updated dependencies

* docs: update README.md [skip ci]

* docs: update .all-contributorsrc [skip ci]

---------

Co-authored-by: allcontributors[bot] <46447321+allcontributors[bot]@users.noreply.github.com>

.all-contributorsrc

@@ -0,0 +1,704 @@
+{
+  "files": [
+    "README.md"
+  ],
+  "imageSize": 100,
+  "commit": false,
+  "contributors": [
+    {
+      "login": "joohoi",
+      "name": "Joona Hoikkala",
+      "avatar_url": "https://avatars.githubusercontent.com/u/5235109?v=4",
+      "profile": "https://io.fi",
+      "contributions": [
+        "doc"
+      ]
+    },
+    {
+      "login": "jsav0",
+      "name": "J Savage",
+      "avatar_url": "https://avatars.githubusercontent.com/u/20546041?v=4",
+      "profile": "https://github.com/jsav0",
+      "contributions": [
+        "infra",
+        "doc"
+      ]
+    },
+    {
+      "login": "TGotwig",
+      "name": "Thomas Gotwig",
+      "avatar_url": "https://avatars.githubusercontent.com/u/30773779?v=4",
+      "profile": "http://www.tgotwig.dev",
+      "contributions": [
+        "infra",
+        "doc"
+      ]
+    },
+    {
+      "login": "spikecodes",
+      "name": "Spike",
+      "avatar_url": "https://avatars.githubusercontent.com/u/19519553?v=4",
+      "profile": "https://github.com/spikecodes",
+      "contributions": [
+        "infra",
+        "doc"
+      ]
+    },
+    {
+      "login": "evanrichter",
+      "name": "Evan Richter",
+      "avatar_url": "https://avatars.githubusercontent.com/u/330292?v=4",
+      "profile": "https://github.com/evanrichter",
+      "contributions": [
+        "code",
+        "doc"
+      ]
+    },
+    {
+      "login": "mzpqnxow",
+      "name": "AG",
+      "avatar_url": "https://avatars.githubusercontent.com/u/8016228?v=4",
+      "profile": "https://github.com/mzpqnxow",
+      "contributions": [
+        "ideas",
+        "doc"
+      ]
+    },
+    {
+      "login": "n-thumann",
+      "name": "Nicolas Thumann",
+      "avatar_url": "https://avatars.githubusercontent.com/u/46975855?v=4",
+      "profile": "https://n-thumann.de/",
+      "contributions": [
+        "code",
+        "doc"
+      ]
+    },
+    {
+      "login": "tomtastic",
+      "name": "Tom Matthews",
+      "avatar_url": "https://avatars.githubusercontent.com/u/302127?v=4",
+      "profile": "https://github.com/tomtastic",
+      "contributions": [
+        "doc"
+      ]
+    },
+    {
+      "login": "bsysop",
+      "name": "bsysop",
+      "avatar_url": "https://avatars.githubusercontent.com/u/9998303?v=4",
+      "profile": "https://github.com/bsysop",
+      "contributions": [
+        "doc"
+      ]
+    },
+    {
+      "login": "bpsizemore",
+      "name": "Brian Sizemore",
+      "avatar_url": "https://avatars.githubusercontent.com/u/11645898?v=4",
+      "profile": "http://bpsizemore.me",
+      "contributions": [
+        "code"
+      ]
+    },
+    {
+      "login": "noraj",
+      "name": "Alexandre ZANNI",
+      "avatar_url": "https://avatars.githubusercontent.com/u/16578570?v=4",
+      "profile": "https://pwn.by/noraj",
+      "contributions": [
+        "infra",
+        "doc"
+      ]
+    },
+    {
+      "login": "craig",
+      "name": "Craig",
+      "avatar_url": "https://avatars.githubusercontent.com/u/99729?v=4",
+      "profile": "https://github.com/craig",
+      "contributions": [
+        "infra"
+      ]
+    },
+    {
+      "login": "EONRaider",
+      "name": "EONRaider",
+      "avatar_url": "https://avatars.githubusercontent.com/u/15611424?v=4",
+      "profile": "https://www.reddit.com/u/EONRaider",
+      "contributions": [
+        "infra"
+      ]
+    },
+    {
+      "login": "wtwver",
+      "name": "wtwver",
+      "avatar_url": "https://avatars.githubusercontent.com/u/53866088?v=4",
+      "profile": "https://github.com/wtwver",
+      "contributions": [
+        "infra"
+      ]
+    },
+    {
+      "login": "Tib3rius",
+      "name": "Tib3rius",
+      "avatar_url": "https://avatars.githubusercontent.com/u/48113936?v=4",
+      "profile": "https://tib3rius.com",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "0xdf",
+      "name": "0xdf",
+      "avatar_url": "https://avatars.githubusercontent.com/u/1489045?v=4",
+      "profile": "https://github.com/0xdf",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "secure-77",
+      "name": "secure-77",
+      "avatar_url": "https://avatars.githubusercontent.com/u/31564517?v=4",
+      "profile": "http://secure77.de",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "sbrun",
+      "name": "Sophie Brun",
+      "avatar_url": "https://avatars.githubusercontent.com/u/7712154?v=4",
+      "profile": "https://github.com/sbrun",
+      "contributions": [
+        "infra"
+      ]
+    },
+    {
+      "login": "black-A",
+      "name": "black-A",
+      "avatar_url": "https://avatars.githubusercontent.com/u/30686803?v=4",
+      "profile": "https://github.com/black-A",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "dinosn",
+      "name": "Nicolas Krassas",
+      "avatar_url": "https://avatars.githubusercontent.com/u/3851678?v=4",
+      "profile": "https://github.com/dinosn",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "N0ur5",
+      "name": "N0ur5",
+      "avatar_url": "https://avatars.githubusercontent.com/u/24260009?v=4",
+      "profile": "https://github.com/N0ur5",
+      "contributions": [
+        "ideas",
+        "bug"
+      ]
+    },
+    {
+      "login": "moscowchill",
+      "name": "mchill",
+      "avatar_url": "https://avatars.githubusercontent.com/u/72578879?v=4",
+      "profile": "https://github.com/moscowchill",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "BitThr3at",
+      "name": "Naman",
+      "avatar_url": "https://avatars.githubusercontent.com/u/45028933?v=4",
+      "profile": "http://BitThr3at.github.io",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "sicks3c",
+      "name": "Ayoub Elaich",
+      "avatar_url": "https://avatars.githubusercontent.com/u/32225186?v=4",
+      "profile": "https://github.com/Sicks3c",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "HenryHoggard",
+      "name": "Henry",
+      "avatar_url": "https://avatars.githubusercontent.com/u/1208121?v=4",
+      "profile": "https://github.com/HenryHoggard",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "SleepiPanda",
+      "name": "SleepiPanda",
+      "avatar_url": "https://avatars.githubusercontent.com/u/6428561?v=4",
+      "profile": "https://github.com/SleepiPanda",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "uBadRequest",
+      "name": "Bad Requests",
+      "avatar_url": "https://avatars.githubusercontent.com/u/47282747?v=4",
+      "profile": "https://github.com/uBadRequest",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "dnaka91",
+      "name": "Dominik Nakamura",
+      "avatar_url": "https://avatars.githubusercontent.com/u/36804488?v=4",
+      "profile": "https://home.dnaka91.rocks",
+      "contributions": [
+        "infra"
+      ]
+    },
+    {
+      "login": "hunter0x8",
+      "name": "Muhammad Ahsan",
+      "avatar_url": "https://avatars.githubusercontent.com/u/46222314?v=4",
+      "profile": "https://github.com/hunter0x8",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "cortantief",
+      "name": "cortantief",
+      "avatar_url": "https://avatars.githubusercontent.com/u/34527333?v=4",
+      "profile": "https://github.com/cortantief",
+      "contributions": [
+        "bug",
+        "code"
+      ]
+    },
+    {
+      "login": "dsaxton",
+      "name": "Daniel Saxton",
+      "avatar_url": "https://avatars.githubusercontent.com/u/2658661?v=4",
+      "profile": "https://github.com/dsaxton",
+      "contributions": [
+        "ideas",
+        "code"
+      ]
+    },
+    {
+      "login": "n0kovo",
+      "name": "n0kovo",
+      "avatar_url": "https://avatars.githubusercontent.com/u/16690056?v=4",
+      "profile": "https://github.com/n0kovo",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "justinsteven",
+      "name": "Justin Steven",
+      "avatar_url": "https://avatars.githubusercontent.com/u/1893909?v=4",
+      "profile": "https://ring0.lol",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "7047payloads",
+      "name": "7047payloads",
+      "avatar_url": "https://avatars.githubusercontent.com/u/95562424?v=4",
+      "profile": "https://github.com/7047payloads",
+      "contributions": [
+        "code"
+      ]
+    },
+    {
+      "login": "unkn0wnsyst3m",
+      "name": "unkn0wnsyst3m",
+      "avatar_url": "https://avatars.githubusercontent.com/u/21272239?v=4",
+      "profile": "https://github.com/unkn0wnsyst3m",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "its0x08",
+      "name": "0x08",
+      "avatar_url": "https://avatars.githubusercontent.com/u/15280042?v=4",
+      "profile": "https://ironwort.me/",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "MD-Levitan",
+      "name": "kusok",
+      "avatar_url": "https://avatars.githubusercontent.com/u/12116508?v=4",
+      "profile": "https://github.com/MD-Levitan",
+      "contributions": [
+        "ideas",
+        "code"
+      ]
+    },
+    {
+      "login": "godylockz",
+      "name": "godylockz",
+      "avatar_url": "https://avatars.githubusercontent.com/u/81207744?v=4",
+      "profile": "https://github.com/godylockz",
+      "contributions": [
+        "ideas",
+        "code"
+      ]
+    },
+    {
+      "login": "0dayCTF",
+      "name": "Ryan Montgomery",
+      "avatar_url": "https://avatars.githubusercontent.com/u/44453666?v=4",
+      "profile": "http://ryanmontgomery.me",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "ippsec",
+      "name": "ippsec",
+      "avatar_url": "https://avatars.githubusercontent.com/u/24677271?v=4",
+      "profile": "https://github.com/IppSec",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "gtjamesa",
+      "name": "James",
+      "avatar_url": "https://avatars.githubusercontent.com/u/2078364?v=4",
+      "profile": "https://github.com/gtjamesa",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "jhaddix",
+      "name": "Jason Haddix",
+      "avatar_url": "https://avatars.githubusercontent.com/u/3488554?v=4",
+      "profile": "https://twitter.com/Jhaddix",
+      "contributions": [
+        "ideas",
+        "bug"
+      ]
+    },
+    {
+      "login": "ThisLimn0",
+      "name": "Limn0",
+      "avatar_url": "https://avatars.githubusercontent.com/u/67125885?v=4",
+      "profile": "https://github.com/ThisLimn0",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "0xdf223",
+      "name": "0xdf",
+      "avatar_url": "https://avatars.githubusercontent.com/u/76954092?v=4",
+      "profile": "https://github.com/0xdf223",
+      "contributions": [
+        "bug",
+        "ideas"
+      ]
+    },
+    {
+      "login": "Flangyver",
+      "name": "Flangyver",
+      "avatar_url": "https://avatars.githubusercontent.com/u/59575870?v=4",
+      "profile": "https://github.com/Flangyver",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "DonatoReis",
+      "name": "PeakyBlinder",
+      "avatar_url": "https://avatars.githubusercontent.com/u/93531354?v=4",
+      "profile": "https://github.com/DonatoReis",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "postmodern",
+      "name": "Postmodern",
+      "avatar_url": "https://avatars.githubusercontent.com/u/12671?v=4",
+      "profile": "https://postmodern.github.io/",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "herrcykel",
+      "name": "O",
+      "avatar_url": "https://avatars.githubusercontent.com/u/1936757?v=4",
+      "profile": "https://github.com/herrcykel",
+      "contributions": [
+        "code"
+      ]
+    },
+    {
+      "login": "udoprog",
+      "name": "John-John Tedro",
+      "avatar_url": "https://avatars.githubusercontent.com/u/111092?v=4",
+      "profile": "http://udoprog.github.io/",
+      "contributions": [
+        "code"
+      ]
+    },
+    {
+      "login": "kmanc",
+      "name": "kmanc",
+      "avatar_url": "https://avatars.githubusercontent.com/u/14863147?v=4",
+      "profile": "https://github.com/kmanc",
+      "contributions": [
+        "bug",
+        "code"
+      ]
+    },
+    {
+      "login": "hakdogpinas",
+      "name": "hakdogpinas",
+      "avatar_url": "https://avatars.githubusercontent.com/u/71529469?v=4",
+      "profile": "https://github.com/hakdogpinas",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "duokebei",
+      "name": "多可悲",
+      "avatar_url": "https://avatars.githubusercontent.com/u/75022552?v=4",
+      "profile": "https://github.com/duokebei",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "aidanhall34",
+      "name": "Aidan Hall",
+      "avatar_url": "https://avatars.githubusercontent.com/u/58670593?v=4",
+      "profile": "https://blog.ah34.net/",
+      "contributions": [
+        "code",
+        "infra"
+      ]
+    },
+    {
+      "login": "joaociocca",
+      "name": "João Ciocca",
+      "avatar_url": "https://avatars.githubusercontent.com/u/6473725?v=4",
+      "profile": "https://hachyderm.io/@JohnnyCiocca",
+      "contributions": [
+        "bug",
+        "ideas"
+      ]
+    },
+    {
+      "login": "f3rn0s",
+      "name": "f3rn0s",
+      "avatar_url": "https://avatars.githubusercontent.com/u/1351279?v=4",
+      "profile": "https://github.com/f3rn0s",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "pich4ya",
+      "name": "LongCat",
+      "avatar_url": "https://avatars.githubusercontent.com/u/2099767?v=4",
+      "profile": "https://sth.sh",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "xaeroborg",
+      "name": "xaeroborg",
+      "avatar_url": "https://avatars.githubusercontent.com/u/33274680?v=4",
+      "profile": "https://github.com/xaeroborg",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "Luoooio",
+      "name": "Luoooio",
+      "avatar_url": "https://avatars.githubusercontent.com/u/26653157?v=4",
+      "profile": "https://github.com/Luoooio",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "aancw",
+      "name": "Aan",
+      "avatar_url": "https://avatars.githubusercontent.com/u/6284204?v=4",
+      "profile": "https://petruknisme.com",
+      "contributions": [
+        "code",
+        "infra",
+        "ideas"
+      ]
+    },
+    {
+      "login": "imBigo",
+      "name": "Simon",
+      "avatar_url": "https://avatars.githubusercontent.com/u/54672433?v=4",
+      "profile": "https://github.com/imBigo",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "acut3",
+      "name": "Nicolas Christin",
+      "avatar_url": "https://avatars.githubusercontent.com/u/17295243?v=4",
+      "profile": "https://acut3.github.io/",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "DrorDvash",
+      "name": "DrDv",
+      "avatar_url": "https://avatars.githubusercontent.com/u/8413651?v=4",
+      "profile": "https://github.com/DrorDvash",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "aroly",
+      "name": "Antoine Roly",
+      "avatar_url": "https://avatars.githubusercontent.com/u/1257705?v=4",
+      "profile": "https://github.com/aroly",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "lavafroth",
+      "name": "Himadri Bhattacharjee",
+      "avatar_url": "https://avatars.githubusercontent.com/u/107522312?v=4",
+      "profile": "http://lavafroth.is-a.dev",
+      "contributions": [
+        "code",
+        "ideas"
+      ]
+    },
+    {
+      "login": "AkechiShiro",
+      "name": "Samy Lahfa",
+      "avatar_url": "https://avatars.githubusercontent.com/u/14914796?v=4",
+      "profile": "https://github.com/AkechiShiro",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "sectroyer",
+      "name": "sectroyer",
+      "avatar_url": "https://avatars.githubusercontent.com/u/6706818?v=4",
+      "profile": "https://github.com/sectroyer",
+      "contributions": [
+        "bug",
+        "ideas"
+      ]
+    },
+    {
+      "login": "ktecv2000",
+      "name": "ktecv2000",
+      "avatar_url": "https://avatars.githubusercontent.com/u/19836003?v=4",
+      "profile": "https://medium.com/@b3rm1nG",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "andreademurtas",
+      "name": "Andrea De Murtas",
+      "avatar_url": "https://avatars.githubusercontent.com/u/56048157?v=4",
+      "profile": "http://untrue.me",
+      "contributions": [
+        "code"
+      ]
+    },
+    {
+      "login": "sawmj",
+      "name": "sawmj",
+      "avatar_url": "https://avatars.githubusercontent.com/u/30024085?v=4",
+      "profile": "https://github.com/sawmj",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "devx00",
+      "name": "Zach Hanson",
+      "avatar_url": "https://avatars.githubusercontent.com/u/6897405?v=4",
+      "profile": "https://github.com/devx00",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "ocervell",
+      "name": "Olivier Cervello",
+      "avatar_url": "https://avatars.githubusercontent.com/u/9629314?v=4",
+      "profile": "https://github.com/ocervell",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "RavySena",
+      "name": "RavySena",
+      "avatar_url": "https://avatars.githubusercontent.com/u/67729597?v=4",
+      "profile": "https://github.com/RavySena",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "stuhlmann",
+      "name": "Florian Stuhlmann",
+      "avatar_url": "https://avatars.githubusercontent.com/u/11061864?v=4",
+      "profile": "https://github.com/stuhlmann",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "Mister7F",
+      "name": "Mister7F",
+      "avatar_url": "https://avatars.githubusercontent.com/u/35213773?v=4",
+      "profile": "https://github.com/Mister7F",
+      "contributions": [
+        "ideas"
+      ]
+    }
+  ],
+  "contributorsPerLine": 7,
+  "projectName": "feroxbuster",
+  "projectOwner": "epi052",
+  "repoType": "github",
+  "repoHost": "https://github.com",
+  "skipCi": true,
+  "commitConvention": "angular",
+  "commitType": "docs"
+}

.cargo/config

@@ -0,0 +1,5 @@
+[target.armv7-unknown-linux-gnueabihf]
+linker = "arm-linux-gnueabihf-gcc"
+
+[target.aarch64-unknown-linux-gnu]
+linker = "aarch64-linux-gnu-gcc"

.github/FUNDING.yml

@@ -0,0 +1,4 @@
+# These are supported funding model platforms
+
+github: [epi052]
+ko_fi: epi052

.github/pull_request_template.md

@@ -11,12 +11,16 @@ Long form explanations of most of the items below can be found in the [CONTRIBUT
 
 ## Static analysis checks
 - [ ] All rust files are formatted using `cargo fmt`
-- [ ] All `clippy` checks pass when running `cargo clippy --all-targets --all-features -- -D warnings -A clippy::deref_addrof -A clippy::mutex-atomic`
+- [ ] All `clippy` checks pass when running `cargo clippy --all-targets --all-features -- -D warnings -A clippy::mutex-atomic`
 - [ ] All existing tests pass
 
 ## Documentation
 - [ ] New code is documented using [doc comments](https://doc.rust-lang.org/stable/rust-by-example/meta/doc.html)
-- [ ] Documentation about your PR is included in the README, as needed
+- [ ] Documentation about your PR is included in the `docs`, as needed. The docs live in a [separate repository](https://epi052.github.io/feroxbuster-docs/docs/). Update the appropriate pages at the links below.
+  - [ ] update [example config file section](https://epi052.github.io/feroxbuster-docs/docs/configuration/ferox-config-toml/)
+  - [ ] update [help output section](https://epi052.github.io/feroxbuster-docs/docs/configuration/command-line/)
+  - [ ] add an [example](https://epi052.github.io/feroxbuster-docs/docs/examples/)
+  - [ ] update [comparison table](https://epi052.github.io/feroxbuster-docs/docs/compare/)
 
 ## Additional Tests
 - [ ] New code is unit tested

.github/stale.yml

@@ -6,6 +6,7 @@ daysUntilClose: 7
 exemptLabels:
   - pinned
   - security
+  - confirmed
 # Label to use when marking an issue as stale
 staleLabel: stale
 # Comment to post when marking an issue as stale. Set to `false` to disable

.github/workflows/build.yml

@@ -4,11 +4,13 @@ on: [push]
 
 jobs:
   build-nix:
+    env:
+      IN_PIPELINE: true
     runs-on: ${{ matrix.os }}
     if: github.ref == 'refs/heads/main'
     strategy:
       matrix:
-        type: [ubuntu-x64, ubuntu-x86]
+        type: [ubuntu-x64, ubuntu-x86, armv7, aarch64]
         include:
           - type: ubuntu-x64
             os: ubuntu-latest
@@ -22,12 +24,25 @@ jobs:
             name: x86-linux-feroxbuster
             path: target/i686-unknown-linux-musl/release/feroxbuster
             pkg_config_path: /usr/lib/i686-linux-gnu/pkgconfig
+          - type: armv7
+            os: ubuntu-latest
+            target: armv7-unknown-linux-gnueabihf
+            name: armv7-linux-feroxbuster
+            path: target/armv7-unknown-linux-gnueabihf/release/feroxbuster
+            pkg_config_path: /usr/lib/x86_64-linux-gnu/pkgconfig
+          - type: aarch64
+            os: ubuntu-latest
+            target: aarch64-unknown-linux-gnu
+            name: aarch64-linux-feroxbuster
+            path: target/aarch64-unknown-linux-gnu/release/feroxbuster
+            pkg_config_path: /usr/lib/x86_64-linux-gnu/pkgconfig
     steps:
       - uses: actions/checkout@v2
       - name: Install System Dependencies
         run: |
+          env
           sudo apt-get update
-          sudo apt-get install -y --no-install-recommends libssl-dev pkg-config
+          sudo apt-get install -y --no-install-recommends libssl-dev pkg-config gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu
       - uses: actions-rs/toolchain@v1
         with:
           toolchain: stable
@@ -43,7 +58,7 @@ jobs:
           args: --release --target=${{ matrix.target }}
       - name: Strip symbols from binary
         run: |
-          strip -s ${{ matrix.path }}
+          strip -s ${{ matrix.path }} || arm-linux-gnueabihf-strip -s ${{ matrix.path }} || aarch64-linux-gnu-strip -s ${{ matrix.path }}
       - name: Build tar.gz for homebrew installs
         if: matrix.type == 'ubuntu-x64'
         run: |
@@ -58,20 +73,55 @@ jobs:
           name: ${{ matrix.name }}.tar.gz
           path: ${{ matrix.name }}.tar.gz
 
-  build-deb:
-    needs: [build-nix]
+  build-debug:
+    env:
+      IN_PIPELINE: true
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@master
-      - name: Deb Build
-        uses: ebbflow-io/cargo-deb-amd64-ubuntu@1.0
-      - name: Upload Deb Artifact
-        uses: actions/upload-artifact@v2
+      - uses: actions/checkout@v2
+      - name: Install System Dependencies
+        run: |
+          env
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends libssl-dev pkg-config
+      - uses: actions-rs/toolchain@v1
         with:
-          name: feroxbuster_amd64.deb
-          path: ./target/x86_64-unknown-linux-musl/debian/*
+          toolchain: stable
+          target: x86_64-unknown-linux-musl
+          override: true
+      - uses: actions-rs/cargo@v1
+        env:
+          PKG_CONFIG_PATH: /usr/lib/x86_64-linux-gnu/pkgconfig
+          OPENSSL_DIR: /usr/lib/ssl
+        with:
+          use-cross: true
+          command: build
+          args: --target=x86_64-unknown-linux-musl
+      - uses: actions/upload-artifact@v2
+        with:
+          name: x86_64-linux-debug-feroxbuster
+          path: target/x86_64-unknown-linux-musl/debug/feroxbuster
+
+  # build-deb:
+  #   needs: [build-nix]
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - uses: actions/checkout@master
+  #     - name: Install cargo-deb
+  #       run: cargo install -f cargo-deb
+  #     - name: Install musl toolchain
+  #       run: rustup target add x86_64-unknown-linux-musl
+  #     - name: Deb Build
+  #       run: cargo deb --target=x86_64-unknown-linux-musl
+  #     - name: Upload Deb Artifact
+  #       uses: actions/upload-artifact@v2
+  #       with:
+  #         name: feroxbuster_amd64.deb
+  #         path: ./target/x86_64-unknown-linux-musl/debian/*
 
   build-macos:
+    env:
+      IN_PIPELINE: true
     runs-on: macos-latest
     if: github.ref == 'refs/heads/main'
     steps:
@@ -102,6 +152,8 @@ jobs:
           path: x86_64-macos-feroxbuster.tar.gz
 
   build-windows:
+    env:
+      IN_PIPELINE: true
     runs-on: ${{ matrix.os }}
     if: github.ref == 'refs/heads/main'
     strategy:
@@ -134,4 +186,3 @@ jobs:
         with:
           name: ${{ matrix.name }}
           path: ${{ matrix.path }}
-

.github/workflows/check.yml

@@ -8,11 +8,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - uses: actions-rs/toolchain@v1
-        with:
-          profile: minimal
-          toolchain: stable
-          override: true
       - uses: actions-rs/cargo@v1
         with:
           command: check
@@ -22,26 +17,19 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - uses: actions-rs/toolchain@v1
+      - name: Install latest nextest release
+        uses: taiki-e/install-action@nextest
+      - name: Test with latest nextest release
+        uses: actions-rs/cargo@v1
         with:
-          profile: minimal
-          toolchain: stable
-          override: true
-      - uses: actions-rs/cargo@v1
-        with:
-          command: test
+          command: nextest
+          args: run --all-features --all-targets --retries 10
 
   fmt:
     name: Rust fmt
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - uses: actions-rs/toolchain@v1
-        with:
-          profile: minimal
-          toolchain: stable
-          override: true
-      - run: rustup component add rustfmt
       - uses: actions-rs/cargo@v1
         with:
           command: fmt
@@ -52,13 +40,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - uses: actions-rs/toolchain@v1
-        with:
-          profile: minimal
-          toolchain: stable
-          override: true
-      - run: rustup component add clippy
       - uses: actions-rs/cargo@v1
         with:
           command: clippy
-          args: --all-targets --all-features -- -D warnings -A clippy::deref_addrof -A clippy::mutex-atomic
+          args: --all-targets --all-features -- -D warnings

.github/workflows/cicd-to-dockerhub.yml

@@ -0,0 +1,34 @@
+name: ci-to-dockerhub
+
+on:
+  push:
+    branches: [ main ]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Build and push
+        id: docker_build
+        uses: docker/build-push-action@v2
+        with:
+          context: ./
+          file: ./Dockerfile
+          push: true
+          tags: ${{ secrets.DOCKER_HUB_USERNAME }}/feroxbuster:latest
+
+      - name: Image digest
+        run: echo ${{ steps.docker_build.outputs.digest }}

.github/workflows/coverage.yml

@@ -3,42 +3,22 @@ on: [push]
 name: Code Coverage Pipeline
 
 jobs:
-  upload-coverage:
+  coverage:
+    name: LLVM Coverage
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v1
-      - uses: actions-rs/toolchain@v1
+      - uses: actions/checkout@v3
+      - uses: dtolnay/rust-toolchain@stable
         with:
-          toolchain: nightly
-          override: true
-      - uses: actions-rs/cargo@v1
+          components: llvm-tools-preview
+      - name: Install cargo-llvm-cov and cargo-nextest
+        uses: taiki-e/install-action@v2
         with:
-          command: clean
-      - uses: actions-rs/cargo@v1
+          tool: cargo-nextest,cargo-llvm-cov
+      - name: Generate code coverage
+        run: cargo llvm-cov nextest --all-features --no-fail-fast --lcov --output-path lcov.info
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v3
         with:
-          command: test
-          args: --all-features --no-fail-fast
-        env:
-          CARGO_INCREMENTAL: '0'
-          RUSTFLAGS: '-Zprofile -Ccodegen-units=1 -Copt-level=0 -Clink-dead-code -Coverflow-checks=off -Zpanic_abort_tests -Cpanic=abort'
-          RUSTDOCFLAGS: '-Cpanic=abort'
-      - uses: actions-rs/grcov@v0.1
-      - uses: actions/upload-artifact@v2
-        with:
-          name: lcov.info
-          path: lcov.info
-      - name: Convert lcov to xml
-        run: |
-          curl -O https://raw.githubusercontent.com/epi052/lcov-to-cobertura-xml/master/lcov_cobertura/lcov_cobertura.py
-          chmod +x lcov_cobertura.py
-          ./lcov_cobertura.py ./lcov.info
-      - uses: codecov/codecov-action@v1
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          file: ./coverage.xml
-          name: codecov-umbrella
+          files: lcov.info
           fail_ci_if_error: true
-      - uses: actions/upload-artifact@v2
-        with:
-          name: coverage.xml
-          path: ./coverage.xml

.gitignore

@@ -9,6 +9,9 @@ target/
 # jetbrains metadata folder
 .idea/
 
+# vscode metadata folder
+.vscode/
+
 # personal feroxbuster config for testing
 ferox-config.toml
 
@@ -23,7 +26,10 @@ lcov_cobertura.py
 .dockerignore
 
 # state file created during tests
-ferox-http*
+ferox-*.state
 
 # python stuff cuz reasons
 Pipfile*
+
+# ignore choco_package generated nupkg
+/choco_package/*.nupkg

CONTRIBUTING.md

@@ -76,35 +76,35 @@ Now that you have a copy of your fork, there is work you will need to do to keep
 
 Do this prior to every time you create a branch for a PR:
 
-1. Make sure you are on the `master` branch
+1. Make sure you are on the `main` branch
 
   > ```sh
   > $ git status
-  > On branch master
-  > Your branch is up-to-date with 'origin/master'.
+  > On branch main
+  > Your branch is up-to-date with 'origin/main'.
   > ```
 
-  > If your aren't on `master`, resolve outstanding files and commits and checkout the `master` branch
+  > If your aren't on `main`, resolve outstanding files and commits and checkout the `main` branch
 
   > ```sh
-  > $ git checkout master
+  > $ git checkout main
   > ```
 
 2. Do a pull with rebase against `upstream`
 
   > ```sh
-  > $ git pull --rebase upstream master
+  > $ git pull --rebase upstream main
   > ```
 
-  > This will pull down all of the changes to the official master branch, without making an additional commit in your local repo.
+  > This will pull down all of the changes to the official main branch, without making an additional commit in your local repo.
 
-3. (_Optional_) Force push your updated master branch to your GitHub fork
+3. (_Optional_) Force push your updated main branch to your GitHub fork
 
   > ```sh
-  > $ git push origin master --force
+  > $ git push origin main --force
   > ```
 
-  > This will overwrite the master branch of your fork.
+  > This will overwrite the main branch of your fork.
 
 ### Creating a branch
 
@@ -166,7 +166,7 @@ primarily related to continuous integration and release deployment.
 
 feroxbuster uses the [`clippy`](https://rust-lang.github.io/rust-clippy/) code linter.
 
-The command that will ultimately be used in the CI pipeline for linting is `cargo clippy --all-targets --all-features -- -D warnings -A clippy::unnecessary_unwrap`.  
+The command that will ultimately be used in the CI pipeline for linting is `cargo clippy --all-targets --all-features -- -D warnings -A clippy::mutex-atomic`.
 
 Before submitting a Pull Request, the above command should be run. Please do not ignore any linting errors in code you write or modify, as they are meant to **help** by ensuring a clean and simple code base.
 
@@ -214,20 +214,20 @@ GitHub has a good guide on how to contribute to open source [here](https://opens
 
 ##### Editing via your local fork
 
-1.  Perform the maintenance step of rebasing `master`
-2.  Ensure you're on the `master` branch using `git status`:
+1.  Perform the maintenance step of rebasing `main`
+2.  Ensure you're on the `main` branch using `git status`:
 
 ```sh
 $ git status
-On branch master
-Your branch is up-to-date with 'origin/master'.
+On branch main
+Your branch is up-to-date with 'origin/main'.
 
 nothing to commit, working directory clean
 ```
 
-1.  If you're not on master or your working directory is not clean, resolve
-    any outstanding files/commits and checkout master `git checkout master`
-2.  Create a branch off of `master` with git: `git checkout -B
+1.  If you're not on main or your working directory is not clean, resolve
+    any outstanding files/commits and checkout main `git checkout main`
+2.  Create a branch off of `main` with git: `git checkout -B
     branch/name-here`
 3.  Edit your file(s) locally with the editor of your choice
 4.  Check your `git status` to see unstaged files
@@ -239,8 +239,8 @@ nothing to commit, working directory clean
 8.  Push your commits to your GitHub Fork: `git push -u origin branch/name-here`
 9.  Once the edits have been committed, you will be prompted to create a pull
     request on your fork's GitHub page
-10.  By default, all pull requests should be against the `master` branch
-11.  Submit a pull request from your branch to feroxbuster's `master` branch
+10.  By default, all pull requests should be against the `main` branch
+11.  Submit a pull request from your branch to feroxbuster's `main` branch
 12.  The title (also called the subject) of your PR should be descriptive of your
     changes and succinctly indicate what is being fixed
     -   Examples: `Add test cases for Unicode support`; `Correct typo in overview documentation`

Cargo.toml

@@ -1,14 +1,20 @@
 [package]
 name = "feroxbuster"
-version = "2.2.1"
-authors = ["Ben 'epi' Risher <epibar052@gmail.com>"]
+version = "2.10.2"
+authors = ["Ben 'epi' Risher (@epi052)"]
 license = "MIT"
-edition = "2018"
+edition = "2021"
 homepage = "https://github.com/epi052/feroxbuster"
 repository = "https://github.com/epi052/feroxbuster"
 description = "A fast, simple, recursive content discovery tool."
 categories = ["command-line-utilities"]
-keywords = ["pentest", "enumeration", "url-bruteforce", "content-discovery", "web"]
+keywords = [
+    "pentest",
+    "enumeration",
+    "url-bruteforce",
+    "content-discovery",
+    "web",
+]
 exclude = [".github/*", "img/*", "check-coverage.sh"]
 build = "build.rs"
 
@@ -16,40 +22,57 @@ build = "build.rs"
 maintenance = { status = "actively-developed" }
 
 [build-dependencies]
-clap = "2.33"
-regex = "1"
+clap = { version = "4.4", features = ["wrap_help", "cargo"] }
+clap_complete = "4.4"
+regex = "1.10"
 lazy_static = "1.4"
+dirs = "5.0"
 
 [dependencies]
-futures = { version = "0.3"}
-tokio = { version = "1.2.0", features = ["full"] }
-tokio-util = {version = "0.6.3", features = ["codec"]}
+scraper = "0.18"
+futures = "0.3"
+tokio = { version = "1.35", features = ["full"] }
+tokio-util = { version = "0.7", features = ["codec"] }
 log = "0.4"
-env_logger = "0.8.3"
-reqwest = { version = "0.11.1", features = ["socks"] }
-clap = "2.33"
+env_logger = "0.10"
+reqwest = { version = "0.11", features = ["socks", "native-tls-alpn"] }
+# uses feature unification to add 'serde' to reqwest::Url
+url = { version = "2.5", features = ["serde"] }
+serde_regex = "1.1"
+clap = { version = "4.4", features = ["wrap_help", "cargo"] }
 lazy_static = "1.4"
-toml = "0.5"
+toml = "0.8"
 serde = { version = "1.0", features = ["derive", "rc"] }
-serde_json = "1.0.62"
-uuid = { version = "0.8", features = ["v4"] }
-indicatif = "0.15"
-console = "0.14"
+serde_json = "1.0"
+uuid = { version = "1.6", features = ["v4"] }
+# last known working version of indicatif; 0.17.5 has a bug that causes the 
+# scan menu to fail spectacularly 
+indicatif = { version = "0.17.3" }
+console = "0.15"
 openssl = { version = "0.10", features = ["vendored"] }
-dirs = "3.0"
-regex = "1"
-crossterm = "0.19"
-rlimit = "0.5"
-ctrlc = "3.1"
-fuzzyhash = "0.2.1"
+dirs = "5.0"
+regex = "1.10"
+crossterm = "0.27"
+rlimit = "0.10"
+ctrlc = "3.4"
 anyhow = "1.0"
-leaky-bucket = "0.10.0"
+leaky-bucket = "1.0"
+gaoya = "0.2"
+# 0.37+ relies on the broken version of indicatif and forces
+# the broken version to be used regardless of the version
+# specified above 
+self_update = { version = "0.36", features = [
+    "archive-tar",
+    "compression-flate2",
+    "archive-zip",
+    "compression-zip-deflate",
+] }
 
 [dev-dependencies]
-tempfile = "3.1"
-httpmock = "0.5.2"
-assert_cmd = "1.0.3"
-predicates = "1.0.7"
+tempfile = "3.9"
+httpmock = "0.6"
+assert_cmd = "2.0"
+predicates = "3.1"
 
 [profile.release]
 lto = true
@@ -61,6 +84,29 @@ section = "utility"
 license-file = ["LICENSE", "4"]
 conf-files = ["/etc/feroxbuster/ferox-config.toml"]
 assets = [
-    ["target/release/feroxbuster", "/usr/bin/", "755"],
-    ["ferox-config.toml.example", "/etc/feroxbuster/ferox-config.toml", "644"],
+    [
+        "target/release/feroxbuster",
+        "/usr/bin/",
+        "755",
+    ],
+    [
+        "ferox-config.toml.example",
+        "/etc/feroxbuster/ferox-config.toml",
+        "644",
+    ],
+    [
+        "shell_completions/feroxbuster.bash",
+        "/usr/share/bash-completion/completions/feroxbuster.bash",
+        "644",
+    ],
+    [
+        "shell_completions/feroxbuster.fish",
+        "/usr/share/fish/completions/feroxbuster.fish",
+        "644",
+    ],
+    [
+        "shell_completions/_feroxbuster",
+        "/usr/share/zsh/vendor-completions/_feroxbuster",
+        "644",
+    ],
 ]

Dockerfile

@@ -1,14 +1,23 @@
-FROM alpine:latest
+FROM alpine:3.17.1 as build
 LABEL maintainer="wfnintr@null.net"
 
-RUN sed -i -e 's/v[[:digit:]]\..*\//edge\//g' /etc/apk/repositories && apk upgrade --update-cache --available
+RUN apk upgrade --update-cache --available && apk add --update openssl
 
-# download default wordlists 
-RUN apk add --no-cache --virtual .depends subversion font-noto-emoji && \
-	svn export https://github.com/danielmiessler/SecLists/trunk/Discovery/Web-Content /usr/share/seclists/Discovery/Web-Content && \
-	apk del .depends
+# Download latest release
+RUN wget https://github.com/epi052/feroxbuster/releases/latest/download/x86_64-linux-feroxbuster.zip -qO feroxbuster.zip \
+    && unzip -d /tmp/ feroxbuster.zip feroxbuster \
+    && chmod +x /tmp/feroxbuster \
+    && wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/raft-medium-directories.txt -O /tmp/raft-medium-directories.txt
 
-# install latest release
-RUN wget https://github.com/epi052/feroxbuster/releases/latest/download/x86_64-linux-feroxbuster.zip -qO feroxbuster.zip && unzip -d /usr/local/bin/ feroxbuster.zip feroxbuster && rm feroxbuster.zip && chmod +x /usr/local/bin/feroxbuster
+from alpine:3.17.1 as release
+COPY --from=build /tmp/raft-medium-directories.txt /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
+COPY --from=build /tmp/feroxbuster /usr/local/bin/feroxbuster
+
+RUN adduser \
+    --gecos "" \
+    --disabled-password \
+    feroxbuster
+
+USER feroxbuster
 
 ENTRYPOINT ["feroxbuster"]

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2020 epi
+Copyright (c) 2020-2023 epi
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

Makefile

@@ -6,12 +6,16 @@ datarootdir = $(prefix)/share
 datadir = $(datarootdir)
 example_config = ferox-config.toml.example
 config_file = ferox-config.toml
+completion_dir = shell_completions
+completion_prefix = $(completion_dir)/$(BIN)
 
+BIN=feroxbuster
 SHR_SOURCES = $(shell find src -type f -wholename '*src/*.rs') Cargo.toml Cargo.lock
 
 RELEASE = debug
 DEBUG ?= 0
-ifeq (0,$(DEBUG))
+
+ifeq (0, $(DEBUG))
 	ARGS = --release
 	RELEASE = release
 endif
@@ -23,54 +27,53 @@ endif
 
 TARGET = target/$(RELEASE)
 
-.PHONY: all clean distclean install uninstall update
-
-BIN=feroxbuster
-DESKTOP=$(APPID).desktop
+.PHONY: all clean install uninstall test update
 
 all: cli
-
 cli: $(TARGET)/$(BIN) $(TARGET)/$(BIN).1.gz $(SHR_SOURCES)
+install: all install-cli
+
+verify:
+	cargo fmt
+	cargo clippy --all-targets --all-features -- -D warnings -A clippy::mutex-atomic
+	cargo test
 
 clean:
 	cargo clean
 
-distclean: clean
-	rm -rf .cargo vendor Cargo.lock vendor.tar
-
 vendor: vendor.tar
 
 vendor.tar:
-	mkdir -p .cargo
-	cargo vendor | head -n -1 > .cargo/config
-	echo 'directory = "vendor"' >> .cargo/config
+	cargo vendor
 	tar pcf vendor.tar vendor
 	rm -rf vendor
 
 install-cli: cli
-	install -Dm 0755 "$(TARGET)/$(BIN)" "$(DESTDIR)$(bindir)/$(BIN)"
+	install -Dm 0644 "$(completion_prefix).bash" "$(DESTDIR)/usr/share/bash-completion/completions/$(BIN).bash"
+	install -Dm 0644 "$(completion_prefix).fish" "$(DESTDIR)/usr/share/fish/completions/$(BIN).fish"
+	install -Dm 0644 "$(completion_dir)/_$(BIN)" "$(DESTDIR)/usr/share/zsh/vendor-completions/_$(BIN)"
+	install -sDm 0755 "$(TARGET)/$(BIN)" "$(DESTDIR)$(bindir)/$(BIN)"
 	install -Dm 0644 "$(TARGET)/$(BIN).1.gz" "$(DESTDIR)$(datadir)/man/man1/$(BIN).1.gz"
-	install -Dm 0644 "$(example_config)" "/etc/$(BIN)/$(config_File)"
+	install -Dm 0644 "$(example_config)" "$(DESTDIR)/etc/$(BIN)/$(config_file)"
 
-install: all install-cli
-
-uninstall-cli:
+uninstall:
 	rm -f "$(DESTDIR)$(bindir)/$(BIN)"
 	rm -f "$(DESTDIR)$(datadir)/man/man1/$(BIN).1.gz"
-	rm -rf "/etc/$(BIN)/"
-
-uninstall: uninstall-cli
-
-update:
-	cargo update
+	rm -rf "$(DESTDIR)/etc/$(BIN)/"
+	rm -f "$(DESTDIR)/usr/share/bash-completion/completions/$(BIN).bash"
+	rm -f "$(DESTDIR)/usr/share/zsh/vendor-completions/_$(BIN)"
+	rm -f "$(DESTDIR)/usr/share/fish/completions/$(BIN).fish"
 
 extract:
-ifeq ($(VENDORED),1)
+ifeq (1, $(VENDORED))
 	tar pxf vendor.tar
 endif
 
 $(TARGET)/$(BIN): extract
-	cargo build --manifest-path Cargo.toml $(ARGS)
+	mkdir -p .cargo debian
+	touch debian/cargo.config
+	cp debian/cargo.config .cargo/config.toml
+	cargo build $(ARGS)
 
 $(TARGET)/$(BIN).1.gz: $(TARGET)/$(BIN)
 	help2man --no-info $< | gzip -c > $@.partial

Makefile.toml

@@ -0,0 +1,32 @@
+# composite tasks
+[tasks.upgrade]
+dependencies = ["upgrade-deps", "update"]
+
+# cleaning
+[tasks.clean-state]
+script = """
+rm ferox-*.state
+"""
+
+# dependency management
+[tasks.upgrade-deps]
+command = "cargo"
+args = ["upgrade", "--exclude", "indicatif", "--exclude", "self_update"]
+
+[tasks.update]
+command = "cargo"
+args = ["update"]
+
+# clippy / lint
+[tasks.clippy]
+clear = true
+script = """
+cargo clippy --all-targets --all-features -- -D warnings
+"""
+
+# tests
+[tasks.test]
+clear = true
+script = """
+cargo nextest run --all-features --all-targets --retries 10
+"""

build.rs

@@ -1,6 +1,7 @@
-extern crate clap;
+use std::fs::{copy, create_dir_all, OpenOptions};
+use std::io::{Read, Seek, Write};
 
-use clap::Shell;
+use clap_complete::{generate_to, shells};
 
 include!("src/parser.rs");
 
@@ -15,9 +16,65 @@ fn main() {
 
     let mut app = initialize();
 
-    let shells: [Shell; 4] = [Shell::Bash, Shell::Fish, Shell::Zsh, Shell::PowerShell];
+    generate_to(shells::Bash, &mut app, "feroxbuster", outdir).unwrap();
+    generate_to(shells::Zsh, &mut app, "feroxbuster", outdir).unwrap();
+    generate_to(shells::Zsh, &mut app, "feroxbuster", outdir).unwrap();
+    generate_to(shells::PowerShell, &mut app, "feroxbuster", outdir).unwrap();
+    generate_to(shells::Elvish, &mut app, "feroxbuster", outdir).unwrap();
 
-    for shell in &shells {
-        app.gen_completions("feroxbuster", *shell, outdir);
+    // 0xdf pointed out an oddity when tab-completing options that expect file paths, the fix we
+    // landed on was to add -o plusdirs to the bash completion script. The following code aims to
+    // automate that fix and have it present in all future builds
+    let mut contents = String::new();
+
+    let mut bash_file = OpenOptions::new()
+        .read(true)
+        .write(true)
+        .open(format!("{outdir}/feroxbuster.bash"))
+        .expect("Couldn't open bash completion script");
+
+    bash_file
+        .read_to_string(&mut contents)
+        .expect("Couldn't read bash completion script");
+
+    contents = contents.replace("default feroxbuster", "default -o plusdirs feroxbuster");
+
+    bash_file
+        .rewind()
+        .expect("Couldn't seek to position 0 in bash completion script");
+
+    bash_file
+        .write_all(contents.as_bytes())
+        .expect("Couldn't write updated bash completion script to disk");
+
+    // hunter0x8 let me know that when installing via cargo, it would be nice if we dropped a
+    // config file during the build process. The following code will place an example config in
+    // the user's configuration directory
+    //   - linux: $XDG_CONFIG_HOME or $HOME/.config
+    //   - macOS: $HOME/Library/Application Support
+    //   - windows: {FOLDERID_RoamingAppData}
+    let mut config_dir = dirs::config_dir().expect("Couldn't resolve user's config directory");
+    config_dir = config_dir.join("feroxbuster"); // $HOME/.config/feroxbuster
+
+    if !config_dir.exists() {
+        // recursively create the feroxbuster directory and all of its parent components if
+        // they are missing
+        if create_dir_all(&config_dir).is_err() {
+            // only copy the config file when we're not running in the CI/CD pipeline
+            // which fails with permission denied
+            eprintln!("Couldn't create one or more directories needed to copy the config file");
+            return;
+        }
+    }
+
+    // hard-coding config name here to not rely on the crate we're building, if DEFAULT_CONFIG_NAME
+    // ever changes, this will need to be updated
+    let config_file = config_dir.join("ferox-config.toml");
+
+    if !config_file.exists() {
+        // config file doesn't exist, add it to the config directory
+        if copy("ferox-config.toml.example", config_file).is_err() {
+            eprintln!("Couldn't copy example config into config directory");
+        }
     }
 }

choco_package/feroxbuster.nuspec

@@ -0,0 +1,79 @@
+<?xml version="1.0" encoding="utf-8"?>
+<package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
+  <metadata>
+    <id>feroxbuster</id>
+    <version>2.8.0</version>
+    <packageSourceUrl>https://github.com/epi052/feroxbuster/releases/</packageSourceUrl>
+    <owners>epi052</owners>
+    <title>feroxbuster (Install)</title>
+    <authors>epi052</authors>
+    <projectUrl>https://github.com/epi052/feroxbuster</projectUrl>
+    <iconUrl>https://rawcdn.githack.com/epi052/feroxbuster/2d381e7e057ce60c580b324dd36c9abaf30c2ec7/img/logo/logo.png</iconUrl>
+    <copyright>2020-2023</copyright>
+    <licenseUrl>https://github.com/epi052/feroxbuster/blob/main/LICENSE</licenseUrl>
+    <requireLicenseAcceptance>true</requireLicenseAcceptance>
+    <projectSourceUrl>https://github.com/epi052/feroxbuster</projectSourceUrl>
+    <docsUrl>https://epi052.github.io/feroxbuster-docs/docs/</docsUrl>
+    <!--<mailingListUrl></mailingListUrl>-->
+    <bugTrackerUrl>https://github.com/epi052/feroxbuster/issues</bugTrackerUrl>
+    <tags>content-discovery pentesting-tool url-bruteforcer</tags>
+    <summary>A simple, fast, recursive content discovery tool written in Rust</summary>
+    <description>
+    A simple, fast, recursive content discovery tool written in Rust
+[![Feroxbuster](https://github.com/epi052/feroxbuster/raw/main/img/logo/default-cropped.png)](https://github.com/epi052/feroxbuster)
+
+## What the heck is a ferox anyway?
+
+Ferox is short for Ferric Oxide. Ferric Oxide, simply put, is rust. The name rustbuster was taken, so I decided on a
+variation. 
+
+## What's it do tho?
+
+`feroxbuster` is a tool designed to perform [Forced Browsing](https://owasp.org/www-community/attacks/Forced_browsing).
+
+Forced browsing is an attack where the aim is to enumerate and access resources that are not referenced by the web
+application, but are still accessible by an attacker.
+
+`feroxbuster` uses brute force combined with a wordlist to search for unlinked content in target directories. These
+resources may store sensitive information about web applications and operational systems, such as source code,
+credentials, internal network addressing, etc...
+
+This attack is also known as Predictable Resource Location, File Enumeration, Directory Enumeration, and Resource
+Enumeration.
+
+## Quick Start
+
+This section will cover the minimum amount of information to get up and running with feroxbuster. Please refer the the [documentation](https://epi052.github.io/feroxbuster-docs/docs/), as it's much more comprehensive.
+
+### Installation
+
+There are quite a few other [installation methods](https://epi052.github.io/feroxbuster-docs/docs/installation/), but these snippets should cover the majority of users. 
+
+#### All others Docs
+
+Please refer the the [documentation](https://epi052.github.io/feroxbuster-docs/docs/).
+
+## Example Usage
+
+Here are a few brief examples to get you started.  Please note, feroxbuster can do a **lot more** than what's listed below.  As a result, there are **many more** examples, with **demonstration gifs** that highlight specific features, in the [documentation](https://epi052.github.io/feroxbuster-docs/docs/).
+
+### Multiple Values
+
+Options that take multiple values are very flexible. Consider the following ways of specifying extensions:
+
+```
+./feroxbuster -u http://127.1 -x pdf -x js,html -x php txt json,docx
+```
+
+The command above adds .pdf, .js, .html, .php, .txt, .json, and .docx to each url
+
+All of the methods above (multiple flags, space separated, comma separated, etc...) are valid and interchangeable. The
+same goes for urls, headers, status codes, queries, and size filters.
+</description>
+    <!-- <releaseNotes>__REPLACE_OR_REMOVE__MarkDown_Okay</releaseNotes> -->
+  </metadata>
+  <files>
+    <!-- this section controls what actually gets packaged into the Chocolatey package -->
+    <file src="tools\**" target="tools" />
+  </files>
+</package>

choco_package/legal/LICENSE.txt

@@ -0,0 +1,26 @@
+
+From: https://github.com/epi052/feroxbuster/blob/main/LICENSE
+
+LICENSE
+
+MIT License
+
+Copyright (c) 2020-2023 epi
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

choco_package/legal/VERIFICATION.txt

@@ -0,0 +1,5 @@
+
+VERIFICATION
+
+checksum -t sha512 -f .\x86-windows-feroxbuster.exe.zip
+checksum -t sha512 -f .\x86_64-windows-feroxbuster.exe.zip

choco_package/tools/chocolateyinstall.ps1

@@ -0,0 +1,27 @@
+$ErrorActionPreference = 'Stop' 
+
+$toolsDir   = "$(Split-Path -parent $MyInvocation.MyCommand.Definition)"
+$version    = '2.8.0'
+$url        = "https://github.com/epi052/feroxbuster/releases/download/v$version/x86-windows-feroxbuster.exe.zip"
+$url64      = "https://github.com/epi052/feroxbuster/releases/download/v$version/x86_64-windows-feroxbuster.exe.zip"
+
+$packageArgs = @{
+  packageName   = $env:ChocolateyPackageName
+  unzipLocation = $toolsDir
+  fileType      = 'exe' #only one of these: exe, msi, msu
+  url           = $url
+  url64bit      = $url64
+  #file         = $fileLocation
+
+  softwareName  = 'feroxbuster*' 
+
+  # Checksums are now required as of 0.10.0.
+  # To determine checksums, you can get that from the original site if provided.
+  # You can also use checksum.exe (choco install checksum) and use it
+  # e.g. checksum -t sha256 -f path\to\file
+  checksum      = 'e5cac59c737260233903a17706a68bac11fe0d7a15169e1c5a9637cc221e7230fd6ddbfc1a7243833dde6472ad053c033449ca8338164654f7354363da54ba88'
+  checksumType  = 'sha512'
+  checksum64    = 'cce58d6eacef7e12c31076f5a00fee9742a4e3fdfc69d807d98736200e50469f77359978e137ecafd87b14460845c65c6808d1f8b23ae561f7e7c637e355dee3'
+  checksumType64= 'sha512'
+}
+Install-ChocolateyZipPackage @packageArgs # https://docs.chocolatey.org/en-us/create/functions/install-chocolateyzippackage

choco_package/tools/chocolateyuninstall.ps1

@@ -0,0 +1,47 @@
+$ErrorActionPreference = 'Stop' # stop on all errors
+$packageArgs = @{
+  packageName   = $env:ChocolateyPackageName
+  softwareName  = 'feroxbuster*'  #part or all of the Display Name as you see it in Programs and Features. It should be enough to be unique
+  fileType      = 'exe' #only one of these: MSI or EXE (ignore MSU for now)
+}
+
+# Get-UninstallRegistryKey is new to 0.9.10, if supporting 0.9.9.x and below,
+# take a dependency on "chocolatey-core.extension" in your nuspec file.
+# This is only a fuzzy search if $softwareName includes '*'. Otherwise it is
+# exact. In the case of versions in key names, we recommend removing the version
+# and using '*'.
+[array]$key = Get-UninstallRegistryKey -SoftwareName $packageArgs['softwareName']
+
+if ($key.Count -eq 1) {
+  $key | % {
+    $packageArgs['file'] = "$($_.UninstallString)" #NOTE: You may need to split this if it contains spaces, see below
+
+    if ($packageArgs['fileType'] -eq 'MSI') {
+      # The Product Code GUID is all that should be passed for MSI, and very
+      # FIRST, because it comes directly after /x, which is already set in the
+      # Uninstall-ChocolateyPackage msiargs (facepalm).
+      $packageArgs['silentArgs'] = "$($_.PSChildName) $($packageArgs['silentArgs'])"
+
+      # Don't pass anything for file, it is ignored for msi (facepalm number 2)
+      # Alternatively if you need to pass a path to an msi, determine that and
+      # use it instead of the above in silentArgs, still very first
+      $packageArgs['file'] = ''
+    } else {
+      # NOTES:
+      # - You probably will need to sanitize $packageArgs['file'] as it comes from the registry and could be in a variety of fun but unusable formats
+      # - Split args from exe in $packageArgs['file'] and pass those args through $packageArgs['silentArgs'] or ignore them
+      # - Ensure you don't pass double quotes in $file (aka $packageArgs['file']) - otherwise you will get "Illegal characters in path when you attempt to run this"
+      # - Review the code for auto-uninstaller for all of the fun things it does in sanitizing - https://github.com/chocolatey/choco/blob/bfe351b7d10c798014efe4bfbb100b171db25099/src/chocolatey/infrastructure.app/services/AutomaticUninstallerService.cs#L142-L192
+    }
+
+    Uninstall-ChocolateyPackage @packageArgs
+  }
+} elseif ($key.Count -eq 0) {
+  Write-Warning "$packageName has already been uninstalled by other means."
+} elseif ($key.Count -gt 1) {
+  Write-Warning "$($key.Count) matches found!"
+  Write-Warning "To prevent accidental data loss, no programs will be uninstalled."
+  Write-Warning "Please alert package maintainer the following keys were matched:"
+  $key | % {Write-Warning "- $($_.DisplayName)"}
+}
+

docs/index.html

@@ -0,0 +1,11 @@
+<html>
+<head>
+   <meta http-equiv="refresh"
+   content="0; url=https://epi052.github.io/feroxbuster-docs/">
+</head>
+<body>
+   <p>The page has moved to:
+   <a href="https://epi052.github.io/feroxbuster-docs/">feroxbuster-docs</a></p>
+</body>
+</html>
+

ferox-config.toml.example

@@ -27,15 +27,25 @@
 # output = "/targets/ellingson_mineral_company/gibson.txt"
 # debug_log = "/var/log/find-the-derp.log"
 # user_agent = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0"
+# random_agent = false
 # redirects = true
 # insecure = true
+# collect_words = true
+# collect_backups = true
+# collect_extensions = true
 # extensions = ["php", "html"]
+# dont_collect = ["png", "gif", "jpg", "jpeg"]
+# methods = ["GET", "POST"]
+# data = [11, 12, 13, 14, 15]
+# url_denylist = ["http://dont-scan.me", "https://also-not.me"]
+# regex_denylist = ["/deny.*"]
 # no_recursion = true
 # add_slash = true
 # stdin = true
 # dont_filter = true
 # extract_links = true
 # depth = 1
+# force_recursion = true
 # filter_size = [5174]
 # filter_regex = ["^ignore me$"]
 # filter_similar = ["https://somesite.com/soft404"]
@@ -44,6 +54,9 @@
 # queries = [["name","value"], ["rick", "astley"]]
 # save_state = false
 # time_limit = "10m"
+# server_certs = ["/some/cert.pem", "/some/other/cert.pem"]
+# client_cert = "/some/client/cert.pem"
+# client_key = "/some/client/key.pem"
 
 # headers can be specified on multiple lines or as an inline table
 #

install-nix.sh

@@ -3,59 +3,65 @@
 BASE_URL=https://github.com/epi052/feroxbuster/releases/latest/download
 
 MAC_ZIP=x86_64-macos-feroxbuster.zip
-MAC_URL="${BASE_URL}/${MAC_ZIP}"
+MAC_URL="$BASE_URL/$MAC_ZIP"
 
 LIN32_ZIP=x86-linux-feroxbuster.zip
-LIN32_URL="${BASE_URL}/${LIN32_ZIP}"
+LIN32_URL="$BASE_URL/$LIN32_ZIP"
 
 LIN64_ZIP=x86_64-linux-feroxbuster.zip
-LIN64_URL="${BASE_URL}/${LIN64_ZIP}"
+LIN64_URL="$BASE_URL/$LIN64_ZIP"
 
 EMOJI_URL=https://gist.github.com/epi052/8196b550ea51d0907ad4b93751b1b57d/raw/6112c9f32ae07922983fdc549c54fd3fb9a38e4c/NotoColorEmoji.ttf
 
-echo "[+] Installing feroxbuster!"
+INSTALL_DIR="${1:-$(pwd)}"
 
-if [[ "$(uname)" == "Darwin" ]]; then
-    echo "[=] Found MacOS, downloading from ${MAC_URL}"
+echo "[+] Installing feroxbuster to ${INSTALL_DIR}!"
 
-    curl -sLO "${MAC_URL}"
-    unzip -o "${MAC_ZIP}" > /dev/null
-    rm "${MAC_ZIP}"
-elif [[ "$(expr substr $(uname -s) 1 5)" == "Linux" ]]; then
-    if [[ $(getconf LONG_BIT) == 32 ]]; then
-        echo "[=] Found 32-bit Linux, downloading from ${LIN32_URL}"
-
-        curl -sLO "${LIN32_URL}"
-        unzip -o "${LIN32_ZIP}" > /dev/null
-        rm "${LIN32_ZIP}"
-    else
-        echo "[=] Found 64-bit Linux, downloading from ${LIN64_URL}"
-
-        curl -sLO "${LIN64_URL}"
-        unzip -o "${LIN64_ZIP}" > /dev/null
-        rm "${LIN64_ZIP}"
-    fi
-
-    if [[ -e ~/.fonts/NotoColorEmoji.ttf ]]; then
-       echo "[=] Found Noto Emoji Font, skipping install" 
-    else 
-        echo "[=] Installing Noto Emoji Font"
-        mkdir -p ~/.fonts
-        pushd ~/.fonts 2>&1 >/dev/null
-
-        curl -sLO "${EMOJI_URL}"
-
-        fc-cache -f -v >/dev/null
-
-        popd 2>&1 >/dev/null
-        echo "[+] Noto Emoji Font installed"
-    fi
+which unzip &>/dev/null
+if [ "$?" != "0" ]; then
+  echo "[!] unzip not found, exiting. "
+  exit -1
 fi
 
+if [[ "$(uname)" == "Darwin" ]]; then
+  echo "[=] Found MacOS, downloading from $MAC_URL"
 
-chmod +x ./feroxbuster
+  curl -sLO "$MAC_URL"
+  unzip -o "$MAC_ZIP" -d "${INSTALL_DIR}" >/dev/null
+  rm "$MAC_ZIP"
+elif [[ "$(expr substr $(uname -s) 1 5)" == "Linux" ]]; then
+  if [[ $(getconf LONG_BIT) == 32 ]]; then
+    echo "[=] Found 32-bit Linux, downloading from $LIN32_URL"
 
-echo "[+] Installed feroxbuster version $(./feroxbuster -V)"
+    curl -sLO "$LIN32_URL"
+    unzip -o "$LIN32_ZIP" -d "${INSTALL_DIR}" >/dev/null
+    rm "$LIN32_ZIP"
+  else
+    echo "[=] Found 64-bit Linux, downloading from $LIN64_URL"
 
+    curl -sLO "$LIN64_URL"
+    unzip -o "$LIN64_ZIP" -d "${INSTALL_DIR}" >/dev/null
+    rm "$LIN64_ZIP"
+  fi
 
+  if [[ -e ~/.fonts/NotoColorEmoji.ttf ]]; then
+    echo "[=] Found Noto Emoji Font, skipping install"
+  else
+    echo "[=] Installing Noto Emoji Font"
+    mkdir -p ~/.fonts
+    pushd ~/.fonts 2>&1 >/dev/null
 
+    curl -sLO "$EMOJI_URL"
+
+    fc-cache -f -v >/dev/null
+
+    popd 2>&1 >/dev/null
+    echo "[+] Noto Emoji Font installed"
+  fi
+fi
+
+chmod +x "${INSTALL_DIR}/feroxbuster"
+
+echo "[+] Installed feroxbuster"
+echo "  [-] path: ${INSTALL_DIR}/feroxbuster"
+echo "  [-] version: $(${INSTALL_DIR}/feroxbuster -V | awk '{print $2}')"

shell_completions/_feroxbuster

@@ -15,87 +15,116 @@ _feroxbuster() {
 
     local context curcontext="$curcontext" state line
     _arguments "${_arguments_options[@]}" \
-'-w+[Path to the wordlist]' \
-'--wordlist=[Path to the wordlist]' \
-'*-u+[The target URL(s) (required, unless --stdin used)]' \
-'*--url=[The target URL(s) (required, unless --stdin used)]' \
-'-t+[Number of concurrent threads (default: 50)]' \
-'--threads=[Number of concurrent threads (default: 50)]' \
-'-d+[Maximum recursion depth, a depth of 0 is infinite recursion (default: 4)]' \
-'--depth=[Maximum recursion depth, a depth of 0 is infinite recursion (default: 4)]' \
-'-T+[Number of seconds before a request times out (default: 7)]' \
-'--timeout=[Number of seconds before a request times out (default: 7)]' \
-'-p+[Proxy to use for requests (ex: http(s)://host:port, socks5(h)://host:port)]' \
-'--proxy=[Proxy to use for requests (ex: http(s)://host:port, socks5(h)://host:port)]' \
-'-P+[Send only unfiltered requests through a Replay Proxy, instead of all requests]' \
-'--replay-proxy=[Send only unfiltered requests through a Replay Proxy, instead of all requests]' \
-'*-R+[Status Codes to send through a Replay Proxy when found (default: --status-codes value)]' \
-'*--replay-codes=[Status Codes to send through a Replay Proxy when found (default: --status-codes value)]' \
-'*-s+[Status Codes to include (allow list) (default: 200 204 301 302 307 308 401 403 405)]' \
-'*--status-codes=[Status Codes to include (allow list) (default: 200 204 301 302 307 308 401 403 405)]' \
-'-o+[Output file to write results to (use w/ --json for JSON entries)]' \
-'--output=[Output file to write results to (use w/ --json for JSON entries)]' \
-'(-u --url)--resume-from=[State file from which to resume a partially complete scan (ex. --resume-from ferox-1606586780.state)]' \
-'--debug-log=[Output file to write log entries (use w/ --json for JSON entries)]' \
-'-a+[Sets the User-Agent (default: feroxbuster/VERSION)]' \
-'--user-agent=[Sets the User-Agent (default: feroxbuster/VERSION)]' \
-'*-x+[File extension(s) to search for (ex: -x php -x pdf js)]' \
-'*--extensions=[File extension(s) to search for (ex: -x php -x pdf js)]' \
-'*-H+[Specify HTTP headers (ex: -H Header:val '\''stuff: things'\'')]' \
-'*--headers=[Specify HTTP headers (ex: -H Header:val '\''stuff: things'\'')]' \
-'*-Q+[Specify URL query parameters (ex: -Q token=stuff -Q secret=key)]' \
-'*--query=[Specify URL query parameters (ex: -Q token=stuff -Q secret=key)]' \
-'*-S+[Filter out messages of a particular size (ex: -S 5120 -S 4927,1970)]' \
-'*--filter-size=[Filter out messages of a particular size (ex: -S 5120 -S 4927,1970)]' \
-'*-X+[Filter out messages via regular expression matching on the response'\''s body (ex: -X '\''^ignore me$'\'')]' \
-'*--filter-regex=[Filter out messages via regular expression matching on the response'\''s body (ex: -X '\''^ignore me$'\'')]' \
-'*-W+[Filter out messages of a particular word count (ex: -W 312 -W 91,82)]' \
-'*--filter-words=[Filter out messages of a particular word count (ex: -W 312 -W 91,82)]' \
-'*-N+[Filter out messages of a particular line count (ex: -N 20 -N 31,30)]' \
-'*--filter-lines=[Filter out messages of a particular line count (ex: -N 20 -N 31,30)]' \
-'*-C+[Filter out status codes (deny list) (ex: -C 200 -C 401)]' \
-'*--filter-status=[Filter out status codes (deny list) (ex: -C 200 -C 401)]' \
-'*--filter-similar-to=[Filter out pages that are similar to the given page (ex. --filter-similar-to http://site.xyz/soft404)]' \
-'-L+[Limit total number of concurrent scans (default: 0, i.e. no limit)]' \
-'--scan-limit=[Limit total number of concurrent scans (default: 0, i.e. no limit)]' \
-'--parallel=[Run parallel feroxbuster instances (one child process per url passed via stdin)]' \
-'(--auto-tune)--rate-limit=[Limit number of requests per second (per directory) (default: 0, i.e. no limit)]' \
-'--time-limit=[Limit total run time of all scans (ex: --time-limit 10m)]' \
-'(--silent)*-v[Increase verbosity level (use -vv or more for greater effect. \[CAUTION\] 4 -v'\''s is probably too much)]' \
-'(--silent)*--verbosity[Increase verbosity level (use -vv or more for greater effect. \[CAUTION\] 4 -v'\''s is probably too much)]' \
-'(-q --quiet)--silent[Only print URLs + turn off logging (good for piping a list of urls to other commands)]' \
-'-q[Hide progress bars and banner (good for tmux windows w/ notifications)]' \
-'--quiet[Hide progress bars and banner (good for tmux windows w/ notifications)]' \
-'(--auto-bail)--auto-tune[Automatically lower scan rate when an excessive amount of errors are encountered]' \
-'--auto-bail[Automatically stop scanning when an excessive amount of errors are encountered]' \
-'--json[Emit JSON logs to --output and --debug-log instead of normal text]' \
-'-D[Don'\''t auto-filter wildcard responses]' \
-'--dont-filter[Don'\''t auto-filter wildcard responses]' \
-'-r[Follow redirects]' \
-'--redirects[Follow redirects]' \
-'-k[Disables TLS certificate validation]' \
-'--insecure[Disables TLS certificate validation]' \
+'-u+[The target URL (required, unless \[--stdin || --resume-from\] used)]:URL:_urls' \
+'--url=[The target URL (required, unless \[--stdin || --resume-from\] used)]:URL:_urls' \
+'(-u --url)--resume-from=[State file from which to resume a partially complete scan (ex. --resume-from ferox-1606586780.state)]:STATE_FILE:_files' \
+'-p+[Proxy to use for requests (ex\: http(s)\://host\:port, socks5(h)\://host\:port)]:PROXY:_urls' \
+'--proxy=[Proxy to use for requests (ex\: http(s)\://host\:port, socks5(h)\://host\:port)]:PROXY:_urls' \
+'-P+[Send only unfiltered requests through a Replay Proxy, instead of all requests]:REPLAY_PROXY:_urls' \
+'--replay-proxy=[Send only unfiltered requests through a Replay Proxy, instead of all requests]:REPLAY_PROXY:_urls' \
+'*-R+[Status Codes to send through a Replay Proxy when found (default\: --status-codes value)]:REPLAY_CODE: ' \
+'*--replay-codes=[Status Codes to send through a Replay Proxy when found (default\: --status-codes value)]:REPLAY_CODE: ' \
+'-a+[Sets the User-Agent (default\: feroxbuster/2.10.2)]:USER_AGENT: ' \
+'--user-agent=[Sets the User-Agent (default\: feroxbuster/2.10.2)]:USER_AGENT: ' \
+'*-x+[File extension(s) to search for (ex\: -x php -x pdf js); reads values (newline-separated) from file if input starts with an @ (ex\: @ext.txt)]:FILE_EXTENSION: ' \
+'*--extensions=[File extension(s) to search for (ex\: -x php -x pdf js); reads values (newline-separated) from file if input starts with an @ (ex\: @ext.txt)]:FILE_EXTENSION: ' \
+'*-m+[Which HTTP request method(s) should be sent (default\: GET)]:HTTP_METHODS: ' \
+'*--methods=[Which HTTP request method(s) should be sent (default\: GET)]:HTTP_METHODS: ' \
+'--data=[Request'\''s Body; can read data from a file if input starts with an @ (ex\: @post.bin)]:DATA: ' \
+'*-H+[Specify HTTP headers to be used in each request (ex\: -H Header\:val -H '\''stuff\: things'\'')]:HEADER: ' \
+'*--headers=[Specify HTTP headers to be used in each request (ex\: -H Header\:val -H '\''stuff\: things'\'')]:HEADER: ' \
+'*-b+[Specify HTTP cookies to be used in each request (ex\: -b stuff=things)]:COOKIE: ' \
+'*--cookies=[Specify HTTP cookies to be used in each request (ex\: -b stuff=things)]:COOKIE: ' \
+'*-Q+[Request'\''s URL query parameters (ex\: -Q token=stuff -Q secret=key)]:QUERY: ' \
+'*--query=[Request'\''s URL query parameters (ex\: -Q token=stuff -Q secret=key)]:QUERY: ' \
+'*--dont-scan=[URL(s) or Regex Pattern(s) to exclude from recursion/scans]:URL: ' \
+'*-S+[Filter out messages of a particular size (ex\: -S 5120 -S 4927,1970)]:SIZE: ' \
+'*--filter-size=[Filter out messages of a particular size (ex\: -S 5120 -S 4927,1970)]:SIZE: ' \
+'*-X+[Filter out messages via regular expression matching on the response'\''s body (ex\: -X '\''^ignore me\$'\'')]:REGEX: ' \
+'*--filter-regex=[Filter out messages via regular expression matching on the response'\''s body (ex\: -X '\''^ignore me\$'\'')]:REGEX: ' \
+'*-W+[Filter out messages of a particular word count (ex\: -W 312 -W 91,82)]:WORDS: ' \
+'*--filter-words=[Filter out messages of a particular word count (ex\: -W 312 -W 91,82)]:WORDS: ' \
+'*-N+[Filter out messages of a particular line count (ex\: -N 20 -N 31,30)]:LINES: ' \
+'*--filter-lines=[Filter out messages of a particular line count (ex\: -N 20 -N 31,30)]:LINES: ' \
+'(-s --status-codes)*-C+[Filter out status codes (deny list) (ex\: -C 200 -C 401)]:STATUS_CODE: ' \
+'(-s --status-codes)*--filter-status=[Filter out status codes (deny list) (ex\: -C 200 -C 401)]:STATUS_CODE: ' \
+'*--filter-similar-to=[Filter out pages that are similar to the given page (ex. --filter-similar-to http\://site.xyz/soft404)]:UNWANTED_PAGE:_urls' \
+'*-s+[Status Codes to include (allow list) (default\: All Status Codes)]:STATUS_CODE: ' \
+'*--status-codes=[Status Codes to include (allow list) (default\: All Status Codes)]:STATUS_CODE: ' \
+'-T+[Number of seconds before a client'\''s request times out (default\: 7)]:SECONDS: ' \
+'--timeout=[Number of seconds before a client'\''s request times out (default\: 7)]:SECONDS: ' \
+'--server-certs=[Add custom root certificate(s) for servers with unknown certificates]:PEM|DER:_files' \
+'--client-cert=[Add a PEM encoded certificate for mutual authentication (mTLS)]:PEM:_files' \
+'--client-key=[Add a PEM encoded private key for mutual authentication (mTLS)]:PEM:_files' \
+'-t+[Number of concurrent threads (default\: 50)]:THREADS: ' \
+'--threads=[Number of concurrent threads (default\: 50)]:THREADS: ' \
+'-d+[Maximum recursion depth, a depth of 0 is infinite recursion (default\: 4)]:RECURSION_DEPTH: ' \
+'--depth=[Maximum recursion depth, a depth of 0 is infinite recursion (default\: 4)]:RECURSION_DEPTH: ' \
+'-L+[Limit total number of concurrent scans (default\: 0, i.e. no limit)]:SCAN_LIMIT: ' \
+'--scan-limit=[Limit total number of concurrent scans (default\: 0, i.e. no limit)]:SCAN_LIMIT: ' \
+'--parallel=[Run parallel feroxbuster instances (one child process per url passed via stdin)]:PARALLEL_SCANS: ' \
+'(--auto-tune)--rate-limit=[Limit number of requests per second (per directory) (default\: 0, i.e. no limit)]:RATE_LIMIT: ' \
+'--time-limit=[Limit total run time of all scans (ex\: --time-limit 10m)]:TIME_SPEC: ' \
+'-w+[Path or URL of the wordlist]:FILE:_files' \
+'--wordlist=[Path or URL of the wordlist]:FILE:_files' \
+'-B+[Automatically request likely backup extensions for "found" urls (default\: ~, .bak, .bak2, .old, .1)]' \
+'--collect-backups=[Automatically request likely backup extensions for "found" urls (default\: ~, .bak, .bak2, .old, .1)]' \
+'*-I+[File extension(s) to Ignore while collecting extensions (only used with --collect-extensions)]:FILE_EXTENSION: ' \
+'*--dont-collect=[File extension(s) to Ignore while collecting extensions (only used with --collect-extensions)]:FILE_EXTENSION: ' \
+'-o+[Output file to write results to (use w/ --json for JSON entries)]:FILE:_files' \
+'--output=[Output file to write results to (use w/ --json for JSON entries)]:FILE:_files' \
+'--debug-log=[Output file to write log entries (use w/ --json for JSON entries)]:FILE:_files' \
+'(-u --url)--stdin[Read url(s) from STDIN]' \
+'(-p --proxy -k --insecure --burp-replay)--burp[Set --proxy to http\://127.0.0.1\:8080 and set --insecure to true]' \
+'(-P --replay-proxy -k --insecure)--burp-replay[Set --replay-proxy to http\://127.0.0.1\:8080 and set --insecure to true]' \
+'(--rate-limit --auto-bail)--smart[Set --auto-tune, --collect-words, and --collect-backups to true]' \
+'(--rate-limit --auto-bail)--thorough[Use the same settings as --smart and set --collect-extensions to true]' \
+'-A[Use a random User-Agent]' \
+'--random-agent[Use a random User-Agent]' \
+'-f[Append / to each request'\''s URL]' \
+'--add-slash[Append / to each request'\''s URL]' \
+'-r[Allow client to follow redirects]' \
+'--redirects[Allow client to follow redirects]' \
+'-k[Disables TLS certificate validation in the client]' \
+'--insecure[Disables TLS certificate validation in the client]' \
 '-n[Do not scan recursively]' \
 '--no-recursion[Do not scan recursively]' \
-'(-x --extensions)-f[Append / to each request]' \
-'(-x --extensions)--add-slash[Append / to each request]' \
-'(-u --url)--stdin[Read url(s) from STDIN]' \
-'-e[Extract links from response body (html, javascript, etc...); make new requests based on findings (default: false)]' \
-'--extract-links[Extract links from response body (html, javascript, etc...); make new requests based on findings (default: false)]' \
-'-h[Prints help information]' \
-'--help[Prints help information]' \
-'-V[Prints version information]' \
-'--version[Prints version information]' \
+'(-n --no-recursion)--force-recursion[Force recursion attempts on all '\''found'\'' endpoints (still respects recursion depth)]' \
+'-e[Extract links from response body (html, javascript, etc...); make new requests based on findings (default\: true)]' \
+'--extract-links[Extract links from response body (html, javascript, etc...); make new requests based on findings (default\: true)]' \
+'--dont-extract-links[Don'\''t extract links from response body (html, javascript, etc...)]' \
+'(--auto-bail)--auto-tune[Automatically lower scan rate when an excessive amount of errors are encountered]' \
+'--auto-bail[Automatically stop scanning when an excessive amount of errors are encountered]' \
+'-D[Don'\''t auto-filter wildcard responses]' \
+'--dont-filter[Don'\''t auto-filter wildcard responses]' \
+'-E[Automatically discover extensions and add them to --extensions (unless they'\''re in --dont-collect)]' \
+'--collect-extensions[Automatically discover extensions and add them to --extensions (unless they'\''re in --dont-collect)]' \
+'-g[Automatically discover important words from within responses and add them to the wordlist]' \
+'--collect-words[Automatically discover important words from within responses and add them to the wordlist]' \
+'(--silent)*-v[Increase verbosity level (use -vv or more for greater effect. \[CAUTION\] 4 -v'\''s is probably too much)]' \
+'(--silent)*--verbosity[Increase verbosity level (use -vv or more for greater effect. \[CAUTION\] 4 -v'\''s is probably too much)]' \
+'(-q --quiet)--silent[Only print URLs (or JSON w/ --json) + turn off logging (good for piping a list of urls to other commands)]' \
+'-q[Hide progress bars and banner (good for tmux windows w/ notifications)]' \
+'--quiet[Hide progress bars and banner (good for tmux windows w/ notifications)]' \
+'--json[Emit JSON logs to --output and --debug-log instead of normal text]' \
+'--no-state[Disable state output file (*.state)]' \
+'-U[Update feroxbuster to the latest version]' \
+'--update[Update feroxbuster to the latest version]' \
+'-h[Print help (see more with '\''--help'\'')]' \
+'--help[Print help (see more with '\''--help'\'')]' \
+'-V[Print version]' \
+'--version[Print version]' \
 && ret=0
-    
 }
 
 (( $+functions[_feroxbuster_commands] )) ||
 _feroxbuster_commands() {
-    local commands; commands=(
-        
-    )
+    local commands; commands=()
     _describe -t commands 'feroxbuster commands' commands "$@"
 }
 
-_feroxbuster "$@"
+if [ "$funcstack[1]" = "_feroxbuster" ]; then
+    _feroxbuster "$@"
+else
+    compdef _feroxbuster feroxbuster
+fi

shell_completions/_feroxbuster.ps1

@@ -12,7 +12,8 @@ Register-ArgumentCompleter -Native -CommandName 'feroxbuster' -ScriptBlock {
             $element = $commandElements[$i]
             if ($element -isnot [StringConstantExpressionAst] -or
                 $element.StringConstantType -ne [StringConstantType]::BareWord -or
-                $element.Value.StartsWith('-')) {
+                $element.Value.StartsWith('-') -or
+                $element.Value -eq $wordToComplete) {
                 break
         }
         $element.Value
@@ -20,77 +21,105 @@ Register-ArgumentCompleter -Native -CommandName 'feroxbuster' -ScriptBlock {
 
     $completions = @(switch ($command) {
         'feroxbuster' {
-            [CompletionResult]::new('-w', 'w', [CompletionResultType]::ParameterName, 'Path to the wordlist')
-            [CompletionResult]::new('--wordlist', 'wordlist', [CompletionResultType]::ParameterName, 'Path to the wordlist')
-            [CompletionResult]::new('-u', 'u', [CompletionResultType]::ParameterName, 'The target URL(s) (required, unless --stdin used)')
-            [CompletionResult]::new('--url', 'url', [CompletionResultType]::ParameterName, 'The target URL(s) (required, unless --stdin used)')
+            [CompletionResult]::new('-u', 'u', [CompletionResultType]::ParameterName, 'The target URL (required, unless [--stdin || --resume-from] used)')
+            [CompletionResult]::new('--url', 'url', [CompletionResultType]::ParameterName, 'The target URL (required, unless [--stdin || --resume-from] used)')
+            [CompletionResult]::new('--resume-from', 'resume-from', [CompletionResultType]::ParameterName, 'State file from which to resume a partially complete scan (ex. --resume-from ferox-1606586780.state)')
+            [CompletionResult]::new('-p', 'p', [CompletionResultType]::ParameterName, 'Proxy to use for requests (ex: http(s)://host:port, socks5(h)://host:port)')
+            [CompletionResult]::new('--proxy', 'proxy', [CompletionResultType]::ParameterName, 'Proxy to use for requests (ex: http(s)://host:port, socks5(h)://host:port)')
+            [CompletionResult]::new('-P', 'P ', [CompletionResultType]::ParameterName, 'Send only unfiltered requests through a Replay Proxy, instead of all requests')
+            [CompletionResult]::new('--replay-proxy', 'replay-proxy', [CompletionResultType]::ParameterName, 'Send only unfiltered requests through a Replay Proxy, instead of all requests')
+            [CompletionResult]::new('-R', 'R ', [CompletionResultType]::ParameterName, 'Status Codes to send through a Replay Proxy when found (default: --status-codes value)')
+            [CompletionResult]::new('--replay-codes', 'replay-codes', [CompletionResultType]::ParameterName, 'Status Codes to send through a Replay Proxy when found (default: --status-codes value)')
+            [CompletionResult]::new('-a', 'a', [CompletionResultType]::ParameterName, 'Sets the User-Agent (default: feroxbuster/2.10.2)')
+            [CompletionResult]::new('--user-agent', 'user-agent', [CompletionResultType]::ParameterName, 'Sets the User-Agent (default: feroxbuster/2.10.2)')
+            [CompletionResult]::new('-x', 'x', [CompletionResultType]::ParameterName, 'File extension(s) to search for (ex: -x php -x pdf js); reads values (newline-separated) from file if input starts with an @ (ex: @ext.txt)')
+            [CompletionResult]::new('--extensions', 'extensions', [CompletionResultType]::ParameterName, 'File extension(s) to search for (ex: -x php -x pdf js); reads values (newline-separated) from file if input starts with an @ (ex: @ext.txt)')
+            [CompletionResult]::new('-m', 'm', [CompletionResultType]::ParameterName, 'Which HTTP request method(s) should be sent (default: GET)')
+            [CompletionResult]::new('--methods', 'methods', [CompletionResultType]::ParameterName, 'Which HTTP request method(s) should be sent (default: GET)')
+            [CompletionResult]::new('--data', 'data', [CompletionResultType]::ParameterName, 'Request''s Body; can read data from a file if input starts with an @ (ex: @post.bin)')
+            [CompletionResult]::new('-H', 'H ', [CompletionResultType]::ParameterName, 'Specify HTTP headers to be used in each request (ex: -H Header:val -H ''stuff: things'')')
+            [CompletionResult]::new('--headers', 'headers', [CompletionResultType]::ParameterName, 'Specify HTTP headers to be used in each request (ex: -H Header:val -H ''stuff: things'')')
+            [CompletionResult]::new('-b', 'b', [CompletionResultType]::ParameterName, 'Specify HTTP cookies to be used in each request (ex: -b stuff=things)')
+            [CompletionResult]::new('--cookies', 'cookies', [CompletionResultType]::ParameterName, 'Specify HTTP cookies to be used in each request (ex: -b stuff=things)')
+            [CompletionResult]::new('-Q', 'Q ', [CompletionResultType]::ParameterName, 'Request''s URL query parameters (ex: -Q token=stuff -Q secret=key)')
+            [CompletionResult]::new('--query', 'query', [CompletionResultType]::ParameterName, 'Request''s URL query parameters (ex: -Q token=stuff -Q secret=key)')
+            [CompletionResult]::new('--dont-scan', 'dont-scan', [CompletionResultType]::ParameterName, 'URL(s) or Regex Pattern(s) to exclude from recursion/scans')
+            [CompletionResult]::new('-S', 'S ', [CompletionResultType]::ParameterName, 'Filter out messages of a particular size (ex: -S 5120 -S 4927,1970)')
+            [CompletionResult]::new('--filter-size', 'filter-size', [CompletionResultType]::ParameterName, 'Filter out messages of a particular size (ex: -S 5120 -S 4927,1970)')
+            [CompletionResult]::new('-X', 'X ', [CompletionResultType]::ParameterName, 'Filter out messages via regular expression matching on the response''s body (ex: -X ''^ignore me$'')')
+            [CompletionResult]::new('--filter-regex', 'filter-regex', [CompletionResultType]::ParameterName, 'Filter out messages via regular expression matching on the response''s body (ex: -X ''^ignore me$'')')
+            [CompletionResult]::new('-W', 'W ', [CompletionResultType]::ParameterName, 'Filter out messages of a particular word count (ex: -W 312 -W 91,82)')
+            [CompletionResult]::new('--filter-words', 'filter-words', [CompletionResultType]::ParameterName, 'Filter out messages of a particular word count (ex: -W 312 -W 91,82)')
+            [CompletionResult]::new('-N', 'N ', [CompletionResultType]::ParameterName, 'Filter out messages of a particular line count (ex: -N 20 -N 31,30)')
+            [CompletionResult]::new('--filter-lines', 'filter-lines', [CompletionResultType]::ParameterName, 'Filter out messages of a particular line count (ex: -N 20 -N 31,30)')
+            [CompletionResult]::new('-C', 'C ', [CompletionResultType]::ParameterName, 'Filter out status codes (deny list) (ex: -C 200 -C 401)')
+            [CompletionResult]::new('--filter-status', 'filter-status', [CompletionResultType]::ParameterName, 'Filter out status codes (deny list) (ex: -C 200 -C 401)')
+            [CompletionResult]::new('--filter-similar-to', 'filter-similar-to', [CompletionResultType]::ParameterName, 'Filter out pages that are similar to the given page (ex. --filter-similar-to http://site.xyz/soft404)')
+            [CompletionResult]::new('-s', 's', [CompletionResultType]::ParameterName, 'Status Codes to include (allow list) (default: All Status Codes)')
+            [CompletionResult]::new('--status-codes', 'status-codes', [CompletionResultType]::ParameterName, 'Status Codes to include (allow list) (default: All Status Codes)')
+            [CompletionResult]::new('-T', 'T ', [CompletionResultType]::ParameterName, 'Number of seconds before a client''s request times out (default: 7)')
+            [CompletionResult]::new('--timeout', 'timeout', [CompletionResultType]::ParameterName, 'Number of seconds before a client''s request times out (default: 7)')
+            [CompletionResult]::new('--server-certs', 'server-certs', [CompletionResultType]::ParameterName, 'Add custom root certificate(s) for servers with unknown certificates')
+            [CompletionResult]::new('--client-cert', 'client-cert', [CompletionResultType]::ParameterName, 'Add a PEM encoded certificate for mutual authentication (mTLS)')
+            [CompletionResult]::new('--client-key', 'client-key', [CompletionResultType]::ParameterName, 'Add a PEM encoded private key for mutual authentication (mTLS)')
             [CompletionResult]::new('-t', 't', [CompletionResultType]::ParameterName, 'Number of concurrent threads (default: 50)')
             [CompletionResult]::new('--threads', 'threads', [CompletionResultType]::ParameterName, 'Number of concurrent threads (default: 50)')
             [CompletionResult]::new('-d', 'd', [CompletionResultType]::ParameterName, 'Maximum recursion depth, a depth of 0 is infinite recursion (default: 4)')
             [CompletionResult]::new('--depth', 'depth', [CompletionResultType]::ParameterName, 'Maximum recursion depth, a depth of 0 is infinite recursion (default: 4)')
-            [CompletionResult]::new('-T', 'T', [CompletionResultType]::ParameterName, 'Number of seconds before a request times out (default: 7)')
-            [CompletionResult]::new('--timeout', 'timeout', [CompletionResultType]::ParameterName, 'Number of seconds before a request times out (default: 7)')
-            [CompletionResult]::new('-p', 'p', [CompletionResultType]::ParameterName, 'Proxy to use for requests (ex: http(s)://host:port, socks5(h)://host:port)')
-            [CompletionResult]::new('--proxy', 'proxy', [CompletionResultType]::ParameterName, 'Proxy to use for requests (ex: http(s)://host:port, socks5(h)://host:port)')
-            [CompletionResult]::new('-P', 'P', [CompletionResultType]::ParameterName, 'Send only unfiltered requests through a Replay Proxy, instead of all requests')
-            [CompletionResult]::new('--replay-proxy', 'replay-proxy', [CompletionResultType]::ParameterName, 'Send only unfiltered requests through a Replay Proxy, instead of all requests')
-            [CompletionResult]::new('-R', 'R', [CompletionResultType]::ParameterName, 'Status Codes to send through a Replay Proxy when found (default: --status-codes value)')
-            [CompletionResult]::new('--replay-codes', 'replay-codes', [CompletionResultType]::ParameterName, 'Status Codes to send through a Replay Proxy when found (default: --status-codes value)')
-            [CompletionResult]::new('-s', 's', [CompletionResultType]::ParameterName, 'Status Codes to include (allow list) (default: 200 204 301 302 307 308 401 403 405)')
-            [CompletionResult]::new('--status-codes', 'status-codes', [CompletionResultType]::ParameterName, 'Status Codes to include (allow list) (default: 200 204 301 302 307 308 401 403 405)')
-            [CompletionResult]::new('-o', 'o', [CompletionResultType]::ParameterName, 'Output file to write results to (use w/ --json for JSON entries)')
-            [CompletionResult]::new('--output', 'output', [CompletionResultType]::ParameterName, 'Output file to write results to (use w/ --json for JSON entries)')
-            [CompletionResult]::new('--resume-from', 'resume-from', [CompletionResultType]::ParameterName, 'State file from which to resume a partially complete scan (ex. --resume-from ferox-1606586780.state)')
-            [CompletionResult]::new('--debug-log', 'debug-log', [CompletionResultType]::ParameterName, 'Output file to write log entries (use w/ --json for JSON entries)')
-            [CompletionResult]::new('-a', 'a', [CompletionResultType]::ParameterName, 'Sets the User-Agent (default: feroxbuster/VERSION)')
-            [CompletionResult]::new('--user-agent', 'user-agent', [CompletionResultType]::ParameterName, 'Sets the User-Agent (default: feroxbuster/VERSION)')
-            [CompletionResult]::new('-x', 'x', [CompletionResultType]::ParameterName, 'File extension(s) to search for (ex: -x php -x pdf js)')
-            [CompletionResult]::new('--extensions', 'extensions', [CompletionResultType]::ParameterName, 'File extension(s) to search for (ex: -x php -x pdf js)')
-            [CompletionResult]::new('-H', 'H', [CompletionResultType]::ParameterName, 'Specify HTTP headers (ex: -H Header:val ''stuff: things'')')
-            [CompletionResult]::new('--headers', 'headers', [CompletionResultType]::ParameterName, 'Specify HTTP headers (ex: -H Header:val ''stuff: things'')')
-            [CompletionResult]::new('-Q', 'Q', [CompletionResultType]::ParameterName, 'Specify URL query parameters (ex: -Q token=stuff -Q secret=key)')
-            [CompletionResult]::new('--query', 'query', [CompletionResultType]::ParameterName, 'Specify URL query parameters (ex: -Q token=stuff -Q secret=key)')
-            [CompletionResult]::new('-S', 'S', [CompletionResultType]::ParameterName, 'Filter out messages of a particular size (ex: -S 5120 -S 4927,1970)')
-            [CompletionResult]::new('--filter-size', 'filter-size', [CompletionResultType]::ParameterName, 'Filter out messages of a particular size (ex: -S 5120 -S 4927,1970)')
-            [CompletionResult]::new('-X', 'X', [CompletionResultType]::ParameterName, 'Filter out messages via regular expression matching on the response''s body (ex: -X ''^ignore me$'')')
-            [CompletionResult]::new('--filter-regex', 'filter-regex', [CompletionResultType]::ParameterName, 'Filter out messages via regular expression matching on the response''s body (ex: -X ''^ignore me$'')')
-            [CompletionResult]::new('-W', 'W', [CompletionResultType]::ParameterName, 'Filter out messages of a particular word count (ex: -W 312 -W 91,82)')
-            [CompletionResult]::new('--filter-words', 'filter-words', [CompletionResultType]::ParameterName, 'Filter out messages of a particular word count (ex: -W 312 -W 91,82)')
-            [CompletionResult]::new('-N', 'N', [CompletionResultType]::ParameterName, 'Filter out messages of a particular line count (ex: -N 20 -N 31,30)')
-            [CompletionResult]::new('--filter-lines', 'filter-lines', [CompletionResultType]::ParameterName, 'Filter out messages of a particular line count (ex: -N 20 -N 31,30)')
-            [CompletionResult]::new('-C', 'C', [CompletionResultType]::ParameterName, 'Filter out status codes (deny list) (ex: -C 200 -C 401)')
-            [CompletionResult]::new('--filter-status', 'filter-status', [CompletionResultType]::ParameterName, 'Filter out status codes (deny list) (ex: -C 200 -C 401)')
-            [CompletionResult]::new('--filter-similar-to', 'filter-similar-to', [CompletionResultType]::ParameterName, 'Filter out pages that are similar to the given page (ex. --filter-similar-to http://site.xyz/soft404)')
-            [CompletionResult]::new('-L', 'L', [CompletionResultType]::ParameterName, 'Limit total number of concurrent scans (default: 0, i.e. no limit)')
+            [CompletionResult]::new('-L', 'L ', [CompletionResultType]::ParameterName, 'Limit total number of concurrent scans (default: 0, i.e. no limit)')
             [CompletionResult]::new('--scan-limit', 'scan-limit', [CompletionResultType]::ParameterName, 'Limit total number of concurrent scans (default: 0, i.e. no limit)')
             [CompletionResult]::new('--parallel', 'parallel', [CompletionResultType]::ParameterName, 'Run parallel feroxbuster instances (one child process per url passed via stdin)')
             [CompletionResult]::new('--rate-limit', 'rate-limit', [CompletionResultType]::ParameterName, 'Limit number of requests per second (per directory) (default: 0, i.e. no limit)')
             [CompletionResult]::new('--time-limit', 'time-limit', [CompletionResultType]::ParameterName, 'Limit total run time of all scans (ex: --time-limit 10m)')
-            [CompletionResult]::new('-v', 'v', [CompletionResultType]::ParameterName, 'Increase verbosity level (use -vv or more for greater effect. [CAUTION] 4 -v''s is probably too much)')
-            [CompletionResult]::new('--verbosity', 'verbosity', [CompletionResultType]::ParameterName, 'Increase verbosity level (use -vv or more for greater effect. [CAUTION] 4 -v''s is probably too much)')
-            [CompletionResult]::new('--silent', 'silent', [CompletionResultType]::ParameterName, 'Only print URLs + turn off logging (good for piping a list of urls to other commands)')
-            [CompletionResult]::new('-q', 'q', [CompletionResultType]::ParameterName, 'Hide progress bars and banner (good for tmux windows w/ notifications)')
-            [CompletionResult]::new('--quiet', 'quiet', [CompletionResultType]::ParameterName, 'Hide progress bars and banner (good for tmux windows w/ notifications)')
-            [CompletionResult]::new('--auto-tune', 'auto-tune', [CompletionResultType]::ParameterName, 'Automatically lower scan rate when an excessive amount of errors are encountered')
-            [CompletionResult]::new('--auto-bail', 'auto-bail', [CompletionResultType]::ParameterName, 'Automatically stop scanning when an excessive amount of errors are encountered')
-            [CompletionResult]::new('--json', 'json', [CompletionResultType]::ParameterName, 'Emit JSON logs to --output and --debug-log instead of normal text')
-            [CompletionResult]::new('-D', 'D', [CompletionResultType]::ParameterName, 'Don''t auto-filter wildcard responses')
-            [CompletionResult]::new('--dont-filter', 'dont-filter', [CompletionResultType]::ParameterName, 'Don''t auto-filter wildcard responses')
-            [CompletionResult]::new('-r', 'r', [CompletionResultType]::ParameterName, 'Follow redirects')
-            [CompletionResult]::new('--redirects', 'redirects', [CompletionResultType]::ParameterName, 'Follow redirects')
-            [CompletionResult]::new('-k', 'k', [CompletionResultType]::ParameterName, 'Disables TLS certificate validation')
-            [CompletionResult]::new('--insecure', 'insecure', [CompletionResultType]::ParameterName, 'Disables TLS certificate validation')
+            [CompletionResult]::new('-w', 'w', [CompletionResultType]::ParameterName, 'Path or URL of the wordlist')
+            [CompletionResult]::new('--wordlist', 'wordlist', [CompletionResultType]::ParameterName, 'Path or URL of the wordlist')
+            [CompletionResult]::new('-B', 'B ', [CompletionResultType]::ParameterName, 'Automatically request likely backup extensions for "found" urls (default: ~, .bak, .bak2, .old, .1)')
+            [CompletionResult]::new('--collect-backups', 'collect-backups', [CompletionResultType]::ParameterName, 'Automatically request likely backup extensions for "found" urls (default: ~, .bak, .bak2, .old, .1)')
+            [CompletionResult]::new('-I', 'I ', [CompletionResultType]::ParameterName, 'File extension(s) to Ignore while collecting extensions (only used with --collect-extensions)')
+            [CompletionResult]::new('--dont-collect', 'dont-collect', [CompletionResultType]::ParameterName, 'File extension(s) to Ignore while collecting extensions (only used with --collect-extensions)')
+            [CompletionResult]::new('-o', 'o', [CompletionResultType]::ParameterName, 'Output file to write results to (use w/ --json for JSON entries)')
+            [CompletionResult]::new('--output', 'output', [CompletionResultType]::ParameterName, 'Output file to write results to (use w/ --json for JSON entries)')
+            [CompletionResult]::new('--debug-log', 'debug-log', [CompletionResultType]::ParameterName, 'Output file to write log entries (use w/ --json for JSON entries)')
+            [CompletionResult]::new('--stdin', 'stdin', [CompletionResultType]::ParameterName, 'Read url(s) from STDIN')
+            [CompletionResult]::new('--burp', 'burp', [CompletionResultType]::ParameterName, 'Set --proxy to http://127.0.0.1:8080 and set --insecure to true')
+            [CompletionResult]::new('--burp-replay', 'burp-replay', [CompletionResultType]::ParameterName, 'Set --replay-proxy to http://127.0.0.1:8080 and set --insecure to true')
+            [CompletionResult]::new('--smart', 'smart', [CompletionResultType]::ParameterName, 'Set --auto-tune, --collect-words, and --collect-backups to true')
+            [CompletionResult]::new('--thorough', 'thorough', [CompletionResultType]::ParameterName, 'Use the same settings as --smart and set --collect-extensions to true')
+            [CompletionResult]::new('-A', 'A ', [CompletionResultType]::ParameterName, 'Use a random User-Agent')
+            [CompletionResult]::new('--random-agent', 'random-agent', [CompletionResultType]::ParameterName, 'Use a random User-Agent')
+            [CompletionResult]::new('-f', 'f', [CompletionResultType]::ParameterName, 'Append / to each request''s URL')
+            [CompletionResult]::new('--add-slash', 'add-slash', [CompletionResultType]::ParameterName, 'Append / to each request''s URL')
+            [CompletionResult]::new('-r', 'r', [CompletionResultType]::ParameterName, 'Allow client to follow redirects')
+            [CompletionResult]::new('--redirects', 'redirects', [CompletionResultType]::ParameterName, 'Allow client to follow redirects')
+            [CompletionResult]::new('-k', 'k', [CompletionResultType]::ParameterName, 'Disables TLS certificate validation in the client')
+            [CompletionResult]::new('--insecure', 'insecure', [CompletionResultType]::ParameterName, 'Disables TLS certificate validation in the client')
             [CompletionResult]::new('-n', 'n', [CompletionResultType]::ParameterName, 'Do not scan recursively')
             [CompletionResult]::new('--no-recursion', 'no-recursion', [CompletionResultType]::ParameterName, 'Do not scan recursively')
-            [CompletionResult]::new('-f', 'f', [CompletionResultType]::ParameterName, 'Append / to each request')
-            [CompletionResult]::new('--add-slash', 'add-slash', [CompletionResultType]::ParameterName, 'Append / to each request')
-            [CompletionResult]::new('--stdin', 'stdin', [CompletionResultType]::ParameterName, 'Read url(s) from STDIN')
-            [CompletionResult]::new('-e', 'e', [CompletionResultType]::ParameterName, 'Extract links from response body (html, javascript, etc...); make new requests based on findings (default: false)')
-            [CompletionResult]::new('--extract-links', 'extract-links', [CompletionResultType]::ParameterName, 'Extract links from response body (html, javascript, etc...); make new requests based on findings (default: false)')
-            [CompletionResult]::new('-h', 'h', [CompletionResultType]::ParameterName, 'Prints help information')
-            [CompletionResult]::new('--help', 'help', [CompletionResultType]::ParameterName, 'Prints help information')
-            [CompletionResult]::new('-V', 'V', [CompletionResultType]::ParameterName, 'Prints version information')
-            [CompletionResult]::new('--version', 'version', [CompletionResultType]::ParameterName, 'Prints version information')
+            [CompletionResult]::new('--force-recursion', 'force-recursion', [CompletionResultType]::ParameterName, 'Force recursion attempts on all ''found'' endpoints (still respects recursion depth)')
+            [CompletionResult]::new('-e', 'e', [CompletionResultType]::ParameterName, 'Extract links from response body (html, javascript, etc...); make new requests based on findings (default: true)')
+            [CompletionResult]::new('--extract-links', 'extract-links', [CompletionResultType]::ParameterName, 'Extract links from response body (html, javascript, etc...); make new requests based on findings (default: true)')
+            [CompletionResult]::new('--dont-extract-links', 'dont-extract-links', [CompletionResultType]::ParameterName, 'Don''t extract links from response body (html, javascript, etc...)')
+            [CompletionResult]::new('--auto-tune', 'auto-tune', [CompletionResultType]::ParameterName, 'Automatically lower scan rate when an excessive amount of errors are encountered')
+            [CompletionResult]::new('--auto-bail', 'auto-bail', [CompletionResultType]::ParameterName, 'Automatically stop scanning when an excessive amount of errors are encountered')
+            [CompletionResult]::new('-D', 'D ', [CompletionResultType]::ParameterName, 'Don''t auto-filter wildcard responses')
+            [CompletionResult]::new('--dont-filter', 'dont-filter', [CompletionResultType]::ParameterName, 'Don''t auto-filter wildcard responses')
+            [CompletionResult]::new('-E', 'E ', [CompletionResultType]::ParameterName, 'Automatically discover extensions and add them to --extensions (unless they''re in --dont-collect)')
+            [CompletionResult]::new('--collect-extensions', 'collect-extensions', [CompletionResultType]::ParameterName, 'Automatically discover extensions and add them to --extensions (unless they''re in --dont-collect)')
+            [CompletionResult]::new('-g', 'g', [CompletionResultType]::ParameterName, 'Automatically discover important words from within responses and add them to the wordlist')
+            [CompletionResult]::new('--collect-words', 'collect-words', [CompletionResultType]::ParameterName, 'Automatically discover important words from within responses and add them to the wordlist')
+            [CompletionResult]::new('-v', 'v', [CompletionResultType]::ParameterName, 'Increase verbosity level (use -vv or more for greater effect. [CAUTION] 4 -v''s is probably too much)')
+            [CompletionResult]::new('--verbosity', 'verbosity', [CompletionResultType]::ParameterName, 'Increase verbosity level (use -vv or more for greater effect. [CAUTION] 4 -v''s is probably too much)')
+            [CompletionResult]::new('--silent', 'silent', [CompletionResultType]::ParameterName, 'Only print URLs (or JSON w/ --json) + turn off logging (good for piping a list of urls to other commands)')
+            [CompletionResult]::new('-q', 'q', [CompletionResultType]::ParameterName, 'Hide progress bars and banner (good for tmux windows w/ notifications)')
+            [CompletionResult]::new('--quiet', 'quiet', [CompletionResultType]::ParameterName, 'Hide progress bars and banner (good for tmux windows w/ notifications)')
+            [CompletionResult]::new('--json', 'json', [CompletionResultType]::ParameterName, 'Emit JSON logs to --output and --debug-log instead of normal text')
+            [CompletionResult]::new('--no-state', 'no-state', [CompletionResultType]::ParameterName, 'Disable state output file (*.state)')
+            [CompletionResult]::new('-U', 'U ', [CompletionResultType]::ParameterName, 'Update feroxbuster to the latest version')
+            [CompletionResult]::new('--update', 'update', [CompletionResultType]::ParameterName, 'Update feroxbuster to the latest version')
+            [CompletionResult]::new('-h', 'h', [CompletionResultType]::ParameterName, 'Print help (see more with ''--help'')')
+            [CompletionResult]::new('--help', 'help', [CompletionResultType]::ParameterName, 'Print help (see more with ''--help'')')
+            [CompletionResult]::new('-V', 'V ', [CompletionResultType]::ParameterName, 'Print version')
+            [CompletionResult]::new('--version', 'version', [CompletionResultType]::ParameterName, 'Print version')
             break
         }
     })

