PSFuzz - ProvieSec Fuzz Scanner is a web path and file discovery tool designed to scan web directories, files, and other endpoints efficiently. It allows security professionals to explore potential vulnerabilities through fuzzing by sending a wide range of requests to various URLs, using both predefined and dynamically generated payloads.
The tool supports custom configurations, such as recursive directory scanning, status code filtering, payload generation, request throttling, and more. PSFuzz is built with high concurrency to handle multiple requests in parallel while also allowing rate limiting.
It includes several bypass techniques for common restrictions, and it is flexible enough to detect possible false positives, such as 404-like responses. The tool outputs findings to a file or directly to the console for further analysis.
⭐ Star us on GitHub — it motivates a lot! ⭐
Web path discovery
Discover hidden files and directories on a web server with ProSecFuzz.
Needless to mention, please use this tool very very carefully. The authors won't be responsible for any consequences.
```shell
go get github.com/Proviesec/PSFuzz
go install github.com/Proviesec/PSFuzz@latest
```
Summary:
- The wordlist is a text file with one path per line.
- Suitable lists are available here: https://github.com/Proviesec/directory-payload-list
Required:

| Short | Long | Example | Description |
|---|---|---|---|
| `-u` | `-url` | `-u https://www.google.com` | Target URL |

Optional:

| Short | Long | Example | Description |
|---|---|---|---|
| `-o` | `-output` | `-o google_output` | Default: `output.txt` |
| `-d` | `-dirlist` | `-d list.txt` | Default: https://raw.githubusercontent.com/Proviesec/directory-payload-list/main/directory-full-list.txt |
| `-s` | `-status` | `-s true` | Default: `false` (only status code 200) |
| `-c` | `-concurrency` | `-c 5` | |
| `-fscn` | `-filterStatusCodeNot` | `-fscn 404` | Don't show responses with status code 404 |
| `-fsc` | `-filterStatusCode` | `-fsc 200,301` | Show only responses with status code 200 and 301 |
| `-fl` | `-filterLength` | `-fl 122,1234,1235,1236` or `-fl 122,1234-1236` | Show only responses with this length (or length range) |
| `-fln` | `-filterLengthNot` | `-fln 122,1234,1235,1236` or `-fln 122,1234-1236` | Don't show responses with this length (or length range) |
| `-fm` | `-filterMatchWord` | `-fm admin` | |
| `-rah` | `-requestAddHeader` | `-rah Host:127.0.0.1` | |
| `-tr` | `-throttleRate` | `-tr 10` | Max requests per second |
| `-b` | `-bypass` | `-b true` | Bypass status codes 401, 402, 403 |
| `-g` | `-generate_payload` | `-g 100` | Generate payloads such as a, aa, ab, abc, aaa, abb, bbc |
| `-od` | `-onlydomains` | `-od true` | Show only domains in the output file (no status code) |
| `-checkBackslash` | | `-checkBackslash true` | |
| `-t` | `-filterTestLength` | `-t true` | Make a test request and check whether any other response has the same length; if so, skip that result |
| `-fws` | `-filterWrongStatus200` | `-fws true` | Don't show responses whose title contains "Access Gateway", "Not Found", "Error"/"ERROR", "403", "Bad Request", "Forbidden", "500" or "Internal Server Error", or whose body length is <= 1 |
```shell
go run main.go -url https://www.google.com/ -d dir-full.txt -c 2 -o testest -s true -fscn 404,301,302
go run main.go -url https://www.google.com/ -d dir-full.txt -c 2 -o googletest -s true -fl 122,1565-1569 -fln 1566-1568
```
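As an added example (not code from the PSFuzz project), the two false-positive filters described above, `-t` (filterTestLength) and `-fws` (filterWrongStatus200), applied offline in Go to constructed responses; the `response` type, the function names and the title-tag regex are assumptions, and the marker list is the one the `-fws` description gives.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// response is the subset of an HTTP result the PSFuzz filters look at (constructed here, no network).
type response struct{ Path string; Status int; Body string }

var titleRe = regexp.MustCompile(`(?is)<title[^>]*>(.*?)</title>`)
// wrongStatusMarkers are the title fragments the -fws option treats as an error page served with HTTP 200.
var wrongStatusMarkers = []string{"Access Gateway", "Not Found", "Error", "ERROR", "403",
	"Bad Request", "Forbidden", "500", "Internal Server Error"}

// looksLikeErrorPage applies the -fws rule to a body: its <title> contains a marker, or it is at most one byte long.
func looksLikeErrorPage(body string) bool {
	m := titleRe.FindStringSubmatch(body)
	for _, mk := range wrongStatusMarkers {
		if m != nil && strings.Contains(m[1], mk) {
			return true
		}
	}
	return len(body) <= 1
}

// keepFindings combines -t (filterTestLength) with -fws: probe is the response for a path that should not
// exist, so a hit with the same body length is the catch-all page; a 200 that looksLikeErrorPage is dropped too.
func keepFindings(probe response, hits []response) []response {
	var kept []response
	for _, h := range hits {
		if len(h.Body) == len(probe.Body) || (h.Status == 200 && looksLikeErrorPage(h.Body)) {
			continue
		}
		kept = append(kept, h)
	}
	return kept
}

func main() {
	// Constructed sample: the probe path is a random name that should not exist on the server.
	probe := response{"/zq8x1k", 200, "<html><title>Not Found</title><body>catch-all</body></html>"}
	hits := []response{{"/admin", 200, probe.Body}, {"/backup", 200, ""},
		{"/login", 200, "<html><title>Login</title><body>Please sign in</body></html>"},
		{"/api", 403, "<html><title>Forbidden</title></html>"}}
	for _, r := range keepFindings(probe, hits) {
		fmt.Println(r.Path, r.Status) // prints "/login 200" then "/api 403"
	}
}
```

The 403 survives because `-fws` only judges 200 responses; whether it is worth a look is then a matter for the `-b`/bypass options rather than this filter.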
Features and roadmap:
- Multi requests
- Optional param output
- check https or http
- Logo and version output
- Marketing
- Tryhackme room - Link:
- Youtube video
- help mode (-h)
- check backslash
- optional config file
- load config
- save config
- json file
- config for "don't show" in title/body
- Proxy
- throttle
- detect "too many requests"
- Output
- TXT
- CSV
- JSON
- HTML
- Send mail?
- Progress bar
- list of sites
- Parameter
- random payload generator
- choice of dirlist from proviesec github repo
- subdomain list from proviesec github repo
- Port list
- Length
- Length range show and not show
- Response status list show
- Response status range show
- Response status list not show
- Response status range not show
- Filter content type
- Words match list title/page
- Set optional header
- scan subdirs with depth (list: admin/public/static)
- exclude subdirs (list: js/img)
- add default extensions (yml,php,aspx,jsp,html,js)
- lowercase
- uppercase
- Min response size
- Max response size
- Set request timeout
- Add cookies
- quiet mode
- random user-agent
- show only the URLs
- add user agent
- username/password basic auth
- make GET requests
- make PUT requests
- make POST requests
- try PUT/DELETE/PATCH
- Wordlist txt parameter
- Wildcard parameter
- List of URLs
- depth by dir
- Word list
- Automatic word list for any file (html, txt, php, ...)
- payload generator: include, start or end with a specific word, and max length
- file ending as parameter list
- get list from any URL
- get list from proviesec github account by default
- multiple word lists
- CRLF scan
- open redirect scan
- fuzzing parameter (from a-z)
- fuzzing HTTP verbs
- Wordlist formats, upper/lower
- show response status
- count words
- show response time
- show lines
- dump the response to files
- analyse the response with AI
- Fingerprint software (WordPress/PHP/Java/Apache/nginx etc.)
- CORS analysis
- bypass
- 403 bypass, config
- Status bypass
- Words match list title/page/header
- output the matching line
- Show false positives: status 200, but title 404
- Show possible block response after x requests ("403" or "too many requests")
- Show possible false 200, same length as a random page
- Show confidence value if the folder/file is not in the response
- Intelligence
- Automatically detect false 200 (really 404)
- too many redirects and then restart again, with the exclusion of
- Show the most unique target
- Show title of page
- Show response body length
- filter possible 404
- show content type
- Fingerprint check
- fuzz parameter check (normal response vs. with parameter)
- show reflected cookie
- show reflected params
- show reflected base64 params
- search for interesting strings
- compare two scans
- save scan
- load scan
- Redirect handler - 301... -> can be activated via parameter
- Show redirect URL
- Skip status filter if redirect true (via parameter)
```shell
go run main.go -url https://www.google.com -d list.txt -s true -c 2
```