v2.13.0

What's Changed

• add --scope option by @epi052 in #1271
• add STATE_FILENAME environment variable to control feroxbuster state file name/location by @epi052 in #1271

Special thanks to @lidorelias3 and @0x7274 for their ideas, bug reporting, and documentation contributions 🥳

Full Changelog: v2.12.0...v2.13.0

v2.12.0

Feroxbuster v2.12.0 Release Summary

🚀 New Features

Response Size Limiting (--response-size-limit)

• Issue #1260: Added new --response-size-limit flag to limit the size of response bodies read during scanning
• Helps prevent memory exhaustion when scanning applications with very large responses
• Default limit set to 4MB, configurable via command line and config file
• Responses that exceed the limit are marked as truncated but still processed for status codes and headers

Unique Response Filtering (--unique)

• Issue #1240/635: Added new --unique flag to filter out duplicate responses using SimHash with Hamming distance analysis
• Helps reduce noise by showing only unique content, especially useful when scanning large applications with similar pages
• Uses advanced similarity detection to identify duplicate responses even when they're not identical

Auto Content-Type Headers (--data-json and --data-urlencoded)

• PR #1234: Added new convenience flags for automatically setting Content-Type headers and POST method by @zar3bski
• --data-json: Automatically sets Content-Type: application/json, configures data payload, and sets method to POST
• --data-urlencoded: Automatically sets Content-Type: application/x-www-form-urlencoded, URL-encodes the payload, and sets method to POST
• Both flags support reading data from files using @filename syntax (e.g., --data-json @payload.json)
• Simplifies common POST request scenarios by eliminating need to manually set headers and methods

Dynamic Scan Limit Management

• Issue #817: Enhanced scan management menu with ability to view and modify scan limits in real-time
• Issue #1254: Added capability to increase scan limits through the interactive scan management menu
• Added "Waiting" status visibility for scans that are queued due to limits

🛠️ Improvements

Shell Completion Updates

• PR #1229: Fixed Fish shell completion generation in build script by @zer0x64
• Corrected duplicate Zsh completion generation that was preventing Fish completions from being properly generated

Enhanced SSL Error Messaging

• Issue #1258: Improved SSL error messages to provide more helpful debugging information
• Better error context and clearer explanations when SSL/TLS issues occur

Updated Link Discovery

• Issue #1077: Fixed bug in link extractor functionality related to force recursion handling
• Updated LinkFinder regex patterns to latest version from upstream project

🔧 Technical Changes

Dependencies

• Updated various dependencies to their latest versions for security and performance improvements

Code Quality

• PR #1247: Fixed clippy linting warnings to enable compilation with --deny warnings by @karanabe

Configuration

• Added unique option to configuration file example
• Added response_size_limit option to configuration file example
• Enhanced banner display to show unique filtering and response size limit status when enabled

New Contributors

• @zer0x64 made their first contribution in #1229
• @zar3bski made their first contribution in #1234
• @karanabe made their first contribution in #1245

---

Full Changelog: v2.11.0...v2.12.0

v2.11.0

What's Changed

• add --scan-dir-listings by @epi052 in #1192
• add --request-file by @epi052 in #1192
• add --protocol by @epi052 in #1192
• add --limit-bars by @epi052 in #1192

Brief descriptions

• --request-file and --protocol - read in a raw http request file, from burp or similar
• --scan-dir-listings - force recursion into folders where directory listing is enabled
• --limit-bars - cap the number of progress bars displayed

Documentation

• --request-file and --protocol
• --scan-dir-listings
• --limit-bars

Special thanks to @Raymond-JV, @Tib3rius, @libklein, and @L1-0 for their suggestions and support 🎉

Full Changelog: v2.10.4...v2.11.0

v2.10.4

What's Changed

• --filter-regex now looks at headers in addition to response body by @epi052 in #1142
• clarified wording for headers in ferox-config.toml by @JulianGR in #1152
• added winget releaser workflow by @sitiom in #1155
• scan management menu now shows the estimated time left to scan by @epi052 in #1142
• made --cookies parsing more robust by @epi052 in #1142
• added ARM build for mac (aarch64-macos) to releases by @epi052 in #1142
• fixed an issue where estimated time to complete would show 0s before the scan was finished by @epi052 in #1142

New Contributors

• @JulianGR made their first contribution in #1152
• @sitiom made their first contribution in #1155

Special thanks 🙏

The following folks submitted bugs, PRs, and feature requests (in no particular order). They're the real MVPs.

• @JulianGR
• @L1-0
• @sitiom
• @wikamp-collaborator
• @sa7mon
• @swordfish0x0

Full Changelog: v2.10.3...v2.10.4

v2.10.3

What's Changed

• 1105 - improve json logs for post processing by @epi052 in #1114
• 1097 - included configuration field in state file by @epi052 in #1114
• 1118 - using --data implies POST HTTP verb by @epi052 in #1114
• 1122 - fixed mishandling of whitespace for supplied request headers by @epi052 in #1114

Full Changelog: v2.10.2...v2.10.3

v2.10.2

What's Changed

• removed scan target headers from feroxbuster-update check by @epi052 in #1033
• --collect-backups accepts custom backup extension list by @epi052 in #1035
• fixed issue where --silent included too much info on found dir by @epi052 in #1067
• --parallel time limit enforced on individual directories instead of main thread by @epi052 in #1072
• query fontconfig to determine if Noto Color Emoji is installed by @tritoke in #1083
• updated upstream library that was causing tokio-runtime-worker panics; they're correctly reported as Err from the library now
• re-added .deb install method to releases
• fixed issue where early redirect loop would cause ferox to hang indefinitely

New Contributors

• @tritoke made their first contribution in #1083

Full Changelog: v2.10.1...v2.10.2

v2.10.1

What's Changed

• fixed scan menu range issue by @epi052 in #936
• enable reading extensions from file by @andreademurtas in #976
• fixed collect backups filtering by @epi052 in #1016
• added http/2 support by @epi052 in #1020
• allowed --json in conjunction with --silent by @epi052 in #1022

New Contributors

• @andreademurtas made their first contribution in #976

Full Changelog: v2.10.0...v2.10.1

v2.10.0

What's Changed

• Adds server and client certificate management; enables mTLS by @lavafroth in #892
  • --server-certs
  • --client-cert
  • --client-key

New Contributors

• @lavafroth made their first contribution in #892 🎉

Full Changelog: v2.9.5...v2.10.0

v2.9.5

What's Changed

• 878 support raw urls by @epi052 in #884

special thanks to @aroly for reporting the issue, @lavafroth for the workaround, and @aancw for furthering the discussion! 🎉

Full Changelog: v2.9.4...v2.9.5

v2.9.4

• reduced memory usage overall
• improved speed during link extraction
• updated dependencies. most significantly, indicatif, which hasn't been updated for well over a year (purposely postponed)
• added optional install path to install-nix.sh

What's Changed

• random improvements by @epi052 in #877
• docs: add DrorDvash as a contributor for bug by @allcontributors in #879

Full Changelog: v2.9.3...v2.9.4