Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Info disclosure scanner
# Before the first run, read the comments and change the script for your company
# Before anything, install ffuf with `go install`
# Change the WEBROOT variable below to the location of the webroot
# This changes to the webroot directory
# This makes a directory for storing the files used for this script. Change it to be whatever path you want.
mkdir -p $PROJPATH
# This finds all the files and writes their paths to the file
find . -name "*" -print | cut -d/ -f2- > $PROJPATH/all_files.txt
# Change to projpath director
# This fuzzes for all the files and matches 200 response code and saves output in the file. You can use ffuf's other nice outputs if desired but it will break the rest of the script.
ffuf -c -u -w all_files.txt -mc 200 -ac -o output.csv
# The first run of this will put all exposed paths into the file. After that, only newly exposed files will be output.
cat output.csv | cut -d, -f2 | anew all_exposed_paths.txt
# You can now review all_exposed_pathss.txt or output.csv or to make sure nothing is exposed that shouldn't be.
# Alternatively (what I recommend) is to pipe the output of the previous command into a slack or discord hook. If you do that, comment out the last line and use this one. Here's my tool I use to send messages to slack (it's 3 lines of code):
cat output.csv | cut -d, -f2 | anew all_exposed_paths.txt | to_slack
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment