hannob / snallygaster

Tool to scan for secret files on HTTP servers
BSD Zero Clause License

Add fast and extensive scanning options. #9

Closed EdOverflow closed 6 years ago

EdOverflow commented 6 years ago

I like the sound of increasing the wordlist and adding flags to pick between a fast scan and a more extensive scan that includes the entire wordlist. This would allow you to increase your current tests to include megplus' list (Please note, some of these tests are already performed by snallygaster):

/.AppleDB
/.aws.yml
/.aws/.credentials.swp
/.aws/credentials
/.babelrc
/.bash_history
/.bash_profile
/.bashrc
/.bowerrc
/.bzr/repository/format
/.cvsignore
/.dockerignore
/.DS_Store
/.editorconfig
/.env
/.git/config
/.git/HEAD
/.gitconfig
/.gitignore
/.gitlab-ci.yml
/.hg
/.hg/branch
/.hgignore
/.htaccess
/.htpasswd
/.idea
/.idea/.rakeTasks
/.idea/dataSources
/.idea/dataSources.local.xml
/.idea/dataSources.xml
/.idea/modules.xml
/.idea/vcs.xml
/.idea/workspace.xml
/.jestrc
/.jshintrc
/.keys.yml
/.keys.yml.swp
/.muttrc
/.mysql_history
/.nbproject
/.netrc
/.npmignore
/.npmrc
/.pgpass
/.profile
/.psql_history
/.s3.yml
/.sh_history
/.ssh
/.ssh/authorized_keys
/.ssh/id_dsa
/.ssh/id_dsa.pub
/.ssh/id_rsa
/.ssh/id_rsa.pub
/.ssh/known_hosts
/.svn/all-wcprops
/.svn/entries
/.svn/format
/.svn/wc.db
/.svnignore
/.swp
/.terraform.tfstate.swp
/.terraform.tfvars.swp
/.travis.composer.config.json
/.travis.yml
/.travis.yml.swp
/.wp-config.php
/.wp-config.php.swp
/.zsh_history
/.zsh_profile
/.zshrc
/_admin/operations.aspx
/_vti_bin/admin.asmx
/admin
/autoconfig
/aws.yml
/backup
/backup.asp
/backup.aspx
/backup.do
/backup.html
/backup.jsp
/backup.php
/backup.txt
/backup/
/beans
/bower.json
/build.xml
/cgi-bin/printenv.pl
/cgi-bin/status.pl
/cgi-bin/test-cgi.pl
/circle.yml
/composer.json
/composer.lock
/config
/config.gypi
/config.json
/configprops
/CVS/Entries
/CVS/Root
/cvsroot/CVSROOT
/cvsroot/CVSROOT/val-tags
/debug
/debug.asp
/debug.aspx
/debug.do
/debug.html
/debug.jsp
/debug.php
/debug.txt
/debug/
/Dockerfile
/dump
/e2e-tests
/env
/examples/jsp/error/error.html
/examples/jsp/num/numguess.jsp
/examples/servlet/HelloWorldExample
/features
/flex
/Gemfile
/Gemfile.lock
/gruntfile.coffee
/Gruntfile.coffee
/gruntfile.js
/Gruntfile.js
/Gulpfile
/Gulpfile.js
/gulpfile.js
/index.asp
/index.aspx
/index.jsp
/index.php
/index.txt
/info
/info.asp
/info.aspx
/info.do
/info.html
/info.jsp
/info.php
/info.txt
/info/
/invoker/EJBInvokerServlet
/invoker/JMXInvokerServlet
/Jenkinsfile
/jmx-console/HtmlAdaptor
/karma.conf.js
/keys.yml
/license
/LICENSE
/license.md
/LICENSE.md
/LICENSE.txt
/license.txt
/Makefile
/metrics
/mkdocs.yml
/nginx_status
/npm-debug.log
/npm-shrinkwrap.json
/package.json
/pagespeed_admin
/php.php
/phpinfo.php
/phptest.php
/phpunit.xml
/readme
/README
/readme.html
/README.html
/readme.md
/README.md
/readme.mkd
/README.mkd
/README.txt
/readme.txt
/robots.txt
/routes
/s3.yml
/s3.yml.swp
/server-info
/server-status
/serverinfo
/tags
/terraform.tfstate
/terraform.tfstate.backup
/terraform.tfvars
/terraform.tfvars.json
/test
/test.asp
/test.aspx
/test.do
/test.html
/test.jsp
/test.php
/test.txt
/test/
/tests
/Thumbs.db
/tmp
/tmp.asp
/tmp.aspx
/tmp.do
/tmp.html
/tmp.jsp
/tmp.php
/tmp.txt
/tmp/
/tomcat-docs/appdev/sample/web/hello.jsp
/trace
/travis.yml
/tsconfig.json
/unit-tests
/Vagrantfile
/web-console/AOPBinding.jsp
/web-console/applet.jsp
/web-console/Invoker
/web-console/listMonitors.jsp
/web-console/ServerInfo.jsp
/web-console/status
/web-console/SysProperties.jsp
/web-console/WebModule.jsp
/WEB-INF/struts-config.xml
/WEB-INF/web.xml
/web.config
/web.xml
/webpack.config.js
/wp-config.php
/yarn-debug.log
/yarn-error.log
/yarn.lock
/zephyr
hannob commented 6 years ago

I'm wondering if this fits into the same tool.

If you look at the snallygaster tests, they don't only check whether a file comes back, but also do some checks on whether it's what is expected. This is due to many servers not serving 404 errors, and some of them also chaotically sending errors or not, depending on the file extension or other unpredictable reasons.

I don't want to shut down your request, but I wonder if a "brute-force many different filenames" approach should maybe be an extra tool with a different strategy: first checking if we get robust 404 behavior with random filenames of different types, and then checking a large list of filenames. We could then also consider porting the more interesting ones into proper checks for snallygaster. What do you think?
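
The two-phase strategy sketched in the comment above (first learn how the server answers random names that cannot exist, then try a path list and report only responses that differ), written out as an added example in Python. This is not snallygaster's code and not something posted in this thread; `Scanner`, `fingerprint`, `http_fetcher` and `demo_server` are names chosen here, and `demo_server` is a constructed stand-in for a server with sloppy error handling so the script runs offline.

```python
"""Two-phase "robust 404" probe before brute-forcing a path list.

Added example, not snallygaster's own code. Phase 1 requests random names
with a given extension and records how the server answers; only when every
random probe produces the same signature is that extension considered
predictable enough for phase 2, where the real path list is tried and any
response that differs from the learned signature is reported.
"""
import hashlib
import itertools
import re
import secrets
import urllib.error
import urllib.request


def fingerprint(status, body, path):
    """(status, body hash) with the requested path and digit runs blanked out,
    so a soft-404 page that echoes the path or a request id still matches."""
    text = body.decode("utf-8", "replace").replace(path, "<PATH>")
    text = re.sub(r"\d+", "0", text)
    return status, hashlib.sha256(text.encode()).hexdigest()


def extension(path):
    """Extension of the last path segment ('' for none or for dotfiles)."""
    name = path.rstrip("/").rsplit("/", 1)[-1]
    return name[name.rfind("."):] if "." in name[1:] else ""


class Scanner:
    def __init__(self, fetch, probes_per_ext=2):
        self.fetch = fetch            # callable: path -> (status, body bytes)
        self.probes = probes_per_ext
        self._baseline = {}           # ext -> fingerprint, or None if unstable

    def baseline(self, ext):
        """Phase 1: learn how the server answers names that cannot exist."""
        if ext not in self._baseline:
            seen = set()
            for _ in range(self.probes):
                path = "/" + secrets.token_hex(8) + ext
                status, body = self.fetch(path)
                seen.add(fingerprint(status, body, path))
            # Random names answered differently: this extension's "not found"
            # behaviour is unpredictable, so hits for it would be noise.
            self._baseline[ext] = seen.pop() if len(seen) == 1 else None
        return self._baseline[ext]

    def scan(self, wordlist):
        """Phase 2: return (hits, skipped); a hit is any response that does
        not look like the baseline for that path's extension."""
        hits, skipped = [], []
        for path in wordlist:
            base = self.baseline(extension(path))
            if base is None:
                skipped.append(path)
                continue
            status, body = self.fetch(path)
            if fingerprint(status, body, path) != base:
                hits.append((path, status))
        return hits, skipped


def http_fetcher(base_url, timeout=10):
    """Real fetcher over urllib; returns (status, body) for 4xx/5xx too."""
    def fetch(path):
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "robust404-example"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()
    return fetch


# Constructed stand-in for a server with sloppy error handling (no network).
_DEMO_CALLS = itertools.count()


def demo_server(path):
    if path == "/.git/HEAD":
        return 200, b"ref: refs/heads/master\n"
    if path == "/phpinfo.php":
        return 200, b"<html><title>PHP 7.4.3 - phpinfo()</title>..."
    if path.endswith(".do"):
        # Chaotic: alternates between two error responses on every request.
        return (500, b"error") if next(_DEMO_CALLS) % 2 else (503, b"busy")
    if path.endswith(".txt"):
        return 404, b"<h1>Not Found</h1>"
    # Soft 404: HTTP 200 with a page that echoes the path and a request id.
    page = f"<h1>Oops</h1><p>{path} was not found (req {secrets.randbelow(10**6)})</p>"
    return 200, page.encode()


if __name__ == "__main__":
    scanner = Scanner(demo_server)
    hits, skipped = scanner.scan(
        ["/.git/HEAD", "/phpinfo.php", "/debug.php", "/backup.txt", "/test.do"])
    print("hits:", hits)          # [('/.git/HEAD', 200), ('/phpinfo.php', 200)]
    print("skipped:", skipped)    # ['/test.do']
```

Against a real target, swap `demo_server` for `http_fetcher("https://example.test")`. The per-extension baseline is the part that matters: `/debug.php` is answered with HTTP 200 by the fake server, yet it is not reported, because the 200 page matches what random `.php` names get, while `.do` paths are skipped entirely because two random probes already disagreed.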

EdOverflow commented 6 years ago

I was actually just referencing "New Tests" [1] and thought it might be a good idea to have a fast scan for the "prevalence-based" test cases and a more extensive option for "impact-based" cases. That would allow users to scan targets quickly, say on a competitive vulnerability disclosure program, and people who want to look more thoroughly can do an impact-based scan with more test cases.

My list above is merely there to pick out some further cases that might only fall under one of the categories and be more suited for a new scanning option. So, for example, snallygaster does not currently check for phpinfo() pages [2], and I would suggest adding that check to a more extensive scan.

hannob commented 6 years ago

Closing this as I don't see a specific request right now, so I'm not sure how it's actionable.