v2.9.4

• reduced memory usage overall
• improved speed during link extraction
• updated dependencies. most significantly, indicatif, which hasn't been updated for well over a year (purposely postponed)
• added optional install path to install-nix.sh

What's Changed

• random improvements by @epi052 in #877
• docs: add DrorDvash as a contributor for bug by @allcontributors in #879

Full Changelog: v2.9.3...v2.9.4

v2.9.3

What's Changed

• added extensions and status codes into auto filtering decision calculus by @epi052 in #869

Special thanks to @0xdf223 for letting me know about the shortcoming 🥳

Full Changelog: v2.9.2...v2.9.3

v2.9.2

What's Changed

• changed default value for --extract-links to true => added --dont-extract-links to turn off the new default behavior by @epi052 in #834
• can load a wordlist from its url over http/https by @epi052 in #834
• updated README with alternative installation methods for brew and chocolatey by @aancw in #824
• fixed divide by zero error by @epi052 in #834
• added check for forced recursion when directory listing detected by @epi052 in #834

Special thanks to @aancw for the code, @acut3 for the bug report, and @xaeroborg for the nice quality of life idea 🎉

Full Changelog: v2.9.1...v2.9.2

v2.9.1

What's Changed

• Implement auto update feature by @aancw in #813
• scan management can now canx scans started with -u | --stdin | the menu itself by @epi052 in #821
• feroxbuster can be installed via chocolatey by @aancw in #807
• fix resume with offset when --methods | --extensions are used by @epi052 in #823

Full Changelog: v2.9.0...v2.9.1

v2.9.0

What's Changed

• banner is shown again after exiting scan management menu by @aancw in #804
• improved auto-filtering accuracy
• Fixed issue where a wildcard redirect caused every request to recurse into that directory by @epi052 in #808; id'd by @0xdf223
• fixed bug where --auto-tune and --rate-limit could be set in the same scan via --smart/--thorough composite settings; id'd by @GenericUser123

New Contributors

• @aancw made their first contribution in #804 🥳

Full Changelog: v2.8.0...v2.9.0

v2.8.0

What's Changed

• Fixes #761 | Updated Dockerfile and CONTRIBUTING docs by @aidanhall34 in #762
• fixed bug in extractor that wasn't correctly comparing extracted domains
• fixed bug in Makefile
• fixed auto-bail icon; wasn't displaying properly on some terminals
• added visual cues for auto-tune's rate adjustments
• added visual cue when auto-bail is triggered
• when Content-Length header is missing or 0, now check the body length as well in case that differs
• fixed issue where auto-tune wasn't adjusting upward as often as it should have been
• added new methods for auto-detecting 404-like responses
• swapped ssdeep for simhash when creating similarity filters
• changed default allowed statuses to 'All Status Codes', new 404 detection should filter out what's unimportant and allow more responses through (i.e. apis)
• resume scan starts from offset in wordlist when a directory scan was partially complete
• docs: add aidanhall34 as a contributor for code, and infra by @allcontributors in #764
• docs: add hakdogpinas as a contributor for ideas by @allcontributors in #752
• docs: add duokebei as a contributor for ideas by @allcontributors in #753
• docs: add joaociocca as a contributor for bug, and ideas by @allcontributors in #790
• docs: add f3rn0s as a contributor for bug by @allcontributors in #793
• docs: add pich4ya as a contributor for ideas by @allcontributors in #799
• docs: add xaeroborg as a contributor for ideas by @allcontributors in #800
• docs: add Luoooio as a contributor for ideas by @allcontributors in #801

New Contributors

• @aidanhall34 made their first contribution in #762

Full Changelog: v2.7.3...v2.8.0

v2.7.3

What's Changed

• FIX 732 ensure --no-state is respected even through --time-limit by @kmanc in #733
• Fix incorrect username in Contributors by @n0kovo in #749
• fixed #716; wordlist entries with leading slash are trimmed by @epi052 in #750
• fixed #743; redirects always show full url as Location by @epi052 in #750
• fixed #748; cancelled scans persist across ctrl+c by @epi052 in #750

New Contributors

• @kmanc made their first contribution in #733
• @n0kovo made their first contribution in #749

Full Changelog: v2.7.2...v2.7.3

v2.7.2

What's Changed

• removed superfluous if statement by @herrcykel in #580
• upgraded leaky-bucket to 0.12.1 by @udoprog in #604
• updated dependencies by @epi052 in #670
• upgraded clap from 3.x to 4.x by @epi052 in #671
• 661 fix double dir scan by @epi052 in #672
• fixed invalid uri exception during extraction by @epi052 in #706

New Contributors

• @herrcykel made their first contribution in #580
• @udoprog made their first contribution in #604

Full Changelog: 2.7.1...v2.7.2

2.7.1

What's Changed

• fixed bug in auto-tune
• extensions now accept values with leading period, i.e. -x .php and -x php behave identically (leading period gets stripped)
• if no url scheme is given, https is prepended to the target (-u hackerone.com becomes https://hackerone.com)
• support for secondary default wordlist location added (/usr/local/share/seclists...)

🎉 Special thanks to @jhaddix, @IppSec, @postmodern, and @DonatoReis for their reports / ideas 🎉

Full Changelog: 2.7.0...2.7.1

2.7.0

What's Changed

• 535 status code filter overhaul by @epi052 in #536

For a more in-depth explanation of how status code filtering has changed, please see the docs. Here are the cliff notes:

• --filter-status and --status-codes are now mutually exclusive options
• --status-codes works the same way it always has: by providing an allow-list for status codes. Any status code not included in --status-codes will be filtered out
• If a value is given to --filter-status, that status code will be filtered out, while all other status codes are allowed to proceed

Additionally, there is a new flag, --force-recursion. This flag tells feroxbuster to ignore its typical recursion logic in favor of recursing into any ‘found’ asset. A ‘found’ asset is an endpoint that was not filtered out by other scan settings (i.e. –filter-status or similar). More info available here.

Finally, the default path to the wordlist on windows has been updated to look in the current directory: .\SecLists\Discovery\Web-Content\raft-medium-directories.txt

🎉 Special thanks to @0xdf223 and @ThisLimn0 🎉

Full Changelog: v2.6.4...2.7.0