Clean up README.md and add CONTRIBUTORS.md (#128)

Joona Hoikkala 2019-12-30 13:07:28 +02:00 committed by GitHub
parent 7032f0eb47
commit fef5f0c78f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 99 additions and 101 deletions

72
CHANGELOG.md Normal file

@ -0,0 +1,72 @@
## Changelog
- master
- New
- New CLI flag `-od` (output directory) to enable writing requests and responses for matched results to a file for postprocessing or debugging purposes.
- New CLI flag `-maxtime` to limit the running time of ffuf
- Changed
- Limit the use of `-e` (extensions) to a single keyword: FUZZ
- Regexp matching and filtering (-mr/-fr) allow using keywords in patterns
- Take 429 responses into account when -sa (stop on all error cases) is used
- v0.12
- New
- Added a new flag to select a multi wordlist operation mode: `--mode`, possible values: `clusterbomb` and `pitchfork`.
- Added a new output file format eJSON, for always base64 encoding the input data.
- Redirect location is always shown in the output files (when using `-o`)
- Full URL is always shown in the output files (when using `-o`)
- HTML output format got [DataTables](https://datatables.net/) support allowing realtime searches, sorting by column etc.
- New CLI flag `-v` for verbose output. Including full URL, and redirect location.
- SIGTERM monitoring, in order to catch keyboard interrupts an such, to be able to write `-o` files before exiting.
- Changed
- Fixed a bug in the default multi wordlist mode
- Fixed JSON output regression, where all the input data was always encoded in base64
- `--debug-log` no correctly logs connection errors
- Removed `-l` flag in favor of `-v`
- More verbose information in banner shown in startup.
- v0.11
- New
- New CLI flag: -l, shows target location of redirect responses
- New CLI flac: -acc, custom auto-calibration strings
- New CLI flag: -debug-log, writes the debug logging to the specified file.
- New CLI flags -ml and -fl, filters/matches line count in response
- Ability to use multiple wordlists / keywords by defining multiple -w command line flags. The if no keyword is defined, the default is FUZZ to keep backwards compatibility. Example: `-w "wordlists/custom.txt:CUSTOM" -H "RandomHeader: CUSTOM"`.
- Changed
- New CLI flag: -i, dummy flag that does nothing. for compatibility with copy as curl.
- New CLI flag: -b/--cookie, cookie data for compatibility with copy as curl.
- New Output format are available: HTML and Markdown table.
- New CLI flag: -l, shows target location of redirect responses
- Filtering and matching by status code, response size or word count now allow using ranges in addition to single values
- The internal logging information to be discarded, and can be written to a file with the new `-debug-log` flag.
- v0.10
- New
- New CLI flag: -ac to autocalibrate response size and word filters based on few preset URLs.
- New CLI flag: -timeout to specify custom timeouts for all HTTP requests.
- New CLI flag: --data for compatibility with copy as curl functionality of browsers.
- New CLI flag: --compressed, dummy flag that does nothing. for compatibility with copy as curl.
- New CLI flags: --input-cmd, and --input-num to handle input generation using external commands. Mutators for example. Environment variable FFUF_NUM will be updated on every call of the command.
- When --input-cmd is used, display position instead of the payload in results. The output file (of all formats) will include the payload in addition to the position however.
- Changed
- Wordlist can also be read from standard input
- Defining -d or --data implies POST method if -X doesn't set it to something else than GET
- v0.9
- New
- New output file formats: CSV and eCSV (CSV with base64 encoded input field to avoid CSV breakage with payloads containing a comma)
- New CLI flag to follow redirects
- Erroring connections will be retried once
- Error counter in status bar
- New CLI flags: -se (stop on spurious errors) and -sa (stop on all errors, implies -se and -sf)
- New CLI flags: -e to provide a list of extensions to add to wordlist entries, and -D to provide DirSearch wordlist format compatibility.
- Wildcard option for response status code matcher.
- v0.8
- New
- New CLI flag to write output to a file in JSON format
- New CLI flag to stop on spurious 403 responses
- Changed
- Regex matching / filtering now matches the headers alongside of the response body
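Review bot: The changelog text carried into the new file keeps several typos, and the v0.11 entry is internally inconsistent. In v0.12, "`--debug-log` no correctly logs connection errors" should read "now" and "an such" should be "and such"; in v0.11, "New CLI flac: -acc" should be "flag" and "The if no keyword is defined" has a stray "The". The v0.11 block also lists "New CLI flag: -l" under both New and Changed, and its Changed list holds several "New CLI flag" entries (-i, -b/--cookie). Since the text is being relocated anyway, keep `-l` in one place and move the new-flag items under New.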

16
CONTRIBUTORS.md Normal file

@ -0,0 +1,16 @@
# Contributors
* [ccsplit](https://github.com/ccsplit)
* [delic](https://github.com/delic)
* [eur0pa](https://github.com/eur0pa)
* [fang0654](https://github.com/fang0654)
* [JamTookTheBait](https://github.com/JamTookTheBait)
* [joohoi](https://github.com/joohoi)
* [jvesiluoma](https://github.com/jvesiluoma)
* [lc](https://github.com/lc)
* [nnwakelam](https://twitter.com/nnwakelam)
* [oh6hay](https://github.com/oh6hay)
* [putsi](https://github.com/putsi)
* [SakiiR](https://github.com/SakiiR)
* [seblw](https://github.com/seblw)
* [SolomonSklash](https://github.com/SolomonSklash)
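Review bot: The nnwakelam entry links to twitter.com while every other entry links to a GitHub profile; if that is intentional it is fine, otherwise align it with the rest. The list is in case-insensitive alphabetical order, so a one-line note under the heading saying so would help later additions keep it.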


@ -1,6 +1,6 @@
MIT License MIT License
Copyright (c) 2018 Joona Hoikkala Copyright (c) 2020 Joona Hoikkala
Permission is hereby granted, free of charge, to any person obtaining a copy Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal of this software and associated documentation files (the "Software"), to deal
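Review bot: On the copyright line, replacing 2018 with 2020 discards the original year, and the commit itself is dated 2019-12-30. A range such as `Copyright (c) 2018-2020 Joona Hoikkala` keeps the first-publication year while covering the new one.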

110
README.md

@ -11,17 +11,15 @@
A fast web fuzzer written in Go. A fast web fuzzer written in Go.
Heavily inspired by the great projects [gobuster](https://github.com/OJ/gobuster) and [wfuzz](https://github.com/xmendez/wfuzz). ## Installation
## Features - [Download](https://github.com/ffuf/ffuf/releases/latest) a prebuilt binary from [releases page](https://github.com/ffuf/ffuf/releases/latest), unpack and run!
or
- If you have go compiler installed: `go get github.com/ffuf/ffuf`
- Fast! The only dependency of ffuf is Go 1.11. No dependencies outside of Go standard library are needed.
- Allows fuzzing of HTTP header values, POST data, and different parts of URL, including GET parameter names and values
- Silent mode (`-s`) for clean output that's easy to use in pipes to other processes.
- Modularized architecture that allows integration with existing toolchains with reasonable effort
- Easy-to-add filters and matchers (they are interoperable)
## Example cases ## Example usage
### Typical directory discovery ### Typical directory discovery
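Review bot: The credit line at the top of the README ("Heavily inspired by the great projects gobuster and wfuzz") is dropped here and does not reappear in the other visible README hunks or in CONTRIBUTORS.md. If the acknowledgement should stay, keep it under the tagline or add it to CONTRIBUTORS.md. The removed Features list was also where this part of the README described silent mode (`-s`) and what can be fuzzed (header values, POST data, parts of the URL); a one-line summary above Installation would preserve that for first-time readers.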
@ -139,6 +137,8 @@ Usage of ffuf:
-input-num int -input-num int
Number of inputs to test. Used in conjunction with --input-cmd. (default 100) Number of inputs to test. Used in conjunction with --input-cmd. (default 100)
-k TLS identity verification -k TLS identity verification
-maxtime int
Maximum running time in seconds. (default 0 = inf.)
-mc string -mc string
Match HTTP status codes from respose, use "all" to match every response code. (default "200,204,301,302,307,401,403") Match HTTP status codes from respose, use "all" to match every response code. (default "200,204,301,302,307,401,403")
-ml string -ml string
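Review bot: Two context lines next to the relocated `-maxtime` entry need a fix while this usage block is being touched. The `-k` description "TLS identity verification" does not say whether the flag turns verification on or off, and the `-mc` description misspells "response" as "respose". For a tool pointed at TLS endpoints, the `-k` wording should state the resulting behaviour explicitly. If this block is pasted from the program's help output, correct the strings at the source and regenerate it.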
@ -171,8 +171,6 @@ Usage of ffuf:
Number of concurrent threads. (default 40) Number of concurrent threads. (default 40)
-timeout int -timeout int
HTTP request timeout in seconds. (default 10) HTTP request timeout in seconds. (default 10)
-maxtime int
Maximum running time in seconds. (default 0 = inf.)
-u string -u string
Target URL Target URL
-v Verbose output, printing full URL and redirect location (if any) with the results. -v Verbose output, printing full URL and redirect location (if any) with the results.
@ -184,95 +182,7 @@ Usage of ffuf:
eg. `ffuf -u https://example.org/FUZZ -w /path/to/wordlist` eg. `ffuf -u https://example.org/FUZZ -w /path/to/wordlist`
## Installation
- [Download](https://github.com/ffuf/ffuf/releases/latest) a prebuilt binary from [releases page](https://github.com/ffuf/ffuf/releases/latest), unpack and run! ## License
or
- If you have go compiler installed: `go get github.com/ffuf/ffuf`
The only dependency of ffuf is Go 1.11. No dependencies outside of Go standard library are needed. ffuf is released under MIT license. See [LICENSE](https://github.com/ffuf/ffuf/blob/master/LICENSE).
## Changelog
- master
- New
- New CLI flag `-od` (output directory) to enable writing requests and responses for matched results to a file for postprocessing or debugging purposes.
- New CLI flag `-maxtime` to limit the running time of ffuf
- Changed
- Limit the use of `-e` (extensions) to a single keyword: FUZZ
- Regexp matching and filtering (-mr/-fr) allow using keywords in patterns
- Take 429 responses into account when -sa (stop on all error cases) is used
- v0.12
- New
- Added a new flag to select a multi wordlist operation mode: `--mode`, possible values: `clusterbomb` and `pitchfork`.
- Added a new output file format eJSON, for always base64 encoding the input data.
- Redirect location is always shown in the output files (when using `-o`)
- Full URL is always shown in the output files (when using `-o`)
- HTML output format got [DataTables](https://datatables.net/) support allowing realtime searches, sorting by column etc.
- New CLI flag `-v` for verbose output. Including full URL, and redirect location.
- SIGTERM monitoring, in order to catch keyboard interrupts an such, to be able to write `-o` files before exiting.
- Changed
- Fixed a bug in the default multi wordlist mode
- Fixed JSON output regression, where all the input data was always encoded in base64
- `--debug-log` no correctly logs connection errors
- Removed `-l` flag in favor of `-v`
- More verbose information in banner shown in startup.
- v0.11
- New
- New CLI flag: -l, shows target location of redirect responses
- New CLI flac: -acc, custom auto-calibration strings
- New CLI flag: -debug-log, writes the debug logging to the specified file.
- New CLI flags -ml and -fl, filters/matches line count in response
- Ability to use multiple wordlists / keywords by defining multiple -w command line flags. The if no keyword is defined, the default is FUZZ to keep backwards compatibility. Example: `-w "wordlists/custom.txt:CUSTOM" -H "RandomHeader: CUSTOM"`.
- Changed
- New CLI flag: -i, dummy flag that does nothing. for compatibility with copy as curl.
- New CLI flag: -b/--cookie, cookie data for compatibility with copy as curl.
- New Output format are available: HTML and Markdown table.
- New CLI flag: -l, shows target location of redirect responses
- Filtering and matching by status code, response size or word count now allow using ranges in addition to single values
- The internal logging information to be discarded, and can be written to a file with the new `-debug-log` flag.
- v0.10
- New
- New CLI flag: -ac to autocalibrate response size and word filters based on few preset URLs.
- New CLI flag: -timeout to specify custom timeouts for all HTTP requests.
- New CLI flag: --data for compatibility with copy as curl functionality of browsers.
- New CLI flag: --compressed, dummy flag that does nothing. for compatibility with copy as curl.
- New CLI flags: --input-cmd, and --input-num to handle input generation using external commands. Mutators for example. Environment variable FFUF_NUM will be updated on every call of the command.
- When --input-cmd is used, display position instead of the payload in results. The output file (of all formats) will include the payload in addition to the position however.
- Changed
- Wordlist can also be read from standard input
- Defining -d or --data implies POST method if -X doesn't set it to something else than GET
- v0.9
- New
- New output file formats: CSV and eCSV (CSV with base64 encoded input field to avoid CSV breakage with payloads containing a comma)
- New CLI flag to follow redirects
- Erroring connections will be retried once
- Error counter in status bar
- New CLI flags: -se (stop on spurious errors) and -sa (stop on all errors, implies -se and -sf)
- New CLI flags: -e to provide a list of extensions to add to wordlist entries, and -D to provide DirSearch wordlist format compatibility.
- Wildcard option for response status code matcher.
- v0.8
- New
- New CLI flag to write output to a file in JSON format
- New CLI flag to stop on spurious 403 responses
- Changed
- Regex matching / filtering now matches the headers alongside of the response body
## TODO
- Tests!
- Optional scope for redirects
- Client / server architecture to queue jobs and fetch the results later
- Fuzzing multiple values at the same time
- Output module to push the results to an HTTP API
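Review bot: With the Changelog section removed from the end of README.md, the only section the visible right-hand side adds is License, so nothing in the visible README text points to the new CHANGELOG.md or CONTRIBUTORS.md. Add a short line linking both files. The TODO list (tests, optional scope for redirects, client / server architecture and so on) is also deleted without a visible new home; if those items are still planned, say where they are tracked. The License link uses an absolute URL pinned to master; a relative link to `LICENSE` would also resolve correctly on tags and forks.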