diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7eb33be..e5a8016 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,7 @@
 - master
 - New
+ - New CLI flag `-ic` to ignore comments from wordlist.
 - New CLI flags `-request` to specify the raw request file to build the actual request from and `-request-proto` to define the new request format.
 - New CLI flag `-od` (output directory) to enable writing requests and responses for matched results to a file for postprocessing or debugging purposes.
 - New CLI flag `-maxtime` to limit the running time of ffuf
diff --git a/main.go b/main.go
index 3bda293..1bdab5e 100644
--- a/main.go
+++ b/main.go
@@ -62,6 +62,7 @@ func main() {
 conf := ffuf.NewConfig(ctx)
 opts := cliOptions{}
 var ignored bool
+ flag.BoolVar(&conf.IgnoreWordlistComments, "ic", false, "Ignore wordlist comments")
 flag.StringVar(&opts.extensions, "e", "", "Comma separated list of extensions to apply. Each extension provided will extend the wordlist entry once. Only extends a wordlist with (default) FUZZ keyword.")
 flag.BoolVar(&conf.DirSearchCompat, "D", false, "DirSearch style wordlist compatibility mode. Used in conjunction with -e flag. Replaces %EXT% in wordlist entry with each of the extensions provided by -e.")
 flag.Var(&opts.headers, "H", "Header `\"Name: Value\"`, separated by colon. Multiple -H flags are accepted.")
diff --git a/pkg/ffuf/config.go b/pkg/ffuf/config.go
index d816f89..a65337e 100644
--- a/pkg/ffuf/config.go
+++ b/pkg/ffuf/config.go
@@ -20,6 +20,7 @@ type Config struct {
 OutputDirectory string `json:"outputdirectory"`
 OutputFile string `json:"outputfile"`
 OutputFormat string `json:"outputformat"`
+ IgnoreWordlistComments bool `json:"ignore_wordlist_comments"`
 StopOn403 bool `json:"stop_403"`
 StopOnErrors bool `json:"stop_errors"`
 StopOnAll bool `json:"stop_all"`
@@ -55,6 +56,7 @@ func NewConfig(ctx context.Context) Config {
 conf.Url = ""
 conf.Data = ""
 conf.Quiet = false
+ conf.IgnoreWordlistComments = false
 conf.StopOn403 = false
 conf.StopOnErrors = false
 conf.StopOnAll = false
diff --git a/pkg/input/wordlist.go b/pkg/input/wordlist.go
index 73ccd28..96cf2a9 100644
--- a/pkg/input/wordlist.go
+++ b/pkg/input/wordlist.go
@@ -4,6 +4,7 @@ import (
 "bufio"
 "os"
 "regexp"
+ "strings"
 "github.com/ffuf/ffuf/pkg/ffuf"
 )
@@ -106,6 +107,7 @@ func (w *WordlistInput) readFile(path string) error {
 defer file.Close()
 var data [][]byte
+ var ok bool
 reader := bufio.NewScanner(file)
 re := regexp.MustCompile(`(?i)%ext%`)
 for reader.Scan() {
@@ -117,13 +119,29 @@ func (w *WordlistInput) readFile(path string) error {
 data = append(data, []byte(contnt))
 }
 } else {
- data = append(data, []byte(reader.Text()))
+ text := reader.Text()
+
+ if w.config.IgnoreWordlistComments {
+ text, ok = stripComments(text)
+ if !ok {
+ continue
+ }
+ }
+ data = append(data, []byte(text))
 }
 } else {
- data = append(data, []byte(reader.Text()))
+ text := reader.Text()
+
+ if w.config.IgnoreWordlistComments {
+ text, ok = stripComments(text)
+ if !ok {
+ continue
+ }
+ }
+ data = append(data, []byte(text))
 if w.keyword == "FUZZ" && len(w.config.Extensions) > 0 {
 for _, ext := range w.config.Extensions {
- data = append(data, []byte(reader.Text()+ext))
+ data = append(data, []byte(text+ext))
 }
 }
 }
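Review bot: With `-ic` set, comment stripping runs only in the two `else` branches changed in the `@@ -117,13 +119,29 @@` hunk; the branch that ends in `data = append(data, []byte(contnt))` still appends its expanded line unfiltered. As far as the visible context shows, a comment line that happens to contain `%EXT%` would therefore still be turned into requests. The same nine added lines are also duplicated verbatim in both branches. Reading and filtering the line once at the top of the `for reader.Scan()` loop, then using `text` in every branch, covers all paths and removes the duplication. The loop header and the `%EXT%` branch begin outside this hunk, so the sketch marks them as unchanged.

```go
for reader.Scan() {
	text := reader.Text()
	if w.config.IgnoreWordlistComments {
		var ok bool
		if text, ok = stripComments(text); !ok {
			continue
		}
	}
	// … unchanged: DirSearchCompat / extension branches, reading text instead of reader.Text() …
```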
@@ -131,3 +149,20 @@ func (w *WordlistInput) readFile(path string) error {
 w.data = data
 return reader.Err()
 }
+
+// stripComments removes all kind of comments from the word
+func stripComments(text string) (string, bool) {
+ // If the line starts with a # ignoring any space on the left,
+ // return blank.
+ if strings.HasPrefix(strings.TrimLeft(text, " "), "#") {
+ return "", false
+ }
+
+ // If the line has # later after a space, that's a comment.
+ // Only send the word upto space to the routine.
+ index := strings.Index(text, " #")
+ if index == -1 {
+ return text, true
+ }
+ return text[:index], true
+}
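Review bot: `stripComments` cuts an entry at the first ` #` wherever it occurs, so with `-ic` any wordlist entry that legitimately contains a space followed by `#` is shortened without any message, and the run then tests a different string from the one in the list. The doc comment and the `-ic` help text in main.go should state that rule and what the second return value means, for example `// stripComments drops a trailing " #…" comment from text; ok is false when the whole line is a comment and must be skipped.` Two smaller gaps in the same function: `strings.TrimLeft(text, " ")` ignores tabs, so a tab-indented `#` line is kept as a word, and `text[:index]` keeps any extra spaces before the ` #`; `strings.TrimLeft(text, " \t")` and `strings.TrimRight(text[:index], " \t")` would cover both.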