This could also be achieved with a mode, e.g. "feroxbuster sub -u example.com -w /sub-top-100.txt" or "feroxbuster -u https://FUZZ.example.com -w /fuzz-top-100.txt". Either way, I love the project and will continue using it. If I come up with any unique ideas, I'll be sure to let you know :) Thank you for the detailed response.

epi052 commented 3 years ago

OK, so, after mulling this over, I think the plan is to support multiple wordlists with an optional variable name that can be placed in different areas of the request (URL and header come to mind).

This effectively supports your request and the other I received via other channels.
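An added illustration of the proposal above (not code from feroxbuster or feroxfuzz): named wordlist variables substituted into both a URL and a header, iterated in the pitchfork and clusterbomb orderings mentioned earlier in the thread. The template syntax, the `HOST`/`WORD` variable names and the sample hosts and words are assumptions constructed for this example.

```rust
#[derive(Debug, Clone, PartialEq)]
pub struct Request {
    pub url: String,
    pub headers: Vec<(String, String)>,
}

#[derive(Clone, Copy)]
pub enum Mode {
    Pitchfork,   // i-th entry of every list together; stops at the shortest list
    Clusterbomb, // full cartesian product of all lists
}

/// Substitute each name -> word pair into the URL and header templates (plain substring replace, so a variable name must not occur elsewhere in the template text).
fn render(url: &str, headers: &[(&str, &str)], assignment: &[(&str, &str)]) -> Request {
    let sub = |s: &str| assignment.iter().fold(s.to_string(), |acc, (k, v)| acc.replace(*k, *v));
    let headers = headers.iter().map(|(k, v)| (k.to_string(), sub(*v))).collect();
    Request { url: sub(url), headers }
}

/// Expand templates against named wordlists such as `("HOST", &["a", "b"])`.
pub fn expand(url: &str, headers: &[(&str, &str)], wordlists: &[(&str, &[&str])], mode: Mode) -> Vec<Request> {
    let mut combos: Vec<Vec<(&str, &str)>> = vec![vec![]];
    match mode {
        Mode::Pitchfork => {
            let n = wordlists.iter().map(|(_, w)| w.len()).min().unwrap_or(0);
            combos = (0..n).map(|i| wordlists.iter().map(|(k, w)| (*k, w[i])).collect()).collect();
        }
        Mode::Clusterbomb => {
            for (name, words) in wordlists {
                let mut next = Vec::new();
                for c in &combos {
                    for w in words.iter() {
                        let mut grown = c.clone();
                        grown.push((*name, *w));
                        next.push(grown);
                    }
                }
                combos = next;
            }
        }
    }
    combos.iter().map(|a| render(url, headers, a)).collect()
}

/// Constructed sample: two hosts and two path words; the host is also placed in a header (assumed names/values).
pub fn demo(mode: Mode) -> Vec<Request> {
    let hosts: &[&str] = &["api.example.com", "www.example.com"];
    let words: &[&str] = &["users", "health"];
    let lists: &[(&str, &[&str])] = &[("HOST", hosts), ("WORD", words)];
    expand("http://HOST/some/api/path/WORD", &[("Host", "HOST")], lists, mode)
}
```

Pitchfork yields two requests (one per index), clusterbomb yields four (every host with every word); the same substitution feeds the Host header, which is how a vhost-style scan would reuse the HOST list.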

0dayCTF commented 3 years ago

Amazing, can't wait. Thank you :)

uBadRequest commented 3 years ago

> OK, so, after mulling this over, I think the plan is to support multiple wordlists with an optional variable name that can be placed in different areas of the request (URL and header come to mind).
>
> This effectively supports your request and the other I received via other channels.

Do you think it would be possible to support the ability to have auto-filtering/auto-calibration when scanning different hosts? I assume you would need to have a parameter to exclude a certain wordlist from being used in the initial calibration. The way I would imagine this working, would be associating each entry in the excluded wordlist with the values of the calibration.

epi052 commented 3 years ago

I believe autofilter/tune already handle multiple hosts. Those features work on a per-directory basis, so they shouldn't need any additional work to keep that behavior.

uBadRequest commented 3 years ago

> I believe autofilter/tune already handle multiple hosts. Those features work on a per-directory basis, so they shouldn't need any additional work to keep that behavior.

Ah okay, you're saying that by design it supports multiple hosts!

epi052 commented 3 years ago

Pretty sure, call me on my bs if I'm wrong 😁

SecT0uch commented 2 years ago

This feature definitely is a must. Coming from ffuf and using it on URL params a lot.

thomasbad commented 2 years ago

I hope this feature request is not being forgotten, because I have totally fallen in love with this tool, and this feature is the only one I am looking forward to, which could then replace the use of ffuf after all.

epi052 commented 2 years ago

@thomasbad glad you like the tool! this feature is not forgotten. However, it requires such a drastic overhaul of ferox's internals that it's a pretty daunting undertaking. I'm currently working on a closely related project :shushing_face: that will get integrated into feroxbuster once it's ready. That other project will pave the way for this kind of feature.

b4d7r1p commented 2 years ago

Just wanted to let epi052 know that I'm also dying to see this feature implemented. At the moment I'm also combining Ferox and FFuF for different needs, but I would love to just be able to rely on one tool. Thanks for all the work you do.

epi052 commented 1 year ago

For all concerned here, the related project is released and can be found here: feroxfuzz.

feroxbuster still doesn't have this functionality, however, the library linked above allows you to write whatever fuzzer you need, using feroxbuster speed/internals.

If you end up using it for anything, I'd love to hear about it!