vaf v2.0 releases: advanced web fuzzer

vaf

very advanced web fuzzer

Feature

• Grepping
• Outputting results to a file
• Status code filtering
• Detect reflexiveness (useful for finding xss)
• Add prefixes, suffixes
• Custom wordlists
• Fuzz any part of the url
• Fuzz POST data
• URL encode payload
• Threading (wip)
• your own feature!
• And more…

Changelog v2.0

• Implemented a thread system (-t argument can be used to specify the amount of threads, default is 5)
• Added a sick progress bar which tells you how much vaf has been running for and the progress
• Added --maxredirects argument which is 0 by default, so no redirects will be followed
• Added header fuzzing -H param can be used to specify headers
• Added --printheaders flag which will print the response headers
• Improved logging on Windows
• Made the output cleaner
• Changed fuzz placeholder area to FUZZ
• Added proxy support -x
• Added -i flag which will ignore SSL checks
• Added -ca argument which can be used to supply a custom CA root certificate file
• Much more

Install

1. Install nim from nim-lang.org
2. Clone the repo git clone https://github.com/d4rckh/vaf.git
3. Run nimble build

Use

Usage:
vaf – very advanced fuzzer [options]

Options:
-h, –help
-u, –url=URL choose url, replace area to fuzz with []
-w, –wordlist=WORDLIST choose the wordlist to use
-sc, –status=STATUS set on which status to print, set this param to ‘any’ to print on any status (default: 200)
-pr, –prefix=PREFIX prefix, e.g. set this to / for content discovery if your url doesnt have a / at the end (default: )
-sf, –suffix=SUFFIX suffix, e.g. use this for extensions if you are doing content discovery (default: )
-pif, –printifreflexive print only if the output reflected in the page, useful for finding xss
-ue, –urlencode url encode the payloads
-pu, –printurl prints the url that has been requested

tips

• Add a trailing , in the suffixes or prefixes argument to try the word without any suffix/prefix like this: -pf .php, or -sf .php,
• Use -pif with a bunch of xss payloads as the wordlist to find XSS
• Make an issue if you want to suggest a feature

Copyright (c) 2021 d4rckh

Source: https://github.com/d4rckh/