Feature178 (#186)

* feature 178

* sync

* sync

* sync

* sync

Co-authored-by: bjhulst <bjhulst>
bjhulst 2020-03-20 12:42:54 +02:00 committed by GitHub
parent ccdd377930
commit ef1aac3a1e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 16 additions and 1 deletions


@ -4,6 +4,8 @@
- New
- New CLI flag `-maxtime-job` to set max. execution time per job.
- Changed behaviour of `-maxtime`, can now be used for entire process.
- A new flag `-ignore-body` so ffuf does not fetch the response content. Default value=false.
- Changed
- Added tls renegotiation flag to fix #193 in http.Client

12
main.go

@ -39,6 +39,7 @@ type cliOptions struct {
requestProto string
URL string
outputFormat string
ignoreBody bool
wordlists multiStringFlag
inputcommands multiStringFlag
headers multiStringFlag
@ -102,6 +103,7 @@ func main() {
flag.StringVar(&conf.OutputFile, "o", "", "Write output to file")
flag.StringVar(&opts.outputFormat, "of", "json", "Output file format. Available formats: json, ejson, html, md, csv, ecsv")
flag.StringVar(&conf.OutputDirectory, "od", "", "Directory path to store matched results to.")
flag.BoolVar(&conf.IgnoreBody, "ignore-body", false, "Do not fetch the response content.")
flag.BoolVar(&conf.Quiet, "s", false, "Do not print additional information (silent mode)")
flag.BoolVar(&conf.StopOn403, "sf", false, "Stop when > 95% of responses return 403 Forbidden")
flag.BoolVar(&conf.StopOnErrors, "se", false, "Stop on spurious errors")
@ -197,21 +199,25 @@ func prepareFilters(parseOpts *cliOptions, conf *ffuf.Config) error {
// If any other matcher is set, ignore -mc default value
matcherSet := false
statusSet := false
warningIgnoreBody := false
flag.Visit(func(f *flag.Flag) {
if f.Name == "mc" {
statusSet = true
}
if f.Name == "ms" {
matcherSet = true
warningIgnoreBody = true
}
if f.Name == "ml" {
matcherSet = true
warningIgnoreBody = true
}
if f.Name == "mr" {
matcherSet = true
}
if f.Name == "mw" {
matcherSet = true
warningIgnoreBody = true
}
})
if statusSet || !matcherSet {
@ -226,6 +232,7 @@ func prepareFilters(parseOpts *cliOptions, conf *ffuf.Config) error {
}
}
if parseOpts.filterSize != "" {
warningIgnoreBody = true
if err := filter.AddFilter(conf, "size", parseOpts.filterSize); err != nil {
errs.Add(err)
}
@ -236,11 +243,13 @@ func prepareFilters(parseOpts *cliOptions, conf *ffuf.Config) error {
}
}
if parseOpts.filterWords != "" {
warningIgnoreBody = true
if err := filter.AddFilter(conf, "word", parseOpts.filterWords); err != nil {
errs.Add(err)
}
}
if parseOpts.filterLines != "" {
warningIgnoreBody = true
if err := filter.AddFilter(conf, "line", parseOpts.filterLines); err != nil {
errs.Add(err)
}
@ -265,6 +274,9 @@ func prepareFilters(parseOpts *cliOptions, conf *ffuf.Config) error {
errs.Add(err)
}
}
if conf.IgnoreBody && warningIgnoreBody {
fmt.Printf("*** Warning: possible undesired combination of -ignore-body and the response options: fl,fs,fw,ml,ms and mw.\n")
}
return errs.ErrorOrNil()
}
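Review bot: In the `flag.Visit` callback of `prepareFilters`, the `mr` branch sets `matcherSet` but not `warningIgnoreBody`, and the warning text lists only `fl,fs,fw,ml,ms and mw`. If the regexp matcher and filter inspect response content (not visible in this diff), combining them with `-ignore-body` would silently produce no matches and no warning. I would add `warningIgnoreBody = true` to the `mr` branch, do the same wherever the regexp filter option is handled, and name both options in the message. The warning is also written with `fmt.Printf`, so it lands on stdout and can end up in piped output; `fmt.Fprintf(os.Stderr, ...)` keeps it out of the results stream, assuming `os` is imported in this file. `prepareFilters` starts outside the visible hunks, so the regexp filter handling may already exist in lines not shown here.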


@ -20,6 +20,7 @@ type Config struct {
OutputDirectory string `json:"outputdirectory"`
OutputFile string `json:"outputfile"`
OutputFormat string `json:"outputformat"`
IgnoreBody bool `json:"ignorebody"`
IgnoreWordlistComments bool `json:"ignore_wordlist_comments"`
StopOn403 bool `json:"stop_403"`
StopOnErrors bool `json:"stop_errors"`


@ -127,7 +127,7 @@ func (r *SimpleRunner) Execute(req *ffuf.Request) (ffuf.Response, error) {
size, err := strconv.Atoi(httpresp.Header.Get("Content-Length"))
if err == nil {
resp.ContentLength = int64(size)
if size > MAX_DOWNLOAD_SIZE {
if (r.config.IgnoreBody) || (size > MAX_DOWNLOAD_SIZE) {
resp.Cancelled = true
return resp, nil
}
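Review bot: `-ignore-body` only takes effect when the response carries a parseable `Content-Length`, because the new `r.config.IgnoreBody` test sits inside the `if err == nil` branch that follows `strconv.Atoi`. A response without that header (for example a chunked one) skips the block, so the body is presumably still read further down in `Execute`, outside this hunk. I would leave the size check as `if size > MAX_DOWNLOAD_SIZE {` and add a separate guard after the Content-Length block: `if r.config.IgnoreBody { resp.Cancelled = true; return resp, nil }`. Reusing `resp.Cancelled` for both "too large" and "body skipped on request" also deserves a comment on the field, since code that reads it can no longer tell the two cases apart. `Execute` begins and ends outside the hunk, so how the response body is closed on this early return could not be checked here.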