Commit

rewrite readme
d4rckh committed Apr 18, 2022
1 parent 7449b65 commit a08a44e
Showing 1 changed file with 52 additions and 44 deletions.
96 changes: 52 additions & 44 deletions README.md
@@ -1,24 +1,26 @@

# vaf - very advanced (web) fuzzer
![GitHub Repo stars](https://img.shields.io/github/stars/d4rckh/vaf)
[![GitHub issues](https://img.shields.io/github/issues/d4rckh/vaf)](https://github.com/d4rckh/vaf/issues)
[![GitHub forks](https://img.shields.io/github/forks/d4rckh/vaf)](https://github.com/d4rckh/vaf/network)
[![GitHub license](https://img.shields.io/github/license/d4rckh/vaf)](https://github.com/d4rckh/vaf/blob/main/LICENSE)
![GitHub top language](https://img.shields.io/github/languages/top/d4rckh/vaf)

![main](screenshots/main.png)
<div align="center">
<h1>vaf</h1>
<h3>A fast, simple, and feature rich web fuzzer writen in nim</h3>
<img src="https://img.shields.io/github/stars/d4rckh/vaf"></img>
<a href="https://github.com/d4rckh/vaf/issues">
<img src="https://img.shields.io/github/issues/d4rckh/vaf"></img>
</a>
<a href="https://github.com/d4rckh/vaf/network">
<img src="https://img.shields.io/github/forks/d4rckh/vaf"></img>
</a>
<a href="https://github.com/d4rckh/vaf/blob/main/LICENSE">
<img src="https://img.shields.io/github/license/d4rckh/vaf"></img>
</a>
<img src="https://img.shields.io/github/languages/top/d4rckh/vaf"></img>
<br><br>
<img src="screenshots/main.png"></img>
<br><br>
</div>

vaf is a cross-platform web fuzzer with a lot of features. Some of its features include:
- Grepping
- Outputing results to a file
- Status code filtering
- Detect reflexivness (useful for finding xss)
- Add prefixes, suffixes
- Custom wordlists
- Fuzz any part of the url
- Fuzz POST data
- URL encode payload
- [Threading (wip)](https://github.com/d4rckh/vaf/pull/14)
- Fast threading
- HTTP header fuzzing
- Proxying
- [your own feature!](https://github.com/d4rckh/vaf/issues/new?assignees=&labels=enhancement&template=feature_request.md&title=%5Bfeature%5D)
- And more...

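Review bot: The new `<h3>` tagline reads "writen in nim"; it should be "written in Nim", and the feature list in the same hunk still carries "Outputing" and "reflexivness", which a README rewrite is the natural place to correct. The Markdown badges had alt text (for example `![GitHub Repo stars]`), while the replacement `<img src=...>` tags have none, so please add `alt` attributes; `<img>` is also a void element, so the `</img>` closers can go. The new `<h1>vaf</h1>` drops the "very advanced (web) fuzzer" expansion from the old heading; consider keeping it somewhere near the top so the name is still explained.
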
@@ -29,46 +31,52 @@ You can install vaf:
- by downloading the **pre-compiled binaries in the [releases page](https://github.com/d4rckh/vaf/releases/)** and adding them manually to your path
- by running the `install.sh` **bash script** which will __download nim, build vaf from source and then link the binary to /usr/bin__ (make sure to `chmod +x install.sh`)

## Usage
## Options

Using vaf is very simple, here's the current help menu:
```
Usage:
vaf [options]
Options:
-h, --help
-u, --url=URL choose url, replace area to fuzz with
-w, --wordlist=WORDLIST choose the wordlist to use
-sc, --status=STATUS set on which status to print, set this param to 'any' to print on any status (default: 200)
-pr, --prefix=PREFIX prefix, e.g. set this to / for content discovery if your url doesnt have a / at the end (default: )
-sf, --suffix=SUFFIX suffix, e.g. use this for extensions if you are doing content discovery (default: )
-pd, --postdata=POSTDATA only used if '-m post' is set (default: {})
-m, --method=METHOD the method to use PSOT/GET (default: GET)
-g, --grep=GREP greps for a string in the response (default: )
-u, --url=URL Target URL. Replace fuzz area with FUZZ
-w, --wordlist=WORDLIST The path to the wordlist.
-m, --method=METHOD Request method. Supported: POST, GET (default: GET)
-H, --header=HEADER Specify HTTP headers; can be used multiple times. Example: -H 'header1: val1' -H 'header1: val1'
-pf, --prefix=PREFIX The prefixes to append to the word (default: )
-sf, --suffix=SUFFIX The suffixes to append to the word (default: )
-t, --threads=THREADS Number of threads (default: 5)
-sc, --status=STATUS The status to filter; to 'any' to print on any status (default: 200)
-g, --grep=GREP Only log if the response body contains the string (default: )
-ng, --notgrep=NOTGREP Only log if the response body does no contain a string (default: )
-pd, --postdata=POSTDATA Specify POST data; used only if '-m post' is set (default: {})
-x, --proxy=PROXY Specify a proxy (default: )
-ca, --cafile=CAFILE Specify a CA root certificate; useful if you are using Burp/ZAP proxy (default: )
-o, --output=OUTPUT Output the results in a file (default: )
-pif, --printifreflexive print only if the output reflected in the page, useful for finding xss
-ue, --urlencode url encode the payloads
-pu, --printurl prints the url that has been requested
-mr, --maxredirects=MAXREDIRECTS
How many redirects should vaf follow; 0 means none (default: 0)
-v, --version Print version information
-pif, --printifreflexive Print only if the fuzzed word is reflected in the page
-i, --ignoressl Do not verify SSL certificates; useful if you are using Burp/ZAP proxy
-ue, --urlencode URL encode the fuzzed words
-pu, --printurl Print the requested URL
-ph, --printheaders Print response headers
-dbg, --debug Prints debug information
```

## Examples

Fuzz GET URLs
### Fuzz URL path, show only responses which returned 200 OK
```
vaf.exe -w example_wordlists\short.txt -u https://example.org/ -sf .html
nim -u https://example.org/ -w path/to/wordlist.txt -sc OK
```

Fuzz post data:
### Fuzz 'User-Agent' header, show only responses which returned 200 OK
```
vaf.exe -w example_wordlists\short.txt -u https://jsonplaceholder.typicode.com/posts -m post -sc 201 -pd "{\"title\": \"\"}"
nim -u https://example.org/ -w path/to/wordlist.txt -sc OK -H "User-Agent: "
```

## Some tips

- Add a cmoma (`,`) at the end in the suffixes or prefixes argument to try the word without any suffix/prefix like this: `-pf .php,` or `-sf .php`
- Use `-pif` with a bunch of xss payloads as the wordlist to find XSS
- Make an issue if you want to suggest a feature
### Fuzz POST data, show only responses which returned 200 OK
```
nim -u https://example.org/ -w path/to/wordlist.txt -sc OK -m POST -H "Content-Type: application/json" -pd '{"username": ""}'
```

# Contributors

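Review bot: All three new examples under "## Examples" invoke `nim -u https://example.org/ ...`, which is the compiler rather than the tool; they should call `vaf` as the old examples did (`vaf.exe`). The same examples pass `-sc OK`, but the help text for `-sc` only documents a status value with default 200 and the special value 'any', so either use `-sc 200` or document that `OK` is accepted. As displayed, none of the examples contains the `FUZZ` marker that the new `-u` help says to place in the fuzz area (`-H "User-Agent: "` and `'{"username": ""}'` are empty), so a reader cannot tell where the word is substituted. In the options text, `-ng` reads "does no contain", `-sc` reads "to 'any' to print" (missing "set"), and the `-H` example repeats `header1: val1` twice instead of showing two different headers. Both `-ca` and `-i` are described as useful with Burp/ZAP; it would help to say that `-ca` keeps certificate verification on while `-i` turns it off, and to recommend `-ca` for proxy use. The removed "Some tips" section held the only explanation of the trailing-comma behaviour for `-pf`/`-sf` and of using `-pif` with a payload wordlist; if those behaviours still exist they should be documented in the new layout.
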