v2.3.1

Closes #301

feroxbuster now complies with kali's auto package tests

v2.3.0

• updated dependencies
• added --dont-scan option that prevents sub-files/folders from being requested (not a filter, applied before the request)
• drastically improved performance when --extract-links is used; should be at or near normal scan performance now

🌮 special thanks to @mzpqnxow and @black-A for their feature requests! 🌮

v2.2.5

• bumped multiple dependency versions
• added -o plusdirs to bash completion script as part of the formal build process
• installs that use cargo will now have a config file dropped in ~/.config/feroxbuster (or w/e is OS appropriate) if one doesn't already exist
• --help and -h always result in the long-form help message being printed, even if an erroneous flag/option is placed before it

Thank you to 0xdf, @secure-77, and @hunter0x8 for their suggestions 🎉

v2.2.4

• updated scan cancel menu's input to support comma and range delimited values
• updated scan cancel menu's input to support a -f option that will skip asking the user for confirmation

Another superb request from @mzpqnxow 🥳

v2.2.3

• fixed [de]serialization of atomics on arm hosts
• added official builds of armv7 and aarch64

Thanks to @tienna-0051 for reporting the build failure!

v2.2.2

• bumped serde_json to version 1.0.64
• bumped rlimit to version 0.5.4
• bumped ctrlc to version 3.1.8
• added command completion script install to .deb build
• wordlist order is now preserved after being stored (#233 & #226)
  • previous implementation used a hashset for auto-dedup, with the side effect having an unordered wordlist. Now using a Vec to store the wordlist, which preserves insertion order

thanks to @secure-77 and @Kiblyn11 for bringing wordlist ordering to my attention 🙏

v2.2.1

• fixed regression in banner that reintroduced an emoji that threw off alignment (originally fixed in 1.12.3)
• bumped reqwest version to 0.11.1

v2.2.0

• added --parallel option
• bumped tokio to version 1.2.0
• bumped serde_json to version 1.0.62

special thanks to Nicolas Krassas (@Dinosn) for the suggestion 🎉

---

Version 2.2.0 introduces the --parallel option. If you're one of those people who use feroxbuster to scan 100s of hosts at a time, this is the option for you! --parallel spawns a child process per target passed in over stdin (recursive directories are still async within each child).

The number of parallel scans is limited to whatever you pass to --parallel. When one child finishes its scan, the next child will be spawned.

Unfortunately, using --parallel limits terminal output such that only discovered URLs are shown. No amount of -v's will help you here. I imagine this isn't too big of a deal, as folks that need --parallel probably aren't sitting there watching the output... 🙃

Example Command:

cat large-target-list | ./feroxbuster --stdin --parallel 10 --extract-links --auto-bail

Resuling Process List (illustrative):

\_ target/debug/feroxbuster --stdin --parallel 10
    \_ target/debug/feroxbuster --silent --extract-links --auto-bail -u https://target-one
    \_ target/debug/feroxbuster --silent --extract-links --auto-bail -u https://target-two
    \_ target/debug/feroxbuster --silent --extract-links --auto-bail -u https://target-three
    \_ ...
    \_ target/debug/feroxbuster --silent --extract-links --auto-bail -u https://target-ten

v2.1.0

• added --auto-tune
• added --auto-bail
• bumped env_logger to version 0.8.3

Thanks to @mzpqnxow and @N0ur5 for their requests/suggestions! 🥳

---

Version 2.1.0 introduces the --auto-tune and --auto-bail flags. You can think of these flags as Policies. Both actions (tuning and bailing) are triggered by the same criteria (below). Policies are only enforced after at least 50 requests have been made (or # of threads, if that's > 50).

Policy Enforcement Criteria:

number of general errors (timeouts, etc) is higher than half the number of threads (or at least 25 if threads are lower) (per directory scanned)
90% of responses are 403|Forbidden (per directory scanned)
30% of requests are 429|Too Many Requests (per directory scanned)
both demo gifs below use --timeout to overload a single-threaded python web server and elicit timeouts

--auto-tune:
The AutoTune policy enforces a rate limit on individual directory scans when one of the criteria above is met. The rate limit self-adjusts every (timeout / 2) seconds. If the number of errors have increased during that time, the allowed rate of requests is lowered. On the other hand, if the number of errors hasn't moved, the allowed rate of requests is increased. If no additional errors are found after a certain number of checks, the rate limit will be removed completely.

--auto-bail:
The AutoBail policy aborts individual directory scans when one of the criteria above is met. They just stop getting scanned, no muss, no fuss.

v2.0.2

• added clarity to error messages resulting from attempting to connect to HTTPS servers w/o a valid certificate

🎉 thanks to @bpsizemore for the issue and PR!