shell_completions/feroxbuster.bash

@@ -1,5 +1,5 @@
 _feroxbuster() {
-    local i cur prev opts cmds
+    local i cur prev opts cmd
     COMPREPLY=()
     cur="${COMP_WORDS[COMP_CWORD]}"
     prev="${COMP_WORDS[COMP_CWORD-1]}"
@@ -8,11 +8,10 @@ _feroxbuster() {
 
     for i in ${COMP_WORDS[@]}
     do
-        case "${i}" in
-            feroxbuster)
+        case "${cmd},${i}" in
+            ",$1")
                 cmd="feroxbuster"
                 ;;
-            
             *)
                 ;;
         esac
@@ -20,90 +19,17 @@ _feroxbuster() {
 
     case "${cmd}" in
         feroxbuster)
-            opts=" -v -q -D -r -k -n -f -e -h -V -w -u -t -d -T -p -P -R -s -o -a -x -H -Q -S -X -W -N -C -L  --verbosity --silent --quiet --auto-tune --auto-bail --json --dont-filter --redirects --insecure --no-recursion --add-slash --stdin --extract-links --help --version --wordlist --url --threads --depth --timeout --proxy --replay-proxy --replay-codes --status-codes --output --resume-from --debug-log --user-agent --extensions --headers --query --filter-size --filter-regex --filter-words --filter-lines --filter-status --filter-similar-to --scan-limit --parallel --rate-limit --time-limit  "
+            opts="-u -p -P -R -a -A -x -m -H -b -Q -f -S -X -W -N -C -s -T -r -k -t -n -d -e -L -w -D -E -B -g -I -v -q -o -U -h -V --url --stdin --resume-from --burp --burp-replay --smart --thorough --proxy --replay-proxy --replay-codes --user-agent --random-agent --extensions --methods --data --headers --cookies --query --add-slash --dont-scan --filter-size --filter-regex --filter-words --filter-lines --filter-status --filter-similar-to --status-codes --timeout --redirects --insecure --server-certs --client-cert --client-key --threads --no-recursion --depth --force-recursion --extract-links --dont-extract-links --scan-limit --parallel --rate-limit --time-limit --wordlist --auto-tune --auto-bail --dont-filter --collect-extensions --collect-backups --collect-words --dont-collect --verbosity --silent --quiet --json --output --debug-log --no-state --update --help --version"
             if [[ ${cur} == -* || ${COMP_CWORD} -eq 1 ]] ; then
                 COMPREPLY=( $(compgen -W "${opts}" -- "${cur}") )
                 return 0
             fi
             case "${prev}" in
-                
-                --wordlist)
-                    COMPREPLY=($(compgen -f "${cur}"))
-                    return 0
-                    ;;
-                    -w)
-                    COMPREPLY=($(compgen -f "${cur}"))
-                    return 0
-                    ;;
                 --url)
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
-                    -u)
-                    COMPREPLY=($(compgen -f "${cur}"))
-                    return 0
-                    ;;
-                --threads)
-                    COMPREPLY=($(compgen -f "${cur}"))
-                    return 0
-                    ;;
-                    -t)
-                    COMPREPLY=($(compgen -f "${cur}"))
-                    return 0
-                    ;;
-                --depth)
-                    COMPREPLY=($(compgen -f "${cur}"))
-                    return 0
-                    ;;
-                    -d)
-                    COMPREPLY=($(compgen -f "${cur}"))
-                    return 0
-                    ;;
-                --timeout)
-                    COMPREPLY=($(compgen -f "${cur}"))
-                    return 0
-                    ;;
-                    -T)
-                    COMPREPLY=($(compgen -f "${cur}"))
-                    return 0
-                    ;;
-                --proxy)
-                    COMPREPLY=($(compgen -f "${cur}"))
-                    return 0
-                    ;;
-                    -p)
-                    COMPREPLY=($(compgen -f "${cur}"))
-                    return 0
-                    ;;
-                --replay-proxy)
-                    COMPREPLY=($(compgen -f "${cur}"))
-                    return 0
-                    ;;
-                    -P)
-                    COMPREPLY=($(compgen -f "${cur}"))
-                    return 0
-                    ;;
-                --replay-codes)
-                    COMPREPLY=($(compgen -f "${cur}"))
-                    return 0
-                    ;;
-                    -R)
-                    COMPREPLY=($(compgen -f "${cur}"))
-                    return 0
-                    ;;
-                --status-codes)
-                    COMPREPLY=($(compgen -f "${cur}"))
-                    return 0
-                    ;;
-                    -s)
-                    COMPREPLY=($(compgen -f "${cur}"))
-                    return 0
-                    ;;
-                --output)
-                    COMPREPLY=($(compgen -f "${cur}"))
-                    return 0
-                    ;;
-                    -o)
+                -u)
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
@@ -111,7 +37,27 @@ _feroxbuster() {
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
-                --debug-log)
+                --proxy)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                -p)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                --replay-proxy)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                -P)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                --replay-codes)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                -R)
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
@@ -119,7 +65,7 @@ _feroxbuster() {
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
-                    -a)
+                -a)
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
@@ -127,7 +73,19 @@ _feroxbuster() {
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
-                    -x)
+                -x)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                --methods)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                -m)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                --data)
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
@@ -135,7 +93,15 @@ _feroxbuster() {
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
-                    -H)
+                -H)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                --cookies)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                -b)
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
@@ -143,7 +109,11 @@ _feroxbuster() {
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
-                    -Q)
+                -Q)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                --dont-scan)
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
@@ -151,7 +121,7 @@ _feroxbuster() {
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
-                    -S)
+                -S)
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
@@ -159,7 +129,7 @@ _feroxbuster() {
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
-                    -X)
+                -X)
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
@@ -167,7 +137,7 @@ _feroxbuster() {
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
-                    -W)
+                -W)
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
@@ -175,7 +145,7 @@ _feroxbuster() {
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
-                    -N)
+                -N)
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
@@ -183,7 +153,7 @@ _feroxbuster() {
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
-                    -C)
+                -C)
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
@@ -191,11 +161,55 @@ _feroxbuster() {
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
+                --status-codes)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                -s)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                --timeout)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                -T)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                --server-certs)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                --client-cert)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                --client-key)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                --threads)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                -t)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                --depth)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                -d)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
                 --scan-limit)
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
-                    -L)
+                -L)
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
@@ -211,6 +225,42 @@ _feroxbuster() {
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
+                --wordlist)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                -w)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                --collect-backups)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                -B)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                --dont-collect)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                -I)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                --output)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                -o)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                --debug-log)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
                 *)
                     COMPREPLY=()
                     ;;
@@ -218,8 +268,11 @@ _feroxbuster() {
             COMPREPLY=( $(compgen -W "${opts}" -- "${cur}") )
             return 0
             ;;
-        
     esac
 }
 
-complete -F _feroxbuster -o bashdefault -o default feroxbuster
+if [[ "${BASH_VERSINFO[0]}" -eq 4 && "${BASH_VERSINFO[1]}" -ge 4 || "${BASH_VERSINFO[0]}" -gt 4 ]]; then
+    complete -F _feroxbuster -o nosort -o bashdefault -o default -o plusdirs feroxbuster
+else
+    complete -F _feroxbuster -o bashdefault -o default -o plusdirs feroxbuster
+fi

shell_completions/feroxbuster.elv

@@ -0,0 +1,123 @@
+
+use builtin;
+use str;
+
+set edit:completion:arg-completer[feroxbuster] = {|@words|
+    fn spaces {|n|
+        builtin:repeat $n ' ' | str:join ''
+    }
+    fn cand {|text desc|
+        edit:complex-candidate $text &display=$text' '(spaces (- 14 (wcswidth $text)))$desc
+    }
+    var command = 'feroxbuster'
+    for word $words[1..-1] {
+        if (str:has-prefix $word '-') {
+            break
+        }
+        set command = $command';'$word
+    }
+    var completions = [
+        &'feroxbuster'= {
+            cand -u 'The target URL (required, unless [--stdin || --resume-from] used)'
+            cand --url 'The target URL (required, unless [--stdin || --resume-from] used)'
+            cand --resume-from 'State file from which to resume a partially complete scan (ex. --resume-from ferox-1606586780.state)'
+            cand -p 'Proxy to use for requests (ex: http(s)://host:port, socks5(h)://host:port)'
+            cand --proxy 'Proxy to use for requests (ex: http(s)://host:port, socks5(h)://host:port)'
+            cand -P 'Send only unfiltered requests through a Replay Proxy, instead of all requests'
+            cand --replay-proxy 'Send only unfiltered requests through a Replay Proxy, instead of all requests'
+            cand -R 'Status Codes to send through a Replay Proxy when found (default: --status-codes value)'
+            cand --replay-codes 'Status Codes to send through a Replay Proxy when found (default: --status-codes value)'
+            cand -a 'Sets the User-Agent (default: feroxbuster/2.10.2)'
+            cand --user-agent 'Sets the User-Agent (default: feroxbuster/2.10.2)'
+            cand -x 'File extension(s) to search for (ex: -x php -x pdf js); reads values (newline-separated) from file if input starts with an @ (ex: @ext.txt)'
+            cand --extensions 'File extension(s) to search for (ex: -x php -x pdf js); reads values (newline-separated) from file if input starts with an @ (ex: @ext.txt)'
+            cand -m 'Which HTTP request method(s) should be sent (default: GET)'
+            cand --methods 'Which HTTP request method(s) should be sent (default: GET)'
+            cand --data 'Request''s Body; can read data from a file if input starts with an @ (ex: @post.bin)'
+            cand -H 'Specify HTTP headers to be used in each request (ex: -H Header:val -H ''stuff: things'')'
+            cand --headers 'Specify HTTP headers to be used in each request (ex: -H Header:val -H ''stuff: things'')'
+            cand -b 'Specify HTTP cookies to be used in each request (ex: -b stuff=things)'
+            cand --cookies 'Specify HTTP cookies to be used in each request (ex: -b stuff=things)'
+            cand -Q 'Request''s URL query parameters (ex: -Q token=stuff -Q secret=key)'
+            cand --query 'Request''s URL query parameters (ex: -Q token=stuff -Q secret=key)'
+            cand --dont-scan 'URL(s) or Regex Pattern(s) to exclude from recursion/scans'
+            cand -S 'Filter out messages of a particular size (ex: -S 5120 -S 4927,1970)'
+            cand --filter-size 'Filter out messages of a particular size (ex: -S 5120 -S 4927,1970)'
+            cand -X 'Filter out messages via regular expression matching on the response''s body (ex: -X ''^ignore me$'')'
+            cand --filter-regex 'Filter out messages via regular expression matching on the response''s body (ex: -X ''^ignore me$'')'
+            cand -W 'Filter out messages of a particular word count (ex: -W 312 -W 91,82)'
+            cand --filter-words 'Filter out messages of a particular word count (ex: -W 312 -W 91,82)'
+            cand -N 'Filter out messages of a particular line count (ex: -N 20 -N 31,30)'
+            cand --filter-lines 'Filter out messages of a particular line count (ex: -N 20 -N 31,30)'
+            cand -C 'Filter out status codes (deny list) (ex: -C 200 -C 401)'
+            cand --filter-status 'Filter out status codes (deny list) (ex: -C 200 -C 401)'
+            cand --filter-similar-to 'Filter out pages that are similar to the given page (ex. --filter-similar-to http://site.xyz/soft404)'
+            cand -s 'Status Codes to include (allow list) (default: All Status Codes)'
+            cand --status-codes 'Status Codes to include (allow list) (default: All Status Codes)'
+            cand -T 'Number of seconds before a client''s request times out (default: 7)'
+            cand --timeout 'Number of seconds before a client''s request times out (default: 7)'
+            cand --server-certs 'Add custom root certificate(s) for servers with unknown certificates'
+            cand --client-cert 'Add a PEM encoded certificate for mutual authentication (mTLS)'
+            cand --client-key 'Add a PEM encoded private key for mutual authentication (mTLS)'
+            cand -t 'Number of concurrent threads (default: 50)'
+            cand --threads 'Number of concurrent threads (default: 50)'
+            cand -d 'Maximum recursion depth, a depth of 0 is infinite recursion (default: 4)'
+            cand --depth 'Maximum recursion depth, a depth of 0 is infinite recursion (default: 4)'
+            cand -L 'Limit total number of concurrent scans (default: 0, i.e. no limit)'
+            cand --scan-limit 'Limit total number of concurrent scans (default: 0, i.e. no limit)'
+            cand --parallel 'Run parallel feroxbuster instances (one child process per url passed via stdin)'
+            cand --rate-limit 'Limit number of requests per second (per directory) (default: 0, i.e. no limit)'
+            cand --time-limit 'Limit total run time of all scans (ex: --time-limit 10m)'
+            cand -w 'Path or URL of the wordlist'
+            cand --wordlist 'Path or URL of the wordlist'
+            cand -B 'Automatically request likely backup extensions for "found" urls (default: ~, .bak, .bak2, .old, .1)'
+            cand --collect-backups 'Automatically request likely backup extensions for "found" urls (default: ~, .bak, .bak2, .old, .1)'
+            cand -I 'File extension(s) to Ignore while collecting extensions (only used with --collect-extensions)'
+            cand --dont-collect 'File extension(s) to Ignore while collecting extensions (only used with --collect-extensions)'
+            cand -o 'Output file to write results to (use w/ --json for JSON entries)'
+            cand --output 'Output file to write results to (use w/ --json for JSON entries)'
+            cand --debug-log 'Output file to write log entries (use w/ --json for JSON entries)'
+            cand --stdin 'Read url(s) from STDIN'
+            cand --burp 'Set --proxy to http://127.0.0.1:8080 and set --insecure to true'
+            cand --burp-replay 'Set --replay-proxy to http://127.0.0.1:8080 and set --insecure to true'
+            cand --smart 'Set --auto-tune, --collect-words, and --collect-backups to true'
+            cand --thorough 'Use the same settings as --smart and set --collect-extensions to true'
+            cand -A 'Use a random User-Agent'
+            cand --random-agent 'Use a random User-Agent'
+            cand -f 'Append / to each request''s URL'
+            cand --add-slash 'Append / to each request''s URL'
+            cand -r 'Allow client to follow redirects'
+            cand --redirects 'Allow client to follow redirects'
+            cand -k 'Disables TLS certificate validation in the client'
+            cand --insecure 'Disables TLS certificate validation in the client'
+            cand -n 'Do not scan recursively'
+            cand --no-recursion 'Do not scan recursively'
+            cand --force-recursion 'Force recursion attempts on all ''found'' endpoints (still respects recursion depth)'
+            cand -e 'Extract links from response body (html, javascript, etc...); make new requests based on findings (default: true)'
+            cand --extract-links 'Extract links from response body (html, javascript, etc...); make new requests based on findings (default: true)'
+            cand --dont-extract-links 'Don''t extract links from response body (html, javascript, etc...)'
+            cand --auto-tune 'Automatically lower scan rate when an excessive amount of errors are encountered'
+            cand --auto-bail 'Automatically stop scanning when an excessive amount of errors are encountered'
+            cand -D 'Don''t auto-filter wildcard responses'
+            cand --dont-filter 'Don''t auto-filter wildcard responses'
+            cand -E 'Automatically discover extensions and add them to --extensions (unless they''re in --dont-collect)'
+            cand --collect-extensions 'Automatically discover extensions and add them to --extensions (unless they''re in --dont-collect)'
+            cand -g 'Automatically discover important words from within responses and add them to the wordlist'
+            cand --collect-words 'Automatically discover important words from within responses and add them to the wordlist'
+            cand -v 'Increase verbosity level (use -vv or more for greater effect. [CAUTION] 4 -v''s is probably too much)'
+            cand --verbosity 'Increase verbosity level (use -vv or more for greater effect. [CAUTION] 4 -v''s is probably too much)'
+            cand --silent 'Only print URLs (or JSON w/ --json) + turn off logging (good for piping a list of urls to other commands)'
+            cand -q 'Hide progress bars and banner (good for tmux windows w/ notifications)'
+            cand --quiet 'Hide progress bars and banner (good for tmux windows w/ notifications)'
+            cand --json 'Emit JSON logs to --output and --debug-log instead of normal text'
+            cand --no-state 'Disable state output file (*.state)'
+            cand -U 'Update feroxbuster to the latest version'
+            cand --update 'Update feroxbuster to the latest version'
+            cand -h 'Print help (see more with ''--help'')'
+            cand --help 'Print help (see more with ''--help'')'
+            cand -V 'Print version'
+            cand --version 'Print version'
+        }
+    ]
+    $completions[$command]
+}

shell_completions/feroxbuster.fish

@@ -12,7 +12,11 @@ complete -c feroxbuster -n "__fish_use_subcommand" -l resume-from -d 'State file
 complete -c feroxbuster -n "__fish_use_subcommand" -l debug-log -d 'Output file to write log entries (use w/ --json for JSON entries)'
 complete -c feroxbuster -n "__fish_use_subcommand" -s a -l user-agent -d 'Sets the User-Agent (default: feroxbuster/VERSION)'
 complete -c feroxbuster -n "__fish_use_subcommand" -s x -l extensions -d 'File extension(s) to search for (ex: -x php -x pdf js)'
+complete -c feroxbuster -n "__fish_use_subcommand" -s m -l methods -d 'HTTP request method(s) (default: GET)'
+complete -c feroxbuster -n "__fish_use_subcommand" -l data -d 'HTTP Body data; can read data from a file if input starts with an @ (ex: @post.bin)'
+complete -c feroxbuster -n "__fish_use_subcommand" -l dont-scan -d 'URL(s) or Regex Pattern(s) to exclude from recursion/scans'
 complete -c feroxbuster -n "__fish_use_subcommand" -s H -l headers -d 'Specify HTTP headers (ex: -H Header:val \'stuff: things\')'
+complete -c feroxbuster -n "__fish_use_subcommand" -s b -l cookies -d 'Specify HTTP cookies (ex: -b stuff=things)'
 complete -c feroxbuster -n "__fish_use_subcommand" -s Q -l query -d 'Specify URL query parameters (ex: -Q token=stuff -Q secret=key)'
 complete -c feroxbuster -n "__fish_use_subcommand" -s S -l filter-size -d 'Filter out messages of a particular size (ex: -S 5120 -S 4927,1970)'
 complete -c feroxbuster -n "__fish_use_subcommand" -s X -l filter-regex -d 'Filter out messages via regular expression matching on the response\'s body (ex: -X \'^ignore me$\')'
@@ -31,6 +35,7 @@ complete -c feroxbuster -n "__fish_use_subcommand" -l auto-tune -d 'Automaticall
 complete -c feroxbuster -n "__fish_use_subcommand" -l auto-bail -d 'Automatically stop scanning when an excessive amount of errors are encountered'
 complete -c feroxbuster -n "__fish_use_subcommand" -l json -d 'Emit JSON logs to --output and --debug-log instead of normal text'
 complete -c feroxbuster -n "__fish_use_subcommand" -s D -l dont-filter -d 'Don\'t auto-filter wildcard responses'
+complete -c feroxbuster -n "__fish_use_subcommand" -s A -l random-agent -d 'Use a random User-Agent'
 complete -c feroxbuster -n "__fish_use_subcommand" -s r -l redirects -d 'Follow redirects'
 complete -c feroxbuster -n "__fish_use_subcommand" -s k -l insecure -d 'Disables TLS certificate validation'
 complete -c feroxbuster -n "__fish_use_subcommand" -s n -l no-recursion -d 'Do not scan recursively'

src/banner/container.rs

@@ -1,14 +1,15 @@
 use super::entry::BannerEntry;
 use crate::{
+    client,
     config::Configuration,
     event_handlers::Handles,
-    utils::{logged_request, status_colorizer},
-    VERSION,
+    utils::{make_request, parse_url_with_raw_path, status_colorizer},
+    DEFAULT_IGNORED_EXTENSIONS, DEFAULT_METHOD, DEFAULT_STATUS_CODES, VERSION,
 };
 use anyhow::{bail, Result};
 use console::{style, Emoji};
-use reqwest::Url;
 use serde_json::Value;
+use std::collections::HashMap;
 use std::{io::Write, sync::Arc};
 
 /// Url used to query github's api; specifically used to look for the latest tagged release name
@@ -50,12 +51,24 @@ pub struct Banner {
     /// represents Configuration.user_agent
     user_agent: BannerEntry,
 
+    /// represents Configuration.random_agent
+    random_agent: BannerEntry,
+
     /// represents Configuration.config
     config: BannerEntry,
 
     /// represents Configuration.proxy
     proxy: BannerEntry,
 
+    /// represents Configuration.client_key
+    client_key: BannerEntry,
+
+    /// represents Configuration.client_cert
+    client_cert: BannerEntry,
+
+    /// represents Configuration.server_certs
+    server_certs: BannerEntry,
+
     /// represents Configuration.replay_proxy
     replay_proxy: BannerEntry,
 
@@ -95,6 +108,12 @@ pub struct Banner {
     /// represents Configuration.extensions
     extensions: BannerEntry,
 
+    /// represents Configuration.methods
+    methods: BannerEntry,
+
+    /// represents Configuration.data
+    data: BannerEntry,
+
     /// represents Configuration.insecure
     insecure: BannerEntry,
 
@@ -134,11 +153,29 @@ pub struct Banner {
     /// represents Configuration.auto_bail
     auto_bail: BannerEntry,
 
+    /// represents Configuration.url_denylist
+    url_denylist: Vec<BannerEntry>,
+
     /// current version of feroxbuster
     pub(super) version: String,
 
     /// whether or not there is a known new version
     pub(super) update_status: UpdateStatus,
+
+    /// represents Configuration.collect_extensions
+    collect_extensions: BannerEntry,
+
+    /// represents Configuration.dont_collect
+    dont_collect: BannerEntry,
+
+    /// represents Configuration.collect_backups
+    collect_backups: BannerEntry,
+
+    /// represents Configuration.collect_words
+    collect_words: BannerEntry,
+
+    /// represents Configuration.collect_words
+    force_recursion: BannerEntry,
 }
 
 /// implementation of Banner
@@ -146,6 +183,7 @@ impl Banner {
     /// Create a new Banner from a Configuration and live targets
     pub fn new(tgts: &[String], config: &Configuration) -> Self {
         let mut targets = Vec::new();
+        let mut url_denylist = Vec::new();
         let mut code_filters = Vec::new();
         let mut replay_codes = Vec::new();
         let mut headers = Vec::new();
@@ -160,12 +198,41 @@ impl Banner {
             targets.push(BannerEntry::new("🎯", "Target Url", target));
         }
 
-        let mut codes = vec![];
-        for code in &config.status_codes {
-            codes.push(status_colorizer(&code.to_string()))
+        for denied_url in &config.url_denylist {
+            url_denylist.push(BannerEntry::new(
+                "🚫",
+                "Don't Scan Url",
+                denied_url.as_str(),
+            ));
         }
-        let status_codes =
-            BannerEntry::new("👌", "Status Codes", &format!("[{}]", codes.join(", ")));
+
+        for denied_regex in &config.regex_denylist {
+            url_denylist.push(BannerEntry::new(
+                "🚫",
+                "Don't Scan Regex",
+                denied_regex.as_str(),
+            ));
+        }
+
+        // the +2 is for the 2 experimental status codes we add to the default list manually
+        let status_codes = if config.status_codes.len() == DEFAULT_STATUS_CODES.len() + 2 {
+            let all_str = format!(
+                "{} {} {}{}",
+                style("All").cyan(),
+                style("Status").green(),
+                style("Codes").yellow(),
+                style("!").red()
+            );
+            BannerEntry::new("👌", "Status Codes", &all_str)
+        } else {
+            let mut codes = vec![];
+
+            for code in &config.status_codes {
+                codes.push(status_colorizer(&code.to_string()))
+            }
+
+            BannerEntry::new("👌", "Status Codes", &format!("[{}]", codes.join(", ")))
+        };
 
         for code in &config.filter_status {
             code_filters.push(status_colorizer(&code.to_string()))
@@ -189,7 +256,7 @@ impl Banner {
             headers.push(BannerEntry::new(
                 "🤯",
                 "Header",
-                &format!("{}: {}", name, value),
+                &format!("{name}: {value}"),
             ));
         }
 
@@ -259,15 +326,25 @@ impl Banner {
             &config.scan_limit.to_string(),
         );
 
+        let force_recursion =
+            BannerEntry::new("🤘", "Force Recursion", &config.force_recursion.to_string());
         let replay_proxy = BannerEntry::new("🎥", "Replay Proxy", &config.replay_proxy);
         let auto_tune = BannerEntry::new("🎶", "Auto Tune", &config.auto_tune.to_string());
-        let auto_bail = BannerEntry::new("🪣", "Auto Bail", &config.auto_bail.to_string());
+        let auto_bail = BannerEntry::new("🙅", "Auto Bail", &config.auto_bail.to_string());
         let cfg = BannerEntry::new("💉", "Config File", &config.config);
         let proxy = BannerEntry::new("💎", "Proxy", &config.proxy);
+        let server_certs = BannerEntry::new(
+            "🏅",
+            "Server Certificates",
+            &format!("[{}]", config.server_certs.join(", ")),
+        );
+        let client_cert = BannerEntry::new("🏅", "Client Certificate", &config.client_cert);
+        let client_key = BannerEntry::new("🔑", "Client Key", &config.client_key);
         let threads = BannerEntry::new("🚀", "Threads", &config.threads.to_string());
         let wordlist = BannerEntry::new("📖", "Wordlist", &config.wordlist);
         let timeout = BannerEntry::new("💥", "Timeout (secs)", &config.timeout.to_string());
         let user_agent = BannerEntry::new("🦡", "User-Agent", &config.user_agent);
+        let random_agent = BannerEntry::new("🦡", "User-Agent", "Random");
         let extract_links =
             BannerEntry::new("🔎", "Extract Links", &config.extract_links.to_string());
         let json = BannerEntry::new("🧔", "JSON Output", &config.json.to_string());
@@ -278,6 +355,38 @@ impl Banner {
             "Extensions",
             &format!("[{}]", config.extensions.join(", ")),
         );
+        let methods = BannerEntry::new(
+            "🏁",
+            "HTTP methods",
+            &format!("[{}]", config.methods.join(", ")),
+        );
+
+        let dont_collect = if config.dont_collect == DEFAULT_IGNORED_EXTENSIONS {
+            // default has 30+ extensions, just trim it up
+            BannerEntry::new(
+                "💸",
+                "Ignored Extensions",
+                "[Images, Movies, Audio, etc...]",
+            )
+        } else {
+            BannerEntry::new(
+                "💸",
+                "Ignored Extensions",
+                &format!("[{}]", config.dont_collect.join(", ")),
+            )
+        };
+
+        let offset = std::cmp::min(config.data.len(), 30);
+        let data = String::from_utf8(config.data[..offset].to_vec())
+            .unwrap_or_else(|_err| {
+                format!(
+                    "{:x?} ...",
+                    &config.data[..std::cmp::min(config.data.len(), 13)]
+                )
+            })
+            .replace('\n', " ")
+            .replace('\r', "");
+        let data = BannerEntry::new("💣", "HTTP Body", &data);
         let insecure = BannerEntry::new("🔓", "Insecure", &config.insecure.to_string());
         let redirects = BannerEntry::new("📍", "Follow Redirects", &config.redirects.to_string());
         let dont_filter =
@@ -287,6 +396,16 @@ impl Banner {
         let parallel = BannerEntry::new("🛤", "Parallel Scans", &config.parallel.to_string());
         let rate_limit =
             BannerEntry::new("🚧", "Requests per Second", &config.rate_limit.to_string());
+        let collect_extensions = BannerEntry::new(
+            "💰",
+            "Collect Extensions",
+            &config.collect_extensions.to_string(),
+        );
+        let collect_backups =
+            BannerEntry::new("🏦", "Collect Backups", &config.collect_backups.to_string());
+
+        let collect_words =
+            BannerEntry::new("🤑", "Collect Words", &config.collect_words.to_string());
 
         Self {
             targets,
@@ -296,9 +415,13 @@ impl Banner {
             filter_status,
             timeout,
             user_agent,
+            random_agent,
             auto_bail,
             auto_tune,
             proxy,
+            client_cert,
+            client_key,
+            server_certs,
             replay_codes,
             replay_proxy,
             headers,
@@ -314,6 +437,8 @@ impl Banner {
             output,
             debug_log,
             extensions,
+            methods,
+            data,
             insecure,
             dont_filter,
             redirects,
@@ -322,7 +447,13 @@ impl Banner {
             no_recursion,
             rate_limit,
             scan_limit,
+            force_recursion,
             time_limit,
+            url_denylist,
+            collect_extensions,
+            collect_backups,
+            collect_words,
+            dont_collect,
             config: cfg,
             version: VERSION.to_string(),
             update_status: UpdateStatus::Unknown,
@@ -343,7 +474,7 @@ by Ben "epi" Risher {}                 ver: {}"#,
 
         let top = "───────────────────────────┬──────────────────────";
 
-        format!("{}\n{}", artwork, top)
+        format!("{artwork}\n{top}")
     }
 
     /// get a fancy footer for the banner
@@ -354,10 +485,10 @@ by Ben "epi" Risher {}                 ver: {}"#,
         let instructions = format!(
             " 🏁  Press [{}] to use the {}™",
             style("ENTER").yellow(),
-            style("Scan Cancel Menu").bright().yellow(),
+            style("Scan Management Menu").bright().yellow(),
         );
 
-        format!("{}\n{}\n{}", bottom, instructions, addl_section)
+        format!("{bottom}\n{instructions}\n{addl_section}")
     }
 
     /// Makes a request to the given url, expecting to receive a JSON response that contains a field
@@ -367,9 +498,36 @@ by Ben "epi" Risher {}                 ver: {}"#,
     pub async fn check_for_updates(&mut self, url: &str, handles: Arc<Handles>) -> Result<()> {
         log::trace!("enter: needs_update({}, {:?})", url, handles);
 
-        let api_url = Url::parse(url)?;
+        let api_url = parse_url_with_raw_path(url)?;
+
+        // we don't want to leak sensitive header info / include auth headers
+        // with the github api request, so we'll build a client specifically
+        // for this task. thanks to @stuhlmann for the suggestion!
+        let client = client::initialize(
+            handles.config.timeout,
+            "feroxbuster-update-check",
+            handles.config.redirects,
+            handles.config.insecure,
+            &HashMap::new(),
+            Some(&handles.config.proxy),
+            &handles.config.server_certs,
+            Some(&handles.config.client_cert),
+            Some(&handles.config.client_key),
+        )?;
+        let level = handles.config.output_level;
+        let tx_stats = handles.stats.tx.clone();
+
+        let result = make_request(
+            &client,
+            &api_url,
+            DEFAULT_METHOD,
+            None,
+            level,
+            &handles.config,
+            tx_stats,
+        )
+        .await?;
 
-        let result = logged_request(&api_url, handles.clone()).await?;
         let body = result.text().await?;
 
         let json_response: Value = serde_json::from_str(&body)?;
@@ -410,21 +568,31 @@ by Ben "epi" Risher {}                 ver: {}"#,
 
         // begin with always printed items
         for target in &self.targets {
-            writeln!(&mut writer, "{}", target)?;
+            writeln!(&mut writer, "{target}")?;
+        }
+
+        for denied_url in &self.url_denylist {
+            writeln!(&mut writer, "{denied_url}")?;
         }
 
         writeln!(&mut writer, "{}", self.threads)?;
         writeln!(&mut writer, "{}", self.wordlist)?;
-        writeln!(&mut writer, "{}", self.status_codes)?;
 
-        if !config.filter_status.is_empty() {
-            // exception here for an optional print in the middle of always printed values is due
-            // to me wanting the allows and denys to be printed one after the other
+        if config.filter_status.is_empty() {
+            // -C and -s are mutually exclusive, and -s meaning changes when -C is used
+            // so only print one or the other
+            writeln!(&mut writer, "{}", self.status_codes)?;
+        } else {
             writeln!(&mut writer, "{}", self.filter_status)?;
         }
 
         writeln!(&mut writer, "{}", self.timeout)?;
-        writeln!(&mut writer, "{}", self.user_agent)?;
+
+        if config.random_agent {
+            writeln!(&mut writer, "{}", self.random_agent)?;
+        } else {
+            writeln!(&mut writer, "{}", self.user_agent)?;
+        }
 
         // followed by the maybe printed or variably displayed values
         if !config.config.is_empty() {
@@ -435,6 +603,18 @@ by Ben "epi" Risher {}                 ver: {}"#,
             writeln!(&mut writer, "{}", self.proxy)?;
         }
 
+        if !config.client_cert.is_empty() {
+            writeln!(&mut writer, "{}", self.client_cert)?;
+        }
+
+        if !config.client_key.is_empty() {
+            writeln!(&mut writer, "{}", self.client_key)?;
+        }
+
+        if !config.server_certs.is_empty() {
+            writeln!(&mut writer, "{}", self.server_certs)?;
+        }
+
         if !config.replay_proxy.is_empty() {
             // i include replay codes logic here because in config.rs, replay codes are set to the
             // value in status codes, meaning it's never empty
@@ -443,27 +623,27 @@ by Ben "epi" Risher {}                 ver: {}"#,
         }
 
         for header in &self.headers {
-            writeln!(&mut writer, "{}", header)?;
+            writeln!(&mut writer, "{header}")?;
         }
 
         for filter in &self.filter_size {
-            writeln!(&mut writer, "{}", filter)?;
+            writeln!(&mut writer, "{filter}")?;
         }
 
         for filter in &self.filter_similar {
-            writeln!(&mut writer, "{}", filter)?;
+            writeln!(&mut writer, "{filter}")?;
         }
 
         for filter in &self.filter_word_count {
-            writeln!(&mut writer, "{}", filter)?;
+            writeln!(&mut writer, "{filter}")?;
         }
 
         for filter in &self.filter_line_count {
-            writeln!(&mut writer, "{}", filter)?;
+            writeln!(&mut writer, "{filter}")?;
         }
 
         for filter in &self.filter_regex {
-            writeln!(&mut writer, "{}", filter)?;
+            writeln!(&mut writer, "{filter}")?;
         }
 
         if config.extract_links {
@@ -475,7 +655,7 @@ by Ben "epi" Risher {}                 ver: {}"#,
         }
 
         for query in &self.queries {
-            writeln!(&mut writer, "{}", query)?;
+            writeln!(&mut writer, "{query}")?;
         }
 
         if !config.output.is_empty() {
@@ -490,6 +670,28 @@ by Ben "epi" Risher {}                 ver: {}"#,
             writeln!(&mut writer, "{}", self.extensions)?;
         }
 
+        if config.collect_extensions {
+            // dont-collect is active only when collect-extensions is used
+            writeln!(&mut writer, "{}", self.collect_extensions)?;
+            writeln!(&mut writer, "{}", self.dont_collect)?;
+        }
+
+        if config.collect_backups {
+            writeln!(&mut writer, "{}", self.collect_backups)?;
+        }
+
+        if config.collect_words {
+            writeln!(&mut writer, "{}", self.collect_words)?;
+        }
+
+        if !config.methods.is_empty() {
+            writeln!(&mut writer, "{}", self.methods)?;
+        }
+
+        if !config.data.is_empty() {
+            writeln!(&mut writer, "{}", self.data)?;
+        }
+
         if config.insecure {
             writeln!(&mut writer, "{}", self.insecure)?;
         }
@@ -519,6 +721,10 @@ by Ben "epi" Risher {}                 ver: {}"#,
 
         writeln!(&mut writer, "{}", self.no_recursion)?;
 
+        if config.force_recursion {
+            writeln!(&mut writer, "{}", self.force_recursion)?;
+        }
+
         if config.scan_limit > 0 {
             writeln!(&mut writer, "{}", self.scan_limit)?;
         }
@@ -541,7 +747,7 @@ by Ben "epi" Risher {}                 ver: {}"#,
                 "New Version Available",
                 "https://github.com/epi052/feroxbuster/releases/latest",
             );
-            writeln!(&mut writer, "{}", update)?;
+            writeln!(&mut writer, "{update}")?;
         }
 
         writeln!(&mut writer, "{}", self.footer())?;

src/client.rs

@@ -1,19 +1,29 @@
-use anyhow::Result;
+use anyhow::{Context, Result};
 use reqwest::header::HeaderMap;
 use reqwest::{redirect::Policy, Client, Proxy};
 use std::collections::HashMap;
 use std::convert::TryInto;
+use std::path::Path;
 use std::time::Duration;
 
 /// Create and return an instance of [reqwest::Client](https://docs.rs/reqwest/latest/reqwest/struct.Client.html)
-pub fn initialize(
+/// For now, silence clippy for this one
+#[allow(clippy::too_many_arguments)]
+pub fn initialize<I>(
     timeout: u64,
     user_agent: &str,
     redirects: bool,
     insecure: bool,
     headers: &HashMap<String, String>,
     proxy: Option<&str>,
-) -> Result<Client> {
+    server_certs: I,
+    client_cert: Option<&str>,
+    client_key: Option<&str>,
+) -> Result<Client>
+where
+    I: IntoIterator,
+    I::Item: AsRef<Path> + std::fmt::Debug,
+{
     let policy = if redirects {
         Policy::limited(10)
     } else {
@@ -22,18 +32,53 @@ pub fn initialize(
 
     let header_map: HeaderMap = headers.try_into()?;
 
-    let client = Client::builder()
+    let mut client = Client::builder()
         .timeout(Duration::new(timeout, 0))
         .user_agent(user_agent)
         .danger_accept_invalid_certs(insecure)
         .default_headers(header_map)
-        .redirect(policy);
+        .redirect(policy)
+        .http1_title_case_headers();
 
     if let Some(some_proxy) = proxy {
         if !some_proxy.is_empty() {
             // it's not an empty string; set the proxy
             let proxy_obj = Proxy::all(some_proxy)?;
-            return Ok(client.proxy(proxy_obj).build()?);
+            // just add the proxy to the client
+            // don't build and return it just yet
+            client = client.proxy(proxy_obj);
+        }
+    }
+
+    for cert_path in server_certs {
+        let buf = std::fs::read(&cert_path)?;
+
+        let cert = match reqwest::Certificate::from_pem(&buf) {
+            Ok(cert) => cert,
+            Err(err) => reqwest::Certificate::from_der(&buf).with_context(|| {
+                format!(
+                    "{:?} does not contain a valid PEM or DER certificate\n{}",
+                    &cert_path, err
+                )
+            })?,
+        };
+
+        client = client.add_root_certificate(cert);
+    }
+
+    if let (Some(cert_path), Some(key_path)) = (client_cert, client_key) {
+        if !cert_path.is_empty() && !key_path.is_empty() {
+            let cert = std::fs::read(cert_path)?;
+            let key = std::fs::read(key_path)?;
+
+            let identity = reqwest::Identity::from_pkcs8_pem(&cert, &key).with_context(|| {
+                format!(
+                    "either {} or {} are invalid; expecting PEM encoded certificate and key",
+                    cert_path, key_path
+                )
+            })?;
+
+            client = client.identity(identity);
         }
     }
 
@@ -49,7 +94,18 @@ mod tests {
     /// create client with a bad proxy, expect panic
     fn client_with_bad_proxy() {
         let headers = HashMap::new();
-        initialize(0, "stuff", true, false, &headers, Some("not a valid proxy")).unwrap();
+        initialize(
+            0,
+            "stuff",
+            true,
+            false,
+            &headers,
+            Some("not a valid proxy"),
+            Vec::<String>::new(),
+            None,
+            None,
+        )
+        .unwrap();
     }
 
     #[test]
@@ -57,6 +113,99 @@ mod tests {
     fn client_with_good_proxy() {
         let headers = HashMap::new();
         let proxy = "http://127.0.0.1:8080";
-        initialize(0, "stuff", true, true, &headers, Some(proxy)).unwrap();
+        initialize(
+            0,
+            "stuff",
+            true,
+            true,
+            &headers,
+            Some(proxy),
+            Vec::<String>::new(),
+            None,
+            None,
+        )
+        .unwrap();
+    }
+
+    #[test]
+    /// create client with a server cert in pem format, expect no error
+    fn client_with_valid_server_pem() {
+        let headers = HashMap::new();
+
+        initialize(
+            0,
+            "stuff",
+            true,
+            true,
+            &headers,
+            None,
+            vec!["tests/mutual-auth/certs/server/server.crt.1".to_string()],
+            None,
+            None,
+        )
+        .unwrap();
+    }
+
+    #[test]
+    /// create client with a server cert in der format, expect no error
+    fn client_with_valid_server_der() {
+        let headers = HashMap::new();
+
+        initialize(
+            0,
+            "stuff",
+            true,
+            true,
+            &headers,
+            None,
+            vec!["tests/mutual-auth/certs/server/server.der".to_string()],
+            None,
+            None,
+        )
+        .unwrap();
+    }
+
+    #[test]
+    /// create client with two server certs (pem and der), expect no error
+    fn client_with_valid_server_pem_and_der() {
+        let headers = HashMap::new();
+
+        println!("{}", std::env::current_dir().unwrap().display());
+
+        initialize(
+            0,
+            "stuff",
+            true,
+            true,
+            &headers,
+            None,
+            vec![
+                "tests/mutual-auth/certs/server/server.crt.1".to_string(),
+                "tests/mutual-auth/certs/server/server.der".to_string(),
+            ],
+            None,
+            None,
+        )
+        .unwrap();
+    }
+
+    /// create client with invalid certificate, expect panic
+    #[test]
+    #[should_panic]
+    fn client_with_invalid_server_cert() {
+        let headers = HashMap::new();
+
+        initialize(
+            0,
+            "stuff",
+            true,
+            true,
+            &headers,
+            None,
+            vec!["tests/mutual-auth/certs/client/client.key".to_string()],
+            None,
+            None,
+        )
+        .unwrap();
     }
 }

src/config/container.rs

@@ -1,16 +1,21 @@
 use super::utils::{
-    depth, report_and_exit, save_state, serialized_type, status_codes, threads, timeout,
-    user_agent, wordlist, OutputLevel, RequesterPolicy,
+    backup_extensions, depth, extract_links, ignored_extensions, methods, report_and_exit,
+    save_state, serialized_type, status_codes, threads, timeout, user_agent, wordlist, OutputLevel,
+    RequesterPolicy,
 };
 use crate::config::determine_output_level;
 use crate::config::utils::determine_requester_policy;
 use crate::{
-    client, parser, scan_manager::resume_scan, traits::FeroxSerialize, utils::fmt_err,
+    client, parser,
+    scan_manager::resume_scan,
+    traits::FeroxSerialize,
+    utils::{fmt_err, parse_url_with_raw_path},
     DEFAULT_CONFIG_NAME,
 };
 use anyhow::{anyhow, Context, Result};
-use clap::{value_t, ArgMatches};
-use reqwest::{Client, StatusCode};
+use clap::{parser::ValueSource, ArgMatches};
+use regex::Regex;
+use reqwest::{Client, Method, StatusCode, Url};
 use serde::{Deserialize, Serialize};
 use std::{
     collections::HashMap,
@@ -21,17 +26,10 @@ use std::{
 
 /// macro helper to abstract away repetitive configuration updates
 macro_rules! update_config_if_present {
-    ($c:expr, $m:ident, $v:expr, $t:ty) => {
-        match value_t!($m, $v, $t) {
-            Ok(value) => *$c = value, // Update value
-            Err(clap::Error {
-                kind: clap::ErrorKind::ArgumentNotFound,
-                message: _,
-                info: _,
-            }) => {
-                // Do nothing if argument not found
-            }
-            Err(e) => e.exit(), // Exit with error on parse error
+    ($conf_val:expr, $matches:ident, $arg_name:expr, $arg_type:ty) => {
+        match $matches.get_one::<$arg_type>($arg_name) {
+            Some(value) => *$conf_val = value.to_owned(), // Update value
+            None => {}
         }
     };
 }
@@ -45,6 +43,35 @@ macro_rules! update_if_not_default {
     };
 }
 
+/// macro helper to abstract away repetitive checks to see if the user has specified a value
+/// for a given argument from the commandline or if we just had a default value in the parser
+macro_rules! came_from_cli {
+    ($matches:ident, $arg_name:expr) => {
+        matches!(
+            $matches.value_source($arg_name),
+            Some(ValueSource::CommandLine)
+        )
+    };
+}
+
+/// macro helper to abstract away repetitive if not default: update checks, specifically for
+/// values that are number types, i.e. usize, u64, etc
+macro_rules! update_config_with_num_type_if_present {
+    ($conf_val:expr, $matches:ident, $arg_name:expr, $arg_type:ty) => {
+        if let Some(val) = $matches.get_one::<String>($arg_name) {
+            match val.parse::<$arg_type>() {
+                Ok(v) => *$conf_val = v,
+                Err(_) => {
+                    report_and_exit(&format!(
+                        "Invalid value for --{}, must be a positive integer",
+                        $arg_name
+                    ));
+                }
+            }
+        }
+    };
+}
+
 /// Represents the final, global configuration of the program.
 ///
 /// This struct is the combination of the following:
@@ -77,6 +104,18 @@ pub struct Configuration {
     #[serde(default)]
     pub replay_proxy: String,
 
+    /// Path to a custom root certificate for connecting to servers with a self-signed certificate
+    #[serde(default)]
+    pub server_certs: Vec<String>,
+
+    /// Path to a client's PEM encoded X509 certificate used during mutual authentication
+    #[serde(default)]
+    pub client_cert: String,
+
+    /// Path to a client's PEM encoded PKSC #8 private key used during mutual authentication
+    #[serde(default)]
+    pub client_key: String,
+
     /// The target URL
     #[serde(default)]
     pub target_url: String,
@@ -154,6 +193,10 @@ pub struct Configuration {
     #[serde(default = "user_agent")]
     pub user_agent: String,
 
+    /// Use random User-Agent
+    #[serde(default)]
+    pub random_agent: bool,
+
     /// Follow redirects
     #[serde(default)]
     pub redirects: bool,
@@ -166,6 +209,14 @@ pub struct Configuration {
     #[serde(default)]
     pub extensions: Vec<String>,
 
+    /// HTTP requests methods(s) to search for
+    #[serde(default = "methods")]
+    pub methods: Vec<String>,
+
+    /// HTTP Body data to send during request
+    #[serde(default)]
+    pub data: Vec<u8>,
+
     /// HTTP headers to be used in each request
     #[serde(default)]
     pub headers: HashMap<String, String>,
@@ -179,7 +230,7 @@ pub struct Configuration {
     pub no_recursion: bool,
 
     /// Extract links from html/javscript
-    #[serde(default)]
+    #[serde(default = "extract_links")]
     pub extract_links: bool,
 
     /// Append / to each request
@@ -235,8 +286,6 @@ pub struct Configuration {
     pub resume_from: String,
 
     /// Whether or not a scan's current state should be saved when user presses Ctrl+C
-    ///
-    /// Not configurable from CLI; can only be set from a config file
     #[serde(default = "save_state")]
     pub save_state: bool,
 
@@ -248,6 +297,41 @@ pub struct Configuration {
     /// Filter out response bodies that meet a certain threshold of similarity
     #[serde(default)]
     pub filter_similar: Vec<String>,
+
+    /// URLs that should never be scanned/recursed into
+    #[serde(default)]
+    pub url_denylist: Vec<Url>,
+
+    /// URLs that should never be scanned/recursed into based on a regular expression
+    #[serde(with = "serde_regex", default)]
+    pub regex_denylist: Vec<Regex>,
+
+    /// Automatically discover extensions and add them to --extensions (unless they're in --dont-collect)
+    #[serde(default)]
+    pub collect_extensions: bool,
+
+    /// don't collect any of these extensions when --collect-extensions is used
+    #[serde(default = "ignored_extensions")]
+    pub dont_collect: Vec<String>,
+
+    /// Automatically request likely backup extensions on "found" urls
+    #[serde(default)]
+    pub collect_backups: bool,
+
+    #[serde(default = "backup_extensions")]
+    pub backup_extensions: Vec<String>,
+
+    /// Automatically discover important words from within responses and add them to the wordlist
+    #[serde(default)]
+    pub collect_words: bool,
+
+    /// override recursion logic to always attempt recursion, still respects --depth
+    #[serde(default)]
+    pub force_recursion: bool,
+
+    /// Auto update app feature
+    #[serde(skip)]
+    pub update_app: bool,
 }
 
 impl Default for Configuration {
@@ -255,14 +339,25 @@ impl Default for Configuration {
     fn default() -> Self {
         let timeout = timeout();
         let user_agent = user_agent();
-        let client = client::initialize(timeout, &user_agent, false, false, &HashMap::new(), None)
-            .expect("Could not build client");
+        let client = client::initialize(
+            timeout,
+            &user_agent,
+            false,
+            false,
+            &HashMap::new(),
+            None,
+            Vec::<String>::new(),
+            None,
+            None,
+        )
+        .expect("Could not build client");
         let replay_client = None;
         let status_codes = status_codes();
         let replay_codes = status_codes.clone();
         let kind = serialized_type();
         let output_level = OutputLevel::Default;
         let requester_policy = RequesterPolicy::Default;
+        let extract_links = extract_links();
 
         Configuration {
             kind,
@@ -271,6 +366,7 @@ impl Default for Configuration {
             user_agent,
             replay_codes,
             status_codes,
+            extract_links,
             replay_client,
             requester_policy,
             dont_filter: false,
@@ -290,9 +386,16 @@ impl Default for Configuration {
             insecure: false,
             redirects: false,
             no_recursion: false,
-            extract_links: false,
+            random_agent: false,
+            collect_extensions: false,
+            collect_backups: false,
+            collect_words: false,
             save_state: true,
+            force_recursion: false,
+            update_app: false,
             proxy: String::new(),
+            client_cert: String::new(),
+            client_key: String::new(),
             config: String::new(),
             output: String::new(),
             debug_log: String::new(),
@@ -300,10 +403,15 @@ impl Default for Configuration {
             time_limit: String::new(),
             resume_from: String::new(),
             replay_proxy: String::new(),
+            server_certs: Vec::new(),
             queries: Vec::new(),
             extensions: Vec::new(),
+            methods: methods(),
+            data: Vec::new(),
             filter_size: Vec::new(),
             filter_regex: Vec::new(),
+            url_denylist: Vec::new(),
+            regex_denylist: Vec::new(),
             filter_line_count: Vec::new(),
             filter_word_count: Vec::new(),
             filter_status: Vec::new(),
@@ -312,6 +420,8 @@ impl Default for Configuration {
             depth: depth(),
             threads: threads(),
             wordlist: wordlist(),
+            dont_collect: ignored_extensions(),
+            backup_extensions: backup_extensions(),
         }
     }
 }
@@ -322,7 +432,7 @@ impl Configuration {
     ///
     /// - **timeout**: `5` seconds
     /// - **redirects**: `false`
-    /// - **extract-links**: `false`
+    /// - **extract_links**: `true`
     /// - **wordlist**: [`DEFAULT_WORDLIST`](constant.DEFAULT_WORDLIST.html)
     /// - **config**: `None`
     /// - **threads**: `50`
@@ -339,8 +449,18 @@ impl Configuration {
     /// - **auto_bail**: `false`
     /// - **save_state**: `true`
     /// - **user_agent**: `feroxbuster/VERSION`
+    /// - **random_agent**: `false`
     /// - **insecure**: `false` (don't be insecure, i.e. don't allow invalid certs)
     /// - **extensions**: `None`
+    /// - **collect_extensions**: `false`
+    /// - **collect_backups**: `false`
+    /// - **backup_extensions**: [`DEFAULT_BACKUP_EXTENSIONS`](constant.DEFAULT_BACKUP_EXTENSIONS.html)
+    /// - **collect_words**: `false`
+    /// - **dont_collect**: [`DEFAULT_IGNORED_EXTENSIONS`](constant.DEFAULT_RESPONSE_CODES.html)
+    /// - **methods**: [`DEFAULT_METHOD`](constant.DEFAULT_METHOD.html)
+    /// - **data**: `None`
+    /// - **url_denylist**: `None`
+    /// - **regex_denylist**: `None`
     /// - **filter_size**: `None`
     /// - **filter_similar**: `None`
     /// - **filter_regex**: `None`
@@ -354,12 +474,14 @@ impl Configuration {
     /// - **json**: `false`
     /// - **dont_filter**: `false` (auto filter wildcard responses)
     /// - **depth**: `4` (maximum recursion depth)
+    /// - **force_recursion**: `false` (still respects recursion depth)
     /// - **scan_limit**: `0` (no limit on concurrent scans imposed)
     /// - **parallel**: `0` (no limit on parallel scans imposed)
     /// - **rate_limit**: `0` (no limit on requests per second imposed)
     /// - **time_limit**: `None` (no limit on length of scan imposed)
     /// - **replay_proxy**: `None` (no limit on concurrent scans imposed)
     /// - **replay_codes**: [`DEFAULT_RESPONSE_CODES`](constant.DEFAULT_RESPONSE_CODES.html)
+    /// - **update_app**: `false`
     ///
     /// After which, any values defined in a
     /// [ferox-config.toml](constant.DEFAULT_CONFIG_NAME.html) config file will override the
@@ -403,7 +525,7 @@ impl Configuration {
 
         // --resume-from used, need to first read the Configuration from disk, and then
         // merge the cli_config into the resumed config
-        if let Some(filename) = args.value_of("resume_from") {
+        if let Some(filename) = args.get_one::<String>("resume_from") {
             // when resuming a scan, instead of normal configuration loading, we just
             // load the config from disk by calling resume_scan
             let mut previous_config = resume_scan(filename);
@@ -441,7 +563,7 @@ impl Configuration {
 
     /// Parse all possible versions of the ferox-config.toml file, adhering to the order of
     /// precedence outlined above
-    fn parse_config_files(mut config: &mut Self) -> Result<()> {
+    fn parse_config_files(config: &mut Self) -> Result<()> {
         // Next, we parse the ferox-config.toml file, if present and set the values
         // therein to overwrite our default values. Deserialized defaults are specified
         // in the Configuration struct so that we don't change anything that isn't
@@ -457,7 +579,7 @@ impl Configuration {
         let config_file = PathBuf::new()
             .join("/etc/feroxbuster")
             .join(DEFAULT_CONFIG_NAME);
-        Self::parse_and_merge_config(config_file, &mut config)?;
+        Self::parse_and_merge_config(config_file, config)?;
 
         // merge a config found at ~/.config/feroxbuster/ferox-config.toml
         // config_dir() resolves to one of the following
@@ -466,7 +588,7 @@ impl Configuration {
         //   - windows: {FOLDERID_RoamingAppData}
         let config_dir = dirs::config_dir().ok_or_else(|| anyhow!("Couldn't load config"))?;
         let config_file = config_dir.join("feroxbuster").join(DEFAULT_CONFIG_NAME);
-        Self::parse_and_merge_config(config_file, &mut config)?;
+        Self::parse_and_merge_config(config_file, config)?;
 
         // merge a config found in same the directory as feroxbuster executable
         let exe_path = current_exe()?;
@@ -474,12 +596,12 @@ impl Configuration {
             .parent()
             .ok_or_else(|| anyhow!("Couldn't load config"))?;
         let config_file = bin_dir.join(DEFAULT_CONFIG_NAME);
-        Self::parse_and_merge_config(config_file, &mut config)?;
+        Self::parse_and_merge_config(config_file, config)?;
 
         // merge a config found in the user's current working directory
         let cwd = current_dir()?;
         let config_file = cwd.join(DEFAULT_CONFIG_NAME);
-        Self::parse_and_merge_config(config_file, &mut config)?;
+        Self::parse_and_merge_config(config_file, config)?;
 
         Ok(())
     }
@@ -489,18 +611,21 @@ impl Configuration {
     fn parse_cli_args(args: &ArgMatches) -> Self {
         let mut config = Configuration::default();
 
-        update_config_if_present!(&mut config.threads, args, "threads", usize);
-        update_config_if_present!(&mut config.depth, args, "depth", usize);
-        update_config_if_present!(&mut config.scan_limit, args, "scan_limit", usize);
-        update_config_if_present!(&mut config.parallel, args, "parallel", usize);
-        update_config_if_present!(&mut config.rate_limit, args, "rate_limit", usize);
+        update_config_with_num_type_if_present!(&mut config.threads, args, "threads", usize);
+        update_config_with_num_type_if_present!(&mut config.parallel, args, "parallel", usize);
+        update_config_with_num_type_if_present!(&mut config.depth, args, "depth", usize);
+        update_config_with_num_type_if_present!(&mut config.scan_limit, args, "scan_limit", usize);
+        update_config_with_num_type_if_present!(&mut config.rate_limit, args, "rate_limit", usize);
         update_config_if_present!(&mut config.wordlist, args, "wordlist", String);
         update_config_if_present!(&mut config.output, args, "output", String);
         update_config_if_present!(&mut config.debug_log, args, "debug_log", String);
-        update_config_if_present!(&mut config.time_limit, args, "time_limit", String);
         update_config_if_present!(&mut config.resume_from, args, "resume_from", String);
 
-        if let Some(arg) = args.values_of("status_codes") {
+        if let Ok(Some(inner)) = args.try_get_one::<String>("time_limit") {
+            config.time_limit = inner.to_owned();
+        }
+
+        if let Some(arg) = args.get_many::<String>("status_codes") {
             config.status_codes = arg
                 .map(|code| {
                     StatusCode::from_bytes(code.as_bytes())
@@ -510,7 +635,7 @@ impl Configuration {
                 .collect();
         }
 
-        if let Some(arg) = args.values_of("replay_codes") {
+        if let Some(arg) = args.get_many::<String>("replay_codes") {
             // replay codes passed in by the user
             config.replay_codes = arg
                 .map(|code| {
@@ -524,7 +649,7 @@ impl Configuration {
             config.replay_codes = config.status_codes.clone();
         }
 
-        if let Some(arg) = args.values_of("filter_status") {
+        if let Some(arg) = args.get_many::<String>("filter_status") {
             config.filter_status = arg
                 .map(|code| {
                     StatusCode::from_bytes(code.as_bytes())
@@ -534,19 +659,114 @@ impl Configuration {
                 .collect();
         }
 
-        if let Some(arg) = args.values_of("extensions") {
-            config.extensions = arg.map(|val| val.to_string()).collect();
+        if let Some(arg) = args.get_many::<String>("extensions") {
+            let mut extensions = Vec::<String>::new();
+            for ext in arg {
+                if let Some(stripped) = ext.strip_prefix('@') {
+                    let contents = read_to_string(stripped)
+                        .unwrap_or_else(|e| report_and_exit(&e.to_string()));
+                    let exts_from_file = contents.split('\n').filter_map(|s| {
+                        let trimmed = s.trim().trim_start_matches('.');
+
+                        if trimmed.is_empty() || trimmed.starts_with('#') {
+                            None
+                        } else {
+                            Some(trimmed.to_string())
+                        }
+                    });
+
+                    extensions.extend(exts_from_file);
+                } else {
+                    extensions.push(ext.trim().trim_start_matches('.').to_string());
+                }
+            }
+            config.extensions = extensions;
         }
 
-        if let Some(arg) = args.values_of("filter_regex") {
+        if let Some(arg) = args.get_many::<String>("dont_collect") {
+            config.dont_collect = arg.map(|val| val.to_string()).collect();
+        }
+
+        if let Some(arg) = args.get_many::<String>("methods") {
+            config.methods = arg
+                .map(|val| {
+                    // Check methods if they are correct
+                    Method::from_bytes(val.as_bytes())
+                        .unwrap_or_else(|e| report_and_exit(&e.to_string()))
+                        .as_str()
+                        .to_string()
+                })
+                .collect();
+        }
+
+        if let Some(arg) = args.get_one::<String>("data") {
+            if let Some(stripped) = arg.strip_prefix('@') {
+                config.data =
+                    std::fs::read(stripped).unwrap_or_else(|e| report_and_exit(&e.to_string()));
+            } else {
+                config.data = arg.as_bytes().to_vec();
+            }
+        }
+
+        if came_from_cli!(args, "stdin") {
+            config.stdin = true;
+        } else if let Some(url) = args.get_one::<String>("url") {
+            config.target_url = url.into();
+        }
+
+        if let Some(arg) = args.get_many::<String>("url_denylist") {
+            // compile all regular expressions and absolute urls used for --dont-scan
+            //
+            // when --dont-scan is used, the should_deny_url function is called at least once per
+            // url to be scanned. With the addition of regex support, I want to move parsing
+            // out of should_deny_url and into here, so it's performed once instead of thousands
+            // of times
+            for denier in arg {
+                // could be an absolute url or a regex, need to determine which and populate the
+                // appropriate vector
+                match parse_url_with_raw_path(denier.trim_end_matches('/')) {
+                    Ok(absolute) => {
+                        // denier is an absolute url and can be parsed as such
+                        config.url_denylist.push(absolute);
+                    }
+                    Err(err) => {
+                        // there are some expected errors that happen when we try to parse a url
+                        //     ex: Url::parse("/login") -> Err("relative URL without a base")
+                        //     ex: Url::parse("http:") -> Err("empty host")
+                        //
+                        // these are known errors and are used to determine a valid value to
+                        // --dont-scan, when it's not an absolute url
+                        //
+                        // when expected errors are encountered, we're going to assume
+                        // that the input is a regular expression to be parsed. The possibility
+                        // exists that the user rolled their face across the keyboard and we're
+                        // dealing with the results, in which case we'll report it as an error and
+                        // give up
+                        if err.to_string().contains("relative URL without a base")
+                            || err.to_string().contains("empty host")
+                        {
+                            let regex = Regex::new(denier)
+                                .unwrap_or_else(|e| report_and_exit(&e.to_string()));
+
+                            config.regex_denylist.push(regex);
+                        } else {
+                            // unexpected error has occurred; bail
+                            report_and_exit(&err.to_string());
+                        }
+                    }
+                }
+            }
+        }
+
+        if let Some(arg) = args.get_many::<String>("filter_regex") {
             config.filter_regex = arg.map(|val| val.to_string()).collect();
         }
 
-        if let Some(arg) = args.values_of("filter_similar") {
+        if let Some(arg) = args.get_many::<String>("filter_similar") {
             config.filter_similar = arg.map(|val| val.to_string()).collect();
         }
 
-        if let Some(arg) = args.values_of("filter_size") {
+        if let Some(arg) = args.get_many::<String>("filter_size") {
             config.filter_size = arg
                 .map(|size| {
                     size.parse::<u64>()
@@ -555,7 +775,7 @@ impl Configuration {
                 .collect();
         }
 
-        if let Some(arg) = args.values_of("filter_words") {
+        if let Some(arg) = args.get_many::<String>("filter_words") {
             config.filter_word_count = arg
                 .map(|size| {
                     size.parse::<usize>()
@@ -564,7 +784,7 @@ impl Configuration {
                 .collect();
         }
 
-        if let Some(arg) = args.values_of("filter_lines") {
+        if let Some(arg) = args.get_many::<String>("filter_lines") {
             config.filter_line_count = arg
                 .map(|size| {
                     size.parse::<usize>()
@@ -573,79 +793,141 @@ impl Configuration {
                 .collect();
         }
 
-        if args.is_present("silent") {
+        if came_from_cli!(args, "silent") {
             // the reason this is protected by an if statement:
             // consider a user specifying silent = true in ferox-config.toml
             // if the line below is outside of the if, we'd overwrite true with
             // false if no --silent is used on the command line
             config.silent = true;
-            config.output_level = OutputLevel::Silent;
+            config.output_level = if config.json {
+                OutputLevel::SilentJSON
+            } else {
+                OutputLevel::Silent
+            };
         }
 
-        if args.is_present("quiet") {
+        if came_from_cli!(args, "quiet") {
             config.quiet = true;
             config.output_level = OutputLevel::Quiet;
         }
 
-        if args.is_present("auto_tune") {
+        if came_from_cli!(args, "auto_tune")
+            || came_from_cli!(args, "smart")
+            || came_from_cli!(args, "thorough")
+        {
             config.auto_tune = true;
             config.requester_policy = RequesterPolicy::AutoTune;
         }
 
-        if args.is_present("auto_bail") {
+        if came_from_cli!(args, "auto_bail") {
             config.auto_bail = true;
             config.requester_policy = RequesterPolicy::AutoBail;
         }
 
-        if args.is_present("dont_filter") {
+        if came_from_cli!(args, "no_state") {
+            config.save_state = false;
+        }
+
+        if came_from_cli!(args, "dont_filter") {
             config.dont_filter = true;
         }
 
-        if args.occurrences_of("verbosity") > 0 {
-            // occurrences_of returns 0 if none are found; this is protected in
-            // an if block for the same reason as the quiet option
-            config.verbosity = args.occurrences_of("verbosity") as u8;
+        if came_from_cli!(args, "collect_extensions") || came_from_cli!(args, "thorough") {
+            config.collect_extensions = true;
         }
 
-        if args.is_present("no_recursion") {
+        if came_from_cli!(args, "collect_backups")
+            || came_from_cli!(args, "smart")
+            || came_from_cli!(args, "thorough")
+        {
+            config.collect_backups = true;
+            config.backup_extensions = backup_extensions();
+
+            if came_from_cli!(args, "collect_backups") {
+                if let Some(arg) = args.get_many::<String>("collect_backups") {
+                    let backup_exts = arg
+                        .map(|ext| ext.trim().to_string())
+                        .collect::<Vec<String>>();
+
+                    if !backup_exts.is_empty() {
+                        // have at least one cli backup, override the defaults
+                        config.backup_extensions = backup_exts;
+                    }
+                }
+            }
+        }
+
+        if came_from_cli!(args, "collect_words")
+            || came_from_cli!(args, "smart")
+            || came_from_cli!(args, "thorough")
+        {
+            config.collect_words = true;
+        }
+
+        if args.get_count("verbosity") > 0 {
+            // occurrences_of returns 0 if none are found; this is protected in
+            // an if block for the same reason as the quiet option
+            config.verbosity = args.get_count("verbosity");
+        }
+
+        if came_from_cli!(args, "no_recursion") {
             config.no_recursion = true;
         }
 
-        if args.is_present("add_slash") {
+        if came_from_cli!(args, "add_slash") {
             config.add_slash = true;
         }
 
-        if args.is_present("extract_links") {
-            config.extract_links = true;
+        if came_from_cli!(args, "dont_extract_links") {
+            config.extract_links = false;
         }
 
-        if args.is_present("json") {
+        if came_from_cli!(args, "json") {
             config.json = true;
         }
 
-        if args.is_present("stdin") {
-            config.stdin = true;
-        } else if let Some(url) = args.value_of("url") {
-            config.target_url = String::from(url);
+        if came_from_cli!(args, "force_recursion") {
+            config.force_recursion = true;
+        }
+
+        if came_from_cli!(args, "update_app") {
+            config.update_app = true;
         }
 
         ////
         // organizational breakpoint; all options below alter the Client configuration
         ////
         update_config_if_present!(&mut config.proxy, args, "proxy", String);
+        update_config_if_present!(&mut config.client_cert, args, "client_cert", String);
+        update_config_if_present!(&mut config.client_key, args, "client_key", String);
         update_config_if_present!(&mut config.replay_proxy, args, "replay_proxy", String);
         update_config_if_present!(&mut config.user_agent, args, "user_agent", String);
-        update_config_if_present!(&mut config.timeout, args, "timeout", u64);
+        update_config_with_num_type_if_present!(&mut config.timeout, args, "timeout", u64);
 
-        if args.is_present("redirects") {
+        if came_from_cli!(args, "burp") {
+            config.proxy = String::from("http://127.0.0.1:8080");
+        }
+
+        if came_from_cli!(args, "burp_replay") {
+            config.replay_proxy = String::from("http://127.0.0.1:8080");
+        }
+
+        if came_from_cli!(args, "random_agent") {
+            config.random_agent = true;
+        }
+
+        if came_from_cli!(args, "redirects") {
             config.redirects = true;
         }
 
-        if args.is_present("insecure") {
+        if came_from_cli!(args, "insecure")
+            || came_from_cli!(args, "burp")
+            || came_from_cli!(args, "burp_replay")
+        {
             config.insecure = true;
         }
 
-        if let Some(headers) = args.values_of("headers") {
+        if let Some(headers) = args.get_many::<String>("headers") {
             for val in headers {
                 let mut split_val = val.split(':');
 
@@ -659,7 +941,23 @@ impl Configuration {
             }
         }
 
-        if let Some(queries) = args.values_of("queries") {
+        if let Some(cookies) = args.get_many::<String>("cookies") {
+            config.headers.insert(
+                // we know the header name is always "cookie"
+                "Cookie".to_string(),
+                // on splitting, there should be only two elements,
+                // a key and a value
+                cookies
+                    .map(|cookie| cookie.split('=').collect::<Vec<&str>>()[..].to_owned())
+                    .filter(|parts| parts.len() == 2)
+                    .map(|parts| format!("{}={}", parts[0].trim(), parts[1].trim()))
+                    // trim the spaces, join with an equals sign
+                    .collect::<Vec<String>>()
+                    .join("; "), // join all the cookies with semicolons for the final header
+            );
+        }
+
+        if let Some(queries) = args.get_many::<String>("queries") {
             for val in queries {
                 // same basic logic used as reading in the headers HashMap above
                 let mut split_val = val.split('=');
@@ -672,6 +970,12 @@ impl Configuration {
             }
         }
 
+        if let Some(certs) = args.get_many::<String>("server_certs") {
+            for val in certs {
+                config.server_certs.push(val.to_string());
+            }
+        }
+
         config
     }
 
@@ -679,35 +983,53 @@ impl Configuration {
     /// either the config file or command line arguments; if we have, we need to rebuild
     /// the client and store it in the config struct
     fn try_rebuild_clients(configuration: &mut Configuration) {
-        if !configuration.proxy.is_empty()
+        // check if the proxy and certificate fields are empty
+        // and parse them into Some or None variants ahead of time
+        // so we may use the is_some method on them instead of
+        // multiple initializations
+        let proxy = if configuration.proxy.is_empty() {
+            None
+        } else {
+            Some(configuration.proxy.as_str())
+        };
+
+        let server_certs = &configuration.server_certs;
+
+        let client_cert = if configuration.client_cert.is_empty() {
+            None
+        } else {
+            Some(configuration.client_cert.as_str())
+        };
+
+        let client_key = if configuration.client_key.is_empty() {
+            None
+        } else {
+            Some(configuration.client_key.as_str())
+        };
+
+        if proxy.is_some()
             || configuration.timeout != timeout()
             || configuration.user_agent != user_agent()
             || configuration.redirects
             || configuration.insecure
             || !configuration.headers.is_empty()
             || configuration.resumed
+            || !server_certs.is_empty()
+            || client_cert.is_some()
+            || client_key.is_some()
         {
-            if configuration.proxy.is_empty() {
-                configuration.client = client::initialize(
-                    configuration.timeout,
-                    &configuration.user_agent,
-                    configuration.redirects,
-                    configuration.insecure,
-                    &configuration.headers,
-                    None,
-                )
-                .expect("Could not rebuild client")
-            } else {
-                configuration.client = client::initialize(
-                    configuration.timeout,
-                    &configuration.user_agent,
-                    configuration.redirects,
-                    configuration.insecure,
-                    &configuration.headers,
-                    Some(&configuration.proxy),
-                )
-                .expect("Could not rebuild client")
-            }
+            configuration.client = client::initialize(
+                configuration.timeout,
+                &configuration.user_agent,
+                configuration.redirects,
+                configuration.insecure,
+                &configuration.headers,
+                proxy,
+                server_certs,
+                client_cert,
+                client_key,
+            )
+            .expect("Could not rebuild client");
         }
 
         if !configuration.replay_proxy.is_empty() {
@@ -720,6 +1042,9 @@ impl Configuration {
                     configuration.insecure,
                     &configuration.headers,
                     Some(&configuration.replay_proxy),
+                    server_certs,
+                    client_cert,
+                    client_key,
                 )
                 .expect("Could not rebuild client"),
             );
@@ -728,7 +1053,7 @@ impl Configuration {
 
     /// Given a configuration file's location and an instance of `Configuration`, read in
     /// the config file if found and update the current settings with the settings found therein
-    fn parse_and_merge_config(config_file: PathBuf, mut config: &mut Self) -> Result<()> {
+    fn parse_and_merge_config(config_file: PathBuf, config: &mut Self) -> Result<()> {
         if config_file.exists() {
             // save off a string version of the path before it goes out of scope
             let conf_str = config_file.to_str().unwrap_or("").to_string();
@@ -738,7 +1063,7 @@ impl Configuration {
             config.config = conf_str;
 
             // update the settings
-            Self::merge_config(&mut config, settings);
+            Self::merge_config(config, settings);
         }
         Ok(())
     }
@@ -754,19 +1079,43 @@ impl Configuration {
         update_if_not_default!(&mut conf.target_url, new.target_url, "");
         update_if_not_default!(&mut conf.time_limit, new.time_limit, "");
         update_if_not_default!(&mut conf.proxy, new.proxy, "");
+        update_if_not_default!(
+            &mut conf.server_certs,
+            new.server_certs,
+            Vec::<String>::new()
+        );
+        update_if_not_default!(&mut conf.json, new.json, false);
+        update_if_not_default!(&mut conf.client_cert, new.client_cert, "");
+        update_if_not_default!(&mut conf.client_key, new.client_key, "");
         update_if_not_default!(&mut conf.verbosity, new.verbosity, 0);
         update_if_not_default!(&mut conf.silent, new.silent, false);
         update_if_not_default!(&mut conf.quiet, new.quiet, false);
         update_if_not_default!(&mut conf.auto_bail, new.auto_bail, false);
         update_if_not_default!(&mut conf.auto_tune, new.auto_tune, false);
+        update_if_not_default!(&mut conf.collect_extensions, new.collect_extensions, false);
+        update_if_not_default!(&mut conf.collect_backups, new.collect_backups, false);
+        update_if_not_default!(&mut conf.collect_words, new.collect_words, false);
         // use updated quiet/silent values to determine output level; same for requester policy
-        conf.output_level = determine_output_level(conf.quiet, conf.silent);
+        conf.output_level = determine_output_level(conf.quiet, conf.silent, conf.json);
         conf.requester_policy = determine_requester_policy(conf.auto_tune, conf.auto_bail);
         update_if_not_default!(&mut conf.output, new.output, "");
         update_if_not_default!(&mut conf.redirects, new.redirects, false);
         update_if_not_default!(&mut conf.insecure, new.insecure, false);
-        update_if_not_default!(&mut conf.extract_links, new.extract_links, false);
+        update_if_not_default!(&mut conf.force_recursion, new.force_recursion, false);
+        update_if_not_default!(&mut conf.extract_links, new.extract_links, extract_links());
         update_if_not_default!(&mut conf.extensions, new.extensions, Vec::<String>::new());
+        update_if_not_default!(&mut conf.methods, new.methods, methods());
+        update_if_not_default!(&mut conf.data, new.data, Vec::<u8>::new());
+        update_if_not_default!(&mut conf.url_denylist, new.url_denylist, Vec::<Url>::new());
+        update_if_not_default!(&mut conf.update_app, new.update_app, false);
+        if !new.regex_denylist.is_empty() {
+            // cant use the update_if_not_default macro due to the following error
+            //
+            //    binary operation `!=` cannot be applied to type `Vec<regex::Regex>`
+            //
+            // if we get a non-empty list of regex in the new config, override the old
+            conf.regex_denylist = new.regex_denylist;
+        }
         update_if_not_default!(&mut conf.headers, new.headers, HashMap::new());
         update_if_not_default!(&mut conf.queries, new.queries, Vec::new());
         update_if_not_default!(&mut conf.no_recursion, new.no_recursion, false);
@@ -805,10 +1154,15 @@ impl Configuration {
         update_if_not_default!(&mut conf.replay_proxy, new.replay_proxy, "");
         update_if_not_default!(&mut conf.debug_log, new.debug_log, "");
         update_if_not_default!(&mut conf.resume_from, new.resume_from, "");
-        update_if_not_default!(&mut conf.json, new.json, false);
 
         update_if_not_default!(&mut conf.timeout, new.timeout, timeout());
         update_if_not_default!(&mut conf.user_agent, new.user_agent, user_agent());
+        update_if_not_default!(
+            &mut conf.backup_extensions,
+            new.backup_extensions,
+            backup_extensions()
+        );
+        update_if_not_default!(&mut conf.random_agent, new.random_agent, false);
         update_if_not_default!(&mut conf.threads, new.threads, threads());
         update_if_not_default!(&mut conf.depth, new.depth, depth());
         update_if_not_default!(&mut conf.wordlist, new.wordlist, wordlist());
@@ -816,6 +1170,11 @@ impl Configuration {
         // status_codes() is the default for replay_codes, if they're not provided
         update_if_not_default!(&mut conf.replay_codes, new.replay_codes, status_codes());
         update_if_not_default!(&mut conf.save_state, new.save_state, save_state());
+        update_if_not_default!(
+            &mut conf.dont_collect,
+            new.dont_collect,
+            ignored_extensions()
+        );
     }
 
     /// If present, read in `DEFAULT_CONFIG_NAME` and deserialize the specified values
@@ -823,7 +1182,17 @@ impl Configuration {
     /// uses serde to deserialize the toml into a `Configuration` struct
     pub(super) fn parse_config(config_file: PathBuf) -> Result<Self> {
         let content = read_to_string(config_file)?;
-        let config: Self = toml::from_str(content.as_str())?;
+        let mut config: Self = toml::from_str(content.as_str())?;
+
+        if !config.extensions.is_empty() {
+            // remove leading periods, if any are found
+            config.extensions = config
+                .extensions
+                .iter()
+                .map(|ext| ext.trim_start_matches('.').to_string())
+                .collect();
+        }
+
         Ok(config)
     }
 }

src/config/tests.rs

@@ -1,6 +1,8 @@
 use super::utils::*;
 use super::*;
 use crate::{traits::FeroxSerialize, DEFAULT_CONFIG_NAME};
+use regex::Regex;
+use reqwest::Url;
 use std::{collections::HashMap, fs::write};
 use tempfile::TempDir;
 
@@ -28,23 +30,36 @@ fn setup_config_test() -> Configuration {
             resume_from = "/some/state/file"
             redirects = true
             insecure = true
+            collect_backups = true
+            collect_extensions = true
+            collect_words = true
             extensions = ["html", "php", "js"]
+            dont_collect = ["png", "gif", "jpg", "jpeg"]
+            methods = ["GET", "PUT", "DELETE"]
+            data = [31, 32, 33, 34]
+            url_denylist = ["http://dont-scan.me", "https://also-not.me"]
+            regex_denylist = ["/deny.*"]
             headers = {stuff = "things", mostuff = "mothings"}
             queries = [["name","value"], ["rick", "astley"]]
             no_recursion = true
             add_slash = true
             stdin = true
             dont_filter = true
-            extract_links = true
+            extract_links = false
             json = true
             save_state = false
             depth = 1
+            force_recursion = true
             filter_size = [4120]
             filter_regex = ["^ignore me$"]
             filter_similar = ["https://somesite.com/soft404"]
             filter_word_count = [994, 992]
             filter_line_count = [34]
             filter_status = [201]
+            server_certs = ["/some/cert.pem", "/some/other/cert.pem"]
+            client_cert = "/some/client/cert.pem"
+            client_key = "/some/client/key.pem"
+            backup_extensions = [".save"]
         "#;
     let tmp_dir = TempDir::new().unwrap();
     let file = tmp_dir.path().join(DEFAULT_CONFIG_NAME);
@@ -72,30 +87,44 @@ fn default_configuration() {
     assert_eq!(config.timeout, timeout());
     assert_eq!(config.verbosity, 0);
     assert_eq!(config.scan_limit, 0);
-    assert_eq!(config.silent, false);
-    assert_eq!(config.quiet, false);
+    assert!(!config.silent);
+    assert!(!config.quiet);
     assert_eq!(config.output_level, OutputLevel::Default);
-    assert_eq!(config.dont_filter, false);
-    assert_eq!(config.auto_tune, false);
-    assert_eq!(config.auto_bail, false);
+    assert!(!config.dont_filter);
+    assert!(!config.auto_tune);
+    assert!(!config.auto_bail);
     assert_eq!(config.requester_policy, RequesterPolicy::Default);
-    assert_eq!(config.no_recursion, false);
-    assert_eq!(config.json, false);
-    assert_eq!(config.save_state, true);
-    assert_eq!(config.stdin, false);
-    assert_eq!(config.add_slash, false);
-    assert_eq!(config.redirects, false);
-    assert_eq!(config.extract_links, false);
-    assert_eq!(config.insecure, false);
+    assert!(!config.no_recursion);
+    assert!(!config.random_agent);
+    assert!(!config.json);
+    assert!(config.save_state);
+    assert!(!config.stdin);
+    assert!(!config.add_slash);
+    assert!(!config.force_recursion);
+    assert!(!config.redirects);
+    assert!(config.extract_links);
+    assert!(!config.insecure);
+    assert!(!config.collect_extensions);
+    assert!(!config.collect_backups);
+    assert!(!config.collect_words);
+    assert!(config.regex_denylist.is_empty());
     assert_eq!(config.queries, Vec::new());
-    assert_eq!(config.extensions, Vec::<String>::new());
     assert_eq!(config.filter_size, Vec::<u64>::new());
+    assert_eq!(config.extensions, Vec::<String>::new());
+    assert_eq!(config.methods, vec!["GET"]);
+    assert_eq!(config.data, Vec::<u8>::new());
+    assert_eq!(config.url_denylist, Vec::<Url>::new());
+    assert_eq!(config.dont_collect, ignored_extensions());
     assert_eq!(config.filter_regex, Vec::<String>::new());
     assert_eq!(config.filter_similar, Vec::<String>::new());
     assert_eq!(config.filter_word_count, Vec::<usize>::new());
     assert_eq!(config.filter_line_count, Vec::<usize>::new());
     assert_eq!(config.filter_status, Vec::<u16>::new());
     assert_eq!(config.headers, HashMap::new());
+    assert_eq!(config.server_certs, Vec::<String>::new());
+    assert_eq!(config.client_cert, String::new());
+    assert_eq!(config.client_key, String::new());
+    assert_eq!(config.backup_extensions, backup_extensions());
 }
 
 #[test]
@@ -186,35 +215,42 @@ fn config_reads_replay_proxy() {
 /// parse the test config and see that the value parsed is correct
 fn config_reads_silent() {
     let config = setup_config_test();
-    assert_eq!(config.silent, true);
+    assert!(config.silent);
+}
+
+#[test]
+/// parse the test config and see that the value parsed is correct
+fn config_reads_force_recursion() {
+    let config = setup_config_test();
+    assert!(config.force_recursion);
 }
 
 #[test]
 /// parse the test config and see that the value parsed is correct
 fn config_reads_quiet() {
     let config = setup_config_test();
-    assert_eq!(config.quiet, true);
+    assert!(config.quiet);
 }
 
 #[test]
 /// parse the test config and see that the value parsed is correct
 fn config_reads_json() {
     let config = setup_config_test();
-    assert_eq!(config.json, true);
+    assert!(config.json);
 }
 
 #[test]
 /// parse the test config and see that the value parsed is correct
 fn config_reads_auto_bail() {
     let config = setup_config_test();
-    assert_eq!(config.auto_bail, true);
+    assert!(config.auto_bail);
 }
 
 #[test]
 /// parse the test config and see that the value parsed is correct
 fn config_reads_auto_tune() {
     let config = setup_config_test();
-    assert_eq!(config.auto_tune, true);
+    assert!(config.auto_tune);
 }
 
 #[test]
@@ -235,49 +271,70 @@ fn config_reads_output() {
 /// parse the test config and see that the value parsed is correct
 fn config_reads_redirects() {
     let config = setup_config_test();
-    assert_eq!(config.redirects, true);
+    assert!(config.redirects);
 }
 
 #[test]
 /// parse the test config and see that the value parsed is correct
 fn config_reads_insecure() {
     let config = setup_config_test();
-    assert_eq!(config.insecure, true);
+    assert!(config.insecure);
 }
 
 #[test]
 /// parse the test config and see that the value parsed is correct
 fn config_reads_no_recursion() {
     let config = setup_config_test();
-    assert_eq!(config.no_recursion, true);
+    assert!(config.no_recursion);
 }
 
 #[test]
 /// parse the test config and see that the value parsed is correct
 fn config_reads_stdin() {
     let config = setup_config_test();
-    assert_eq!(config.stdin, true);
+    assert!(config.stdin);
 }
 
 #[test]
 /// parse the test config and see that the value parsed is correct
 fn config_reads_dont_filter() {
     let config = setup_config_test();
-    assert_eq!(config.dont_filter, true);
+    assert!(config.dont_filter);
 }
 
 #[test]
 /// parse the test config and see that the value parsed is correct
 fn config_reads_add_slash() {
     let config = setup_config_test();
-    assert_eq!(config.add_slash, true);
+    assert!(config.add_slash);
 }
 
 #[test]
 /// parse the test config and see that the value parsed is correct
 fn config_reads_extract_links() {
     let config = setup_config_test();
-    assert_eq!(config.extract_links, true);
+    assert!(!config.extract_links);
+}
+
+#[test]
+/// parse the test config and see that the value parsed is correct
+fn config_reads_collect_extensions() {
+    let config = setup_config_test();
+    assert!(config.collect_extensions);
+}
+
+#[test]
+/// parse the test config and see that the value parsed is correct
+fn config_reads_collect_backups() {
+    let config = setup_config_test();
+    assert!(config.collect_backups);
+}
+
+#[test]
+/// parse the test config and see that the value parsed is correct
+fn config_reads_collect_words() {
+    let config = setup_config_test();
+    assert!(config.collect_words);
 }
 
 #[test]
@@ -287,6 +344,50 @@ fn config_reads_extensions() {
     assert_eq!(config.extensions, vec!["html", "php", "js"]);
 }
 
+#[test]
+/// parse the test config and see that the value parsed is correct
+fn config_reads_dont_collect() {
+    let config = setup_config_test();
+    assert_eq!(config.dont_collect, vec!["png", "gif", "jpg", "jpeg"]);
+}
+
+#[test]
+/// parse the test config and see that the value parsed is correct
+fn config_reads_methods() {
+    let config = setup_config_test();
+    assert_eq!(config.methods, vec!["GET", "PUT", "DELETE"]);
+}
+
+#[test]
+/// parse the test config and see that the value parsed is correct
+fn config_reads_data() {
+    let config = setup_config_test();
+    assert_eq!(config.data, vec![31, 32, 33, 34]);
+}
+
+#[test]
+/// parse the test config and see that the value parsed is correct
+fn config_reads_regex_denylist() {
+    let config = setup_config_test();
+    assert_eq!(
+        config.regex_denylist[0].as_str(),
+        Regex::new("/deny.*").unwrap().as_str()
+    );
+}
+
+#[test]
+/// parse the test config and see that the value parsed is correct
+fn config_reads_url_denylist() {
+    let config = setup_config_test();
+    assert_eq!(
+        config.url_denylist,
+        vec![
+            Url::parse("http://dont-scan.me").unwrap(),
+            Url::parse("https://also-not.me").unwrap(),
+        ]
+    );
+}
+
 #[test]
 /// parse the test config and see that the value parsed is correct
 fn config_reads_filter_regex() {
@@ -333,7 +434,7 @@ fn config_reads_filter_status() {
 /// parse the test config and see that the value parsed is correct
 fn config_reads_save_state() {
     let config = setup_config_test();
-    assert_eq!(config.save_state, false);
+    assert!(!config.save_state);
 }
 
 #[test]
@@ -350,6 +451,37 @@ fn config_reads_resume_from() {
     assert_eq!(config.resume_from, "/some/state/file");
 }
 
+#[test]
+/// parse the test config and see that the value parsed is correct
+fn config_reads_server_certs() {
+    let config = setup_config_test();
+    assert_eq!(
+        config.server_certs,
+        ["/some/cert.pem", "/some/other/cert.pem"]
+    );
+}
+
+#[test]
+/// parse the test config and see that the value parsed is correct
+fn config_reads_backup_extensions() {
+    let config = setup_config_test();
+    assert_eq!(config.backup_extensions, [".save"]);
+}
+
+#[test]
+/// parse the test config and see that the value parsed is correct
+fn config_reads_client_cert() {
+    let config = setup_config_test();
+    assert_eq!(config.client_cert, "/some/client/cert.pem");
+}
+
+#[test]
+/// parse the test config and see that the value parsed is correct
+fn config_reads_client_key() {
+    let config = setup_config_test();
+    assert_eq!(config.client_key, "/some/client/key.pem");
+}
+
 #[test]
 /// parse the test config and see that the values parsed are correct
 fn config_reads_headers() {
@@ -364,12 +496,19 @@ fn config_reads_headers() {
 /// parse the test config and see that the values parsed are correct
 fn config_reads_queries() {
     let config = setup_config_test();
-    let mut queries = vec![];
-    queries.push(("name".to_string(), "value".to_string()));
-    queries.push(("rick".to_string(), "astley".to_string()));
+    let queries = vec![
+        ("name".to_string(), "value".to_string()),
+        ("rick".to_string(), "astley".to_string()),
+    ];
     assert_eq!(config.queries, queries);
 }
 
+#[test]
+fn config_default_not_random_agent() {
+    let config = setup_config_test();
+    assert!(!config.random_agent);
+}
+
 #[test]
 #[should_panic]
 /// test that an error message is printed and panic is called when report_and_exit is called
@@ -382,7 +521,7 @@ fn config_report_and_exit_works() {
 fn as_str_returns_string_with_newline() {
     let config = Configuration::new().unwrap();
     let config_str = config.as_str();
-    println!("{}", config_str);
+    println!("{config_str}");
     assert!(config_str.starts_with("Configuration {"));
     assert!(config_str.ends_with("}\n"));
     assert!(config_str.contains("replay_codes:"));

src/config/utils.rs

@@ -1,6 +1,7 @@
 use crate::{
     utils::{module_colorizer, status_colorizer},
-    DEFAULT_STATUS_CODES, DEFAULT_WORDLIST, VERSION,
+    DEFAULT_BACKUP_EXTENSIONS, DEFAULT_IGNORED_EXTENSIONS, DEFAULT_METHOD, DEFAULT_STATUS_CODES,
+    DEFAULT_WORDLIST, VERSION,
 };
 #[cfg(not(test))]
 use std::process::exit;
@@ -49,6 +50,31 @@ pub(super) fn status_codes() -> Vec<u16> {
     DEFAULT_STATUS_CODES
         .iter()
         .map(|code| code.as_u16())
+        // add experimental codes not found in reqwest
+        // - 103 - EARLY_HINTS
+        // - 425 - TOO_EARLY
+        .chain([103, 425])
+        .collect()
+}
+
+/// default HTTP Method
+pub(super) fn methods() -> Vec<String> {
+    vec![DEFAULT_METHOD.to_owned()]
+}
+
+/// default extensions to ignore while auto-collecting
+pub(super) fn ignored_extensions() -> Vec<String> {
+    DEFAULT_IGNORED_EXTENSIONS
+        .iter()
+        .map(|s| s.to_string())
+        .collect()
+}
+
+/// default backup extensions to collect
+pub(super) fn backup_extensions() -> Vec<String> {
+    DEFAULT_BACKUP_EXTENSIONS
+        .iter()
+        .map(|s| s.to_string())
         .collect()
 }
 
@@ -59,7 +85,7 @@ pub(super) fn wordlist() -> String {
 
 /// default user-agent
 pub(super) fn user_agent() -> String {
-    format!("feroxbuster/{}", VERSION)
+    format!("feroxbuster/{VERSION}")
 }
 
 /// default recursion depth
@@ -67,8 +93,13 @@ pub(super) fn depth() -> usize {
     4
 }
 
+/// default extract links
+pub(super) fn extract_links() -> bool {
+    true
+}
+
 /// enum representing the three possible states for informational output (not logging verbosity)
-#[derive(Debug, Copy, Clone, PartialEq)]
+#[derive(Debug, Copy, Clone, PartialEq, Eq)]
 pub enum OutputLevel {
     /// normal scan, no --quiet|--silent
     Default,
@@ -78,6 +109,9 @@ pub enum OutputLevel {
 
     /// silent scan, only print urls (used to be --quiet in versions 1.x.x)
     Silent,
+
+    /// silent scan, but with JSON output
+    SilentJSON,
 }
 
 /// implement a default for OutputLevel
@@ -89,21 +123,29 @@ impl Default for OutputLevel {
 }
 
 /// given the current settings for quiet and silent, determine output_level (DRY helper)
-pub fn determine_output_level(quiet: bool, silent: bool) -> OutputLevel {
+pub fn determine_output_level(quiet: bool, silent: bool, json: bool) -> OutputLevel {
     if quiet && silent {
         // user COULD have both as true in config file, take the more quiet of the two
-        OutputLevel::Silent
+        if json {
+            OutputLevel::SilentJSON
+        } else {
+            OutputLevel::Silent
+        }
     } else if quiet {
         OutputLevel::Quiet
     } else if silent {
-        OutputLevel::Silent
+        if json {
+            OutputLevel::SilentJSON
+        } else {
+            OutputLevel::Silent
+        }
     } else {
         OutputLevel::Default
     }
 }
 
 /// represents actions the Requester should take in certain situations
-#[derive(Debug, PartialEq, Copy, Clone)]
+#[derive(Debug, PartialEq, Eq, Copy, Clone)]
 pub enum RequesterPolicy {
     /// automatically try to lower request rate in order to reduce errors
     AutoTune,
@@ -144,16 +186,28 @@ mod tests {
     #[test]
     /// test determine_output_level returns higher of the two levels if both given values are true
     fn determine_output_level_returns_correct_results() {
-        let mut level = determine_output_level(true, true);
+        let mut level = determine_output_level(true, true, false);
         assert_eq!(level, OutputLevel::Silent);
 
-        level = determine_output_level(false, true);
+        level = determine_output_level(false, true, false);
         assert_eq!(level, OutputLevel::Silent);
 
-        level = determine_output_level(false, false);
+        let mut level = determine_output_level(true, true, true);
+        assert_eq!(level, OutputLevel::SilentJSON);
+
+        level = determine_output_level(false, true, true);
+        assert_eq!(level, OutputLevel::SilentJSON);
+
+        level = determine_output_level(false, false, false);
         assert_eq!(level, OutputLevel::Default);
 
-        level = determine_output_level(true, false);
+        level = determine_output_level(true, false, false);
+        assert_eq!(level, OutputLevel::Quiet);
+
+        level = determine_output_level(false, false, true);
+        assert_eq!(level, OutputLevel::Default);
+
+        level = determine_output_level(true, false, true);
         assert_eq!(level, OutputLevel::Quiet);
     }
 

src/event_handlers/command.rs

@@ -1,4 +1,3 @@
-use std::collections::HashSet;
 use std::sync::Arc;
 
 use reqwest::StatusCode;
@@ -6,6 +5,8 @@ use tokio::sync::oneshot::Sender;
 
 use crate::response::FeroxResponse;
 use crate::{
+    event_handlers::Handles,
+    message::FeroxMessage,
     statistics::{StatError, StatField},
     traits::FeroxFilter,
 };
@@ -23,7 +24,9 @@ pub enum Command {
     AddStatus(StatusCode),
 
     /// Create the progress bar (`BarType::Total`) that is updated from the stats thread
-    CreateBar,
+    ///
+    /// the u64 value is the offset at which to start the progress bar (can be 0)
+    CreateBar(u64),
 
     /// Add to a `Stats` field that corresponds to the given `StatField` by the given `usize` value
     AddToUsizeField(StatField, usize),
@@ -43,17 +46,23 @@ pub enum Command {
     /// Add a `FeroxFilter` implementor to `FilterHandler`'s instance of `FeroxFilters`
     AddFilter(Box<dyn FeroxFilter>),
 
+    /// Remove a set of `FeroxFilter` implementors from `FeroxFilters` by index
+    RemoveFilters(Vec<usize>),
+
     /// Send a `FeroxResponse` to the output handler for reporting
     Report(Box<FeroxResponse>),
 
     /// Send a group of urls to be scanned (only used for the urls passed in explicitly by the user)
     ScanInitialUrls(Vec<String>),
 
+    /// Send a single url to be scanned (presumably added from the interactive menu)
+    ScanNewUrl(String),
+
     /// Determine whether or not recursion is appropriate, given a FeroxResponse, if so start a scan
     TryRecursion(Box<FeroxResponse>),
 
     /// Send a pointer to the wordlist to the recursion handler
-    UpdateWordlist(Arc<HashSet<String>>),
+    UpdateWordlist(Arc<Vec<String>>),
 
     /// Instruct the ScanHandler to join on all known scans, use sender to notify main when done
     JoinTasks(Sender<bool>),
@@ -64,6 +73,16 @@ pub enum Command {
     /// Just receive a sender and reply, used for slowing down the main thread
     Sync(Sender<bool>),
 
+    /// Notify event handler that a new extension has been seen
+    AddDiscoveredExtension(String),
+
+    /// Write an arbitrary string to disk
+    WriteToDisk(Box<FeroxMessage>),
+
     /// Break out of the (infinite) mpsc receive loop
     Exit,
+
+    /// Give a handler access to an Arc<Handles> instance after the handler has
+    /// already been initialized
+    AddHandles(Arc<Handles>),
 }

src/event_handlers/container.rs

@@ -6,6 +6,7 @@ use crate::Joiner;
 #[cfg(test)]
 use crate::{filters::FeroxFilters, statistics::Stats, Command};
 use anyhow::{bail, Result};
+use std::collections::HashSet;
 use std::sync::{Arc, RwLock};
 #[cfg(test)]
 use tokio::sync::mpsc::{self, UnboundedReceiver};
@@ -56,6 +57,9 @@ pub struct Handles {
 
     /// Handle for recursion
     pub scans: RwLock<Option<ScanHandle>>,
+
+    /// Pointer to the list of words generated from reading in the wordlist
+    pub wordlist: Arc<Vec<String>>,
 }
 
 /// implementation of Handles
@@ -66,6 +70,7 @@ impl Handles {
         filters: FiltersHandle,
         output: TermOutHandle,
         config: Arc<Configuration>,
+        wordlist: Arc<Vec<String>>,
     ) -> Self {
         Self {
             stats,
@@ -73,6 +78,7 @@ impl Handles {
             output,
             config,
             scans: RwLock::new(None),
+            wordlist,
         }
     }
 
@@ -85,15 +91,16 @@ impl Handles {
         let configuration = config.unwrap_or_else(|| Arc::new(Configuration::new().unwrap()));
         let (tx, rx) = mpsc::unbounded_channel::<Command>();
         let terminal_handle = TermOutHandle::new(tx.clone(), tx.clone());
-        let stats_handle = StatsHandle::new(
-            Arc::new(Stats::new(
-                configuration.extensions.len(),
-                configuration.json,
-            )),
-            tx.clone(),
-        );
+        let stats_handle = StatsHandle::new(Arc::new(Stats::new(configuration.json)), tx.clone());
         let filters_handle = FiltersHandle::new(Arc::new(FeroxFilters::default()), tx.clone());
-        let handles = Self::new(stats_handle, filters_handle, terminal_handle, configuration);
+        let wordlist = Arc::new(vec![String::from("this_is_a_test")]);
+        let handles = Self::new(
+            stats_handle,
+            filters_handle,
+            terminal_handle,
+            configuration,
+            wordlist,
+        );
         if let Some(sh) = scanned_urls {
             let scan_handle = ScanHandle::new(sh, tx);
             handles.set_scan_handle(scan_handle);
@@ -122,6 +129,50 @@ impl Handles {
         bail!("Could not get underlying CommandSender object")
     }
 
+    /// wrapper to reach into `FeroxScans` and yank out the length of `collected_extensions`
+    pub fn num_collected_extensions(&self) -> usize {
+        if !self.config.collect_extensions {
+            // if --collect-extensions wasn't used, simply return 0 and forego unlocking
+            return 0;
+        }
+
+        self.collected_extensions().len()
+    }
+
+    /// wrapper to reach into `FeroxScans` and yank out the length of `collected_extensions`
+    pub fn collected_extensions(&self) -> HashSet<String> {
+        if let Ok(scans) = self.ferox_scans() {
+            if let Ok(extensions) = scans.collected_extensions.read() {
+                return extensions.clone();
+            }
+        }
+
+        HashSet::new()
+    }
+
+    /// number of words in the wordlist, multiplied by `expected_num_requests_multiplier`
+    pub fn expected_num_requests_per_dir(&self) -> usize {
+        let num_words = self.wordlist.len();
+        let multiplier = self.expected_num_requests_multiplier();
+        multiplier * num_words
+    }
+
+    /// number of extensions plus the number of request method types plus any dynamically collected
+    /// extensions
+    pub fn expected_num_requests_multiplier(&self) -> usize {
+        let mut multiplier = self.config.extensions.len().max(1);
+
+        if multiplier > 1 {
+            // when we have more than one extension, we need to account for the fact that we'll
+            // be making a request for each extension and the base word (e.g. /foo.html and /foo)
+            multiplier += 1;
+        }
+
+        multiplier *= self.config.methods.len().max(1) * self.num_collected_extensions().max(1);
+
+        multiplier
+    }
+
     /// Helper to easily get the (locked) underlying FeroxScans object
     pub fn ferox_scans(&self) -> Result<Arc<FeroxScans>> {
         if let Ok(guard) = self.scans.read().as_ref() {

src/event_handlers/filters.rs

@@ -1,4 +1,5 @@
 use super::*;
+use crate::filters::EmptyFilter;
 use crate::{filters::FeroxFilters, CommandSender, FeroxChannel, Joiner};
 use anyhow::Result;
 use std::sync::Arc;
@@ -84,8 +85,12 @@ impl FiltersHandler {
         while let Some(command) = self.receiver.recv().await {
             match command {
                 Command::AddFilter(filter) => {
-                    self.data.push(filter)?;
+                    if filter.as_any().downcast_ref::<EmptyFilter>().is_none() {
+                        // don't add an empty filter
+                        self.data.push(filter)?;
+                    }
                 }
+                Command::RemoveFilters(mut indices) => self.data.remove(&mut indices),
                 Command::Sync(sender) => {
                     log::debug!("filters: {:?}", self);
                     sender.send(true).unwrap_or_default();
@@ -99,3 +104,41 @@ impl FiltersHandler {
         Ok(())
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::filters::WordsFilter;
+
+    #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
+    async fn empty_filter_skipped() {
+        let data = Arc::new(FeroxFilters::default());
+        let (tx, rx): FeroxChannel<Command> = mpsc::unbounded_channel();
+
+        let mut handler = FiltersHandler::new(data.clone(), rx);
+
+        let event_handle = FiltersHandle::new(data, tx);
+
+        let _task = tokio::spawn(async move { handler.start().await });
+
+        event_handle
+            .send(Command::AddFilter(Box::new(EmptyFilter {})))
+            .unwrap();
+
+        let (tx, rx) = oneshot::channel::<bool>();
+        event_handle.send(Command::Sync(tx)).unwrap();
+        rx.await.unwrap();
+
+        assert!(event_handle.data.filters.read().unwrap().is_empty());
+
+        event_handle
+            .send(Command::AddFilter(Box::new(WordsFilter { word_count: 1 })))
+            .unwrap();
+
+        let (tx, rx) = oneshot::channel::<bool>();
+        event_handle.send(Command::Sync(tx)).unwrap();
+        rx.await.unwrap();
+
+        assert_eq!(event_handle.data.filters.read().unwrap().len(), 1);
+    }
+}

src/event_handlers/inputs.rs

@@ -4,6 +4,7 @@ use crate::{
     scan_manager::{FeroxState, PAUSE_SCAN},
     scanner::RESPONSES,
     statistics::StatError,
+    utils::slugify_filename,
     utils::{open_file, write_to},
     SLEEP_DURATION,
 };
@@ -11,13 +12,13 @@ use anyhow::Result;
 use console::style;
 use crossterm::event::{self, Event, KeyCode};
 use std::{
+    env::temp_dir,
     sync::{
         atomic::{AtomicBool, Ordering},
         Arc,
     },
     thread::sleep,
     time::Duration,
-    time::{SystemTime, UNIX_EPOCH},
 };
 
 /// Atomic boolean flag, used to determine whether or not the terminal input handler should exit
@@ -33,7 +34,7 @@ pub struct TermInputHandler {
 ///
 /// kicks off the following handlers related to terminal input:
 ///     ctrl+c handler that saves scan state to disk
-///     enter handler that listens for enter during scans to drop into interactive scan cancel menu
+///     enter handler that listens for enter during scans to drop into interactive scan management menu
 impl TermInputHandler {
     /// Create new event handler
     pub fn new(handles: Arc<Handles>) -> Self {
@@ -77,22 +78,14 @@ impl TermInputHandler {
     pub fn sigint_handler(handles: Arc<Handles>) -> Result<()> {
         log::trace!("enter: sigint_handler({:?})", handles);
 
-        let ts = SystemTime::now().duration_since(UNIX_EPOCH)?.as_secs();
-
-        let slug = if !handles.config.target_url.is_empty() {
+        let filename = if !handles.config.target_url.is_empty() {
             // target url populated
-            handles
-                .config
-                .target_url
-                .replace("://", "_")
-                .replace("/", "_")
-                .replace(".", "_")
+            slugify_filename(&handles.config.target_url, "ferox", "state")
         } else {
             // stdin used
-            "stdin".to_string()
+            slugify_filename("stdin", "ferox", "state")
         };
 
-        let filename = format!("ferox-{}-{}.state", slug, ts);
         let warning = format!(
             "🚨 Caught {} 🚨 saving scan state to {} ...",
             style("ctrl+c").yellow(),
@@ -106,12 +99,42 @@ impl TermInputHandler {
             handles.config.clone(),
             &RESPONSES,
             handles.stats.data.clone(),
+            handles.filters.data.clone(),
         );
 
-        let state_file = open_file(&filename);
+        // User didn't set the --no-state flag (so saved_state is still the default true)
+        if handles.config.save_state {
+            let Ok(mut state_file) = open_file(&filename) else {
+                // couldn't open the file, let the user know we're going to try again
+                let error = format!(
+                    "❌ Could not save {}, falling back to {}",
+                    filename,
+                    temp_dir().to_string_lossy()
+                );
+                PROGRESS_PRINTER.println(error);
 
-        let mut buffered_file = state_file?;
-        write_to(&state, &mut buffered_file, true)?;
+                let temp_filename = temp_dir().join(&filename);
+
+                let Ok(mut state_file) = open_file(&temp_filename.to_string_lossy()) else {
+                    // couldn't open the fallback file, let the user know
+                    let error = format!("❌❌ Could not save {:?}, giving up...", temp_filename);
+                    PROGRESS_PRINTER.println(error);
+
+                    log::trace!("exit: sigint_handler (failed to write)");
+                    std::process::exit(1);
+                };
+
+                write_to(&state, &mut state_file, true)?;
+
+                let msg = format!("✅ Saved scan state to {:?}", temp_filename);
+                PROGRESS_PRINTER.println(msg);
+
+                log::trace!("exit: sigint_handler (saved to temp folder)");
+                std::process::exit(1);
+            };
+
+            write_to(&state, &mut state_file, true)?;
+        }
 
         log::trace!("exit: sigint_handler (end of program)");
         std::process::exit(1);

src/event_handlers/outputs.rs

@@ -2,19 +2,32 @@ use super::Command::AddToUsizeField;
 use super::*;
 
 use anyhow::{Context, Result};
+use futures::future::{BoxFuture, FutureExt};
 use tokio::sync::{mpsc, oneshot};
 
 use crate::{
     config::Configuration,
     progress::PROGRESS_PRINTER,
+    response::FeroxResponse,
     scanner::RESPONSES,
     send_command, skip_fail,
-    statistics::StatField::ResourcesDiscovered,
+    statistics::StatField::{ResourcesDiscovered, TotalExpected},
     traits::FeroxSerialize,
     utils::{ferox_print, fmt_err, make_request, open_file, write_to},
     CommandReceiver, CommandSender, Joiner,
 };
 use std::sync::Arc;
+use url::Url;
+
+#[derive(Debug, Copy, Clone)]
+/// Simple enum for semantic clarity around calling expectations for `process_response`
+enum ProcessResponseCall {
+    /// call should allow recursion
+    Recursive,
+
+    /// call should not allow recursion
+    NotRecursive,
+}
 
 #[derive(Debug)]
 /// Container for terminal output transmitter
@@ -90,6 +103,12 @@ impl FileOutHandler {
                 Command::Report(response) => {
                     skip_fail!(write_to(&*response, &mut file, self.config.json));
                 }
+                Command::WriteToDisk(message) => {
+                    // todo consider making report accept dyn FeroxSerialize; would mean adding
+                    //  as_any/box_eq/PartialEq to the trait and then adding them to the
+                    //  implementing structs
+                    skip_fail!(write_to(&*message, &mut file, self.config.json));
+                }
                 Command::Exit => {
                     break;
                 }
@@ -124,6 +143,9 @@ pub struct TermOutHandler {
 
     /// pointer to "global" configuration struct
     config: Arc<Configuration>,
+
+    /// handles instance
+    handles: Option<Arc<Handles>>,
 }
 
 /// implementation of TermOutHandler
@@ -139,8 +161,9 @@ impl TermOutHandler {
         Self {
             receiver,
             tx_file,
-            config,
             file_task,
+            config,
+            handles: None,
         }
     }
 
@@ -185,57 +208,20 @@ impl TermOutHandler {
 
         while let Some(command) = self.receiver.recv().await {
             match command {
-                Command::Report(mut resp) => {
-                    let contains_sentry =
-                        self.config.status_codes.contains(&resp.status().as_u16());
-                    let unknown_sentry = !RESPONSES.contains(&resp); // !contains == unknown
-                    let should_process_response = contains_sentry && unknown_sentry;
-
-                    if should_process_response {
-                        // print to stdout
-                        ferox_print(&resp.as_str(), &PROGRESS_PRINTER);
-
-                        send_command!(tx_stats, AddToUsizeField(ResourcesDiscovered, 1));
-
-                        if self.file_task.is_some() {
-                            // -o used, need to send the report to be written out to disk
-                            self.tx_file
-                                .send(Command::Report(resp.clone()))
-                                .with_context(|| {
-                                    fmt_err(&format!("Could not send {} to file handler", resp))
-                                })?;
-                        }
-                    }
-                    log::trace!("report complete: {}", resp.url());
-
-                    if self.config.replay_client.is_some() && should_process_response {
-                        // replay proxy specified/client created and this response's status code is one that
-                        // should be replayed; not using logged_request due to replay proxy client
-                        make_request(
-                            self.config.replay_client.as_ref().unwrap(),
-                            &resp.url(),
-                            self.config.output_level,
-                            tx_stats.clone(),
-                        )
+                Command::Report(resp) => {
+                    if let Err(err) = self
+                        .process_response(tx_stats.clone(), resp, ProcessResponseCall::Recursive)
                         .await
-                        .with_context(|| "Could not replay request through replay proxy")?;
-                    }
-
-                    if should_process_response {
-                        // add response to RESPONSES for serialization in case of ctrl+c
-                        // placed all by its lonesome like this so that RESPONSES can take ownership
-                        // of the FeroxResponse
-
-                        // before ownership is transferred, there's no real reason to keep the body anymore
-                        // so we can free that piece of data, reducing memory usage
-                        resp.drop_text();
-
-                        RESPONSES.insert(*resp);
+                    {
+                        log::warn!("{}", err);
                     }
                 }
                 Command::Sync(sender) => {
                     sender.send(true).unwrap_or_default();
                 }
+                Command::AddHandles(handles) => {
+                    self.handles = Some(handles);
+                }
                 Command::Exit => {
                     if self.file_task.is_some() && self.tx_file.send(Command::Exit).is_ok() {
                         self.file_task.as_mut().unwrap().await??; // wait for death
@@ -248,11 +234,205 @@ impl TermOutHandler {
         log::trace!("exit: start");
         Ok(())
     }
+
+    /// upon receiving a `FeroxResponse` from the mpsc, handle printing, sending to the replay
+    /// proxy, checking for backups of the `FeroxResponse`'s url, and tracking the response.
+    fn process_response(
+        &self,
+        tx_stats: CommandSender,
+        mut resp: Box<FeroxResponse>,
+        call_type: ProcessResponseCall,
+    ) -> BoxFuture<'_, Result<()>> {
+        log::trace!("enter: process_response({:?}, {:?})", resp, call_type);
+
+        async move {
+            let contains_sentry = if !self.config.filter_status.is_empty() {
+                // -C was used, meaning -s was not and we should ignore the defaults
+                // https://github.com/epi052/feroxbuster/issues/535
+                // -C indicates that we should filter that status code, but allow all others
+                !self.config.filter_status.contains(&resp.status().as_u16())
+            } else {
+                // -C wasn't used, so, we defer to checking the -s values
+                self.config.status_codes.contains(&resp.status().as_u16())
+            };
+
+            let unknown_sentry = !RESPONSES.contains(&resp); // !contains == unknown
+            let should_process_response = contains_sentry && unknown_sentry;
+
+            if should_process_response {
+                // print to stdout
+                ferox_print(&resp.as_str(), &PROGRESS_PRINTER);
+
+                send_command!(tx_stats, AddToUsizeField(ResourcesDiscovered, 1));
+
+                if self.file_task.is_some() {
+                    // -o used, need to send the report to be written out to disk
+                    self.tx_file
+                        .send(Command::Report(resp.clone()))
+                        .with_context(|| {
+                            fmt_err(&format!("Could not send {resp} to file handler"))
+                        })?;
+                }
+            }
+            log::trace!("report complete: {}", resp.url());
+
+            if self.config.replay_client.is_some() && should_process_response {
+                // replay proxy specified/client created and this response's status code is one that
+                // should be replayed; not using logged_request due to replay proxy client
+                let data = if self.config.data.is_empty() {
+                    None
+                } else {
+                    Some(self.config.data.as_slice())
+                };
+
+                make_request(
+                    self.config.replay_client.as_ref().unwrap(),
+                    resp.url(),
+                    resp.method().as_str(),
+                    data,
+                    self.config.output_level,
+                    &self.config,
+                    tx_stats.clone(),
+                )
+                .await
+                .with_context(|| "Could not replay request through replay proxy")?;
+            }
+
+            if self.config.collect_backups
+                && should_process_response
+                && matches!(call_type, ProcessResponseCall::Recursive)
+            {
+                // --collect-backups was used; the response is one we care about, and the function
+                // call came from the loop in `.start` (i.e. recursive was specified)
+                let backup_urls = self.generate_backup_urls(&resp).await;
+
+                // need to manually adjust stats
+                send_command!(tx_stats, AddToUsizeField(TotalExpected, backup_urls.len()));
+
+                for backup_url in &backup_urls {
+                    let backup_response = make_request(
+                        &self.config.client,
+                        backup_url,
+                        resp.method().as_str(),
+                        None,
+                        self.config.output_level,
+                        &self.config,
+                        tx_stats.clone(),
+                    )
+                    .await
+                    .with_context(|| {
+                        format!("Could not request backup of {}", resp.url().as_str())
+                    })?;
+
+                    let ferox_response = FeroxResponse::from(
+                        backup_response,
+                        resp.url().as_str(),
+                        resp.method().as_str(),
+                        resp.output_level,
+                    )
+                    .await;
+
+                    let Some(handles) = self.handles.as_ref() else {
+                        // shouldn't ever happen, but we'll log and return early if it does
+                        log::error!("handles were unexpectedly None, this shouldn't happen");
+                        return Ok(());
+                    };
+
+                    if handles
+                        .filters
+                        .data
+                        .should_filter_response(&ferox_response, tx_stats.clone())
+                    {
+                        // response was filtered for one reason or another, don't process it
+                        continue;
+                    }
+
+                    self.process_response(
+                        tx_stats.clone(),
+                        Box::new(ferox_response),
+                        ProcessResponseCall::NotRecursive,
+                    )
+                    .await?;
+                }
+            }
+
+            if should_process_response {
+                // add response to RESPONSES for serialization in case of ctrl+c
+                // placed all by its lonesome like this so that RESPONSES can take ownership
+                // of the FeroxResponse
+
+                // before ownership is transferred, there's no real reason to keep the body anymore
+                // so we can free that piece of data, reducing memory usage
+                resp.drop_text();
+
+                RESPONSES.insert(*resp);
+            }
+            log::trace!("exit: process_response");
+            Ok(())
+        }
+        .boxed()
+    }
+
+    /// internal helper to stay DRY
+    fn add_new_url_to_vec(&self, url: &Url, new_name: &str, urls: &mut Vec<Url>) {
+        if let Ok(joined) = url.join(new_name) {
+            urls.push(joined);
+        }
+    }
+
+    /// given a `FeroxResponse`, generate either 6 or 7 urls that are likely backups of the
+    /// original.
+    ///
+    /// example:
+    ///     original: LICENSE.txt
+    ///     backups:    
+    ///         - LICENSE.txt~
+    ///         - LICENSE.txt.bak
+    ///         - LICENSE.txt.bak2
+    ///         - LICENSE.txt.old
+    ///         - LICENSE.txt.1
+    ///         - LICENSE.bak
+    ///         - .LICENSE.txt.swp
+    async fn generate_backup_urls(&self, response: &FeroxResponse) -> Vec<Url> {
+        log::trace!("enter: generate_backup_urls({:?})", response);
+
+        let mut urls = vec![];
+        let url = response.url();
+
+        // confirmed safe: see src/response.rs for comments
+        let filename = url.path_segments().unwrap().last().unwrap();
+
+        if !filename.is_empty() {
+            // append rules
+            for suffix in &self.config.backup_extensions {
+                self.add_new_url_to_vec(url, &format!("{filename}{suffix}"), &mut urls);
+            }
+
+            // vim swap rule
+            self.add_new_url_to_vec(url, &format!(".{filename}.swp"), &mut urls);
+
+            // replace original extension rule
+            let parts: Vec<_> = filename
+                .split('.')
+                // keep things like /.bash_history out of results
+                .filter(|part| !part.is_empty())
+                .collect();
+
+            if parts.len() > 1 {
+                // filename + at least one extension, i.e. whatever.js becomes ["whatever", "js"]
+                self.add_new_url_to_vec(url, &format!("{}.bak", parts.first().unwrap()), &mut urls);
+            }
+        }
+
+        log::trace!("exit: generate_backup_urls -> {:?}", urls);
+        urls
+    }
 }
 
 #[cfg(test)]
 mod tests {
     use super::*;
+    use crate::event_handlers::Command;
 
     #[test]
     /// try to hit struct field coverage of FileOutHandler
@@ -263,7 +443,7 @@ mod tests {
             config,
             receiver: rx,
         };
-        println!("{:?}", foh);
+        println!("{foh:?}");
     }
 
     #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
@@ -272,15 +452,149 @@ mod tests {
         let (tx, rx) = mpsc::unbounded_channel::<Command>();
         let (tx_file, _) = mpsc::unbounded_channel::<Command>();
         let config = Arc::new(Configuration::new().unwrap());
+        let handles = Arc::new(Handles::for_testing(None, None).0);
 
         let toh = TermOutHandler {
             config,
             file_task: None,
             receiver: rx,
             tx_file,
+            handles: Some(handles),
         };
 
-        println!("{:?}", toh);
+        println!("{toh:?}");
+        tx.send(Command::Exit).unwrap();
+    }
+
+    #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
+    /// when the feroxresponse's url contains an extension, there should be 7 urls returned
+    async fn generate_backup_urls_creates_correct_urls_when_extension_present() {
+        let (tx, rx) = mpsc::unbounded_channel::<Command>();
+        let (tx_file, _) = mpsc::unbounded_channel::<Command>();
+        let config = Arc::new(Configuration::new().unwrap());
+        let handles = Arc::new(Handles::for_testing(None, None).0);
+
+        let toh = TermOutHandler {
+            config,
+            file_task: None,
+            receiver: rx,
+            tx_file,
+            handles: Some(handles),
+        };
+
+        let expected: Vec<_> = vec![
+            "derp.php~",
+            "derp.php.bak",
+            "derp.php.bak2",
+            "derp.php.old",
+            "derp.php.1",
+            ".derp.php.swp",
+            "derp.bak",
+        ];
+
+        let mut fr = FeroxResponse::default();
+        fr.set_url("http://localhost/derp.php");
+
+        let urls = toh.generate_backup_urls(&fr).await;
+
+        let paths: Vec<_> = urls
+            .iter()
+            .map(|url| url.path_segments().unwrap().last().unwrap())
+            .collect();
+
+        assert_eq!(urls.len(), 7);
+
+        for path in paths {
+            assert!(expected.contains(&path));
+        }
+
+        tx.send(Command::Exit).unwrap();
+    }
+
+    #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
+    /// when the feroxresponse's url doesn't contain an extension, there should be 6 urls returned
+    async fn generate_backup_urls_creates_correct_urls_when_extension_not_present() {
+        let (tx, rx) = mpsc::unbounded_channel::<Command>();
+        let (tx_file, _) = mpsc::unbounded_channel::<Command>();
+        let config = Arc::new(Configuration::new().unwrap());
+        let handles = Arc::new(Handles::for_testing(None, None).0);
+
+        let toh = TermOutHandler {
+            config,
+            file_task: None,
+            receiver: rx,
+            tx_file,
+            handles: Some(handles),
+        };
+
+        let expected: Vec<_> = vec![
+            "derp~",
+            "derp.bak",
+            "derp.bak2",
+            "derp.old",
+            "derp.1",
+            ".derp.swp",
+        ];
+
+        let mut fr = FeroxResponse::default();
+        fr.set_url("http://localhost/derp");
+
+        let urls = toh.generate_backup_urls(&fr).await;
+
+        let paths: Vec<_> = urls
+            .iter()
+            .map(|url| url.path_segments().unwrap().last().unwrap())
+            .collect();
+
+        assert_eq!(urls.len(), 6);
+
+        for path in paths {
+            assert!(expected.contains(&path));
+        }
+
+        tx.send(Command::Exit).unwrap();
+    }
+
+    #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
+    /// test to ensure that backups are requested from the directory in which they were found
+    /// re: issue #513
+    async fn generate_backup_urls_creates_correct_urls_when_not_at_root() {
+        let (tx, rx) = mpsc::unbounded_channel::<Command>();
+        let (tx_file, _) = mpsc::unbounded_channel::<Command>();
+        let config = Arc::new(Configuration::new().unwrap());
+        let handles = Arc::new(Handles::for_testing(None, None).0);
+
+        let toh = TermOutHandler {
+            config,
+            file_task: None,
+            receiver: rx,
+            tx_file,
+            handles: Some(handles),
+        };
+
+        let expected: Vec<_> = vec![
+            "http://localhost/wordpress/derp.php~",
+            "http://localhost/wordpress/derp.php.bak",
+            "http://localhost/wordpress/derp.php.bak2",
+            "http://localhost/wordpress/derp.php.old",
+            "http://localhost/wordpress/derp.php.1",
+            "http://localhost/wordpress/.derp.php.swp",
+            "http://localhost/wordpress/derp.bak",
+        ];
+
+        let mut fr = FeroxResponse::default();
+        fr.set_url("http://localhost/wordpress/derp.php");
+
+        let urls = toh.generate_backup_urls(&fr).await;
+
+        let url_strs: Vec<_> = urls.iter().map(|url| url.as_str()).collect();
+
+        assert_eq!(urls.len(), 7);
+
+        for url_str in url_strs {
+            assert!(expected.contains(&url_str));
+        }
+
         tx.send(Command::Exit).unwrap();
     }
 }

src/event_handlers/scans.rs

@@ -1,20 +1,22 @@
-use std::collections::HashSet;
 use std::sync::Arc;
 
 use anyhow::{bail, Result};
 use tokio::sync::{mpsc, Semaphore};
 
-use crate::response::FeroxResponse;
-use crate::url::FeroxUrl;
 use crate::{
+    response::FeroxResponse,
     scan_manager::{FeroxScan, FeroxScans, ScanOrder},
-    scanner::FeroxScanner,
+    scanner::{FeroxScanner, RESPONSES},
     statistics::StatField::TotalScans,
+    url::FeroxUrl,
+    utils::should_deny_url,
     CommandReceiver, CommandSender, FeroxChannel, Joiner, SLEEP_DURATION,
 };
 
 use super::command::Command::AddToUsizeField;
 use super::*;
+use crate::statistics::StatField;
+use crate::utils::parse_url_with_raw_path;
 use tokio::time::Duration;
 
 #[derive(Debug)]
@@ -54,7 +56,7 @@ pub struct ScanHandler {
     receiver: CommandReceiver,
 
     /// wordlist (re)used for each scan
-    wordlist: std::sync::Mutex<Option<Arc<HashSet<String>>>>,
+    wordlist: std::sync::Mutex<Option<Arc<Vec<String>>>>,
 
     /// group of scans that need to be joined
     tasks: Vec<Arc<FeroxScan>>,
@@ -105,7 +107,7 @@ impl ScanHandler {
     }
 
     /// Set the wordlist
-    fn wordlist(&self, wordlist: Arc<HashSet<String>>) {
+    fn wordlist(&self, wordlist: Arc<Vec<String>>) {
         if let Ok(mut guard) = self.wordlist.lock() {
             if guard.is_none() {
                 let _ = std::mem::replace(&mut *guard, Some(wordlist));
@@ -145,6 +147,15 @@ impl ScanHandler {
                 Command::ScanInitialUrls(targets) => {
                     self.ordered_scan_url(targets, ScanOrder::Initial).await?;
                 }
+                Command::ScanNewUrl(target) => {
+                    // added as part of interactive menu ability (2.4.1) to add a new scan.
+                    // we don't have a way of knowing if they're adding a new url entirely (i.e.
+                    // new base url), or simply adding a new sub-directory found some other way.
+                    // Since we can't know, we'll start a scan as though we received the scan
+                    // from -u | --stdin
+                    self.ordered_scan_url(vec![target], ScanOrder::Initial)
+                        .await?;
+                }
                 Command::UpdateWordlist(wordlist) => {
                     self.wordlist(wordlist);
                 }
@@ -166,6 +177,23 @@ impl ScanHandler {
                 Command::Sync(sender) => {
                     sender.send(true).unwrap_or_default();
                 }
+                Command::AddDiscoveredExtension(new_extension) => {
+                    // if --collect-extensions was used, AND the new extension isn't in
+                    // the --dont-collect list AND it's also not in the --extensions list, AND
+                    // we actually added a new extension (i.e. wasn't previously known), add
+                    // it to FeroxScans.collected_extensions
+                    if self.handles.config.collect_extensions
+                        && !self.handles.config.dont_collect.contains(&new_extension)
+                        && !self.handles.config.extensions.contains(&new_extension)
+                        && self.data.add_discovered_extension(new_extension)
+                    {
+                        self.update_all_bar_lengths()?;
+                        self.handles
+                            .stats
+                            .send(Command::AddToUsizeField(StatField::ExtensionsCollected, 1))
+                            .unwrap_or_default();
+                    }
+                }
                 _ => {} // no other commands needed for RecursionHandler
             }
         }
@@ -174,11 +202,102 @@ impl ScanHandler {
         Ok(())
     }
 
+    /// update all current and future bar lengths
+    ///
+    /// updating all bar lengths correctly requires a few different actions on our part.
+    /// - get the current number of requests expected per scan (dynamic when --collect-extensions
+    ///     is used)
+    /// - update the overall progress bar via the statistics handler (total expected)
+    /// - update the expected per scan value tracked in the statistics handler
+    /// - update progress bars on each FeroxScan (type::directory) that are running/not-started
+    /// - update progress bar length on FeroxScans (this is used when creating new a FeroxScan and
+    ///     determines the new scan's progress bar length)
+    fn update_all_bar_lengths(&self) -> Result<()> {
+        log::trace!("enter: update_all_bar_lengths");
+
+        // current number of requests expected per scan
+        // ExpectedPerScan and TotalExpected are a += action, so we need the wordlist length to
+        // update them while the other updates use expected_num_requests_per_dir
+        let num_words = self.get_wordlist(0)?.len();
+        let current_expectation = self.handles.expected_num_requests_per_dir() as u64;
+
+        // used in the calculation of bar width down below, see explanation there
+        let divisor = (self.handles.expected_num_requests_multiplier() as u64 - 1).max(1);
+
+        // add another `wordlist.len` to the expected per scan tracker in the statistics handler
+        self.handles
+            .stats
+            .send(AddToUsizeField(StatField::ExpectedPerScan, num_words))?;
+
+        // since we're adding extensions in the middle of scans (potentially), we need to take
+        // current number of requests into account, new_total will be used as an accumulator
+        // used to increment the overall progress bar
+        let mut new_total = 0;
+
+        if let Ok(ferox_scans) = self.handles.ferox_scans() {
+            // update progress bar length on FeroxScans, which used when creating a new FeroxScan's
+            // progress bar and should mirror the expected_per_scan field on Statistics
+            ferox_scans.set_bar_length(current_expectation);
+
+            if let Ok(scans_guard) = ferox_scans.scans.read() {
+                // update progress bars on each FeroxScan where its scan type is directory and
+                // scan status is either running or not-started
+                for scan in scans_guard.iter() {
+                    if scan.is_active() {
+                        // current number of words left in the 'to-scan' bin, for example:
+                        //
+                        // say we have a 2000 word wordlist, have `-x js` on the command line, and
+                        // just found `php` as a new extension
+                        //
+                        // that puts our state at:
+                        // - wordlist length: 2000
+                        // - total expected: 4000 (original length * 2 for -x js)
+                        //
+                        // let's assume the current scan has sent 3000 requests so far
+                        // that means to get the number of `words` left to send, we need to take
+                        // the difference of 4000 and 3000 and then divide that by the current
+                        // multiplier (2 in the example)
+                        //
+                        // (4000 - 3000) / 2 => 500 words left to send
+                        //
+                        // the remaining 500 words will be sent as 3 variations (word, word.js,
+                        // word.php). So, we would then need to increment the bar by 500 to
+                        // reflect the dynamism of adding extensions mid-scan.
+                        let bar = scan.progress_bar();
+
+                        // (4000 - 3000) / 2 => 500 words left to send
+                        let length = bar.length().unwrap_or(1);
+                        let num_words_left = (length - bar.position()) / divisor;
+
+                        // accumulate each bar's increment value for incrementing the total bar
+                        new_total += num_words_left;
+
+                        bar.inc_length(num_words_left);
+                    }
+                }
+            }
+
+            // add the total number of newly expected requests to the overall progress bar
+            // via the statistics handler
+            self.handles.stats.send(AddToUsizeField(
+                StatField::TotalExpected,
+                new_total as usize,
+            ))?;
+        }
+
+        log::trace!("exit: update_all_bar_lengths");
+        Ok(())
+    }
+
     /// Helper to easily get the (locked) underlying wordlist
-    pub fn get_wordlist(&self) -> Result<Arc<HashSet<String>>> {
+    pub fn get_wordlist(&self, offset: usize) -> Result<Arc<Vec<String>>> {
         if let Ok(guard) = self.wordlist.lock().as_ref() {
             if let Some(list) = guard.as_ref() {
-                return Ok(list.clone());
+                return if offset > 0 {
+                    Ok(Arc::new(list[offset..].to_vec()))
+                } else {
+                    Ok(list.clone())
+                };
             }
         }
 
@@ -188,6 +307,8 @@ impl ScanHandler {
     /// wrapper around scanning a url to stay DRY
     async fn ordered_scan_url(&mut self, targets: Vec<String>, order: ScanOrder) -> Result<()> {
         log::trace!("enter: ordered_scan_url({:?}, {:?})", targets, order);
+        let should_test_deny = !self.handles.config.url_denylist.is_empty()
+            || !self.handles.config.regex_denylist.is_empty();
 
         for target in targets {
             if self.data.contains(&target) && matches!(order, ScanOrder::Latest) {
@@ -204,7 +325,27 @@ impl ScanHandler {
                 self.data.add_directory_scan(&target, order).1 // add the new target; return FeroxScan
             };
 
-            let list = self.get_wordlist()?;
+            if should_test_deny
+                && should_deny_url(&parse_url_with_raw_path(&target)?, self.handles.clone())?
+            {
+                // response was caught by a user-provided deny list
+                // checking this last, since it's most susceptible to longer runtimes due to what
+                // input is received
+                continue;
+            }
+
+            let divisor = self.handles.expected_num_requests_multiplier();
+
+            let list = if divisor > 1 && scan.requests() > 0 {
+                // if there were extensions provided and/or more than a single method used, and some
+                // number of requests have already been sent, we need to adjust the offset into the
+                // wordlist to ensure we don't index out of bounds
+
+                let adjusted = scan.requests_made_so_far() as f64 / (divisor as f64 - 1.0).max(1.0);
+                self.get_wordlist(adjusted as usize)?
+            } else {
+                self.get_wordlist(scan.requests_made_so_far() as usize)?
+            };
 
             log::info!("scan handler received {} - beginning scan", target);
 
@@ -244,6 +385,11 @@ impl ScanHandler {
     async fn try_recursion(&mut self, response: Box<FeroxResponse>) -> Result<()> {
         log::trace!("enter: try_recursion({:?})", response,);
 
+        if !self.handles.config.force_recursion && !response.is_directory() {
+            // not a directory and --force-recursion wasn't used, quick exit
+            return Ok(());
+        }
+
         let mut base_depth = 1_usize;
 
         for (base_url, base_url_depth) in &self.depths {
@@ -257,9 +403,56 @@ impl ScanHandler {
             return Ok(());
         }
 
-        if !response.is_directory() {
-            // not a directory
-            return Ok(());
+        if let Ok(responses) = RESPONSES.responses.read() {
+            for maybe_wild in responses.iter() {
+                if !maybe_wild.wildcard() || !maybe_wild.is_directory() {
+                    // if the stored response isn't a wildcard, skip it
+                    // if the stored response isn't a directory, skip it
+                    // we're only interested in preventing recursion into wildcard directories
+                    continue;
+                }
+
+                if maybe_wild.method() != response.method() {
+                    // methods don't match, skip it
+                    continue;
+                }
+
+                // methods match and is a directory wildcard
+                // need to check the wildcard's parent directory
+                // for equality with the incoming response's parent directory
+                //
+                // if the parent directories match, we need to prevent recursion
+                // into the wildcard directory
+
+                match (
+                    maybe_wild.url().path_segments(),
+                    response.url().path_segments(),
+                ) {
+                    // both urls must have path segments
+                    (Some(mut maybe_wild_segments), Some(mut response_segments)) => {
+                        match (
+                            maybe_wild_segments.nth_back(1),
+                            response_segments.nth_back(1),
+                        ) {
+                            // both urls must have at least 2 path segments, the next to last being the parent
+                            (Some(maybe_wild_parent), Some(response_parent)) => {
+                                if maybe_wild_parent == response_parent {
+                                    // the parent directories match, so we need to prevent recursion
+                                    return Ok(());
+                                }
+                            }
+                            _ => {
+                                // we couldn't get the parent directory, so we'll skip this
+                                continue;
+                            }
+                        }
+                    }
+                    _ => {
+                        // we couldn't get the path segments, so we'll skip this
+                        continue;
+                    }
+                }
+            }
         }
 
         let targets = vec![response.url().to_string()];

src/event_handlers/statistics.rs

@@ -103,7 +103,7 @@ impl StatsHandler {
                 Command::AddToUsizeField(field, value) => {
                     self.stats.update_usize_field(field, value);
 
-                    if matches!(field, StatField::TotalScans) {
+                    if matches!(field, StatField::TotalScans | StatField::TotalExpected) {
                         self.bar.set_length(self.stats.total_expected() as u64);
                     }
                 }
@@ -115,8 +115,9 @@ impl StatsHandler {
                     }
                 }
                 Command::AddToF64Field(field, value) => self.stats.update_f64_field(field, value),
-                Command::CreateBar => {
+                Command::CreateBar(offset) => {
                     self.bar = add_bar("", self.stats.total_expected() as u64, BarType::Total);
+                    self.bar.set_position(offset);
                 }
                 Command::LoadStats(filename) => {
                     self.stats.merge_from(&filename)?;
@@ -146,8 +147,13 @@ impl StatsHandler {
             self.stats.errors(),
         );
 
-        self.bar.set_message(&msg);
-        self.bar.inc(1);
+        self.bar.set_message(msg);
+
+        if self.bar.position() < self.stats.total_expected() as u64 {
+            // don't run off the end when we're a few requests over the expected total
+            // due to the heuristics tests
+            self.bar.inc(1);
+        }
     }
 
     /// Initialize new `Stats` object and the sc side of an mpsc channel that is responsible for
@@ -155,7 +161,7 @@ impl StatsHandler {
     pub fn initialize(config: Arc<Configuration>) -> (Joiner, StatsHandle) {
         log::trace!("enter: initialize");
 
-        let data = Arc::new(Stats::new(config.extensions.len(), config.json));
+        let data = Arc::new(Stats::new(config.json));
         let (tx, rx): FeroxChannel<Command> = mpsc::unbounded_channel();
 
         let mut handler = StatsHandler::new(data.clone(), rx);

src/extractor/builder.rs

@@ -13,14 +13,22 @@ pub(super) const LINKFINDER_REGEX: &str = r#"(?:"|')(((?:[a-zA-Z]{1,10}://|//)[^
 pub(super) const ROBOTS_TXT_REGEX: &str =
     r#"(?m)^ *(Allow|Disallow): *(?P<url_path>[a-zA-Z0-9._/?#@!&'()+,;%=-]+?)$"#; // multi-line (?m)
 
+/// Regular expression to filter bad characters from extracted url paths
+///
+/// ref: https://www.rfc-editor.org/rfc/rfc3986#section-2
+pub(super) const URL_CHARS_REGEX: &str = r#"["<>\\^`{|} ]"#;
+
 /// Which type of extraction should be performed
 #[derive(Debug, Copy, Clone)]
 pub enum ExtractionTarget {
-    /// Examine a response body and extract links
+    /// Examine a response body and extract javascript and html links (multiple tags)
     ResponseBody,
 
     /// Examine robots.txt (specifically) and extract links
     RobotsTxt,
+
+    /// Extract all <a> tags from a page
+    DirectoryListing,
 }
 
 /// responsible for building an `Extractor`
@@ -28,7 +36,7 @@ pub struct ExtractorBuilder<'a> {
     /// Response from which to extract links
     response: Option<&'a FeroxResponse>,
 
-    /// Response from which to extract links
+    /// URL of where to extract links
     url: String,
 
     /// Handles object to house the underlying mpsc transmitters
@@ -76,9 +84,9 @@ impl<'a> ExtractorBuilder<'a> {
         self
     }
 
-    /// finalize configuration of ExtratorBuilder and return an Extractor
+    /// finalize configuration of `ExtractorBuilder` and return an `Extractor`
     ///
-    /// requires either with_url or with_response to have been used in the build process
+    /// requires either `with_url` or `with_response` to have been used in the build process
     pub fn build(&self) -> Result<Extractor<'a>> {
         if (self.url.is_empty() && self.response.is_none()) || self.handles.is_none() {
             bail!("Extractor requires a URL or a FeroxResponse be specified as well as a Handles object")
@@ -87,6 +95,7 @@ impl<'a> ExtractorBuilder<'a> {
         Ok(Extractor {
             links_regex: Regex::new(LINKFINDER_REGEX).unwrap(),
             robots_regex: Regex::new(ROBOTS_TXT_REGEX).unwrap(),
+            url_regex: Regex::new(URL_CHARS_REGEX).unwrap(),
             response: if self.response.is_some() {
                 Some(self.response.unwrap())
             } else {

src/extractor/container.rs

@@ -2,7 +2,6 @@ use super::*;
 use crate::{
     client,
     event_handlers::{
-        Command,
         Command::{AddError, AddToUsizeField},
         Handles,
     },
@@ -12,15 +11,60 @@ use crate::{
         StatField::{LinksExtracted, TotalExpected},
     },
     url::FeroxUrl,
-    utils::{logged_request, make_request},
+    utils::{
+        logged_request, make_request, parse_url_with_raw_path, send_try_recursion_command,
+        should_deny_url,
+    },
+    ExtractionResult, DEFAULT_METHOD,
 };
 use anyhow::{bail, Context, Result};
-use reqwest::{StatusCode, Url};
-use std::collections::HashSet;
-use tokio::sync::oneshot;
+use futures::StreamExt;
+use reqwest::{Client, Response, StatusCode, Url};
+use scraper::{Html, Selector};
+use std::{borrow::Cow, collections::HashSet};
+
+/// Wrapper around link extraction logic
+///   - create a new Url object based on cli options/args
+///   - check if the new Url has already been seen/scanned -> None
+///   - make a request to the new Url ? -> Some(response) : None
+pub(super) async fn request_link(url: &str, handles: Arc<Handles>) -> Result<Response> {
+    log::trace!("enter: request_link({})", url);
+
+    let ferox_url = FeroxUrl::from_string(url, handles.clone());
+
+    // create a url based on the given command line options
+    let new_url = ferox_url.format("", None)?;
+
+    let scanned_urls = handles.ferox_scans()?;
+
+    if scanned_urls.get_scan_by_url(new_url.as_ref()).is_some() {
+        //we've seen the url before and don't need to scan again
+        log::trace!("exit: request_link -> None");
+        bail!("previously seen url");
+    }
+
+    if (!handles.config.url_denylist.is_empty() || !handles.config.regex_denylist.is_empty())
+        && should_deny_url(&new_url, handles.clone())?
+    {
+        // can't allow a denied url to be requested
+        bail!(
+            "prevented request to {} due to {:?} || {:?}",
+            url,
+            handles.config.url_denylist,
+            handles.config.regex_denylist,
+        );
+    }
+
+    // make the request and store the response
+    let new_response = logged_request(&new_url, DEFAULT_METHOD, None, handles.clone()).await?;
+
+    log::trace!("exit: request_link -> {:?}", new_response);
+
+    Ok(new_response)
+}
 
 /// Whether an active scan is recursive or not
-#[derive(Debug)]
+#[derive(Debug, Copy, Clone)]
 enum RecursionStatus {
     /// Scan is recursive
     Recursive,
@@ -38,10 +82,13 @@ pub struct Extractor<'a> {
     /// `ROBOTS_TXT_REGEX` as a regex::Regex type
     pub(super) robots_regex: Regex,
 
+    /// regex to validate a url
+    pub(super) url_regex: Regex,
+
     /// Response from which to extract links
     pub(super) response: Option<&'a FeroxResponse>,
 
-    /// Response from which to extract links
+    /// URL of where to extract links
     pub(super) url: String,
 
     /// Handles object to house the underlying mpsc transmitters
@@ -53,79 +100,227 @@ pub struct Extractor<'a> {
 
 /// Extractor implementation
 impl<'a> Extractor<'a> {
-    /// business logic that handles getting links from a normal http body response
-    pub async fn extract(&self) -> Result<()> {
-        let links = match self.target {
-            ExtractionTarget::ResponseBody => self.extract_from_body().await?,
-            ExtractionTarget::RobotsTxt => self.extract_from_robots().await?,
-        };
+    /// perform extraction from the given target and return any links found
+    pub async fn extract(&self) -> Result<ExtractionResult> {
+        log::trace!(
+            "enter: extract({:?}) (this fn has no associated trace exit msg)",
+            self.target
+        );
+        match self.target {
+            ExtractionTarget::ResponseBody => Ok(self.extract_from_body().await?),
+            ExtractionTarget::RobotsTxt => Ok(self.extract_from_robots().await?),
+            ExtractionTarget::DirectoryListing => Ok(self.extract_from_dir_listing().await?),
+        }
+    }
 
+    /// wrapper around logic that performs the following:
+    /// - parses `url_to_parse`
+    /// - bails if the parsed url doesn't belong to the original host/domain
+    /// - otherwise, calls `add_all_sub_paths` with the parsed result
+    fn parse_url_and_add_subpaths(
+        &self,
+        url_to_parse: &str,
+        original_url: &Url,
+        links: &mut HashSet<String>,
+    ) -> Result<()> {
+        log::trace!("enter: parse_url_and_add_subpaths({:?})", links);
+
+        match parse_url_with_raw_path(url_to_parse) {
+            Ok(absolute) => {
+                if absolute.domain() != original_url.domain()
+                    || absolute.host() != original_url.host()
+                {
+                    // domains/ips are not the same, don't scan things that aren't part of the original
+                    // target url
+                    bail!("parsed url does not belong to original domain/host");
+                }
+
+                if self.add_all_sub_paths(absolute.path(), links).is_err() {
+                    log::warn!("could not add sub-paths from {} to {:?}", absolute, links);
+                }
+            }
+            Err(e) => {
+                // this is the expected error that happens when we try to parse a url fragment
+                //     ex: Url::parse("/login") -> Err("relative URL without a base")
+                // while this is technically an error, these are good results for us
+                if e.to_string().contains("relative URL without a base") {
+                    if self.add_all_sub_paths(url_to_parse, links).is_err() {
+                        log::warn!(
+                            "could not add sub-paths from {} to {:?}",
+                            url_to_parse,
+                            links
+                        );
+                    }
+                } else {
+                    // unexpected error has occurred
+                    log::warn!("Could not parse given url: {}", e);
+                    self.handles.stats.send(AddError(Other)).unwrap_or_default();
+                }
+            }
+        }
+
+        log::trace!("exit: parse_url_and_add_subpaths");
+        Ok(())
+    }
+
+    /// given a set of links from a normal http body response, task the request handler to make
+    /// the requests
+    pub async fn request_links(
+        &mut self,
+        links: HashSet<String>,
+    ) -> Result<Option<tokio::task::JoinHandle<()>>> {
+        log::trace!("enter: request_links({:?})", links);
+
+        if links.is_empty() {
+            return Ok(None);
+        }
+
+        self.update_stats(links.len())?;
+
+        // create clones/remove use of self of/from everything the async move block will need to function
+        let cloned_scanned_urls = self.handles.ferox_scans()?;
+        let cloned_handles = self.handles.clone();
+        let cloned_url = self.url.clone();
+        let threads = self.handles.config.threads;
         let recursive = if self.handles.config.no_recursion {
             RecursionStatus::NotRecursive
         } else {
             RecursionStatus::Recursive
         };
 
-        let scanned_urls = self.handles.ferox_scans()?;
+        let link_request_task = tokio::spawn(async move {
+            let producers = futures::stream::iter(links.into_iter())
+                .map(|link| {
+                    // another clone to satisfy the async move block
+                    let inner_clone = cloned_handles.clone();
 
-        for link in links {
-            let mut resp = match self.request_link(&link).await {
-                Ok(resp) => resp,
-                Err(_) => continue,
-            };
+                    (
+                        tokio::spawn(async move { request_link(&link, inner_clone).await }),
+                        cloned_handles.clone(),
+                        cloned_scanned_urls.clone(),
+                        recursive,
+                        cloned_url.clone(),
+                    )
+                })
+                .for_each_concurrent(
+                    threads,
+                    |(join_handle, c_handles, c_scanned_urls, c_recursive, og_url)| async move {
+                        match join_handle.await {
+                            Ok(Ok(reqwest_response)) => {
+                                let mut resp = FeroxResponse::from(
+                                    reqwest_response,
+                                    &og_url,
+                                    DEFAULT_METHOD,
+                                    c_handles.config.output_level,
+                                )
+                                .await;
 
-            // filter if necessary
-            if self
-                .handles
-                .filters
-                .data
-                .should_filter_response(&resp, self.handles.stats.tx.clone())
-            {
-                continue;
-            }
+                                // filter if necessary
+                                if c_handles
+                                    .filters
+                                    .data
+                                    .should_filter_response(&resp, c_handles.stats.tx.clone())
+                                {
+                                    return;
+                                }
 
-            if resp.is_file() {
-                // very likely a file, simply request and report
-                log::debug!("Extracted file: {}", resp);
+                                // request and report assumed file
+                                if resp.is_file() || !resp.is_directory() {
+                                    log::debug!("Extracted File: {}", resp);
 
-                scanned_urls.add_file_scan(&resp.url().to_string(), ScanOrder::Latest);
+                                    c_scanned_urls
+                                        .add_file_scan(resp.url().as_str(), ScanOrder::Latest);
 
-                if let Err(e) = resp.send_report(self.handles.output.tx.clone()) {
-                    log::warn!("Could not send FeroxResponse to output handler: {}", e);
-                }
+                                    if c_handles.config.collect_extensions {
+                                        // no real reason this should fail
+                                        resp.parse_extension(c_handles.clone()).unwrap();
+                                    }
 
-                continue;
-            }
+                                    if let Err(e) = resp.send_report(c_handles.output.tx.clone()) {
+                                        log::warn!(
+                                            "Could not send FeroxResponse to output handler: {}",
+                                            e
+                                        );
+                                    }
 
-            if matches!(recursive, RecursionStatus::Recursive) {
-                log::debug!("Extracted Directory: {}", resp);
+                                    return;
+                                }
 
-                if !resp.url().as_str().ends_with('/')
-                    && (resp.status().is_success()
-                        || matches!(resp.status(), &StatusCode::FORBIDDEN))
-                {
-                    // if the url doesn't end with a /
-                    // and the response code is either a 2xx or 403
+                                if matches!(c_recursive, RecursionStatus::Recursive) {
+                                    log::debug!("Extracted Directory: {}", resp);
 
-                    // since all of these are 2xx or 403, recursion is only attempted if the
-                    // url ends in a /. I am actually ok with adding the slash and not
-                    // adding it, as both have merit.  Leaving it in for now to see how
-                    // things turn out (current as of: v1.1.0)
-                    resp.set_url(&format!("{}/", resp.url()));
-                }
+                                    if !resp.url().as_str().ends_with('/')
+                                        && (resp.status().is_success()
+                                            || matches!(resp.status(), &StatusCode::FORBIDDEN))
+                                    {
+                                        // if the url doesn't end with a /
+                                        // and the response code is either a 2xx or 403
 
-                self.handles
-                    .send_scan_command(Command::TryRecursion(Box::new(resp)))?;
-                let (tx, rx) = oneshot::channel::<bool>();
-                self.handles.send_scan_command(Command::Sync(tx))?;
-                rx.await?;
-            }
-        }
-        Ok(())
+                                        // since all of these are 2xx or 403, recursion is only attempted if the
+                                        // url ends in a /. I am actually ok with adding the slash and not
+                                        // adding it, as both have merit.  Leaving it in for now to see how
+                                        // things turn out (current as of: v1.1.0)
+                                        resp.set_url(&format!("{}/", resp.url()));
+                                    }
+
+                                    if c_handles.config.filter_status.is_empty() {
+                                        // -C wasn't used, so -s is the only 'filter' left to account for
+                                        if c_handles
+                                            .config
+                                            .status_codes
+                                            .contains(&resp.status().as_u16())
+                                        {
+                                            send_try_recursion_command(c_handles.clone(), resp)
+                                                .await
+                                                .unwrap_or_default();
+                                        }
+                                    } else {
+                                        // -C was used, that means the filters above would have removed
+                                        // those responses, and anything else should be let through
+                                        send_try_recursion_command(c_handles.clone(), resp)
+                                            .await
+                                            .unwrap_or_default();
+                                    }
+                                }
+                            }
+                            Ok(Err(err)) => {
+                                log::warn!("Error during link extraction: {}", err);
+                            }
+                            Err(err) => {
+                                log::warn!("JoinError during link extraction: {}", err);
+                            }
+                        }
+                    },
+                );
+
+            // wait for the requests to finish
+            producers.await;
+        });
+
+        log::trace!("exit: request_links");
+        Ok(Some(link_request_task))
     }
 
-    /// Given a `reqwest::Response`, perform the following actions
-    ///   - parse the response's text for links using the linkfinder regex
+    /// wrapper around link extraction via html attributes
+    fn extract_all_links_from_html_tags(
+        &self,
+        resp_url: &Url,
+        links: &mut HashSet<String>,
+        html: &Html,
+    ) {
+        self.extract_links_by_attr(resp_url, links, html, "a", "href");
+        self.extract_links_by_attr(resp_url, links, html, "img", "src");
+        self.extract_links_by_attr(resp_url, links, html, "form", "action");
+        self.extract_links_by_attr(resp_url, links, html, "script", "src");
+        self.extract_links_by_attr(resp_url, links, html, "iframe", "src");
+        self.extract_links_by_attr(resp_url, links, html, "div", "src");
+        self.extract_links_by_attr(resp_url, links, html, "frame", "src");
+        self.extract_links_by_attr(resp_url, links, html, "embed", "src");
+        self.extract_links_by_attr(resp_url, links, html, "link", "href");
+    }
+
+    /// Given the body of a `reqwest::Response`, perform the following actions
+    ///   - parse the body for links using the linkfinder regex
     ///   - for every link found take its url path and parse each sub-path
     ///     - example: Response contains a link fragment `homepage/assets/img/icons/handshake.svg`
     ///       with a base url of http://localhost, the following urls would be returned:
@@ -134,73 +329,90 @@ impl<'a> Extractor<'a> {
     ///         - homepage/assets/img/
     ///         - homepage/assets/
     ///         - homepage/
-    pub(super) async fn extract_from_body(&self) -> Result<HashSet<String>> {
-        log::trace!("enter: get_links");
+    fn extract_all_links_from_javascript(
+        &self,
+        response_body: &str,
+        response_url: &Url,
+        links: &mut HashSet<String>,
+    ) {
+        log::trace!(
+            "enter: extract_all_links_from_javascript(html body..., {}, {:?})",
+            response_url.as_str(),
+            links
+        );
 
-        let mut links = HashSet::<String>::new();
-
-        let body = self.response.unwrap().text();
-
-        for capture in self.links_regex.captures_iter(&body) {
+        for capture in self.links_regex.captures_iter(response_body) {
             // remove single & double quotes from both ends of the capture
             // capture[0] is the entire match, additional capture groups start at [1]
             let link = capture[0].trim_matches(|c| c == '\'' || c == '"');
 
-            match Url::parse(link) {
-                Ok(absolute) => {
-                    if absolute.domain() != self.response.unwrap().url().domain()
-                        || absolute.host() != self.response.unwrap().url().host()
-                    {
-                        // domains/ips are not the same, don't scan things that aren't part of the original
-                        // target url
-                        continue;
-                    }
-
-                    if self.add_all_sub_paths(absolute.path(), &mut links).is_err() {
-                        log::warn!("could not add sub-paths from {} to {:?}", absolute, links);
-                    }
-                }
-                Err(e) => {
-                    // this is the expected error that happens when we try to parse a url fragment
-                    //     ex: Url::parse("/login") -> Err("relative URL without a base")
-                    // while this is technically an error, these are good results for us
-                    if e.to_string().contains("relative URL without a base") {
-                        if self.add_all_sub_paths(link, &mut links).is_err() {
-                            log::warn!("could not add sub-paths from {} to {:?}", link, links);
-                        }
-                    } else {
-                        // unexpected error has occurred
-                        log::warn!("Could not parse given url: {}", e);
-                        self.handles.stats.send(AddError(Other)).unwrap_or_default();
-                    }
-                }
+            if self
+                .parse_url_and_add_subpaths(link, response_url, links)
+                .is_err()
+            {
+                // purposely not logging the error here, due to the frequency with which it gets hit
             }
         }
 
-        self.update_stats(links.len())?;
-
-        log::trace!("exit: get_links -> {:?}", links);
-
-        Ok(links)
+        log::trace!("exit: extract_all_links_from_javascript");
     }
 
     /// take a url fragment like homepage/assets/img/icons/handshake.svg and
     /// incrementally add
-    ///     - homepage/assets/img/icons/
-    ///     - homepage/assets/img/
-    ///     - homepage/assets/
-    ///     - homepage/
-    fn add_all_sub_paths(&self, url_path: &str, mut links: &mut HashSet<String>) -> Result<()> {
+    ///   - homepage/assets/img/icons/
+    ///   - homepage/assets/img/
+    ///   - homepage/assets/
+    ///   - homepage/
+    fn add_all_sub_paths(&self, url_path: &str, links: &mut HashSet<String>) -> Result<()> {
         log::trace!("enter: add_all_sub_paths({}, {:?})", url_path, links);
 
         for sub_path in self.get_sub_paths_from_path(url_path) {
-            self.add_link_to_set_of_links(&sub_path, &mut links)?;
+            self.add_link_to_set_of_links(&sub_path, links)?;
         }
 
         log::trace!("exit: add_all_sub_paths");
         Ok(())
     }
 
+    /// given a url path, trim whitespace, remove slashes, and queries/fragments; return the
+    /// normalized string
+    pub(super) fn normalize_url_path(&self, path: &str) -> String {
+        log::trace!("enter: normalize_url_path({})", path);
+
+        // remove whitespace and leading '/'
+        let path_str: String = path
+            .trim()
+            .trim_start_matches('/')
+            .chars()
+            .filter(|char| !char.is_whitespace())
+            .collect();
+
+        // snippets from rfc-3986:
+        //
+        //          foo://example.com:8042/over/there?name=ferret#nose
+        //          \_/   \______________/\_________/ \_________/ \__/
+        //           |           |            |            |        |
+        //        scheme     authority       path        query   fragment
+        //
+        // The path component is terminated
+        //    by the first question mark ("?") or number sign ("#") character, or
+        //    by the end of the URI.
+        //
+        // The query component is indicated by the first question
+        //    mark ("?") character and terminated by a number sign ("#") character
+        //    or by the end of the URI.
+        let (path_str, _discarded) = path_str
+            .split_once('?')
+            // if there isn't a '?', try to remove a fragment
+            .unwrap_or_else(|| {
+                // if there isn't a '#', return (original, empty)
+                path_str.split_once('#').unwrap_or((&path_str, ""))
+            });
+
+        log::trace!("exit: normalize_url_path -> {}", path_str);
+        path_str.into()
+    }
+
     /// Iterate over a given path, return a list of every sub-path found
     ///
     /// example: `path` contains a link fragment `homepage/assets/img/icons/handshake.svg`
@@ -214,8 +426,14 @@ impl<'a> Extractor<'a> {
         log::trace!("enter: get_sub_paths_from_path({})", path);
         let mut paths = vec![];
 
+        let normalized_path = self.normalize_url_path(path);
+
         // filter out any empty strings caused by .split
-        let mut parts: Vec<&str> = path.split('/').filter(|s| !s.is_empty()).collect();
+        let mut parts: Vec<Cow<_>> = normalized_path
+            .split('/')
+            .map(|s| self.url_regex.replace_all(s, ""))
+            .filter(|s| !s.is_empty())
+            .collect();
 
         let length = parts.len();
 
@@ -237,7 +455,7 @@ impl<'a> Extractor<'a> {
                 // this isn't the last index of the parts array
                 // ex: /buried/misc/stupidfile.php
                 // this block skips the file but sees all parent folders
-                possible_path = format!("{}/", possible_path);
+                possible_path = format!("{possible_path}/");
             }
 
             paths.push(possible_path); // good sub-path found
@@ -248,7 +466,7 @@ impl<'a> Extractor<'a> {
         paths
     }
 
-    /// simple helper to stay DRY, trys to join a url + fragment and add it to the `links` HashSet
+    /// simple helper to stay DRY, tries to join a url + fragment and add it to the `links` HashSet
     pub(super) fn add_link_to_set_of_links(
         &self,
         link: &str,
@@ -257,8 +475,10 @@ impl<'a> Extractor<'a> {
         log::trace!("enter: add_link_to_set_of_links({}, {:?})", link, links);
 
         let old_url = match self.target {
-            ExtractionTarget::ResponseBody => self.response.unwrap().url().clone(),
-            ExtractionTarget::RobotsTxt => match Url::parse(&self.url) {
+            ExtractionTarget::ResponseBody | ExtractionTarget::DirectoryListing => {
+                self.response.unwrap().url().clone()
+            }
+            ExtractionTarget::RobotsTxt => match parse_url_with_raw_path(&self.url) {
                 Ok(u) => u,
                 Err(e) => {
                     bail!("Could not parse {}: {}", self.url, e);
@@ -267,8 +487,19 @@ impl<'a> Extractor<'a> {
         };
 
         let new_url = old_url
-            .join(&link)
-            .with_context(|| format!("Could not join {} with {}", old_url, link))?;
+            .join(link)
+            .with_context(|| format!("Could not join {old_url} with {link}"))?;
+
+        if old_url.domain() != new_url.domain() || old_url.host() != new_url.host() {
+            // domains/ips are not the same, don't scan things that aren't part of the original
+            // target url
+            log::debug!(
+                "Skipping {} because it's not part of the original target",
+                new_url
+            );
+            log::trace!("exit: add_link_to_set_of_links");
+            return Ok(());
+        }
 
         links.insert(new_url.to_string());
 
@@ -277,42 +508,6 @@ impl<'a> Extractor<'a> {
         Ok(())
     }
 
-    /// Wrapper around link extraction logic
-    /// currently used in two places:
-    ///   - links from response bodies
-    ///   - links from robots.txt responses
-    ///
-    /// general steps taken:
-    ///   - create a new Url object based on cli options/args
-    ///   - check if the new Url has already been seen/scanned -> None
-    ///   - make a request to the new Url ? -> Some(response) : None
-    pub(super) async fn request_link(&self, url: &str) -> Result<FeroxResponse> {
-        log::trace!("enter: request_link({})", url);
-
-        let ferox_url = FeroxUrl::from_string(&url, self.handles.clone());
-
-        // create a url based on the given command line options
-        let new_url = ferox_url.format(&"", None)?;
-
-        let scanned_urls = self.handles.ferox_scans()?;
-
-        if scanned_urls.get_scan_by_url(&new_url.to_string()).is_some() {
-            //we've seen the url before and don't need to scan again
-            log::trace!("exit: request_link -> None");
-            bail!("previously seen url");
-        }
-
-        // make the request and store the response
-        let new_response = logged_request(&new_url, self.handles.clone()).await?;
-
-        let new_ferox_response =
-            FeroxResponse::from(new_response, true, self.handles.config.output_level).await;
-
-        log::trace!("exit: request_link -> {:?}", new_ferox_response);
-
-        Ok(new_ferox_response)
-    }
-
     /// Entry point to perform link extraction from robots.txt
     ///
     /// `base_url` can have paths and subpaths, however robots.txt will be requested from the
@@ -321,82 +516,195 @@ impl<'a> Extractor<'a> {
     ///     http://localhost/stuff/things
     /// this function requests:
     ///     http://localhost/robots.txt
-    pub(super) async fn extract_from_robots(&self) -> Result<HashSet<String>> {
+    pub(super) async fn extract_from_robots(&self) -> Result<ExtractionResult> {
         log::trace!("enter: extract_robots_txt");
 
-        let mut links: HashSet<String> = HashSet::new();
+        let mut result: HashSet<_> = ExtractionResult::new();
 
-        let response = self.request_robots_txt().await?;
+        // request
+        let response = self.make_extract_request("/robots.txt").await?;
+        let body = response.text();
 
-        for capture in self.robots_regex.captures_iter(response.text()) {
+        for capture in self.robots_regex.captures_iter(body) {
             if let Some(new_path) = capture.name("url_path") {
-                let mut new_url = Url::parse(&self.url)?;
+                let mut new_url = parse_url_with_raw_path(&self.url)?;
+
                 new_url.set_path(new_path.as_str());
-                if self.add_all_sub_paths(&new_url.path(), &mut links).is_err() {
-                    log::warn!("could not add sub-paths from {} to {:?}", new_url, links);
+
+                if self.add_all_sub_paths(new_url.path(), &mut result).is_err() {
+                    log::warn!("could not add sub-paths from {} to {:?}", new_url, result);
                 }
             }
         }
 
-        self.update_stats(links.len())?;
-
-        log::trace!("exit: extract_robots_txt -> {:?}", links);
-        Ok(links)
+        log::trace!("exit: extract_robots_txt -> {:?}", result);
+        Ok(result)
     }
 
-    /// helper function that simply requests /robots.txt on the given url's base url
+    /// outer-most wrapper for parsing html response bodies in search of additional content.
+    /// performs the following high-level steps:
+    /// - requests the page, if necessary
+    /// - checks the page to see if directory listing is enabled and sucks up all the links, if so
+    /// - uses the linkfinder regex to grab links from embedded javascript/javascript files
+    /// - extracts many different types of link sources from the html itself
+    pub(super) async fn extract_from_body(&self) -> Result<ExtractionResult> {
+        log::trace!("enter: extract_from_body");
+
+        let mut result = ExtractionResult::new();
+
+        let response = self.response.unwrap();
+        let resp_url = response.url();
+        let body = response.text();
+        let html = Html::parse_document(body);
+
+        // extract links from html tags/attributes and embedded javascript
+        self.extract_all_links_from_html_tags(resp_url, &mut result, &html);
+        self.extract_all_links_from_javascript(body, resp_url, &mut result);
+
+        log::trace!("exit: extract_from_body -> {:?}", result);
+        Ok(result)
+    }
+
+    /// parses html response bodies in search of <a> tags.
+    ///
+    /// the assumption is that directory listing is turned on and this extraction target simply
+    /// scoops up all the links for the given directory. The test to detect a directory listing
+    /// is located in `HeuristicTests`
+    pub async fn extract_from_dir_listing(&self) -> Result<ExtractionResult> {
+        log::trace!("enter: extract_from_dir_listing");
+
+        let mut result = ExtractionResult::new();
+
+        let response = self.response.unwrap();
+        let html = Html::parse_document(response.text());
+
+        self.extract_links_by_attr(response.url(), &mut result, &html, "a", "href");
+
+        log::trace!("exit: extract_from_dir_listing -> {:?}", result);
+        Ok(result)
+    }
+
+    /// simple helper to get html links by tag/attribute and add it to the `links` HashSet
+    fn extract_links_by_attr(
+        &self,
+        resp_url: &Url,
+        links: &mut HashSet<String>,
+        html: &Html,
+        html_tag: &str,
+        html_attr: &str,
+    ) {
+        log::trace!("enter: extract_links_by_attr");
+
+        let selector = Selector::parse(html_tag).unwrap();
+
+        let tags = html
+            .select(&selector)
+            .filter(|a| a.value().attrs().any(|attr| attr.0 == html_attr));
+
+        for tag in tags {
+            if let Some(link) = tag.value().attr(html_attr) {
+                log::debug!("Parsed link \"{}\" from {}", link, resp_url.as_str());
+
+                if self
+                    .parse_url_and_add_subpaths(link, resp_url, links)
+                    .is_err()
+                {
+                    log::debug!("link didn't belong to the target domain/host: {}", link);
+                }
+            }
+        }
+
+        log::trace!("exit: extract_links_by_attr");
+    }
+
+    /// helper function that simply requests at <location> on the given url's base url
     ///
     /// example:
-    ///     http://localhost/api/users -> http://localhost/robots.txt
-    ///     
-    /// The length of the given path has no effect on what's requested; it's always
-    /// base url + /robots.txt
-    pub(super) async fn request_robots_txt(&self) -> Result<FeroxResponse> {
-        log::trace!("enter: get_robots_file");
+    ///     http://localhost/api/users -> http://localhost/<location>
+    pub(super) async fn make_extract_request(&self, location: &str) -> Result<FeroxResponse> {
+        log::trace!("enter: make_extract_request");
 
-        // more often than not, domain/robots.txt will redirect to www.domain/robots.txt or something
-        // similar; to account for that, create a client that will follow redirects, regardless of
-        // what the user specified for the scanning client. Other than redirects, it will respect
-        // all other user specified settings
-        let follow_redirects = true;
+        // need late binding here to avoid 'creates a temporary which is freed...' in the
+        // `let ... if` below to avoid cloning the client out of config
+        let mut client = Client::new();
 
-        let proxy = if self.handles.config.proxy.is_empty() {
-            None
+        if location == "/robots.txt" {
+            // more often than not, domain/robots.txt will redirect to www.domain/robots.txt or something
+            // similar; to account for that, create a client that will follow redirects, regardless of
+            // what the user specified for the scanning client. Other than redirects, it will respect
+            // all other user specified settings
+            let follow_redirects = true;
+
+            let proxy = if self.handles.config.proxy.is_empty() {
+                None
+            } else {
+                Some(self.handles.config.proxy.as_str())
+            };
+
+            let server_certs = &self.handles.config.server_certs;
+
+            let client_cert = if self.handles.config.client_cert.is_empty() {
+                None
+            } else {
+                Some(self.handles.config.client_cert.as_str())
+            };
+
+            let client_key = if self.handles.config.client_key.is_empty() {
+                None
+            } else {
+                Some(self.handles.config.client_key.as_str())
+            };
+
+            client = client::initialize(
+                self.handles.config.timeout,
+                &self.handles.config.user_agent,
+                follow_redirects,
+                self.handles.config.insecure,
+                &self.handles.config.headers,
+                proxy,
+                server_certs,
+                client_cert,
+                client_key,
+            )?;
+        }
+
+        let client = if location != "/robots.txt" {
+            &self.handles.config.client
         } else {
-            Some(self.handles.config.proxy.as_str())
+            &client
         };
 
-        let client = client::initialize(
-            self.handles.config.timeout,
-            &self.handles.config.user_agent,
-            follow_redirects,
-            self.handles.config.insecure,
-            &self.handles.config.headers,
-            proxy,
-        )?;
-
-        let mut url = Url::parse(&self.url)?;
-        url.set_path("/robots.txt"); // overwrite existing path with /robots.txt
+        let mut url = parse_url_with_raw_path(&self.url)?;
+        url.set_path(location); // overwrite existing path
 
         // purposefully not using logged_request here due to using the special client
         let response = make_request(
-            &client,
+            client,
             &url,
+            DEFAULT_METHOD,
+            None,
             self.handles.config.output_level,
+            &self.handles.config,
             self.handles.stats.tx.clone(),
         )
         .await?;
 
-        let ferox_response =
-            FeroxResponse::from(response, true, self.handles.config.output_level).await;
+        let ferox_response = FeroxResponse::from(
+            response,
+            &self.url,
+            DEFAULT_METHOD,
+            self.handles.config.output_level,
+        )
+        .await;
+        // note: don't call parse_extension here. If we call it here, it gets called on robots.txt
 
-        log::trace!("exit: get_robots_file -> {}", ferox_response);
-        return Ok(ferox_response);
+        log::trace!("exit: make_extract_request -> {}", ferox_response);
+        Ok(ferox_response)
     }
 
     /// update total number of links extracted and expected responses
     fn update_stats(&self, num_links: usize) -> Result<()> {
-        let multiplier = self.handles.config.extensions.len().max(1);
+        let multiplier = self.handles.expected_num_requests_multiplier();
 
         self.handles
             .stats

src/extractor/tests.rs

@@ -1,9 +1,11 @@
-use super::builder::{LINKFINDER_REGEX, ROBOTS_TXT_REGEX};
+use super::builder::{LINKFINDER_REGEX, ROBOTS_TXT_REGEX, URL_CHARS_REGEX};
+use super::container::request_link;
 use super::*;
 use crate::config::{Configuration, OutputLevel};
 use crate::scan_manager::ScanOrder;
 use crate::{
     event_handlers::Handles, scan_manager::FeroxScans, utils::make_request, Command, FeroxChannel,
+    DEFAULT_METHOD,
 };
 use anyhow::Result;
 use httpmock::{Method::GET, MockServer};
@@ -19,6 +21,9 @@ lazy_static! {
     /// Extractor for testing response bodies
     static ref BODY_EXT: Extractor<'static> = setup_extractor(ExtractionTarget::ResponseBody, Arc::new(FeroxScans::default()));
 
+    /// Extractor for testing paring html
+    static ref PARSEHTML_EXT: Extractor<'static> = setup_extractor(ExtractionTarget::DirectoryListing, Arc::new(FeroxScans::default()));
+
     /// FeroxResponse for Extractor
     static ref RESPONSE: FeroxResponse = get_test_response();
 }
@@ -41,6 +46,9 @@ fn setup_extractor(target: ExtractionTarget, scanned_urls: Arc<FeroxScans>) -> E
         ExtractionTarget::RobotsTxt => builder
             .url("http://localhost")
             .target(ExtractionTarget::RobotsTxt),
+        ExtractionTarget::DirectoryListing => builder
+            .url("http://localhost")
+            .target(ExtractionTarget::DirectoryListing),
     };
 
     let config = Arc::new(Configuration::new().unwrap());
@@ -54,8 +62,8 @@ fn setup_extractor(target: ExtractionTarget, scanned_urls: Arc<FeroxScans>) -> E
 /// in the expected array
 fn extractor_get_sub_paths_from_path_with_multiple_paths() {
     let path = "homepage/assets/img/icons/handshake.svg";
-    let r_paths = ROBOTS_EXT.get_sub_paths_from_path(&path);
-    let b_paths = BODY_EXT.get_sub_paths_from_path(&path);
+    let r_paths = ROBOTS_EXT.get_sub_paths_from_path(path);
+    let b_paths = BODY_EXT.get_sub_paths_from_path(path);
     let expected = vec![
         "homepage/",
         "homepage/assets/",
@@ -67,8 +75,8 @@ fn extractor_get_sub_paths_from_path_with_multiple_paths() {
     assert_eq!(r_paths.len(), expected.len());
     assert_eq!(b_paths.len(), expected.len());
     for expected_path in expected {
-        assert_eq!(r_paths.contains(&expected_path.to_string()), true);
-        assert_eq!(b_paths.contains(&expected_path.to_string()), true);
+        assert!(r_paths.contains(&expected_path.to_string()));
+        assert!(b_paths.contains(&expected_path.to_string()));
     }
 }
 
@@ -78,15 +86,15 @@ fn extractor_get_sub_paths_from_path_with_multiple_paths() {
 /// returned
 fn extractor_get_sub_paths_from_path_with_enclosing_slashes() {
     let path = "/homepage/assets/";
-    let r_paths = ROBOTS_EXT.get_sub_paths_from_path(&path);
-    let b_paths = BODY_EXT.get_sub_paths_from_path(&path);
+    let r_paths = ROBOTS_EXT.get_sub_paths_from_path(path);
+    let b_paths = BODY_EXT.get_sub_paths_from_path(path);
     let expected = vec!["homepage/", "homepage/assets"];
 
     assert_eq!(r_paths.len(), expected.len());
     assert_eq!(b_paths.len(), expected.len());
     for expected_path in expected {
-        assert_eq!(r_paths.contains(&expected_path.to_string()), true);
-        assert_eq!(b_paths.contains(&expected_path.to_string()), true);
+        assert!(r_paths.contains(&expected_path.to_string()));
+        assert!(b_paths.contains(&expected_path.to_string()));
     }
 }
 
@@ -95,15 +103,15 @@ fn extractor_get_sub_paths_from_path_with_enclosing_slashes() {
 /// included
 fn extractor_get_sub_paths_from_path_with_only_a_word() {
     let path = "homepage";
-    let r_paths = ROBOTS_EXT.get_sub_paths_from_path(&path);
-    let b_paths = BODY_EXT.get_sub_paths_from_path(&path);
+    let r_paths = ROBOTS_EXT.get_sub_paths_from_path(path);
+    let b_paths = BODY_EXT.get_sub_paths_from_path(path);
     let expected = vec!["homepage"];
 
     assert_eq!(r_paths.len(), expected.len());
     assert_eq!(b_paths.len(), expected.len());
     for expected_path in expected {
-        assert_eq!(r_paths.contains(&expected_path.to_string()), true);
-        assert_eq!(b_paths.contains(&expected_path.to_string()), true);
+        assert!(r_paths.contains(&expected_path.to_string()));
+        assert!(b_paths.contains(&expected_path.to_string()));
     }
 }
 
@@ -111,15 +119,15 @@ fn extractor_get_sub_paths_from_path_with_only_a_word() {
 /// extract sub paths from the given url fragment; expect 1 sub path, forward slash removed
 fn extractor_get_sub_paths_from_path_with_an_absolute_word() {
     let path = "/homepage";
-    let r_paths = ROBOTS_EXT.get_sub_paths_from_path(&path);
-    let b_paths = BODY_EXT.get_sub_paths_from_path(&path);
+    let r_paths = ROBOTS_EXT.get_sub_paths_from_path(path);
+    let b_paths = BODY_EXT.get_sub_paths_from_path(path);
     let expected = vec!["homepage"];
 
     assert_eq!(r_paths.len(), expected.len());
     assert_eq!(b_paths.len(), expected.len());
     for expected_path in expected {
-        assert_eq!(r_paths.contains(&expected_path.to_string()), true);
-        assert_eq!(b_paths.contains(&expected_path.to_string()), true);
+        assert!(r_paths.contains(&expected_path.to_string()));
+        assert!(b_paths.contains(&expected_path.to_string()));
     }
 }
 
@@ -188,7 +196,6 @@ fn extractor_add_link_to_set_of_links_happy_path() {
 fn extractor_add_link_to_set_of_links_with_non_base_url() {
     let mut links = HashSet::<String>::new();
     let link = "\\\\\\\\";
-
     assert_eq!(links.len(), 0);
     assert!(ROBOTS_EXT
         .add_link_to_set_of_links(link, &mut links)
@@ -199,6 +206,34 @@ fn extractor_add_link_to_set_of_links_with_non_base_url() {
     assert!(links.is_empty());
 }
 
+#[test]
+/// test for filtering queries and fragments
+fn normalize_url_path_filters_queries_and_fragments() {
+    let handles = Arc::new(Handles::for_testing(None, None).0);
+    let extractor = ExtractorBuilder::default()
+        .url("doesnt matter")
+        .target(ExtractionTarget::RobotsTxt)
+        .handles(handles)
+        .build()
+        .unwrap();
+
+    let test_strings = [
+        "over/there?name=ferret#nose",
+        "over/there?name=ferret",
+        "over/there#nose",
+        "over/there",
+        "over/there?name#nose",
+        "over/there?name",
+        "   over/there?name=ferret#nose  ",
+        "over/there?name=ferret   ",
+        "   over/there#nose",
+    ];
+    test_strings.iter().for_each(|&ts| {
+        let normed = extractor.normalize_url_path(ts);
+        assert_eq!(normed, "over/there");
+    });
+}
+
 #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
 /// use make_request to generate a Response, and use the Response to test get_links;
 /// the response will contain an absolute path to a domain that is not part of the scanned
@@ -211,24 +246,35 @@ async fn extractor_get_links_with_absolute_url_that_differs_from_target_domain()
     let mock = srv.mock(|when, then| {
         when.method(GET).path("/some-path");
         then.status(200).body(
-            "\"http://defintely.not.a.thing.probably.com/homepage/assets/img/icons/handshake.svg\"",
+            "\"http://definitely.not.a.thing.probably.com/homepage/assets/img/icons/handshake.svg\"",
         );
     });
 
     let client = Client::new();
     let url = Url::parse(&srv.url("/some-path")).unwrap();
+    let config = Configuration::new().unwrap();
 
-    let response = make_request(&client, &url, OutputLevel::Default, tx_stats.clone())
-        .await
-        .unwrap();
+    let response = make_request(
+        &client,
+        &url,
+        DEFAULT_METHOD,
+        None,
+        OutputLevel::Default,
+        &config,
+        tx_stats.clone(),
+    )
+    .await
+    .unwrap();
     let (handles, _rx) = Handles::for_testing(None, None);
 
     let handles = Arc::new(handles);
-    let ferox_response = FeroxResponse::from(response, true, OutputLevel::Default).await;
+    let ferox_response =
+        FeroxResponse::from(response, &srv.url(""), DEFAULT_METHOD, OutputLevel::Default).await;
 
     let extractor = Extractor {
         links_regex: Regex::new(LINKFINDER_REGEX).unwrap(),
         robots_regex: Regex::new(ROBOTS_TXT_REGEX).unwrap(),
+        url_regex: Regex::new(URL_CHARS_REGEX).unwrap(),
         response: Some(&ferox_response),
         url: String::new(),
         target: ExtractionTarget::ResponseBody,
@@ -257,16 +303,17 @@ async fn request_robots_txt_without_proxy() -> Result<()> {
     let extractor = Extractor {
         links_regex: Regex::new(LINKFINDER_REGEX).unwrap(),
         robots_regex: Regex::new(ROBOTS_TXT_REGEX).unwrap(),
+        url_regex: Regex::new(URL_CHARS_REGEX).unwrap(),
         response: None,
         url: srv.url("/api/users/stuff/things"),
         target: ExtractionTarget::RobotsTxt,
         handles,
     };
 
-    let resp = extractor.request_robots_txt().await?;
+    let resp = extractor.make_extract_request("/robots.txt").await?;
 
     assert!(matches!(resp.status(), &StatusCode::OK));
-    println!("{}", resp);
+    println!("{resp}");
     assert_eq!(resp.content_length(), 14);
     assert_eq!(mock.hits(), 1);
     Ok(())
@@ -296,7 +343,7 @@ async fn request_robots_txt_with_proxy() -> Result<()> {
         .handles(handles)
         .build()?;
 
-    let resp = extractor.request_robots_txt().await?;
+    let resp = extractor.make_extract_request("/robots.txt").await?;
 
     assert!(matches!(resp.status(), &StatusCode::OK));
     assert_eq!(resp.content_length(), 19);
@@ -314,13 +361,13 @@ async fn request_link_happy_path() -> Result<()> {
         then.status(200).body("this is a test");
     });
 
-    let r_resp = ROBOTS_EXT.request_link(&srv.url("/login.php")).await?;
-    let b_resp = BODY_EXT.request_link(&srv.url("/login.php")).await?;
+    let r_resp = request_link(&srv.url("/login.php"), ROBOTS_EXT.handles.clone()).await?;
+    let b_resp = request_link(&srv.url("/login.php"), BODY_EXT.handles.clone()).await?;
 
-    assert!(matches!(r_resp.status(), &StatusCode::OK));
-    assert!(matches!(b_resp.status(), &StatusCode::OK));
-    assert_eq!(r_resp.content_length(), 14);
-    assert_eq!(b_resp.content_length(), 14);
+    assert!(matches!(r_resp.status(), StatusCode::OK));
+    assert!(matches!(b_resp.status(), StatusCode::OK));
+    assert_eq!(r_resp.content_length().unwrap(), 14);
+    assert_eq!(b_resp.content_length().unwrap(), 14);
     assert_eq!(mock.hits(), 2);
     Ok(())
 }
@@ -344,8 +391,8 @@ async fn request_link_bails_on_seen_url() -> Result<()> {
     let robots = setup_extractor(ExtractionTarget::RobotsTxt, scans.clone());
     let body = setup_extractor(ExtractionTarget::ResponseBody, scans);
 
-    let r_resp = robots.request_link(&served).await;
-    let b_resp = body.request_link(&served).await;
+    let r_resp = request_link(&served, robots.handles.clone()).await;
+    let b_resp = request_link(&served, body.handles.clone()).await;
 
     assert!(r_resp.is_err());
     assert!(b_resp.is_err());

src/filters/container.rs

@@ -1,27 +1,30 @@
-use std::sync::Mutex;
+use std::sync::RwLock;
 
 use anyhow::Result;
+use serde::{ser::SerializeSeq, Serialize, Serializer};
 
 use crate::response::FeroxResponse;
+
+use super::{
+    FeroxFilter, LinesFilter, RegexFilter, SimilarityFilter, SizeFilter, StatusCodeFilter,
+    WildcardFilter, WordsFilter,
+};
 use crate::{
     event_handlers::Command::AddToUsizeField, statistics::StatField::WildcardsFiltered,
     CommandSender,
 };
-
-use super::{FeroxFilter, WildcardFilter};
-
 /// Container around a collection of `FeroxFilters`s
 #[derive(Debug, Default)]
 pub struct FeroxFilters {
     /// collection of `FeroxFilters`
-    pub filters: Mutex<Vec<Box<dyn FeroxFilter>>>,
+    pub filters: RwLock<Vec<Box<dyn FeroxFilter>>>,
 }
 
 /// implementation of FeroxFilter collection
 impl FeroxFilters {
     /// add a single FeroxFilter to the collection
     pub fn push(&self, filter: Box<dyn FeroxFilter>) -> Result<()> {
-        if let Ok(mut guard) = self.filters.lock() {
+        if let Ok(mut guard) = self.filters.write() {
             if guard.contains(&filter) {
                 return Ok(());
             }
@@ -31,6 +34,37 @@ impl FeroxFilters {
         Ok(())
     }
 
+    /// remove items from the underlying collection by their index
+    ///
+    /// note: indexes passed in should be index-to-remove+1. This is built for the scan mgt menu
+    ///       so indexes aren't 0-based whehn the user enters them.
+    ///       
+    pub fn remove(&self, indices: &mut [usize]) {
+        // since we're removing by index, indices must be sorted and then reversed.
+        // this allows us to iterate over the collection from the rear, allowing any shifting
+        // of the vector to happen on sections that we no longer care about, as we're moving
+        // in the opposite direction
+        indices.sort_unstable();
+        indices.reverse();
+
+        if let Ok(mut guard) = self.filters.write() {
+            for index in indices {
+                // numbering of the menu starts at 1, so we'll need to reduce the index by 1
+                // to account for that. if they've provided 0 as an offset, we'll set the
+                // result to a gigantic number and skip it in the loop with a bounds check
+                let reduced_idx = index.checked_sub(1).unwrap_or(usize::MAX);
+
+                // check if number provided is out of range
+                if reduced_idx >= guard.len() {
+                    // usize can't be negative, just need to handle exceeding bounds
+                    continue;
+                }
+
+                guard.remove(reduced_idx);
+            }
+        }
+    }
+
     /// Simple helper to stay DRY; determines whether or not a given `FeroxResponse` should be reported
     /// to the user or not.
     pub fn should_filter_response(
@@ -38,10 +72,11 @@ impl FeroxFilters {
         response: &FeroxResponse,
         tx_stats: CommandSender,
     ) -> bool {
-        if let Ok(filters) = self.filters.lock() {
+        if let Ok(filters) = self.filters.read() {
             for filter in filters.iter() {
                 // wildcard.should_filter goes here
-                if filter.should_filter_response(&response) {
+                if filter.should_filter_response(response) {
+                    log::debug!("filtering response due to: {:?}", filter);
                     if filter.as_any().downcast_ref::<WildcardFilter>().is_some() {
                         tx_stats
                             .send(AddToUsizeField(WildcardsFiltered, 1))
@@ -54,3 +89,43 @@ impl FeroxFilters {
         false
     }
 }
+
+impl Serialize for FeroxFilters {
+    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
+    where
+        S: Serializer,
+    {
+        if let Ok(guard) = self.filters.read() {
+            let mut seq = serializer.serialize_seq(Some(guard.len()))?;
+
+            for filter in &*guard {
+                if let Some(line_filter) = filter.as_any().downcast_ref::<LinesFilter>() {
+                    seq.serialize_element(line_filter).unwrap_or_default();
+                } else if let Some(word_filter) = filter.as_any().downcast_ref::<WordsFilter>() {
+                    seq.serialize_element(word_filter).unwrap_or_default();
+                } else if let Some(size_filter) = filter.as_any().downcast_ref::<SizeFilter>() {
+                    seq.serialize_element(size_filter).unwrap_or_default();
+                } else if let Some(wildcard_filter) =
+                    filter.as_any().downcast_ref::<WildcardFilter>()
+                {
+                    seq.serialize_element(wildcard_filter).unwrap_or_default();
+                } else if let Some(status_filter) =
+                    filter.as_any().downcast_ref::<StatusCodeFilter>()
+                {
+                    seq.serialize_element(status_filter).unwrap_or_default();
+                } else if let Some(regex_filter) = filter.as_any().downcast_ref::<RegexFilter>() {
+                    seq.serialize_element(regex_filter).unwrap_or_default();
+                } else if let Some(similarity_filter) =
+                    filter.as_any().downcast_ref::<SimilarityFilter>()
+                {
+                    seq.serialize_element(similarity_filter).unwrap_or_default();
+                }
+            }
+            seq.end()
+        } else {
+            // if for some reason we can't unlock the mutex, just write an empty list
+            let seq = serializer.serialize_seq(Some(0))?;
+            seq.end()
+        }
+    }
+}

src/filters/empty.rs

@@ -0,0 +1,22 @@
+use super::*;
+
+/// Dummy filter for internal shenanigans
+#[derive(Default, Debug, PartialEq, Eq)]
+pub struct EmptyFilter {}
+
+impl FeroxFilter for EmptyFilter {
+    /// `EmptyFilter` always returns false
+    fn should_filter_response(&self, _response: &FeroxResponse) -> bool {
+        false
+    }
+
+    /// Compare one EmptyFilter to another
+    fn box_eq(&self, other: &dyn Any) -> bool {
+        other.downcast_ref::<Self>().map_or(false, |a| self == a)
+    }
+
+    /// Return self as Any for dynamic dispatch purposes
+    fn as_any(&self) -> &dyn Any {
+        self
+    }
+}

src/filters/init.rs

@@ -1,18 +1,10 @@
 use super::{
-    LinesFilter, RegexFilter, SimilarityFilter, SizeFilter, StatusCodeFilter, WordsFilter,
-};
-use crate::{
-    event_handlers::Handles,
-    response::FeroxResponse,
-    skip_fail,
-    utils::{fmt_err, logged_request},
-    Command::AddFilter,
-    SIMILARITY_THRESHOLD,
+    utils::create_similarity_filter, LinesFilter, RegexFilter, SizeFilter, StatusCodeFilter,
+    WordsFilter,
 };
+use crate::{event_handlers::Handles, skip_fail, utils::fmt_err, Command::AddFilter};
 use anyhow::Result;
-use fuzzyhash::FuzzyHash;
 use regex::Regex;
-use reqwest::Url;
 use std::sync::Arc;
 
 /// add all user-supplied filters to the (already started) filters handler
@@ -56,7 +48,7 @@ pub async fn initialize(handles: Arc<Handles>) -> Result<()> {
     // add any regex filters to filters handler's FeroxFilters  (-X|--filter-regex)
     for regex_filter in &handles.config.filter_regex {
         let raw = regex_filter;
-        let compiled = skip_fail!(Regex::new(&raw));
+        let compiled = skip_fail!(Regex::new(raw));
 
         let filter = RegexFilter {
             raw_string: raw.to_owned(),
@@ -68,22 +60,7 @@ pub async fn initialize(handles: Arc<Handles>) -> Result<()> {
 
     // add any similarity filters to filters handler's FeroxFilters  (--filter-similar-to)
     for similarity_filter in &handles.config.filter_similar {
-        // url as-is based on input, ignores user-specified url manipulation options (add-slash etc)
-        let url = skip_fail!(Url::parse(&similarity_filter));
-
-        // attempt to request the given url
-        let resp = skip_fail!(logged_request(&url, handles.clone()).await);
-
-        // if successful, create a filter based on the response's body
-        let fr = FeroxResponse::from(resp, true, handles.config.output_level).await;
-
-        // hash the response body and store the resulting hash in the filter object
-        let hash = FuzzyHash::new(&fr.text()).to_string();
-
-        let filter = SimilarityFilter {
-            text: hash,
-            threshold: SIMILARITY_THRESHOLD,
-        };
+        let filter = skip_fail!(create_similarity_filter(similarity_filter, handles.clone()).await);
 
         let boxed_filter = Box::new(filter);
         skip_fail!(handles.filters.send(AddFilter(boxed_filter)));

src/filters/lines.rs

@@ -2,7 +2,7 @@ use super::*;
 
 /// Simple implementor of FeroxFilter; used to filter out responses based on the number of lines
 /// in a Response body; specified using -N|--filter-lines
-#[derive(Default, Debug, PartialEq)]
+#[derive(Default, Debug, PartialEq, Eq, Serialize, Deserialize)]
 pub struct LinesFilter {
     /// Number of lines in a Response's body that should be filtered
     pub line_count: usize,

src/filters/mod.rs

@@ -1,21 +1,23 @@
 //! contains all of feroxbuster's filters
+use serde::{Deserialize, Serialize};
 use std::any::Any;
 use std::fmt::Debug;
 
 use crate::response::FeroxResponse;
-use crate::traits::{FeroxFilter, FeroxSerialize};
+use crate::traits::FeroxFilter;
 
 pub use self::container::FeroxFilters;
+pub(crate) use self::empty::EmptyFilter;
 pub use self::init::initialize;
 pub use self::lines::LinesFilter;
 pub use self::regex::RegexFilter;
-pub use self::similarity::SimilarityFilter;
+pub use self::similarity::{SimilarityFilter, SIM_HASHER};
 pub use self::size::SizeFilter;
 pub use self::status_code::StatusCodeFilter;
+pub(crate) use self::utils::{create_similarity_filter, filter_lookup};
 pub use self::wildcard::WildcardFilter;
 pub use self::words::WordsFilter;
 
-mod wildcard;
 mod status_code;
 mod words;
 mod lines;
@@ -26,3 +28,6 @@ mod container;
 #[cfg(test)]
 mod tests;
 mod init;
+mod utils;
+mod wildcard;
+mod empty;

src/filters/regex.rs

@@ -3,15 +3,25 @@ use ::regex::Regex;
 
 /// Simple implementor of FeroxFilter; used to filter out responses based on a given regular
 /// expression; specified using -X|--filter-regex
-#[derive(Debug)]
+#[derive(Debug, Serialize, Deserialize)]
 pub struct RegexFilter {
     /// Regular expression to be applied to the response body for filtering, compiled
+    #[serde(with = "serde_regex")]
     pub compiled: Regex,
 
     /// Regular expression as passed in on the command line, not compiled
     pub raw_string: String,
 }
 
+impl Default for RegexFilter {
+    fn default() -> Self {
+        Self {
+            compiled: Regex::new("").unwrap(),
+            raw_string: String::new(),
+        }
+    }
+}
+
 /// implementation of FeroxFilter for RegexFilter
 impl FeroxFilter for RegexFilter {
     /// Check `expression` against the response body, if the expression matches, the response

src/filters/similarity.rs

@@ -1,15 +1,29 @@
 use super::*;
-use fuzzyhash::FuzzyHash;
+use crate::nlp::preprocess;
+use gaoya::simhash::{SimHash, SimHashBits, SimSipHasher64};
+use lazy_static::lazy_static;
+
+lazy_static! {
+    /// single instance of the sip hasher used in similarity filtering
+    pub static ref SIM_HASHER: SimHash<SimSipHasher64, u64, 64> =
+        SimHash::<SimSipHasher64, u64, 64>::new(SimSipHasher64::new(1, 2));
+}
+
+/// maximum hamming distance allowed between two signatures
+///
+/// ref: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/33026.pdf
+/// section: 4.1 Choice of Parameters
+const MAX_HAMMING_DISTANCE: usize = 3;
 
 /// Simple implementor of FeroxFilter; used to filter out responses based on the similarity of a
 /// Response body with a known response; specified using --filter-similar-to
-#[derive(Default, Debug, PartialEq)]
+#[derive(Default, Debug, PartialEq, Eq, Serialize, Deserialize)]
 pub struct SimilarityFilter {
-    /// Response's body to be used for comparison for similarity
-    pub text: String,
+    /// Hash of Response's body to be used during similarity comparison
+    pub hash: u64,
 
-    /// Percentage of similarity at which a page is determined to be a near-duplicate of another
-    pub threshold: u32,
+    /// Url originally requested for the similarity filter
+    pub original_url: String,
 }
 
 /// implementation of FeroxFilter for SimilarityFilter
@@ -17,20 +31,15 @@ impl FeroxFilter for SimilarityFilter {
     /// Check `FeroxResponse::text` against what was requested from the site passed in via
     /// --filter-similar-to
     fn should_filter_response(&self, response: &FeroxResponse) -> bool {
-        let other = FuzzyHash::new(&response.text());
-
-        if let Ok(result) = FuzzyHash::compare(&self.text, &other.to_string()) {
-            return result >= self.threshold;
-        }
-
-        // couldn't hash the response, don't filter
-        log::warn!("Could not hash body from {}", response.as_str());
-        false
+        let other = SIM_HASHER.create_signature(preprocess(response.text()).iter());
+        self.hash.hamming_distance(&other) <= MAX_HAMMING_DISTANCE
     }
 
     /// Compare one SimilarityFilter to another
     fn box_eq(&self, other: &dyn Any) -> bool {
-        other.downcast_ref::<Self>().map_or(false, |a| self == a)
+        other
+            .downcast_ref::<Self>()
+            .map_or(false, |a| self.hash == a.hash)
     }
 
     /// Return self as Any for dynamic dispatch purposes

src/filters/size.rs

@@ -2,7 +2,7 @@ use super::*;
 
 /// Simple implementor of FeroxFilter; used to filter out responses based on the length of a
 /// Response body; specified using -S|--filter-size
-#[derive(Default, Debug, PartialEq)]
+#[derive(Default, Debug, PartialEq, Eq, Serialize, Deserialize)]
 pub struct SizeFilter {
     /// Overall length of a Response's body that should be filtered
     pub content_length: u64,

src/filters/status_code.rs

@@ -2,7 +2,7 @@ use super::*;
 
 /// Simple implementor of FeroxFilter; used to filter out status codes specified using
 /// -C|--filter-status
-#[derive(Default, Debug, PartialEq)]
+#[derive(Default, Debug, PartialEq, Eq, Serialize, Deserialize)]
 pub struct StatusCodeFilter {
     /// Status code that should not be displayed to the user
     pub filter_code: u16,

src/filters/tests.rs

@@ -1,26 +1,38 @@
 use super::*;
-use ::fuzzyhash::FuzzyHash;
+use crate::nlp::preprocess;
+use crate::DEFAULT_METHOD;
 use ::regex::Regex;
 
 #[test]
-/// simply test the default values for wildcardfilter, expect 0, 0
+/// simply test the default values for wildcardfilter
 fn wildcard_filter_default() {
     let wcf = WildcardFilter::default();
-    assert_eq!(wcf.size, u64::MAX);
-    assert_eq!(wcf.dynamic, u64::MAX);
+    assert_eq!(wcf.content_length, None);
+    assert_eq!(wcf.line_count, None);
+    assert_eq!(wcf.word_count, None);
+    assert_eq!(wcf.method, DEFAULT_METHOD.to_string());
+    assert_eq!(wcf.status_code, 0);
+    assert!(!wcf.dont_filter);
 }
 
 #[test]
 /// just a simple test to increase code coverage by hitting as_any and the inner value
 fn wildcard_filter_as_any() {
-    let filter = WildcardFilter::default();
+    let mut filter = WildcardFilter::default();
     let filter2 = WildcardFilter::default();
 
     assert!(filter.box_eq(filter2.as_any()));
 
     assert_eq!(
         *filter.as_any().downcast_ref::<WildcardFilter>().unwrap(),
-        filter
+        filter2
+    );
+
+    filter.content_length = Some(1);
+
+    assert_ne!(
+        *filter.as_any().downcast_ref::<WildcardFilter>().unwrap(),
+        filter2
     );
 }
 
@@ -111,16 +123,40 @@ fn regex_filter_as_any() {
 #[test]
 /// test should_filter on WilcardFilter where static logic matches
 fn wildcard_should_filter_when_static_wildcard_found() {
+    let body =
+        "pellentesque diam volutpat commodo sed egestas egestas fringilla phasellus faucibus";
+
     let mut resp = FeroxResponse::default();
     resp.set_wildcard(true);
     resp.set_url("http://localhost");
-    resp.set_text(
-        "pellentesque diam volutpat commodo sed egestas egestas fringilla phasellus faucibus",
-    );
+    resp.set_text(body);
 
     let filter = WildcardFilter {
-        size: 83,
-        dynamic: 0,
+        content_length: Some(body.len() as u64),
+        line_count: Some(1),
+        word_count: Some(10),
+        method: DEFAULT_METHOD.to_string(),
+        status_code: 200,
+        dont_filter: false,
+    };
+
+    assert!(filter.should_filter_response(&resp));
+}
+
+#[test]
+/// test should_filter on WilcardFilter where static logic matches but response length is 0
+fn wildcard_should_filter_when_static_wildcard_len_is_zero() {
+    let mut resp = FeroxResponse::default();
+    resp.set_wildcard(true);
+    resp.set_url("http://localhost");
+
+    // default WildcardFilter is used in the code that executes when response.content_length() == 0
+    let filter = WildcardFilter {
+        content_length: Some(0),
+        line_count: Some(0),
+        word_count: Some(0),
+        method: DEFAULT_METHOD.to_string(),
+        status_code: 200,
         dont_filter: false,
     };
 
@@ -136,16 +172,16 @@ fn wildcard_should_filter_when_dynamic_wildcard_found() {
     resp.set_text("pellentesque diam volutpat commodo sed egestas egestas fringilla");
 
     let filter = WildcardFilter {
-        size: 0,
-        dynamic: 59, // content-length - 5 (len('stuff'))
+        content_length: None,
+        line_count: None,
+        word_count: Some(8),
+        method: DEFAULT_METHOD.to_string(),
+        status_code: 200,
         dont_filter: false,
     };
 
-    println!("resp: {:?}: filter: {:?}", resp, filter);
-
     assert!(filter.should_filter_response(&resp));
 }
-
 #[test]
 /// test should_filter on RegexFilter where regex matches body
 fn regexfilter_should_filter_when_regex_matches_on_response_body() {
@@ -171,23 +207,23 @@ fn similarity_filter_is_accurate() {
     resp.set_text("sitting");
 
     let mut filter = SimilarityFilter {
-        text: FuzzyHash::new("kitten").to_string(),
-        threshold: 95,
+        hash: SIM_HASHER.create_signature(["kitten"].iter()),
+        original_url: "".to_string(),
     };
 
     // kitten/sitting is 57% similar, so a threshold of 95 should not be filtered
     assert!(!filter.should_filter_response(&resp));
 
     resp.set_text("");
-    filter.text = String::new();
-    filter.threshold = 100;
+    filter.hash = SIM_HASHER.create_signature([""].iter());
 
-    // two empty strings are the same, however ssdeep doesn't accept empty strings, expect false
+    // two empty strings are the same
     assert!(!filter.should_filter_response(&resp));
 
-    resp.set_text("some data to hash for the purposes of running a test");
-    filter.text = FuzzyHash::new("some data to hash for the purposes of running a te").to_string();
-    filter.threshold = 17;
+    resp.set_text("some data hash purposes running test");
+    filter.hash = SIM_HASHER.create_signature(
+        preprocess("some data to hash for the purposes of running a test").iter(),
+    );
 
     assert!(filter.should_filter_response(&resp));
 }
@@ -196,20 +232,55 @@ fn similarity_filter_is_accurate() {
 /// just a simple test to increase code coverage by hitting as_any and the inner value
 fn similarity_filter_as_any() {
     let filter = SimilarityFilter {
-        text: String::from("stuff"),
-        threshold: 95,
+        hash: 1,
+        original_url: "".to_string(),
     };
 
     let filter2 = SimilarityFilter {
-        text: String::from("stuff"),
-        threshold: 95,
+        hash: 1,
+        original_url: "".to_string(),
     };
 
     assert!(filter.box_eq(filter2.as_any()));
 
-    assert_eq!(filter.text, "stuff");
     assert_eq!(
         *filter.as_any().downcast_ref::<SimilarityFilter>().unwrap(),
         filter
     );
 }
+
+#[test]
+/// test correctness of FeroxFilters::remove
+fn remove_function_works_as_expected() {
+    let data = FeroxFilters::default();
+    assert!(data.filters.read().unwrap().is_empty());
+
+    (0..8).for_each(|i| {
+        data.push(Box::new(WordsFilter { word_count: i })).unwrap();
+    });
+
+    // remove removes index-1 from the vec, zero is skipped, and out-of-bounds indices are skipped
+    data.remove(&mut [0]);
+    assert_eq!(data.filters.read().unwrap().len(), 8);
+
+    data.remove(&mut [10000]);
+    assert_eq!(data.filters.read().unwrap().len(), 8);
+
+    // removing 0, 2, 4
+    data.remove(&mut [1, 3, 5]);
+
+    assert_eq!(data.filters.read().unwrap().len(), 5);
+
+    let expected = vec![
+        WordsFilter { word_count: 1 },
+        WordsFilter { word_count: 3 },
+        WordsFilter { word_count: 5 },
+        WordsFilter { word_count: 6 },
+        WordsFilter { word_count: 7 },
+    ];
+
+    for filter in data.filters.read().unwrap().iter() {
+        let downcast = filter.as_any().downcast_ref::<WordsFilter>().unwrap();
+        assert!(expected.contains(downcast));
+    }
+}

src/filters/utils.rs

@@ -0,0 +1,199 @@
+use super::FeroxFilter;
+use super::SimilarityFilter;
+use crate::event_handlers::Handles;
+use crate::filters::similarity::SIM_HASHER;
+use crate::nlp::preprocess;
+use crate::response::FeroxResponse;
+use crate::utils::{logged_request, parse_url_with_raw_path};
+use crate::DEFAULT_METHOD;
+use anyhow::Result;
+use regex::Regex;
+use std::sync::Arc;
+
+/// wrapper around logic necessary to create a SimilarityFilter
+///
+/// - parses given url
+/// - makes request to the parsed url
+/// - gathers extensions from the url, if configured to do so
+/// - computes hash of response body
+/// - creates filter with hash
+pub(crate) async fn create_similarity_filter(
+    similarity_filter: &str,
+    handles: Arc<Handles>,
+) -> Result<SimilarityFilter> {
+    // url as-is based on input, ignores user-specified url manipulation options (add-slash etc)
+    let url = parse_url_with_raw_path(similarity_filter)?;
+
+    // attempt to request the given url
+    let resp = logged_request(&url, DEFAULT_METHOD, None, handles.clone()).await?;
+
+    // if successful, create a filter based on the response's body
+    let mut fr = FeroxResponse::from(
+        resp,
+        similarity_filter,
+        DEFAULT_METHOD,
+        handles.config.output_level,
+    )
+    .await;
+
+    if handles.config.collect_extensions {
+        fr.parse_extension(handles.clone())?;
+    }
+
+    let hash = SIM_HASHER.create_signature(preprocess(fr.text()).iter());
+
+    Ok(SimilarityFilter {
+        hash,
+        original_url: similarity_filter.to_string(),
+    })
+}
+
+/// used in conjunction with the Scan Management Menu
+///
+/// when a user uses the n[ew-filter] command in the menu, the two params are passed here for
+/// processing.
+///
+/// an example command may be `new-filter lines 40`. `lines` and `40` are passed here as &str's
+///
+/// once here, the type and value are used to create an appropriate FeroxFilter. If anything
+/// goes wrong during creation, None is returned.
+pub(crate) fn filter_lookup(filter_type: &str, filter_value: &str) -> Option<Box<dyn FeroxFilter>> {
+    match filter_type {
+        "status" => {
+            if let Ok(parsed) = filter_value.parse() {
+                return Some(Box::new(super::StatusCodeFilter {
+                    filter_code: parsed,
+                }));
+            }
+        }
+        "lines" => {
+            if let Ok(parsed) = filter_value.parse() {
+                return Some(Box::new(super::LinesFilter { line_count: parsed }));
+            }
+        }
+        "size" => {
+            if let Ok(parsed) = filter_value.parse() {
+                return Some(Box::new(super::SizeFilter {
+                    content_length: parsed,
+                }));
+            }
+        }
+        "words" => {
+            if let Ok(parsed) = filter_value.parse() {
+                return Some(Box::new(super::WordsFilter { word_count: parsed }));
+            }
+        }
+        "regex" => {
+            if let Ok(parsed) = Regex::new(filter_value) {
+                return Some(Box::new(super::RegexFilter {
+                    compiled: parsed,
+                    raw_string: filter_value.to_string(),
+                }));
+            }
+        }
+        "similarity" => {
+            return Some(Box::new(SimilarityFilter {
+                hash: 0,
+                original_url: filter_value.to_string(),
+            }));
+        }
+        _ => (),
+    }
+
+    None
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::config::Configuration;
+    use crate::filters::{LinesFilter, RegexFilter, SizeFilter, StatusCodeFilter, WordsFilter};
+    use crate::scan_manager::FeroxScans;
+    use httpmock::Method::GET;
+    use httpmock::MockServer;
+
+    #[test]
+    /// filter_lookup returns correct filters
+    fn filter_lookup_returns_correct_filters() {
+        let filter = filter_lookup("status", "200").unwrap();
+        assert_eq!(
+            filter.as_any().downcast_ref::<StatusCodeFilter>().unwrap(),
+            &StatusCodeFilter { filter_code: 200 }
+        );
+
+        let filter = filter_lookup("lines", "10").unwrap();
+        assert_eq!(
+            filter.as_any().downcast_ref::<LinesFilter>().unwrap(),
+            &LinesFilter { line_count: 10 }
+        );
+
+        let filter = filter_lookup("size", "20").unwrap();
+        assert_eq!(
+            filter.as_any().downcast_ref::<SizeFilter>().unwrap(),
+            &SizeFilter { content_length: 20 }
+        );
+
+        let filter = filter_lookup("words", "30").unwrap();
+        assert_eq!(
+            filter.as_any().downcast_ref::<WordsFilter>().unwrap(),
+            &WordsFilter { word_count: 30 }
+        );
+
+        let filter = filter_lookup("regex", "stuff.*").unwrap();
+        let compiled = Regex::new("stuff.*").unwrap();
+        let raw_string = String::from("stuff.*");
+        assert_eq!(
+            filter.as_any().downcast_ref::<RegexFilter>().unwrap(),
+            &RegexFilter {
+                compiled,
+                raw_string
+            }
+        );
+
+        let filter = filter_lookup("similarity", "http://localhost").unwrap();
+        assert_eq!(
+            filter.as_any().downcast_ref::<SimilarityFilter>().unwrap(),
+            &SimilarityFilter {
+                hash: 0,
+                original_url: "http://localhost".to_string()
+            }
+        );
+
+        assert!(filter_lookup("non-existent", "").is_none());
+    }
+
+    #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
+    /// ensure create_similarity_filter correctness of return value and side-effects
+    async fn create_similarity_filter_is_correct() {
+        let srv = MockServer::start();
+
+        let mock = srv.mock(|when, then| {
+            when.method(GET).path("/");
+            then.status(200).body("this is a test");
+        });
+
+        let scans = FeroxScans::default();
+        let config = Configuration {
+            collect_extensions: true,
+            ..Default::default()
+        };
+
+        let (test_handles, _) = Handles::for_testing(Some(Arc::new(scans)), Some(Arc::new(config)));
+
+        let handles = Arc::new(test_handles);
+
+        let filter = create_similarity_filter(&srv.url("/"), handles.clone())
+            .await
+            .unwrap();
+
+        assert_eq!(mock.hits(), 1);
+
+        assert_eq!(
+            filter,
+            SimilarityFilter {
+                hash: 14897447612059286329,
+                original_url: srv.url("/")
+            }
+        );
+    }
+}

src/filters/wildcard.rs

@@ -1,25 +1,29 @@
+use console::style;
+
 use super::*;
-use crate::url::FeroxUrl;
+use crate::utils::create_report_string;
+use crate::{config::OutputLevel, DEFAULT_METHOD};
 
-/// Data holder for two pieces of data needed when auto-filtering out wildcard responses
-///
-/// `dynamic` is the size of the response that will later be combined with the length
-/// of the path of the url requested and used to determine interesting pages from custom
-/// 404s where the requested url is reflected back in the response
-///
-/// `size` is size of the response that should be included with filters passed via runtime
-/// configuration and any static wildcard lengths.
-#[derive(Debug, Clone, PartialEq)]
+/// Data holder for all relevant data needed when auto-filtering out wildcard responses
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
 pub struct WildcardFilter {
-    /// size of the response that will later be combined with the length of the path of the url
-    /// requested
-    pub dynamic: u64,
+    /// The content-length of this response, if known
+    pub content_length: Option<u64>,
 
-    /// size of the response that should be included with filters passed via runtime configuration
-    pub size: u64,
+    /// The number of lines contained in the body of this response, if known
+    pub line_count: Option<usize>,
+
+    /// The number of words contained in the body of this response, if known
+    pub word_count: Option<usize>,
+
+    /// method used in request that should be included with filters passed via runtime configuration
+    pub method: String,
+
+    /// the status code returned in the response
+    pub status_code: u16,
 
     /// whether or not the user passed -D on the command line
-    pub(super) dont_filter: bool,
+    pub dont_filter: bool,
 }
 
 /// implementation of WildcardFilter
@@ -33,21 +37,23 @@ impl WildcardFilter {
     }
 }
 
-/// implement default that populates both values with u64::MAX
+/// implement default that populates `method` with its default value
 impl Default for WildcardFilter {
-    /// populate both values with u64::MAX
     fn default() -> Self {
         Self {
+            content_length: None,
+            line_count: None,
+            word_count: None,
+            method: DEFAULT_METHOD.to_string(),
+            status_code: 0,
             dont_filter: false,
-            size: u64::MAX,
-            dynamic: u64::MAX,
         }
     }
 }
 
 /// implementation of FeroxFilter for WildcardFilter
 impl FeroxFilter for WildcardFilter {
-    /// Examine size, dynamic, and content_len to determine whether or not the response received
+    /// Examine size/words/lines and method to determine whether or not the response received
     /// is a wildcard response and therefore should be filtered out
     fn should_filter_response(&self, response: &FeroxResponse) -> bool {
         log::trace!("enter: should_filter_response({:?} {})", self, response);
@@ -60,30 +66,78 @@ impl FeroxFilter for WildcardFilter {
             return false;
         }
 
-        if self.size != u64::MAX && self.size == response.content_length() {
-            // static wildcard size found during testing
-            // size isn't default, size equals response length, and auto-filter is on
-            log::debug!("static wildcard: filtered out {}", response.url());
-            log::trace!("exit: should_filter_response -> true");
-            return true;
+        if self.method != response.method().as_str() {
+            // method's don't match, so this response should not be filtered out
+            log::trace!("exit: should_filter_response -> false");
+            return false;
         }
 
-        if self.dynamic != u64::MAX {
-            // dynamic wildcard offset found during testing
+        if self.status_code != response.status().as_u16() {
+            // status codes don't match, so this response should not be filtered out
+            log::trace!("exit: should_filter_response -> false");
+            return false;
+        }
 
-            // I'm about to manually split this url path instead of using reqwest::Url's
-            // builtin parsing. The reason is that they call .split() on the url path
-            // except that I don't want an empty string taking up the last index in the
-            // event that the url ends with a forward slash.  It's ugly enough to be split
-            // into its own function for readability.
-            let url_len = FeroxUrl::path_length_of_url(&response.url());
+        // methods and status codes match at this point, just need to check the other fields
 
-            if url_len + self.dynamic == response.content_length() {
-                log::debug!("dynamic wildcard: filtered out {}", response.url());
-                log::trace!("exit: should_filter_response -> true");
-                return true;
+        match (self.content_length, self.word_count, self.line_count) {
+            (Some(cl), Some(wc), Some(lc)) => {
+                if cl == response.content_length()
+                    && wc == response.word_count()
+                    && lc == response.line_count()
+                {
+                    log::debug!("filtered out {}", response.url());
+                    log::trace!("exit: should_filter_response -> true");
+                    return true;
+                }
+            }
+            (Some(cl), Some(wc), None) => {
+                if cl == response.content_length() && wc == response.word_count() {
+                    log::debug!("filtered out {}", response.url());
+                    log::trace!("exit: should_filter_response -> true");
+                    return true;
+                }
+            }
+            (Some(cl), None, Some(lc)) => {
+                if cl == response.content_length() && lc == response.line_count() {
+                    log::debug!("filtered out {}", response.url());
+                    log::trace!("exit: should_filter_response -> true");
+                    return true;
+                }
+            }
+            (None, Some(wc), Some(lc)) => {
+                if wc == response.word_count() && lc == response.line_count() {
+                    log::debug!("filtered out {}", response.url());
+                    log::trace!("exit: should_filter_response -> true");
+                    return true;
+                }
+            }
+            (Some(cl), None, None) => {
+                if cl == response.content_length() {
+                    log::debug!("filtered out {}", response.url());
+                    log::trace!("exit: should_filter_response -> true");
+                    return true;
+                }
+            }
+            (None, Some(wc), None) => {
+                if wc == response.word_count() {
+                    log::debug!("filtered out {}", response.url());
+                    log::trace!("exit: should_filter_response -> true");
+                    return true;
+                }
+            }
+            (None, None, Some(lc)) => {
+                if lc == response.line_count() {
+                    log::debug!("filtered out {}", response.url());
+                    log::trace!("exit: should_filter_response -> true");
+                    return true;
+                }
+            }
+            (None, None, None) => {
+                unreachable!("wildcard filter without any filters set");
             }
         }
+
         log::trace!("exit: should_filter_response -> false");
         false
     }
@@ -98,3 +152,29 @@ impl FeroxFilter for WildcardFilter {
         self
     }
 }
+
+impl std::fmt::Display for WildcardFilter {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        let msg = create_report_string(
+            self.status_code.to_string().as_str(),
+            self.method.as_str(),
+            &self
+                .line_count
+                .map_or_else(|| "-".to_string(), |x| x.to_string()),
+            &self
+                .word_count
+                .map_or_else(|| "-".to_string(), |x| x.to_string()),
+            &self
+                .content_length
+                .map_or_else(|| "-".to_string(), |x| x.to_string()),
+            &format!(
+                "{} found {}-like response and created new filter; toggle off with {}",
+                style("Auto-filtering").bright().green(),
+                style("404").red(),
+                style("--dont-filter").yellow()
+            ),
+            OutputLevel::Default,
+        );
+        write!(f, "{}", msg)
+    }
+}

src/filters/words.rs

@@ -2,7 +2,7 @@ use super::*;
 
 /// Simple implementor of FeroxFilter; used to filter out responses based on the number of words
 /// in a Response body; specified using -W|--filter-words
-#[derive(Default, Debug, PartialEq)]
+#[derive(Default, Debug, PartialEq, Eq, Serialize, Deserialize)]
 pub struct WordsFilter {
     /// Number of words in a Response's body that should be filtered
     pub word_count: usize,

src/heuristics.rs

@@ -1,37 +1,64 @@
+use std::collections::HashMap;
 use std::sync::Arc;
 
 use anyhow::{bail, Result};
-use console::style;
+use futures::future;
+use scraper::{Html, Selector};
 use uuid::Uuid;
 
+use crate::filters::{SimilarityFilter, WildcardFilter, SIM_HASHER};
+use crate::message::FeroxMessage;
+use crate::nlp::preprocess;
+use crate::scanner::RESPONSES;
 use crate::{
     config::OutputLevel,
     event_handlers::{Command, Handles},
-    filters::WildcardFilter,
     progress::PROGRESS_PRINTER,
     response::FeroxResponse,
     skip_fail,
     url::FeroxUrl,
-    utils::{ferox_print, fmt_err, logged_request, status_colorizer},
+    utils::{ferox_print, fmt_err, logged_request},
+    DEFAULT_METHOD,
 };
 
-/// length of a standard UUID, used when determining wildcard responses
-const UUID_LENGTH: u64 = 32;
+/// enum representing the different servers that `parse_html` can detect when directory listing is
+/// enabled
+#[derive(Copy, Debug, Clone)]
+pub enum DirListingType {
+    /// apache server, detected by `Index of /`
+    Apache,
 
-/// wrapper around ugly string formatting
-macro_rules! format_template {
-    ($template:expr, $length:expr) => {
-        format!(
-            $template,
-            status_colorizer("WLD"),
-            "-",
-            "-",
-            "-",
-            style("auto-filtering").yellow(),
-            style($length).cyan(),
-            style("--dont-filter").yellow()
-        )
-    };
+    /// tomcat/python server, detected by `Directory Listing for /`
+    TomCatOrPython,
+
+    /// ASP.NET server, detected by `Directory Listing -- /`
+    AspDotNet,
+
+    // /// IIS/Azure server, detected by `HOST_NAME - /` (not currently used)
+    // IIS_AZURE,
+    /// variant that represents the absence of directory listing
+    None,
+}
+
+/// Wrapper around the results of running a directory listing detection against a target web page
+#[derive(Debug, Clone)]
+pub struct DirListingResult {
+    /// type of server where directory listing was detected
+    /// i.e. https://portswigger.net/kb/issues/00600100_directory-listing
+    pub dir_list_type: Option<DirListingType>,
+
+    /// the `FeroxResponse` generated during detection
+    pub response: FeroxResponse,
+}
+
+/// wrapper around the results of running a wildcard detection against a target web page
+#[derive(Copy, Debug, Clone)]
+pub enum WildcardResult {
+    /// variant that represents a wildcard directory
+    WildcardDirectory(usize),
+
+    /// variant that represents the presence of a 404-like response
+    FourOhFourLike(usize),
 }
 
 /// container for heuristics related info
@@ -57,7 +84,7 @@ impl HeuristicTests {
         let mut ids = vec![];
 
         for _ in 0..length {
-            ids.push(Uuid::new_v4().to_simple().to_string());
+            ids.push(Uuid::new_v4().as_simple().to_string());
         }
 
         let unique_id = ids.join("");
@@ -66,136 +93,6 @@ impl HeuristicTests {
         unique_id
     }
 
-    /// wrapper for sending a filter to the filters event handler
-    fn send_filter(&self, filter: WildcardFilter) -> Result<()> {
-        self.handles
-            .filters
-            .send(Command::AddFilter(Box::new(filter)))
-    }
-
-    /// Tests the given url to see if it issues a wildcard response
-    ///
-    /// In the event that url returns a wildcard response, a
-    /// [WildcardFilter](struct.WildcardFilter.html) is created and sent to the filters event
-    /// handler.
-    ///
-    /// Returns the number of times to increment the caller's progress bar
-    pub async fn wildcard(&self, target_url: &str) -> Result<u64> {
-        log::trace!("enter: wildcard_test({:?})", target_url);
-
-        if self.handles.config.dont_filter {
-            // early return, dont_filter scans don't need tested
-            log::trace!("exit: wildcard_test -> 0");
-            return Ok(0);
-        }
-
-        let ferox_url = FeroxUrl::from_string(target_url, self.handles.clone());
-
-        let ferox_response = self.make_wildcard_request(&ferox_url, 1).await?;
-
-        // found a wildcard response
-        let mut wildcard = WildcardFilter::new(self.handles.config.dont_filter);
-
-        let wc_length = ferox_response.content_length();
-
-        if wc_length == 0 {
-            log::trace!("exit: wildcard_test -> 1");
-            self.send_filter(wildcard)?;
-            return Ok(1);
-        }
-
-        // content length of wildcard is non-zero, perform additional tests:
-        //   make a second request, with a known-sized (64) longer request
-        let resp_two = self.make_wildcard_request(&ferox_url, 3).await?;
-
-        let wc2_length = resp_two.content_length();
-
-        if wc2_length == wc_length + (UUID_LENGTH * 2) {
-            // second length is what we'd expect to see if the requested url is
-            // reflected in the response along with some static content; aka custom 404
-            let url_len = ferox_url.path_length()?;
-
-            wildcard.dynamic = wc_length - url_len;
-
-            if matches!(
-                self.handles.config.output_level,
-                OutputLevel::Default | OutputLevel::Quiet
-            ) {
-                let msg = format_template!("{} {:>9} {:>9} {:>9} Wildcard response is dynamic; {} ({} + url length) responses; toggle this behavior by using {}\n", wildcard.dynamic);
-                ferox_print(&msg, &PROGRESS_PRINTER);
-            }
-        } else if wc_length == wc2_length {
-            wildcard.size = wc_length;
-
-            if matches!(
-                self.handles.config.output_level,
-                OutputLevel::Default | OutputLevel::Quiet
-            ) {
-                let msg = format_template!("{} {:>9} {:>9} {:>9} Wildcard response is static; {} {} responses; toggle this behavior by using {}\n", wildcard.size);
-                ferox_print(&msg, &PROGRESS_PRINTER);
-            }
-        }
-
-        self.send_filter(wildcard)?;
-
-        log::trace!("exit: wildcard_test");
-        Ok(2)
-    }
-
-    /// Generates a uuid and appends it to the given target url. The reasoning is that the randomly
-    /// generated unique string should not exist on and be served by the target web server.
-    ///
-    /// Once the unique url is created, the request is sent to the server. If the server responds
-    /// back with a valid status code, the response is considered to be a wildcard response. If that
-    /// wildcard response has a 3xx status code, that redirection location is displayed to the user.
-    async fn make_wildcard_request(
-        &self,
-        target: &FeroxUrl,
-        length: usize,
-    ) -> Result<FeroxResponse> {
-        log::trace!("enter: make_wildcard_request({}, {})", target, length);
-
-        let unique_str = self.unique_string(length);
-        let nonexistent_url = target.format(&unique_str, None)?;
-
-        let response = logged_request(&nonexistent_url.to_owned(), self.handles.clone()).await?;
-
-        if self
-            .handles
-            .config
-            .status_codes
-            .contains(&response.status().as_u16())
-        {
-            // found a wildcard response
-            let mut ferox_response =
-                FeroxResponse::from(response, true, self.handles.config.output_level).await;
-            ferox_response.set_wildcard(true);
-
-            if self
-                .handles
-                .filters
-                .data
-                .should_filter_response(&ferox_response, self.handles.stats.tx.clone())
-            {
-                bail!("filtered response")
-            }
-
-            if matches!(
-                self.handles.config.output_level,
-                OutputLevel::Default | OutputLevel::Quiet
-            ) {
-                let boxed = Box::new(ferox_response.clone());
-                self.handles.output.send(Command::Report(boxed))?;
-            }
-
-            log::trace!("exit: make_wildcard_request -> {}", ferox_response);
-            return Ok(ferox_response);
-        }
-
-        log::trace!("exit: make_wildcard_request -> Err");
-        bail!("uninteresting status code")
-    }
-
     /// Simply tries to connect to all given sites before starting to scan
     ///
     /// In the event that no sites can be reached, the program will exit.
@@ -207,10 +104,10 @@ impl HeuristicTests {
         let mut good_urls = vec![];
 
         for target_url in target_urls {
-            let url = FeroxUrl::from_string(&target_url, self.handles.clone());
+            let url = FeroxUrl::from_string(target_url, self.handles.clone());
             let request = skip_fail!(url.format("", None));
 
-            let result = logged_request(&request, self.handles.clone()).await;
+            let result = logged_request(&request, DEFAULT_METHOD, None, self.handles.clone()).await;
 
             match result {
                 Ok(_) => {
@@ -223,12 +120,15 @@ impl HeuristicTests {
                     ) {
                         if e.to_string().contains(":SSL") {
                             ferox_print(
-                                &format!("Could not connect to {} due to SSL errors (run with -k to ignore), skipping...", target_url),
+                                &format!("Could not connect to {target_url} due to SSL errors (run with -k to ignore), skipping...\n  => {}\n", e.root_cause()),
                                 &PROGRESS_PRINTER,
                             );
                         } else {
                             ferox_print(
-                                &format!("Could not connect to {}, skipping...", target_url),
+                                &format!(
+                                    "Could not connect to {target_url}, skipping...\n  => {}\n",
+                                    e.root_cause()
+                                ),
                                 &PROGRESS_PRINTER,
                             );
                         }
@@ -245,6 +145,464 @@ impl HeuristicTests {
         log::trace!("exit: connectivity_test -> {:?}", good_urls);
         Ok(good_urls)
     }
+
+    /// heuristic designed to detect when a server has directory listing enabled
+    pub async fn directory_listing(&self, target_url: &str) -> Result<Option<DirListingResult>> {
+        log::trace!("enter: directory_listing({})", target_url);
+
+        let tgt = if !target_url.ends_with('/') {
+            // if left unchanged, this function would be called against redirects that point to
+            // valid directories for most, if not all, directories beyond the initial urls.
+            // so, instead of `directory_listing("http://localhost") -> None` we get
+            // `directory_listing("http://localhost/") -> Some(DirListingResult)` if there is
+            // directory listing beyond the redirect
+            format!("{target_url}/")
+        } else {
+            target_url.to_string()
+        };
+
+        let url = FeroxUrl::from_string(&tgt, self.handles.clone());
+        let request = url.format("", None)?;
+
+        let result = logged_request(&request, DEFAULT_METHOD, None, self.handles.clone()).await?;
+
+        let ferox_response = FeroxResponse::from(
+            result,
+            &url.target,
+            DEFAULT_METHOD,
+            self.handles.config.output_level,
+        )
+        .await;
+
+        let body = ferox_response.text();
+        let html = Html::parse_document(body);
+
+        let dirlist_type = self.detect_directory_listing(&html);
+
+        if dirlist_type.is_some() {
+            // folks that run things and step away/rely on logs need to be notified of directory
+            // listing, since they won't see the message on the bar; bastardizing FeroxMessage
+            // for ease of implementation. This could use a bit of polish at some point.
+            let msg = format!(
+                "detected directory listing: {} ({:?})",
+                target_url,
+                dirlist_type.unwrap()
+            );
+            let ferox_msg = FeroxMessage {
+                kind: "log".to_string(),
+                message: msg.clone(),
+                level: "MSG".to_string(),
+                time_offset: 0.0,
+                module: "feroxbuster::heuristics".to_string(),
+            };
+            self.handles
+                .output
+                .tx_file
+                .send(Command::WriteToDisk(Box::new(ferox_msg)))
+                .unwrap_or_default();
+
+            log::info!("{}", msg);
+
+            let result = DirListingResult {
+                dir_list_type: dirlist_type,
+                response: ferox_response,
+            };
+
+            log::trace!("exit: directory_listing -> {:?}", result);
+            return Ok(Some(result));
+        }
+
+        log::trace!("exit: directory_listing -> None");
+        Ok(None)
+    }
+
+    /// Directory listing heuristic detection, uses <title> tag to make its determination. When
+    /// the inner html of <title> matches one of the following, a `DirListingType` is returned.
+    /// - apache: `Index of /`
+    /// - tomcat/python: `Directory Listing for /`
+    /// - ASP.NET: `Directory Listing -- /`
+    /// - <host> - /: iis, azure, skipping due to loose heuristic
+    fn detect_directory_listing(&self, html: &Html) -> Option<DirListingType> {
+        log::trace!("enter: detect_directory_listing(html body...)");
+
+        let title_selector = Selector::parse("title").expect("couldn't parse title selector");
+
+        for t in html.select(&title_selector) {
+            let title = t.inner_html().to_lowercase();
+
+            let dirlist_type = if title.contains("directory listing for /") {
+                Some(DirListingType::TomCatOrPython)
+            } else if title.contains("index of /") {
+                Some(DirListingType::Apache)
+            } else if title.contains("directory listing -- /") {
+                Some(DirListingType::AspDotNet)
+            } else {
+                // IIS_AZURE purposely skipped for now
+                None
+            };
+
+            if dirlist_type.is_some() {
+                log::trace!("exit: detect_directory_listing -> {:?}", dirlist_type);
+                return dirlist_type;
+            }
+        }
+
+        log::trace!("exit: detect_directory_listing -> None");
+        None
+    }
+
+    /// given a target's base url, attempt to automatically detect its 404 response
+    /// pattern(s), and then set filters that will exclude those patterns from future
+    /// responses
+    pub async fn detect_404_like_responses(
+        &self,
+        target_url: &str,
+    ) -> Result<Option<WildcardResult>> {
+        log::trace!("enter: detect_404_like_responses({:?})", target_url);
+
+        if self.handles.config.dont_filter {
+            // early return, dont_filter scans don't need tested
+            log::trace!("exit: detect_404_like_responses -> dont_filter is true");
+            return Ok(None);
+        }
+
+        let mut req_counter = 0;
+
+        let data = if self.handles.config.data.is_empty() {
+            None
+        } else {
+            Some(self.handles.config.data.as_slice())
+        };
+
+        // To take care of slash when needed
+        let slash = if self.handles.config.add_slash {
+            Some("/")
+        } else {
+            None
+        };
+
+        // no matter what, we want an empty extension for the base case
+        let mut extensions = vec!["".to_string()];
+
+        // and then we want to add any extensions that was specified
+        // or has since been added to the running config
+        for ext in &self.handles.config.extensions {
+            extensions.push(format!(".{}", ext));
+        }
+
+        // for every method, attempt to id its 404 response
+        //
+        // a good example of one where the GET/POST differ is on hackthebox:
+        // - http://prd.m.rendering-api.interface.htb/api
+        //
+        // a good example of one where the heuristics return a 403 and a 404 (apache)
+        // as well as return two different types of 404s based on the file extension
+        // - http://10.10.11.198 (Encoding box in normal labs)
+        //
+        // both methods and extensions can elicit different responses from a given
+        // server, so both are considered when building auto-filter rules
+        for method in self.handles.config.methods.iter() {
+            for extension in extensions.iter() {
+                // build out the 6 paths we'll use
+                let paths = [
+                    ("", 1),
+                    ("", 3),
+                    (".htaccess", 1),
+                    (".htaccess", 3),
+                    ("admin", 1),
+                    ("admin", 3),
+                ]
+                .map(|(prefix, length)| {
+                    format!("{prefix}{}{extension}", self.unique_string(length))
+                });
+
+                // allow all 6 requests to fly asynchronously
+                let responses = future::join_all(paths.into_iter().map(|path| async move {
+                    let ferox_url = FeroxUrl::from_string(target_url, self.handles.clone());
+
+                    let Ok(nonexistent_url) = ferox_url.format(&path, slash) else {
+                        return None;
+                    };
+
+                    // example requests:
+                    // - http://localhost/2fc1077836ad43ab98b7a31c2ca28fea
+                    // - http://localhost/92969beae6bf4beb855d1622406d87e395c87387a9ad432e8a11245002b709b03cf609d471004154b83bcc1c6ec49f6f
+                    // - http://localhost/.htaccessa005a2131e68449aa26e99029c914c09
+                    // - http://localhost/.htaccess92969beae6bf4beb855d1622406d87e395c87387a9ad432e8a11245002b709b03cf609d471004154b83bcc1c6ec49f6f
+                    // - http://localhost/adminf1d2541e73c44dcb9d1fb7d93334b280
+                    // - http://localhost/admin92969beae6bf4beb855d1622406d87e395c87387a9ad432e8a11245002b709b03cf609d471004154b83bcc1c6ec49f6f
+                    let Ok(response) =
+                        logged_request(&nonexistent_url, method, data, self.handles.clone()).await
+                    else {
+                        return None;
+                    };
+
+                    if !self
+                        .handles
+                        .config
+                        .status_codes
+                        .contains(&response.status().as_u16())
+                    {
+                        // if the response code isn't one that's accepted via -s values, then skip to the next
+                        //
+                        // the default value for -s is all status codes, so unless the user says otherwise
+                        // this won't fire
+                        return None;
+                    }
+
+                    Some(
+                        FeroxResponse::from(
+                            response,
+                            &ferox_url.target,
+                            method,
+                            self.handles.config.output_level,
+                        )
+                        .await,
+                    )
+                }))
+                .await // await gives vector of options containing feroxresponses
+                .into_iter()
+                .flatten() // strip out the none values
+                .collect::<Vec<_>>();
+
+                if responses.len() < 2 {
+                    // don't have enough responses to make a determination, continue to next method
+                    log::debug!("not enough responses to make a determination");
+                    continue;
+                }
+
+                // check the responses for similarities on which we can filter, multiple may be returned
+                let Some((wildcard_filters, wildcard_responses)) =
+                    self.examine_404_like_responses(&responses)
+                else {
+                    // no match was found during analysis of responses
+                    log::warn!("no match found for 404 responses");
+                    continue;
+                };
+
+                // report to the user, if appropriate
+                if matches!(
+                    self.handles.config.output_level,
+                    OutputLevel::Default | OutputLevel::Quiet
+                ) {
+                    // sentry value to control whether or not to print the filter
+                    // used because we only want to print the same filter once
+                    let mut print_sentry;
+
+                    if let Ok(filters) = self.handles.filters.data.filters.read() {
+                        for new_wildcard in &wildcard_filters {
+                            // reset the sentry for every new wildcard produced by examine_404_like_responses
+                            print_sentry = true;
+
+                            for other in filters.iter() {
+                                if let Some(other_wildcard) =
+                                    other.as_any().downcast_ref::<WildcardFilter>()
+                                {
+                                    // check the new wildcard against all existing wildcards, if it was added
+                                    // on the cli or by a previous directory, don't print it
+                                    if new_wildcard.as_ref() == other_wildcard {
+                                        print_sentry = false;
+                                        break;
+                                    }
+                                }
+                            }
+
+                            // if we're here, we've found a new wildcard that we didn't previously display, print it
+                            if print_sentry {
+                                ferox_print(&format!("{}", new_wildcard), &PROGRESS_PRINTER);
+                            }
+                        }
+                    }
+                }
+
+                // create the new filter
+                for wildcard in wildcard_filters {
+                    self.handles.filters.send(Command::AddFilter(wildcard))?;
+                }
+
+                // if we're here, we've detected a 404-like response pattern, and we're already filtering for size/word/line
+                //
+                // in addition, we'll create a similarity filter as a fallback
+                for resp in wildcard_responses {
+                    let hash = SIM_HASHER.create_signature(preprocess(resp.text()).iter());
+
+                    let sim_filter = SimilarityFilter {
+                        hash,
+                        original_url: resp.url().to_string(),
+                    };
+
+                    self.handles
+                        .filters
+                        .send(Command::AddFilter(Box::new(sim_filter)))?;
+
+                    if resp.is_directory() {
+                        // response is either a 3XX with a Location header that matches url + '/'
+                        // or it's a 2XX that ends with a '/'
+                        // or it's a 403 that ends with a '/'
+
+                        // set the wildcard flag to true, so we can check it when preventing
+                        // recursion in event_handlers/scans.rs
+
+                        // we'd need to clone the response to give ownership to the global list anyway
+                        // so we'll also use that clone to set the wildcard flag
+                        let mut cloned_resp = resp.clone();
+
+                        cloned_resp.set_wildcard(true);
+
+                        // add the response to the global list of responses
+                        RESPONSES.insert(cloned_resp);
+
+                        // function-internal magic number, indicates that we've detected a wildcard directory
+                        req_counter += 100;
+                    }
+                }
+            }
+        }
+
+        log::trace!("exit: detect_404_like_responses");
+
+        let retval = if req_counter >= 100 {
+            WildcardResult::WildcardDirectory(req_counter)
+        } else {
+            WildcardResult::FourOhFourLike(req_counter)
+        };
+
+        Ok(Some(retval))
+    }
+
+    /// for all responses, group them by status code, then examine chars/words/lines.
+    /// if all responses' respective lengths within a status code grouping match
+    /// each other, we can assume that will remain true for subsequent non-existent urls
+    ///
+    /// within a status code grouping, values are examined from most to
+    /// least specific (content length, word count, line count)
+    #[allow(clippy::vec_box)] // the box is needed in the caller and i dont feel like changing it
+    fn examine_404_like_responses<'a>(
+        &self,
+        responses: &'a [FeroxResponse],
+    ) -> Option<(Vec<Box<WildcardFilter>>, Vec<&'a FeroxResponse>)> {
+        // aside from word/line/byte counts, additional discriminators are status code
+        // extension, and request method. The request method and extension are handled by
+        // the caller, since they're part of the request and make up the nested for loops
+        // in detect_404_like_responses.
+        //
+        // The status code is handled here, since it's part of the response to catch cases
+        // where we have something like a 403 and a 404
+
+        let mut size_sentry = true;
+        let mut word_sentry = true;
+        let mut line_sentry = true;
+
+        // returned vec of boxed wildcard filters
+        let mut wildcards = Vec::new();
+
+        // returned vec of ferox responses that are needed for additional
+        // analysis
+        let mut wild_responses = Vec::new();
+
+        // mapping of grouped responses to status code
+        let mut grouped_responses = HashMap::new();
+
+        // iterate over all responses and add each response to its
+        // corresponding status code group
+        for response in responses {
+            grouped_responses
+                .entry(response.status())
+                .or_insert_with(Vec::new)
+                .push(response);
+        }
+
+        // iterate over each grouped response and determine the most specific
+        // filter that can be applied to all responses in the group, i.e.
+        // start from byte count and work 'out' to line count
+        for response_group in grouped_responses.values() {
+            if response_group.len() < 2 {
+                // not enough responses to make a determination
+                continue;
+            }
+
+            let method = response_group[0].method();
+            let status_code = response_group[0].status();
+            let content_length = response_group[0].content_length();
+            let word_count = response_group[0].word_count();
+            let line_count = response_group[0].line_count();
+
+            for response in &response_group[1..] {
+                // if any of the responses differ in length, that particular
+                // response length type is no longer a candidate for filtering
+                if response.content_length() != content_length {
+                    size_sentry = false;
+                }
+
+                if response.word_count() != word_count {
+                    word_sentry = false;
+                }
+
+                if response.line_count() != line_count {
+                    line_sentry = false;
+                }
+            }
+
+            if !size_sentry && !word_sentry && !line_sentry {
+                // none of the response lengths match, so we can't filter on any of them
+                continue;
+            }
+
+            let mut wildcard = WildcardFilter {
+                content_length: None,
+                line_count: None,
+                word_count: None,
+                method: method.to_string(),
+                status_code: status_code.as_u16(),
+                dont_filter: self.handles.config.dont_filter,
+            };
+
+            match (size_sentry, word_sentry, line_sentry) {
+                (true, true, true) => {
+                    // all three types of length match, so we can't filter on any of them
+                    wildcard.content_length = Some(content_length);
+                    wildcard.word_count = Some(word_count);
+                    wildcard.line_count = Some(line_count);
+                }
+                (true, true, false) => {
+                    // content length and word count match, so we can filter on either
+                    wildcard.content_length = Some(content_length);
+                    wildcard.word_count = Some(word_count);
+                }
+                (true, false, true) => {
+                    // content length and line count match, so we can filter on either
+                    wildcard.content_length = Some(content_length);
+                    wildcard.line_count = Some(line_count);
+                }
+                (false, true, true) => {
+                    // word count and line count match, so we can filter on either
+                    wildcard.word_count = Some(word_count);
+                    wildcard.line_count = Some(line_count);
+                }
+                (true, false, false) => {
+                    // content length matches, so we can filter on that
+                    wildcard.content_length = Some(content_length);
+                }
+                (false, true, false) => {
+                    // word count matches, so we can filter on that
+                    wildcard.word_count = Some(word_count);
+                }
+                (false, false, true) => {
+                    // line count matches, so we can filter on that
+                    wildcard.line_count = Some(line_count);
+                }
+                (false, false, false) => {
+                    // none of the length types match, so we can't filter on any of them
+                    unreachable!("no wildcard size matches; handled by the if statement above");
+                }
+            };
+
+            wild_responses.push(response_group[0]);
+            wildcards.push(Box::new(wildcard));
+        }
+
+        Some((wildcards, wild_responses))
+    }
 }
 
 #[cfg(test)]
@@ -260,4 +618,51 @@ mod tests {
             assert_eq!(tester.unique_string(i).len(), i * 32);
         }
     }
+
+    #[test]
+    /// `detect_directory_listing` correctly identifies tomcat/python instances
+    fn detect_directory_listing_finds_tomcat_python() {
+        let html = "<title>directory listing for /</title>";
+        let parsed = Html::parse_document(html);
+        let handles = Handles::for_testing(None, None);
+        let heuristics = HeuristicTests::new(Arc::new(handles.0));
+        let dirlist_type = heuristics.detect_directory_listing(&parsed);
+        assert!(matches!(
+            dirlist_type.unwrap(),
+            DirListingType::TomCatOrPython
+        ));
+    }
+
+    #[test]
+    /// `detect_directory_listing` correctly identifies apache instances
+    fn detect_directory_listing_finds_apache() {
+        let html = "<title>index of /</title>";
+        let parsed = Html::parse_document(html);
+        let handles = Handles::for_testing(None, None);
+        let heuristics = HeuristicTests::new(Arc::new(handles.0));
+        let dirlist_type = heuristics.detect_directory_listing(&parsed);
+        assert!(matches!(dirlist_type.unwrap(), DirListingType::Apache));
+    }
+
+    #[test]
+    /// `detect_directory_listing` correctly identifies ASP.NET instances
+    fn detect_directory_listing_finds_asp_dot_net() {
+        let html = "<title>directory listing -- /</title>";
+        let parsed = Html::parse_document(html);
+        let handles = Handles::for_testing(None, None);
+        let heuristics = HeuristicTests::new(Arc::new(handles.0));
+        let dirlist_type = heuristics.detect_directory_listing(&parsed);
+        assert!(matches!(dirlist_type.unwrap(), DirListingType::AspDotNet));
+    }
+
+    #[test]
+    /// `detect_directory_listing` returns None when heuristic doesn't match
+    fn detect_directory_listing_returns_none_as_default() {
+        let html = "<title>derp listing -- /</title>";
+        let parsed = Html::parse_document(html);
+        let handles = Handles::for_testing(None, None);
+        let heuristics = HeuristicTests::new(Arc::new(handles.0));
+        let dirlist_type = heuristics.detect_directory_listing(&parsed);
+        assert!(dirlist_type.is_none());
+    }
 }

src/lib.rs

@@ -1,5 +1,8 @@
+#![deny(clippy::all)]
+#![allow(clippy::mutex_atomic)]
 use anyhow::Result;
 use reqwest::StatusCode;
+use std::collections::HashSet;
 use tokio::{
     sync::mpsc::{UnboundedReceiver, UnboundedSender},
     task::JoinHandle,
@@ -26,6 +29,7 @@ mod macros;
 mod url;
 mod response;
 mod message;
+mod nlp;
 
 /// Alias for tokio::sync::mpsc::UnboundedSender<Command>
 pub(crate) type CommandSender = UnboundedSender<Command>;
@@ -39,22 +43,41 @@ pub(crate) type Joiner = JoinHandle<Result<()>>;
 /// Generic mpsc::unbounded_channel type to tidy up some code
 pub(crate) type FeroxChannel<T> = (UnboundedSender<T>, UnboundedReceiver<T>);
 
+/// Wrapper around the results of performing any kind of extraction against a target web page
+pub(crate) type ExtractionResult = HashSet<String>;
+
 /// Version pulled from Cargo.toml at compile time
 pub(crate) const VERSION: &str = env!("CARGO_PKG_VERSION");
 
 /// Maximum number of file descriptors that can be opened during a scan
-pub const DEFAULT_OPEN_FILE_LIMIT: usize = 8192;
+pub const DEFAULT_OPEN_FILE_LIMIT: u64 = 8192;
 
-/// Default value used to determine near-duplicate web pages (equivalent to 95%)
-pub const SIMILARITY_THRESHOLD: u32 = 95;
+/// Default set of extensions to Ignore when auto-collecting extensions during scans
+pub(crate) const DEFAULT_IGNORED_EXTENSIONS: [&str; 38] = [
+    "tif", "tiff", "ico", "cur", "bmp", "webp", "svg", "png", "jpg", "jpeg", "jfif", "gif", "avif",
+    "apng", "pjpeg", "pjp", "mov", "wav", "mpg", "mpeg", "mp3", "mp4", "m4a", "m4p", "m4v", "ogg",
+    "webm", "ogv", "oga", "flac", "aac", "3gp", "css", "zip", "xls", "xml", "gz", "tgz",
+];
+
+/// Default set of extensions to search for when auto-collecting backups during scans
+pub(crate) const DEFAULT_BACKUP_EXTENSIONS: [&str; 5] = ["~", ".bak", ".bak2", ".old", ".1"];
 
 /// Default wordlist to use when `-w|--wordlist` isn't specified and not `wordlist` isn't set
 /// in a [ferox-config.toml](constant.DEFAULT_CONFIG_NAME.html) config file.
 ///
-/// defaults to kali's default install location:
+/// defaults to kali's default install location on linux:
 /// - `/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt`
+///
+/// and to the current directory on windows
+/// - `.\seclists\Discovery\Web-Content\raft-medium-directories.txt`
+#[cfg(not(target_os = "windows"))]
 pub const DEFAULT_WORDLIST: &str =
     "/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt";
+#[cfg(target_os = "windows")]
+pub const DEFAULT_WORDLIST: &str =
+    ".\\SecLists\\Discovery\\Web-Content\\raft-medium-directories.txt";
+pub const SECONDARY_WORDLIST: &str =
+    "/usr/local/share/seclists/Discovery/Web-Content/raft-medium-directories.txt";
 
 /// Number of milliseconds to wait between polls of `PAUSE_SCAN` when user pauses a scan
 pub(crate) const SLEEP_DURATION: u64 = 500;
@@ -62,33 +85,97 @@ pub(crate) const SLEEP_DURATION: u64 = 500;
 /// The percentage of requests as errors it takes to be deemed too high
 pub const HIGH_ERROR_RATIO: f64 = 0.90;
 
-/// Default list of status codes to report
-///
-/// * 200 Ok
-/// * 204 No Content
-/// * 301 Moved Permanently
-/// * 302 Found
-/// * 307 Temporary Redirect
-/// * 308 Permanent Redirect
-/// * 401 Unauthorized
-/// * 403 Forbidden
-/// * 405 Method Not Allowed
-pub const DEFAULT_STATUS_CODES: [StatusCode; 9] = [
+/// Default list of status codes to report (all of them)
+pub const DEFAULT_STATUS_CODES: [StatusCode; 60] = [
+    // all 1XX response codes
+    StatusCode::CONTINUE,
+    StatusCode::SWITCHING_PROTOCOLS,
+    StatusCode::PROCESSING,
+    // all 2XX response codes
     StatusCode::OK,
+    StatusCode::CREATED,
+    StatusCode::ACCEPTED,
+    StatusCode::NON_AUTHORITATIVE_INFORMATION,
     StatusCode::NO_CONTENT,
+    StatusCode::RESET_CONTENT,
+    StatusCode::PARTIAL_CONTENT,
+    StatusCode::MULTI_STATUS,
+    StatusCode::ALREADY_REPORTED,
+    StatusCode::IM_USED,
+    // all 3XX response codes
+    StatusCode::MULTIPLE_CHOICES,
     StatusCode::MOVED_PERMANENTLY,
     StatusCode::FOUND,
+    StatusCode::SEE_OTHER,
+    StatusCode::NOT_MODIFIED,
+    StatusCode::USE_PROXY,
     StatusCode::TEMPORARY_REDIRECT,
     StatusCode::PERMANENT_REDIRECT,
+    // all 4XX response codes
+    StatusCode::BAD_REQUEST,
     StatusCode::UNAUTHORIZED,
+    StatusCode::PAYMENT_REQUIRED,
     StatusCode::FORBIDDEN,
+    StatusCode::NOT_FOUND,
     StatusCode::METHOD_NOT_ALLOWED,
+    StatusCode::NOT_ACCEPTABLE,
+    StatusCode::PROXY_AUTHENTICATION_REQUIRED,
+    StatusCode::REQUEST_TIMEOUT,
+    StatusCode::CONFLICT,
+    StatusCode::GONE,
+    StatusCode::LENGTH_REQUIRED,
+    StatusCode::PRECONDITION_FAILED,
+    StatusCode::PAYLOAD_TOO_LARGE,
+    StatusCode::URI_TOO_LONG,
+    StatusCode::UNSUPPORTED_MEDIA_TYPE,
+    StatusCode::RANGE_NOT_SATISFIABLE,
+    StatusCode::EXPECTATION_FAILED,
+    StatusCode::IM_A_TEAPOT,
+    StatusCode::MISDIRECTED_REQUEST,
+    StatusCode::UNPROCESSABLE_ENTITY,
+    StatusCode::LOCKED,
+    StatusCode::FAILED_DEPENDENCY,
+    StatusCode::UPGRADE_REQUIRED,
+    StatusCode::PRECONDITION_REQUIRED,
+    StatusCode::TOO_MANY_REQUESTS,
+    StatusCode::REQUEST_HEADER_FIELDS_TOO_LARGE,
+    StatusCode::UNAVAILABLE_FOR_LEGAL_REASONS,
+    // all 5XX response codes
+    StatusCode::INTERNAL_SERVER_ERROR,
+    StatusCode::NOT_IMPLEMENTED,
+    StatusCode::BAD_GATEWAY,
+    StatusCode::SERVICE_UNAVAILABLE,
+    StatusCode::GATEWAY_TIMEOUT,
+    StatusCode::HTTP_VERSION_NOT_SUPPORTED,
+    StatusCode::VARIANT_ALSO_NEGOTIATES,
+    StatusCode::INSUFFICIENT_STORAGE,
+    StatusCode::LOOP_DETECTED,
+    StatusCode::NOT_EXTENDED,
+    StatusCode::NETWORK_AUTHENTICATION_REQUIRED,
 ];
 
+/// Default method for requests
+pub(crate) const DEFAULT_METHOD: &str = "GET";
+
 /// Default filename for config file settings
 ///
 /// Expected location is in the same directory as the feroxbuster binary.
 pub const DEFAULT_CONFIG_NAME: &str = "ferox-config.toml";
+/// User agents to select from when random agent is being used
+pub const USER_AGENTS: [&str; 12] = [
+    "Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36",
+    "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",
+    "Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Microsoft; RM-1152) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Mobile Safari/537.36 Edge/15.15254",
+    "Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36",
+    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246",
+    "Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36",
+    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9",
+    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36",
+    "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1",
+    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
+    "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",
+    "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
+];
 
 #[cfg(test)]
 mod tests {

src/logger.rs

@@ -65,7 +65,7 @@ pub fn initialize(config: Arc<Configuration>) -> Result<()> {
                 kind: "log".to_string(),
             };
 
-            PROGRESS_PRINTER.println(&log_entry.as_str());
+            PROGRESS_PRINTER.println(log_entry.as_str());
 
             if let Some(buffered_file) = file.clone() {
                 if let Ok(mut unlocked) = buffered_file.write() {

src/main.rs

@@ -1,10 +1,14 @@
+use std::io::stdin;
 use std::{
-    collections::HashSet,
-    env::args,
-    fs::File,
+    env::{
+        args,
+        consts::{ARCH, OS},
+    },
+    fs::{create_dir, remove_file, File},
     io::{stderr, BufRead, BufReader},
     ops::Index,
-    process::Command,
+    path::Path,
+    process::{exit, Command},
     sync::{atomic::Ordering, Arc},
 };
 
@@ -20,47 +24,61 @@ use feroxbuster::{
     banner::{Banner, UPDATE_URL},
     config::{Configuration, OutputLevel},
     event_handlers::{
-        Command::{CreateBar, Exit, JoinTasks, LoadStats, ScanInitialUrls, UpdateWordlist},
+        Command::{
+            AddHandles, CreateBar, Exit, JoinTasks, LoadStats, ScanInitialUrls, UpdateWordlist,
+        },
         FiltersHandler, Handles, ScanHandler, StatsHandler, Tasks, TermInputHandler,
         TermOutHandler, SCAN_COMPLETE,
     },
     filters, heuristics, logger,
-    progress::{PROGRESS_BAR, PROGRESS_PRINTER},
-    scan_manager::{self},
+    progress::PROGRESS_PRINTER,
+    scan_manager::{self, ScanType},
     scanner,
-    utils::fmt_err,
+    utils::{fmt_err, slugify_filename},
+    SECONDARY_WORDLIST,
 };
 #[cfg(not(target_os = "windows"))]
 use feroxbuster::{utils::set_open_file_limit, DEFAULT_OPEN_FILE_LIMIT};
 use lazy_static::lazy_static;
 use regex::Regex;
+use self_update::cargo_crate_version;
 
 lazy_static! {
     /// Limits the number of parallel scans active at any given time when using --parallel
     static ref PARALLEL_LIMITER: Semaphore = Semaphore::new(0);
 }
 
-/// Create a HashSet of Strings from the given wordlist then stores it inside an Arc
-fn get_unique_words_from_wordlist(path: &str) -> Result<Arc<HashSet<String>>> {
+/// Create a Vec of Strings from the given wordlist then stores it inside an Arc
+fn get_unique_words_from_wordlist(path: &str) -> Result<Arc<Vec<String>>> {
     log::trace!("enter: get_unique_words_from_wordlist({})", path);
+    let mut trimmed_word = false;
 
-    let file = File::open(&path).with_context(|| format!("Could not open {}", path))?;
+    let file = File::open(path).with_context(|| format!("Could not open {path}"))?;
 
     let reader = BufReader::new(file);
 
-    let mut words = HashSet::new();
+    // this empty string ensures that we call Requester::request with the base url, i.e.
+    // `http://localhost/` instead of going straight into `http://localhost/WORD.EXT`.
+    // for vanilla scans, it doesn't matter all that much, but it can be a significant difference
+    // when `-e` is used, depending on the content at the base url.
+    let mut words = vec![String::from("")];
 
     for line in reader.lines() {
-        let result = match line {
-            Ok(read_line) => read_line,
-            Err(_) => continue,
-        };
+        line.map(|result| {
+            if !result.starts_with('#') && !result.is_empty() {
+                if result.starts_with('/') {
+                    words.push(result.trim_start_matches('/').to_string());
+                    trimmed_word = true;
+                } else {
+                    words.push(result);
+                }
+            }
+        })
+        .ok();
+    }
 
-        if result.starts_with('#') || result.is_empty() {
-            continue;
-        }
-
-        words.insert(result);
+    if trimmed_word {
+        log::warn!("Some words in the wordlist started with a leading forward-slash; those words were trimmed (i.e. /word -> word)");
     }
 
     log::trace!(
@@ -74,25 +92,12 @@ fn get_unique_words_from_wordlist(path: &str) -> Result<Arc<HashSet<String>>> {
 /// Determine whether it's a single url scan or urls are coming from stdin, then scan as needed
 async fn scan(targets: Vec<String>, handles: Arc<Handles>) -> Result<()> {
     log::trace!("enter: scan({:?}, {:?})", targets, handles);
-    // cloning an Arc is cheap (it's basically a pointer into the heap)
-    // so that will allow for cheap/safe sharing of a single wordlist across multi-target scans
-    // as well as additional directories found as part of recursion
-
-    let words = {
-        let words_handles = handles.clone();
-        tokio::spawn(async move { get_unique_words_from_wordlist(&words_handles.config.wordlist) })
-            .await??
-    };
-
-    if words.len() == 0 {
-        bail!("Did not find any words in {}", handles.config.wordlist);
-    }
 
     let scanned_urls = handles.ferox_scans()?;
 
-    handles.send_scan_command(UpdateWordlist(words.clone()))?;
+    handles.send_scan_command(UpdateWordlist(handles.wordlist.clone()))?;
 
-    scanner::initialize(words.len(), handles.clone()).await?;
+    scanner::initialize(handles.wordlist.len(), handles.clone()).await?;
 
     // at this point, the stat thread's progress bar can be created; things that needed to happen
     // first:
@@ -101,8 +106,20 @@ async fn scan(targets: Vec<String>, handles: Arc<Handles>) -> Result<()> {
     //   having been set, makes it so the progress bar doesn't flash as full before anything has
     //   even happened
     if matches!(handles.config.output_level, OutputLevel::Default) {
+        let mut total_offset = 0;
+
+        if let Ok(guard) = handles.scans.read() {
+            if let Some(handle) = &*guard {
+                if let Ok(scans) = handle.data.scans.read() {
+                    for scan in scans.iter() {
+                        total_offset += scan.requests_made_so_far();
+                    }
+                }
+            }
+        }
+
         // only create the bar if no --silent|--quiet
-        handles.stats.send(CreateBar)?;
+        handles.stats.send(CreateBar(total_offset))?;
 
         // blocks until the bar is created / avoids race condition in first two bars
         handles.stats.sync().await?;
@@ -111,7 +128,7 @@ async fn scan(targets: Vec<String>, handles: Arc<Handles>) -> Result<()> {
     if handles.config.resumed {
         // display what has already been completed
         scanned_urls.print_known_responses();
-        scanned_urls.print_completed_bars(words.len())?;
+        scanned_urls.print_completed_bars(handles.wordlist.len())?;
     }
 
     log::debug!("sending {:?} to be scanned as initial targets", targets);
@@ -146,8 +163,8 @@ async fn get_targets(handles: Arc<Handles>) -> Result<Vec<String>> {
             for scan in scans.iter() {
                 // ferox_scans gets deserialized scans added to it at program start if --resume-from
                 // is used, so scans that aren't marked complete still need to be scanned
-                if scan.is_complete() {
-                    // this one's already done, ignore it
+                if scan.is_complete() || matches!(scan.scan_type, ScanType::File) {
+                    // this one's already done, or it's not a directory, ignore it
                     continue;
                 }
 
@@ -158,6 +175,33 @@ async fn get_targets(handles: Arc<Handles>) -> Result<Vec<String>> {
         targets.push(handles.config.target_url.clone());
     }
 
+    // remove footgun that arises if a --dont-scan value matches on a base url
+    for target in targets.iter_mut() {
+        for denier in &handles.config.regex_denylist {
+            if denier.is_match(target) {
+                bail!(
+                    "The regex '{}' matches {}; the scan will never start",
+                    denier,
+                    target
+                );
+            }
+        }
+        for denier in &handles.config.url_denylist {
+            if denier.as_str().trim_end_matches('/') == target.trim_end_matches('/') {
+                bail!(
+                    "The url '{}' matches {}; the scan will never start",
+                    denier,
+                    target
+                );
+            }
+        }
+
+        if !target.starts_with("http") && !target.starts_with("https") {
+            // --url hackerone.com
+            *target = format!("https://{target}");
+        }
+    }
+
     log::trace!("exit: get_targets -> {:?}", targets);
 
     Ok(targets)
@@ -176,9 +220,86 @@ async fn wrapped_main(config: Arc<Configuration>) -> Result<()> {
         // PROGRESS_PRINTER and PROGRESS_BAR have been used at least once.  This call satisfies
         // that constraint
         PROGRESS_PRINTER.println("");
-        PROGRESS_BAR.join().unwrap();
     });
 
+    // check if update_app is true
+    if config.update_app {
+        match update_app().await {
+            Err(e) => eprintln!("\n[ERROR] {}", e),
+            Ok(self_update::Status::UpToDate(version)) => {
+                eprintln!("\nFeroxbuster {} is up to date", version)
+            }
+            Ok(self_update::Status::Updated(version)) => {
+                eprintln!("\nFeroxbuster updated to {} version", version)
+            }
+        }
+        exit(0);
+    }
+
+    let words = if config.wordlist.starts_with("http") {
+        // found a url scheme, attempt to download the wordlist
+        let response = config
+            .client
+            .get(&config.wordlist)
+            .send()
+            .await
+            .context(format!(
+                "Unable to download wordlist from remote url: {}",
+                config.wordlist
+            ))?;
+
+        if !response.status().is_success() {
+            // status code isn't a 200, bail
+            bail!(
+                "[{}] Unable to download wordlist from url: {}",
+                response.status().as_str(),
+                config.wordlist
+            );
+        }
+
+        // attempt to get the filename from the url's path
+        let Some(path_segments) = response.url().path_segments() else {
+            bail!("Unable to parse path from url: {}", response.url());
+        };
+
+        let Some(filename) = path_segments.last() else {
+            bail!(
+                "Unable to parse filename from url's path: {}",
+                response.url().path()
+            );
+        };
+
+        let filename = filename.to_string();
+
+        // read the body and write it to disk, then use existing code to read the wordlist
+        let body = response.text().await?;
+
+        std::fs::write(&filename, body)?;
+
+        get_unique_words_from_wordlist(&filename)?
+    } else {
+        match get_unique_words_from_wordlist(&config.wordlist) {
+            Ok(w) => w,
+            Err(err) => {
+                let secondary = Path::new(SECONDARY_WORDLIST);
+
+                if secondary.exists() {
+                    eprintln!("Found wordlist in secondary location");
+                    get_unique_words_from_wordlist(SECONDARY_WORDLIST)?
+                } else {
+                    return Err(err);
+                }
+            }
+        }
+    };
+
+    if words.len() <= 1 {
+        // the check is now <= 1 due to the initial empty string added in 2.6.0
+        // 1 -> empty wordlist
+        // 0 -> error
+        bail!("Did not find any words in {}", config.wordlist);
+    }
+
     // spawn all event handlers, expect back a JoinHandle and a *Handle to the specific event
     let (stats_task, stats_handle) = StatsHandler::initialize(config.clone());
     let (filters_task, filters_handle) = FiltersHandler::initialize();
@@ -191,11 +312,13 @@ async fn wrapped_main(config: Arc<Configuration>) -> Result<()> {
         filters_handle,
         out_handle,
         config.clone(),
+        words,
     ));
 
     let (scan_task, scan_handle) = ScanHandler::initialize(handles.clone());
 
     handles.set_scan_handle(scan_handle); // must be done after Handles initialization
+    handles.output.send(AddHandles(handles.clone()))?;
 
     filters::initialize(handles.clone()).await?; // send user-supplied filters to the handler
 
@@ -223,7 +346,7 @@ async fn wrapped_main(config: Arc<Configuration>) -> Result<()> {
         let from_here = config.resume_from.clone();
 
         // populate FeroxScans object with previously seen scans
-        scanned_urls.add_serialized_scans(&from_here)?;
+        scanned_urls.add_serialized_scans(&from_here, handles.clone())?;
 
         // populate Stats object with previously known statistics
         handles.stats.send(LoadStats(from_here))?;
@@ -235,7 +358,7 @@ async fn wrapped_main(config: Arc<Configuration>) -> Result<()> {
         Err(e) => {
             // should only happen in the event that there was an error reading from stdin
             clean_up(handles, tasks).await?;
-            bail!("Could not get determine initial targets: {}", e);
+            bail!("Could not determine initial targets: {}", e);
         }
     };
 
@@ -272,10 +395,56 @@ async fn wrapped_main(config: Arc<Configuration>) -> Result<()> {
         // from removing --parallel)
         original.remove(parallel_index);
 
+        // to log unique files to a shared folder, we need to first check for the presence
+        // of -o|--output.
+        let out_dir = if !config.output.is_empty() {
+            // -o|--output was used, so we'll attempt to create a directory to store the files
+            let output_path = Path::new(&handles.config.output);
+
+            // this only returns None if the path terminates in `..`. Since I don't want to
+            // hand-hold to that degree, we'll unwrap and fail if the output path ends in `..`
+            let base_name = output_path.file_name().unwrap();
+
+            let new_folder = slugify_filename(&base_name.to_string_lossy(), "", "logs");
+
+            let final_path = output_path.with_file_name(new_folder);
+
+            // create the directory or fail silently, assuming the reason for failure is that
+            // the path exists already
+            create_dir(&final_path).unwrap_or(());
+
+            final_path.to_string_lossy().to_string()
+        } else {
+            String::new()
+        };
+
         // unvalidated targets fresh from stdin, just spawn children and let them do all checks
         for target in targets {
             // add the current target to the provided command
             let mut cloned = original.clone();
+
+            if !out_dir.is_empty() {
+                // output directory value is not empty, need to join output directory with
+                // unique scan filename
+
+                // unwrap is ok, we already know -o was used
+                let out_idx = original
+                    .iter()
+                    .position(|s| *s == "--output" || *s == "-o")
+                    .unwrap();
+
+                let filename = slugify_filename(&target, "ferox", "log");
+
+                let full_path = Path::new(&out_dir)
+                    .join(filename)
+                    .to_string_lossy()
+                    .to_string();
+
+                // a +1 to the index is fine here, as clap has already validated that
+                // -o|--output has a value associated with it
+                cloned[out_idx + 1] = full_path;
+            }
+
             cloned.push("-u".to_string());
             cloned.push(target);
 
@@ -299,8 +468,22 @@ async fn wrapped_main(config: Arc<Configuration>) -> Result<()> {
             });
         }
 
+        // the output handler creates an empty file to which it will try to write, because
+        // this happens before we enter the --parallel branch, we need to remove that file
+        // if it's empty
+        let output = handles.config.output.to_owned();
+
         clean_up(handles, tasks).await?;
 
+        let file = Path::new(&output);
+        if file.exists() {
+            // expectation is that this is always true for the first ferox process
+            if file.metadata()?.len() == 0 {
+                // empty file, attempt to remove it
+                remove_file(file)?;
+            }
+        }
+
         log::trace!("exit: parallel branch && wrapped main");
         return Ok(());
     }
@@ -355,7 +538,7 @@ async fn wrapped_main(config: Arc<Configuration>) -> Result<()> {
         Ok(_) => {}
         Err(e) => {
             clean_up(handles, tasks).await?;
-            bail!(fmt_err(&format!("Failed while scanning: {}", e)));
+            bail!(fmt_err(&format!("Failed while scanning: {e}")));
         }
     }
 
@@ -400,6 +583,24 @@ async fn clean_up(handles: Arc<Handles>, tasks: Tasks) -> Result<()> {
     Ok(())
 }
 
+async fn update_app() -> Result<self_update::Status, Box<dyn ::std::error::Error>> {
+    let target_os = format!("{}-{}", ARCH, OS);
+    let status = tokio::task::spawn_blocking(move || {
+        self_update::backends::github::Update::configure()
+            .repo_owner("epi052")
+            .repo_name("feroxbuster")
+            .bin_name("feroxbuster")
+            .target(target_os.as_str())
+            .show_download_progress(true)
+            .current_version(cargo_crate_version!())
+            .build()?
+            .update()
+    })
+    .await??;
+
+    Ok(status)
+}
+
 fn main() -> Result<()> {
     let config = Arc::new(Configuration::new().with_context(|| "Could not create Configuration")?);
 
@@ -420,9 +621,39 @@ fn main() -> Result<()> {
         .enable_all()
         .build()
     {
-        let future = wrapped_main(config);
+        let future = wrapped_main(config.clone());
         if let Err(e) = runtime.block_on(future) {
-            eprintln!("{}", e);
+            eprintln!("{e}");
+
+            // the code below is to facilitate testing tests/test_banner entries. Since it's an
+            // integration test, normal test detection (cfg!(test), etc...) won't work. So, in
+            // the tests themselves, we pass
+            // `--wordlist /definitely/doesnt/exist/0cd7fed0-47f4-4b18-a1b0-ac39708c1676`
+            // and look for that here to print the banner.
+            //
+            // this change became a necessity once we moved wordlist parsing out of `scan` and into
+            // `wrapped_main`.
+            if e.to_string()
+                .contains("/definitely/doesnt/exist/0cd7fed0-47f4-4b18-a1b0-ac39708c1676")
+            {
+                // support the handful of tests that use `--stdin`
+                let targets: Vec<_> = if config.stdin {
+                    stdin().lock().lines().map(|tgt| tgt.unwrap()).collect()
+                } else {
+                    vec!["http://localhost".to_string()]
+                };
+
+                // print the banner to stderr
+                let std_stderr = stderr(); // std::io::stderr
+                let banner = Banner::new(&targets, &config);
+                if !config.quiet && !config.silent {
+                    banner.print_to(std_stderr, config).unwrap();
+                }
+            }
+
+            // if we've encountered an error before clean_up can be called (i.e. a wordlist error)
+            // we need to at least spin-down the progress bar
+            PROGRESS_PRINTER.finish();
         };
     }
 

src/message.rs

@@ -5,7 +5,7 @@ use serde::{Deserialize, Serialize};
 use crate::traits::FeroxSerialize;
 use crate::utils::fmt_err;
 
-#[derive(Serialize, Deserialize, Default)]
+#[derive(Serialize, Deserialize, Default, Debug)]
 /// Representation of a log entry, can be represented as a human readable string or JSON
 pub struct FeroxMessage {
     #[serde(rename = "type")]
@@ -38,7 +38,7 @@ impl FeroxSerialize for FeroxMessage {
             "DEBUG" => ("DBG", Color::Yellow),
             "TRACE" => ("TRC", Color::Magenta),
             "WILDCARD" => ("WLD", Color::Cyan),
-            _ => ("UNK", Color::White),
+            _ => ("MSG", Color::White),
         };
 
         format!(
@@ -143,6 +143,6 @@ mod tests {
         assert!(console::strip_ansi_codes(&msg.as_str()).starts_with("WLD"));
 
         msg.level = "UNKNOWN".to_string();
-        assert!(console::strip_ansi_codes(&msg.as_str()).starts_with("UNK"));
+        assert!(console::strip_ansi_codes(&msg.as_str()).starts_with("MSG"));
     }
 }

src/nlp/constants.rs

@@ -0,0 +1,334 @@
+use lazy_static::lazy_static;
+use regex::Regex;
+
+lazy_static! {
+    /// regular expression to match on words with numbers, underscores, and hyphens
+    pub(super) static ref BOUNDED_WORD_REGEX: Regex = Regex::new(r"\b[a-zA-Z0-9_-]+\b").unwrap();
+}
+
+/// collection of stop words from spaCy with small modifications
+pub(super) static STOP_WORDS: [&str; 323] = [
+    "'d",
+    "'ll",
+    "'m",
+    "'re",
+    "'s",
+    "'ve",
+    "a",
+    "about",
+    "above",
+    "across",
+    "after",
+    "afterwards",
+    "again",
+    "against",
+    "almost",
+    "alone",
+    "along",
+    "already",
+    "also",
+    "although",
+    "always",
+    "am",
+    "among",
+    "amongst",
+    "amount",
+    "an",
+    "and",
+    "another",
+    "any",
+    "anyhow",
+    "anyone",
+    "anything",
+    "anyway",
+    "anywhere",
+    "are",
+    "around",
+    "as",
+    "at",
+    "back",
+    "be",
+    "became",
+    "because",
+    "become",
+    "becomes",
+    "becoming",
+    "been",
+    "before",
+    "beforehand",
+    "behind",
+    "being",
+    "below",
+    "beside",
+    "besides",
+    "between",
+    "beyond",
+    "both",
+    "bottom",
+    "but",
+    "by",
+    "ca",
+    "call",
+    "can",
+    "cannot",
+    "could",
+    "did",
+    "do",
+    "does",
+    "doing",
+    "done",
+    "down",
+    "due",
+    "during",
+    "each",
+    "eight",
+    "either",
+    "eleven",
+    "else",
+    "elsewhere",
+    "empty",
+    "enough",
+    "even",
+    "ever",
+    "every",
+    "everyone",
+    "everything",
+    "everywhere",
+    "except",
+    "few",
+    "fifteen",
+    "fifty",
+    "first",
+    "five",
+    "for",
+    "former",
+    "formerly",
+    "forty",
+    "four",
+    "from",
+    "front",
+    "full",
+    "further",
+    "get",
+    "got",
+    "give",
+    "go",
+    "had",
+    "has",
+    "have",
+    "he",
+    "hence",
+    "her",
+    "here",
+    "hereafter",
+    "hereby",
+    "herein",
+    "hereupon",
+    "hers",
+    "herself",
+    "him",
+    "himself",
+    "his",
+    "how",
+    "however",
+    "hundred",
+    "i",
+    "if",
+    "in",
+    "indeed",
+    "into",
+    "is",
+    "it",
+    "its",
+    "itself",
+    "just",
+    "keep",
+    "last",
+    "latter",
+    "latterly",
+    "least",
+    "less",
+    "made",
+    "make",
+    "many",
+    "may",
+    "me",
+    "meanwhile",
+    "might",
+    "mine",
+    "more",
+    "moreover",
+    "most",
+    "mostly",
+    "move",
+    "much",
+    "must",
+    "my",
+    "myself",
+    "n't",
+    "name",
+    "namely",
+    "neither",
+    "never",
+    "nevertheless",
+    "next",
+    "nine",
+    "no",
+    "nobody",
+    "none",
+    "noone",
+    "nor",
+    "not",
+    "nothing",
+    "now",
+    "nowhere",
+    "n\u{2018}t",
+    "n\u{2019}t",
+    "of",
+    "off",
+    "often",
+    "on",
+    "once",
+    "one",
+    "only",
+    "onto",
+    "or",
+    "other",
+    "others",
+    "otherwise",
+    "our",
+    "ours",
+    "ourselves",
+    "out",
+    "over",
+    "own",
+    "part",
+    "per",
+    "perhaps",
+    "please",
+    "put",
+    "quite",
+    "rather",
+    "re",
+    "really",
+    "regarding",
+    "same",
+    "say",
+    "see",
+    "seem",
+    "seemed",
+    "seeming",
+    "seems",
+    "serious",
+    "several",
+    "she",
+    "should",
+    "side",
+    "since",
+    "six",
+    "sixty",
+    "so",
+    "some",
+    "somehow",
+    "someone",
+    "something",
+    "sometime",
+    "sometimes",
+    "somewhere",
+    "still",
+    "such",
+    "take",
+    "ten",
+    "than",
+    "that",
+    "the",
+    "their",
+    "them",
+    "themselves",
+    "then",
+    "thence",
+    "there",
+    "thereafter",
+    "thereby",
+    "therefore",
+    "therein",
+    "thereupon",
+    "these",
+    "they",
+    "third",
+    "this",
+    "those",
+    "though",
+    "three",
+    "through",
+    "throughout",
+    "thru",
+    "thus",
+    "to",
+    "together",
+    "too",
+    "toward",
+    "towards",
+    "twelve",
+    "twenty",
+    "two",
+    "under",
+    "unless",
+    "until",
+    "up",
+    "upon",
+    "used",
+    "using",
+    "various",
+    "very",
+    "via",
+    "was",
+    "we",
+    "well",
+    "were",
+    "what",
+    "whatever",
+    "when",
+    "whence",
+    "whenever",
+    "where",
+    "whereafter",
+    "whereas",
+    "whereby",
+    "wherein",
+    "whereupon",
+    "wherever",
+    "whether",
+    "which",
+    "while",
+    "whither",
+    "who",
+    "whoever",
+    "whole",
+    "whom",
+    "whose",
+    "why",
+    "will",
+    "with",
+    "within",
+    "without",
+    "would",
+    "yet",
+    "you",
+    "your",
+    "yours",
+    "yourself",
+    "yourselves",
+    "\u{2018}d",
+    "\u{2018}ll",
+    "\u{2018}m",
+    "\u{2018}re",
+    "\u{2018}s",
+    "\u{2018}ve",
+    "\u{2019}d",
+    "\u{2019}ll",
+    "\u{2019}m",
+    "\u{2019}re",
+    "\u{2019}s",
+    "\u{2019}ve",
+];

src/nlp/document.rs

@@ -0,0 +1,225 @@
+use super::term::{Term, TermMetaData};
+use super::utils::preprocess;
+use scraper::{Html, Node, Selector};
+use std::collections::HashMap;
+
+/// data container representing a single document, in the nlp sense
+#[derive(Debug, Default)]
+pub(crate) struct Document {
+    /// collection of `Term`s and their associated metadata
+    terms: HashMap<Term, TermMetaData>,
+
+    /// number of terms contained within the document
+    number_of_terms: usize,
+}
+
+impl Document {
+    /// create a new `Document` from the given string
+    pub(super) fn new(text: &str) -> Self {
+        let mut document = Self::default();
+
+        let processed = preprocess(text);
+
+        document.number_of_terms += processed.len();
+
+        for normalized in processed {
+            if normalized.len() >= 2 {
+                document.add_term(&normalized)
+            }
+        }
+        document
+    }
+
+    /// add a `Term` to the document if it's not already tracked, otherwise increment the number
+    /// of times the term has been seen
+    fn add_term(&mut self, word: &str) {
+        let term = Term::new(word);
+
+        let metadata = self.terms.entry(term).or_default();
+        *metadata.count_mut() += 1;
+    }
+
+    /// create a new `Document` from the given HTML string
+    pub(crate) fn from_html(raw_html: &str) -> Option<Self> {
+        let selector = Selector::parse("body").unwrap();
+
+        let html = Html::parse_document(raw_html);
+
+        let Some(element) = html.select(&selector).next() else {
+            return None;
+        };
+
+        let text = element
+            .descendants()
+            .filter_map(|node| {
+                if !node.value().is_text() && !node.value().is_comment() {
+                    return None;
+                }
+
+                // have a Text||Comment node, trim whitespace to test for all whitespace stuff
+                let trimmed = if node.value().is_text() {
+                    node.value().as_text().unwrap().text.trim()
+                } else {
+                    node.value().as_comment().unwrap().comment.trim()
+                };
+
+                if trimmed.is_empty() {
+                    return None;
+                }
+
+                // found a non-empty Text||Comment node, need to check its parent to determine if
+                // it's a <script>||<style> tag. We're assuming text within a script||style tag is
+                // uninteresting
+
+                let parent = node.parent().unwrap().value();
+
+                if !parent.is_element() {
+                    return None;
+                }
+
+                // parent is an Element node, see if it's a <script> or <style>
+
+                if let Node::Element(element) = parent {
+                    if element.name() == "script" || element.name() == "style" {
+                        return None;
+                    }
+
+                    // at this point, we have a non-empty Text element with a non-script|style parent;
+                    // now we can return the trimmed up string
+                    return Some(format!("{trimmed} "));
+                }
+
+                // not an Element node
+                None
+            })
+            .collect::<String>();
+
+        // call `new` to push the parsed html through the pre-processing pipeline and process all
+        // the words
+        Some(Self::new(&text))
+    }
+
+    /// Log normalized weighting scheme for term frequency
+    pub(super) fn term_frequency(&self, term: &Term) -> f32 {
+        if let Some(metadata) = self.terms.get(term) {
+            metadata.count() as f32 / self.number_of_terms() as f32
+        } else {
+            0.0
+        }
+    }
+
+    /// immutable reference to the collection of terms and their metadata
+    pub(super) fn terms(&self) -> &HashMap<Term, TermMetaData> {
+        &self.terms
+    }
+
+    /// number of terms the current document knows about
+    fn number_of_terms(&self) -> usize {
+        self.number_of_terms
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    /// `Document::new` should preprocess text and generate a hashmap of `Term, TermMetadata`
+    fn nlp_document_creation_from_text() {
+        let doc = Document::new("The air quality in Singapore got worse on Wednesday.");
+
+        let expected_terms = ["air", "quality", "singapore", "worse", "wednesday"];
+
+        for expected in expected_terms {
+            let term = Term::new(expected);
+            assert!(doc.terms().contains_key(&term));
+            assert_eq!(doc.number_of_terms, 5);
+            assert_eq!(doc.terms().get(&term).unwrap().count(), 1);
+
+            // since term frequencies aren't calculated on `new`, document frequency is zero in
+            // addition to the empty term_frequencies slice
+            let empty: &[f32] = &[];
+            assert_eq!(doc.terms().get(&term).unwrap().term_frequencies(), empty);
+            assert_eq!(doc.terms().get(&term).unwrap().document_frequency(), 0);
+        }
+    }
+
+    #[test]
+    /// `Document::new` should preprocess html and generate a hashmap of `Term, TermMetadata`
+    fn nlp_document_creation_from_html() {
+        let empty = Document::from_html("<html></html>").unwrap();
+        assert_eq!(empty.number_of_terms, 0);
+
+        let other_empty = Document::from_html("<html><body><p></p></body></html>").unwrap();
+        assert_eq!(other_empty.number_of_terms, 0);
+
+        let third_empty =
+            Document::from_html("<!DOCTYPE html><html><!DOCTYPE html><p></p></html>").unwrap();
+        assert_eq!(third_empty.number_of_terms, 0);
+
+        // p tag for is_text check and comment for is_comment
+        let doc = Document::from_html(
+            "<html><body><p>The air quality in Singapore.</p><!--got worse on Wednesday--></body></html>",
+        ).unwrap();
+
+        let expected_terms = ["air", "quality", "singapore", "worse", "wednesday"];
+
+        for expected in expected_terms {
+            let term = Term::new(expected);
+            assert_eq!(doc.number_of_terms, 5);
+            assert!(doc.terms().contains_key(&term));
+            assert_eq!(doc.terms().get(&term).unwrap().count(), 1);
+
+            // since term frequencies aren't calculated on `new`, document frequency is zero in
+            // addition to the empty term_frequencies slice
+            let empty: &[f32] = &[];
+            assert_eq!(doc.terms().get(&term).unwrap().term_frequencies(), empty);
+            assert_eq!(doc.terms().get(&term).unwrap().document_frequency(), 0);
+        }
+    }
+
+    #[test]
+    /// simple check of the `term_frequency` function's return value
+    fn term_frequency_validation() {
+        let doc = Document::new("The air quality in Singapore got worse on Wednesday. Air Jordan.");
+
+        let air_freq = doc.term_frequency(&Term::new("air"));
+
+        let abs_diff = (air_freq - 0.2857143).abs();
+        assert!(abs_diff <= f32::EPSILON);
+
+        let non_existent = doc.term_frequency(&Term::new("derpatronic"));
+        assert_eq!(non_existent, 0.0);
+    }
+
+    #[test]
+    /// test accessors for correctness
+    fn document_accessor_test() {
+        let doc = Document::new("The air quality in Singapore got worse on Wednesday.");
+        let keys = doc.terms().keys().map(|key| key.raw()).collect::<Vec<_>>();
+
+        let expected = ["air", "quality", "singapore", "worse", "wednesday"];
+
+        assert_eq!(doc.number_of_terms(), 5);
+
+        for key in keys {
+            assert!(expected.contains(&key));
+        }
+    }
+
+    #[test]
+    /// ensure words in script/style tags aren't processed
+    fn document_creation_skips_script_and_style_tags() {
+        let html = "<body><script>The air quality</script><style>in Singapore</style><p>got worse on Wednesday.</p></body>";
+        let doc = Document::from_html(html).unwrap();
+        let keys = doc.terms().keys().map(|key| key.raw()).collect::<Vec<_>>();
+
+        let expected = ["worse", "wednesday"];
+
+        assert_eq!(doc.number_of_terms(), 2);
+
+        for key in keys {
+            assert!(expected.contains(&key));
+        }
+    }
+}

src/nlp/mod.rs

@@ -0,0 +1,11 @@
+//! small stand-alone tf-idf library, specifically designed for use in feroxbuster
+
+mod constants;
+mod document;
+mod model;
+mod term;
+mod utils;
+
+pub(crate) use self::document::Document;
+pub(crate) use self::model::TfIdf;
+pub(crate) use self::utils::preprocess;

src/nlp/model.rs

@@ -0,0 +1,185 @@
+use super::document::Document;
+use super::term::{Term, TermMetaData};
+use super::utils::{inverse_document_frequency, tf_idf_score};
+use std::borrow::{Borrow, BorrowMut};
+use std::collections::HashMap;
+
+/// data container for the TF-IDF model
+#[derive(Debug, Default)]
+pub(crate) struct TfIdf {
+    /// collection of `Term`s and their associated metadata
+    terms: HashMap<Term, TermMetaData>,
+
+    /// number of documents processed by the model
+    num_documents: usize,
+}
+
+impl TfIdf {
+    /// create an empty TF-IDF model; must be populated with `add_document` prior to use
+    pub(crate) fn new() -> Self {
+        Self::default()
+    }
+
+    /// accessor method for the collection of `Term`s and `TermMetaData`
+    fn terms(&self) -> &HashMap<Term, TermMetaData> {
+        self.terms.borrow()
+    }
+
+    /// accessor method for the number of `Document`s the model has processed
+    pub(crate) fn num_documents(&self) -> usize {
+        self.num_documents
+    }
+
+    /// add a `Document` to the model
+    pub(crate) fn add_document(&mut self, document: Document) {
+        // increment number of docs seen, since we don't preserve the document itself; this needs
+        // to happen before calls to `self.inverse_document_frequency`, as it relies on the count
+        // being up to date
+        self.num_documents += 1;
+
+        for (term, doc_metadata) in document.terms().iter() {
+            // an incoming `Term` from a `Document` only has a valid `count` for that particular
+            // document; need to get the term frequency while both are known/valid
+            let term_frequency = document.term_frequency(term);
+
+            let metadata = self
+                .terms
+                .entry(term.clone())
+                .or_insert_with(|| doc_metadata.to_owned());
+
+            metadata.term_frequencies_mut().push(term_frequency);
+        }
+    }
+
+    /// (re)-calculate tf-idf scores for all terms, given the current number of documents
+    ///
+    /// # Notes
+    ///
+    /// old tf-idf scores are removed during calculations to keep new `Term`s at the same relative
+    /// level as new ones WRT corpus size
+    pub(crate) fn calculate_tf_idf_scores(&mut self) {
+        for metadata in self.terms.borrow_mut().values_mut() {
+            let num_frequencies = metadata.term_frequencies().len();
+
+            let mut to_add = Vec::with_capacity(num_frequencies);
+
+            for frequency in metadata.term_frequencies() {
+                let idf = inverse_document_frequency(
+                    self.num_documents as f32,
+                    metadata.document_frequency() as f32,
+                );
+
+                let score = tf_idf_score(*frequency, idf);
+                to_add.push(score);
+            }
+
+            let average: f32 = to_add.iter().sum::<f32>() / to_add.len() as f32;
+
+            *metadata.tf_idf_score_mut() = average;
+        }
+    }
+
+    /// select all terms with a non-zero tf-idf score
+    pub(crate) fn all_words(&self) -> Vec<String> {
+        self.terms()
+            .iter()
+            .filter(|(_, metadata)| metadata.tf_idf_score() > 0.0)
+            .map(|(term, _)| term.raw().to_owned())
+            .collect()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    /// helper for this test suite
+    fn get_score(word: &str, model: &TfIdf) -> f32 {
+        model.terms().get(&Term::new(word)).unwrap().tf_idf_score()
+    }
+
+    #[test]
+    /// given the example data at https://remykarem.github.io/tfidf-demo/, ensure the model
+    /// produces the same results
+    fn model_generates_expected_tf_idf_scores() {
+        let one = "Air quality in the sunny island improved gradually throughout Wednesday.";
+        let two =
+            "Air quality in Singapore on Wednesday continued to get worse as haze hit the island.";
+        let three = "The air quality in Singapore is monitored through a network of air monitoring stations located in different parts of the island";
+        let four = "The air quality in Singapore got worse on Wednesday.";
+
+        let docs = [one, two, three, four];
+        let mut model = TfIdf::new();
+
+        for doc in docs.iter() {
+            let d = Document::new(doc);
+            model.add_document(d);
+        }
+
+        assert_eq!(model.terms().len(), 19);
+
+        model.calculate_tf_idf_scores();
+
+        assert_eq!(get_score("quality", &model), 0.0);
+        assert_eq!(get_score("air", &model), 0.0);
+        assert_eq!(get_score("wednesday", &model), 0.018906077);
+        assert_eq!(get_score("island", &model), 0.014047348);
+        assert_eq!(get_score("singapore", &model), 0.016427131);
+        assert_eq!(get_score("sunny", &model), 0.08600858);
+        assert_eq!(get_score("monitoring", &model), 0.05017167);
+        assert_eq!(get_score("stations", &model), 0.05017167);
+        assert_eq!(get_score("parts", &model), 0.05017167);
+        assert_eq!(get_score("haze", &model), 0.06689556);
+        assert_eq!(get_score("hit", &model), 0.06689556);
+        assert_eq!(get_score("worse", &model), 0.04682689);
+    }
+
+    #[test]
+    /// given the example data at https://remykarem.github.io/tfidf-demo/, ensure the model
+    /// produces the same results
+    fn select_n_words_grabs_correct_words() {
+        let one = "Air quality in the sunny island improved gradually throughout Wednesday.";
+        let two =
+            "Air quality in Singapore on Wednesday continued to get worse as haze hit the island.";
+        let three = "The air quality in Singapore is monitored through a network of air monitoring stations located in different parts of the island";
+        let four = "The air quality in Singapore got worse on Wednesday.";
+
+        let docs = [one, two, three, four];
+        let mut model = TfIdf::new();
+
+        for doc in docs.iter() {
+            let d = Document::new(doc);
+            model.add_document(d);
+        }
+
+        assert_eq!(model.num_documents(), 4);
+
+        model.calculate_tf_idf_scores();
+
+        let non_zero_words = model.all_words();
+
+        [
+            "gradually",
+            "network",
+            "hit",
+            "located",
+            "continued",
+            "island",
+            "worse",
+            "monitored",
+            "monitoring",
+            "haze",
+            "different",
+            "stations",
+            "sunny",
+            "singapore",
+            "improved",
+            "parts",
+            "wednesday",
+        ]
+        .iter()
+        .for_each(|word| {
+            assert!(non_zero_words.contains(&word.to_string()));
+        });
+    }
+}

src/nlp/term.rs

@@ -0,0 +1,100 @@
+use std::borrow::BorrowMut;
+
+/// single word term for text processing
+#[derive(Debug, Hash, Eq, PartialEq, Default, Clone)]
+pub(crate) struct Term {
+    /// underlying string that the term represents
+    raw: String,
+}
+
+impl Term {
+    /// given a word, create a new `Term`
+    pub(super) fn new(word: &str) -> Self {
+        Self {
+            raw: word.to_owned(),
+        }
+    }
+
+    /// return a reference to the underlying string
+    pub(super) fn raw(&self) -> &str {
+        &self.raw
+    }
+}
+
+/// metadata to be associated with a `Term`
+#[derive(Debug, Clone, Default)]
+pub(super) struct TermMetaData {
+    /// number of times the associated `Term` was seen in a single document
+    count: u32,
+
+    /// collection of term frequencies for the associated `Term`
+    term_frequencies: Vec<f32>,
+
+    /// tf-idf score for the associated `Term`
+    tf_idf_score: f32,
+}
+
+impl TermMetaData {
+    /// number of times a `Term` has appeared in any `Document` within the corpus
+    pub(super) fn document_frequency(&self) -> usize {
+        self.term_frequencies().len()
+    }
+
+    /// mutable reference to the collection of term frequencies
+    pub(super) fn term_frequencies_mut(&mut self) -> &mut Vec<f32> {
+        self.term_frequencies.borrow_mut()
+    }
+
+    /// immutable reference to the collection of term frequencies
+    pub(super) fn term_frequencies(&self) -> &[f32] {
+        &self.term_frequencies
+    }
+
+    /// mutable reference to the number of times a `Term` was seen in a particular `Document`
+    pub(super) fn count_mut(&mut self) -> &mut u32 {
+        self.count.borrow_mut()
+    }
+
+    /// number of times a `Term` was seen in a particular `Document`
+    pub(super) fn count(&self) -> u32 {
+        self.count
+    }
+
+    /// mutable reference to the term's tf-idf score
+    pub(super) fn tf_idf_score_mut(&mut self) -> &mut f32 {
+        self.tf_idf_score.borrow_mut()
+    }
+
+    /// immutable reference to the term's tf-idf score
+    pub(super) fn tf_idf_score(&self) -> f32 {
+        self.tf_idf_score
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    /// test accessors for correctness
+    fn nlp_term_accessor_test() {
+        let term = Term::new("stuff");
+        assert_eq!(term.raw(), "stuff");
+    }
+
+    #[test]
+    /// test accessors for correctness
+    fn nlp_term_metadata_accessor_test() {
+        let mut metadata = TermMetaData::default();
+
+        *metadata.count_mut() += 1;
+        assert_eq!(metadata.count(), 1);
+
+        metadata.term_frequencies_mut().push(1.0);
+        assert_eq!(metadata.document_frequency(), 1);
+        assert_eq!(metadata.term_frequencies().first().unwrap(), &1.0);
+
+        *metadata.tf_idf_score_mut() = 1.0_f32;
+        assert_eq!(metadata.tf_idf_score(), 1.0);
+    }
+}

src/nlp/utils.rs

@@ -0,0 +1,158 @@
+use super::constants::{BOUNDED_WORD_REGEX, STOP_WORDS};
+use regex::Captures;
+use std::borrow::Cow;
+
+/// pre-processing pipeline wrapper that removes punctuation, normalizes word case (utf-8 included)
+/// to lowercase, and remove stop words
+pub(crate) fn preprocess(text: &str) -> Vec<String> {
+    let text = remove_punctuation(text);
+    let text = normalize_case(text);
+    let text = remove_stop_words(&text);
+
+    text.split_whitespace()
+        .map(|word| word.to_string())
+        .collect::<Vec<_>>()
+}
+
+/// optimized version of `str::to_lowercase`
+fn normalize_case<'a, S: Into<Cow<'a, str>>>(input: S) -> Cow<'a, str> {
+    let input = input.into();
+
+    let first = input.find(char::is_uppercase);
+
+    if let Some(first_idx) = first {
+        let mut output = String::from(&input[..first_idx]);
+        output.reserve(input.len() - first_idx);
+
+        for c in input[first_idx..].chars() {
+            if c.is_uppercase() {
+                output.push(c.to_lowercase().next().unwrap())
+            } else {
+                output.push(c)
+            }
+        }
+
+        Cow::Owned(output)
+    } else {
+        input
+    }
+}
+
+/// replace ascii and some utf-8 punctuation characters with ' ' (space) in the given string
+fn remove_punctuation(text: &str) -> String {
+    text.replace(
+        [
+            '!', '\\', '"', '#', '$', '%', '&', '(', ')', '*', '+', ':', ';', '<', '=', '>', '?',
+            '@', '[', ']', '^', '{', '}', '|', '~', ',', '\'', '“', '”', '’', '‘', '’', '‘', '/',
+            '–', '—', '.',
+        ],
+        " ",
+    )
+}
+
+/// remove stop words from the given string
+fn remove_stop_words(text: &str) -> String {
+    BOUNDED_WORD_REGEX
+        .replace_all(text, |caps: &Captures| {
+            let word = &caps[0];
+            if !STOP_WORDS.contains(&word) {
+                word.to_owned()
+            } else {
+                String::new()
+            }
+        })
+        .into()
+}
+
+/// calculate inverse document frequency
+pub(super) fn inverse_document_frequency(num_docs: f32, doc_frequency: f32) -> f32 {
+    f32::log10(num_docs / doc_frequency)
+}
+
+/// calculate term frequency-inverse document frequency (tf-idf)
+pub(super) fn tf_idf_score(term_frequency: f32, idf: f32) -> f32 {
+    term_frequency * idf
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    /// ensure all expected punctuation characters are removed
+    fn test_remove_punctuation() {
+        let tester = "!\\\"#$%&()*+/:;<=>?@[]^{}|~,.'“”’‘–—\n‘’";
+        // the `"    \n"` is because of the things like / getting replaced with a space
+        assert_eq!(
+            remove_punctuation(tester),
+            "                                   \n  "
+        );
+    }
+
+    #[test]
+    /// ensure uppercase characters are swapped to lowercase
+    fn test_normalize_case() {
+        let tester = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+        assert_eq!(normalize_case(tester), "abcdefghijklmnopqrstuvwxyz");
+    }
+
+    #[test]
+    /// ensure all stop words are removed from the list of stopwords ... intestuous
+    fn test_remove_stopwords() {
+        let all_words = STOP_WORDS
+            .iter()
+            .map(|&word| word.to_string())
+            .collect::<Vec<_>>()
+            .join(" ");
+
+        let removed = remove_stop_words(&all_words).replace(' ', "");
+
+        // the remaining chars are from the contraction-based stop words
+        assert_eq!(removed, "'d'll'm''s'ven'tn‘tn’t‘d‘ll‘m‘‘s‘ve’d’ll’m’’s’ve");
+    }
+
+    #[test]
+    /// ensure preprocess
+    fn test_preprocess_results() {
+        let tester = "WHY are Y'all YELLing?";
+        assert_eq!(&preprocess(tester), &["y", "all", "yelling"]);
+    }
+
+    #[test]
+    /// ensure our calculations conform to the example provided at the link below
+    ///
+    /// https://www.kaggle.com/paulrohan2020/tf-idf-tutorial/notebook#TF-IDF-Model
+    ///
+    /// Consider a document containing 100 words wherein the word cat appears 3 times.
+    /// The term frequency (i.e., tf) for cat is then (3 / 100) = 0.03. Now, assume we have 10
+    /// million documents and the word cat appears in one thousand of these. Then, the inverse
+    /// document frequency (i.e., idf) is calculated as log(10,000,000 / 1,000) = 4. Thus, the
+    /// Tf-idf weight is the product of these quantities: 0.03 * 4 = 0.12.
+    fn idf_returns_expected_value() {
+        let num_docs = 10_000_000_f32;
+        let num_occurrences = 1_000_f32;
+        let abs_diff = (inverse_document_frequency(num_docs, num_occurrences) - 4.0).abs();
+
+        assert!(abs_diff <= f32::EPSILON);
+    }
+
+    #[test]
+    /// ensure our calculations conform to the example provided at the link below
+    ///
+    /// https://www.kaggle.com/paulrohan2020/tf-idf-tutorial/notebook#TF-IDF-Model
+    ///
+    /// Consider a document containing 100 words wherein the word cat appears 3 times.
+    /// The term frequency (i.e., tf) for cat is then (3 / 100) = 0.03. Now, assume we have 10
+    /// million documents and the word cat appears in one thousand of these. Then, the inverse
+    /// document frequency (i.e., idf) is calculated as log(10,000,000 / 1,000) = 4. Thus, the
+    /// Tf-idf weight is the product of these quantities: 0.03 * 4 = 0.12.
+    fn tf_idf_returns_expected_value() {
+        let term_freq = 0.03_f32;
+        let num_docs = 10_000_000_f32;
+        let num_occurrences = 1_000_f32;
+        let idf = inverse_document_frequency(num_docs, num_occurrences);
+        let abs_diff = (tf_idf_score(term_freq, idf) - 0.12).abs();
+
+        assert!(abs_diff <= f32::EPSILON);
+    }
+}

src/progress.rs

@@ -1,4 +1,6 @@
-use indicatif::{MultiProgress, ProgressBar, ProgressDrawTarget, ProgressStyle};
+use std::time::Duration;
+
+use indicatif::{HumanDuration, MultiProgress, ProgressBar, ProgressDrawTarget, ProgressStyle};
 use lazy_static::lazy_static;
 
 lazy_static! {
@@ -31,29 +33,68 @@ pub enum BarType {
 /// Add an [indicatif::ProgressBar](https://docs.rs/indicatif/latest/indicatif/struct.ProgressBar.html)
 /// to the global [PROGRESS_BAR](../config/struct.PROGRESS_BAR.html)
 pub fn add_bar(prefix: &str, length: u64, bar_type: BarType) -> ProgressBar {
-    let mut style = ProgressStyle::default_bar().progress_chars("#>-");
+    let mut style = ProgressStyle::default_bar()
+        .progress_chars("#>-")
+        .with_key(
+            "smoothed_per_sec",
+            |state: &indicatif::ProgressState, w: &mut dyn std::fmt::Write| match (
+                state.pos(),
+                state.elapsed().as_millis(),
+            ) {
+                // https://github.com/console-rs/indicatif/issues/394#issuecomment-1309971049
+                //
+                // indicatif released a change to how they reported eta/per_sec
+                // and the results looked really weird based on how we use the progress
+                // bars. this fixes that
+                (pos, elapsed_ms) if elapsed_ms > 0 => {
+                    write!(w, "{:.0}/s", pos as f64 * 1000_f64 / elapsed_ms as f64).unwrap()
+                }
+                _ => write!(w, "-").unwrap(),
+            },
+        )
+        .with_key(
+            "smoothed_eta",
+            |state: &indicatif::ProgressState, w: &mut dyn std::fmt::Write| match (
+                state.pos(),
+                state.len(),
+            ) {
+                (pos, Some(len)) => write!(
+                    w,
+                    "{:#}",
+                    HumanDuration(Duration::from_millis(
+                        (state.elapsed().as_millis()
+                            * ((len as u128).checked_sub(pos as u128).unwrap_or(1))
+                                .checked_div(pos as u128)
+                                .unwrap_or(1)) as u64
+                    ))
+                )
+                .unwrap(),
+                _ => write!(w, "-").unwrap(),
+            },
+        );
 
     style = match bar_type {
-        BarType::Hidden => style.template(""),
+        BarType::Hidden => style.template("").unwrap(),
         BarType::Default => style
-            .template("[{bar:.cyan/blue}] - {elapsed:<4} {pos:>7}/{len:7} {per_sec:7} {prefix}"),
-        BarType::Message => style.template(&format!(
-            "[{{bar:.cyan/blue}}] - {{elapsed:<4}} {{pos:>7}}/{{len:7}} {:7} {{prefix}}",
+            .template("[{bar:.cyan/blue}] - {elapsed:<4} {pos:>7}/{len:7} {smoothed_per_sec:7} {prefix} {msg}")
+            .unwrap(),
+        BarType::Message => style
+            .template(&format!(
+            "[{{bar:.cyan/blue}}] - {{elapsed:<4}} {{pos:>7}}/{{len:7}} {:7} {{prefix}} {{msg}}",
             "-"
-        )),
-        BarType::Total => {
-            style.template("[{bar:.yellow/blue}] - {elapsed:<4} {pos:>7}/{len:7} {eta:7} {msg}")
-        }
-        BarType::Quiet => style.template("Scanning: {prefix}"),
+        ))
+            .unwrap(),
+        BarType::Total => style
+            .template("[{bar:.yellow/blue}] - {elapsed:<4} {pos:>7}/{len:7} {smoothed_eta:7} {msg}")
+            .unwrap(),
+        BarType::Quiet => style.template("Scanning: {prefix}").unwrap(),
     };
 
-    let progress_bar = PROGRESS_BAR.add(ProgressBar::new(length));
-
-    progress_bar.set_style(style);
-
-    progress_bar.set_prefix(&prefix);
-
-    progress_bar
+    PROGRESS_BAR.add(
+        ProgressBar::new(length)
+            .with_style(style)
+            .with_prefix(prefix.to_string()),
+    )
 }
 
 #[cfg(test)]

src/response.rs

@@ -7,9 +7,10 @@ use std::{
 };
 
 use anyhow::{Context, Result};
+use console::style;
 use reqwest::{
     header::{HeaderMap, HeaderName, HeaderValue},
-    Response, StatusCode, Url,
+    Method, Response, StatusCode, Url,
 };
 use serde::ser::SerializeStruct;
 use serde::{Deserialize, Deserializer, Serialize, Serializer};
@@ -20,7 +21,7 @@ use crate::{
     event_handlers::{Command, Handles},
     traits::FeroxSerialize,
     url::FeroxUrl,
-    utils::{self, fmt_err, status_colorizer},
+    utils::{self, fmt_err, parse_url_with_raw_path, status_colorizer},
     CommandSender,
 };
 
@@ -30,9 +31,15 @@ pub struct FeroxResponse {
     /// The final `Url` of this `FeroxResponse`
     url: Url,
 
+    /// The original url from which the final `Url` was derived
+    original_url: String,
+
     /// The `StatusCode` of this `FeroxResponse`
     status: StatusCode,
 
+    /// The HTTP Request `Method` of this `FeroxResponse`
+    method: Method,
+
     /// The full response text
     text: String,
 
@@ -53,6 +60,9 @@ pub struct FeroxResponse {
 
     /// whether the user passed --quiet|--silent on the command line
     pub(crate) output_level: OutputLevel,
+
+    /// Url's file extension, if one exists
+    pub(crate) extension: Option<String>,
 }
 
 /// implement Default trait for FeroxResponse
@@ -61,7 +71,9 @@ impl Default for FeroxResponse {
     fn default() -> Self {
         Self {
             url: Url::parse("http://localhost").unwrap(),
+            original_url: "".to_string(),
             status: Default::default(),
+            method: Method::default(),
             text: "".to_string(),
             content_length: 0,
             line_count: 0,
@@ -69,6 +81,7 @@ impl Default for FeroxResponse {
             headers: Default::default(),
             wildcard: false,
             output_level: Default::default(),
+            extension: None,
         }
     }
 }
@@ -79,8 +92,9 @@ impl fmt::Display for FeroxResponse {
     fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
         write!(
             f,
-            "FeroxResponse {{ url: {}, status: {}, content-length: {} }}",
+            "FeroxResponse {{ url: {}, method: {}, status: {}, content-length: {} }}",
             self.url(),
+            self.method(),
             self.status(),
             self.content_length()
         )
@@ -94,6 +108,11 @@ impl FeroxResponse {
         &self.status
     }
 
+    /// Get the `Method` of this `FeroxResponse`
+    pub fn method(&self) -> &Method {
+        &self.method
+    }
+
     /// Get the `wildcard` of this `FeroxResponse`
     pub fn wildcard(&self) -> bool {
         self.wildcard
@@ -121,7 +140,7 @@ impl FeroxResponse {
 
     /// Set `FeroxResponse`'s `url` attribute, has no affect if an error occurs
     pub fn set_url(&mut self, url: &str) {
-        match Url::parse(&url) {
+        match parse_url_with_raw_path(url) {
             Ok(url) => {
                 self.url = url;
             }
@@ -151,7 +170,8 @@ impl FeroxResponse {
 
     /// free the `text` data, reducing memory usage
     pub fn drop_text(&mut self) {
-        self.text = String::new();
+        self.text.clear(); // length is set to 0
+        self.text.shrink_to_fit(); // allocated capacity shrinks to reflect the new size
     }
 
     /// Make a reasonable guess at whether the response is a file or not
@@ -186,34 +206,40 @@ impl FeroxResponse {
     }
 
     /// Create a new `FeroxResponse` from the given `Response`
-    pub async fn from(response: Response, read_body: bool, output_level: OutputLevel) -> Self {
+    pub async fn from(
+        response: Response,
+        original_url: &str,
+        method: &str,
+        output_level: OutputLevel,
+    ) -> Self {
         let url = response.url().clone();
         let status = response.status();
         let headers = response.headers().clone();
         let content_length = response.content_length().unwrap_or(0);
 
-        let text = if read_body {
-            // .text() consumes the response, must be called last
-            // additionally, --extract-links is currently the only place we use the body of the
-            // response, so we forego the processing if not performing extraction
-            match response.text().await {
-                // await the response's body
-                Ok(text) => text,
-                Err(e) => {
-                    log::warn!("Could not parse body from response: {}", e);
-                    String::new()
-                }
-            }
-        } else {
-            String::new()
-        };
+        // .text() consumes the response, must be called last
+        let text = response
+            .text()
+            .await
+            .with_context(|| "Could not parse body from response")
+            .unwrap_or_default();
+
+        // in the event that the content_length was 0, we can try to get the length
+        // of the body we just parsed. At worst, it's still 0; at best we've accounted
+        // for sites that reply without a content-length header and yet still have
+        // contents in the body.
+        //
+        // thanks to twitter use @f3rn0s for pointing out the possibility
+        let content_length = content_length.max(text.len() as u64);
 
         let line_count = text.lines().count();
         let word_count = text.lines().map(|s| s.split_whitespace().count()).sum();
 
         FeroxResponse {
             url,
+            original_url: original_url.to_string(),
             status,
+            method: Method::from_bytes(method.as_bytes()).unwrap_or(Method::GET),
             content_length,
             text,
             headers,
@@ -221,9 +247,67 @@ impl FeroxResponse {
             word_count,
             output_level,
             wildcard: false,
+            extension: None,
         }
     }
 
+    /// if --collect-extensions is used, examine the response's url and grab the file's extension
+    /// if one is available to be grabbed. If an extension is found, send it to the ScanHandler
+    /// for further processing
+    pub(crate) fn parse_extension(&mut self, handles: Arc<Handles>) -> Result<()> {
+        log::trace!("enter: parse_extension");
+
+        if !handles.config.collect_extensions {
+            // early return, --collect-extensions not used
+            return Ok(());
+        }
+
+        // path_segments:
+        //   Return None for cannot-be-a-base URLs.
+        //   When Some is returned, the iterator always contains at least one string
+        //     (which may be empty).
+        //
+        // meaning: the two unwraps here are fine, the worst outcome is an empty string
+        let filename = self.url.path_segments().unwrap().last().unwrap();
+
+        if !filename.is_empty() {
+            // non-empty string, try to get extension
+            let parts: Vec<_> = filename
+                .split('.')
+                // keep things like /.bash_history from becoming an extension
+                .filter(|part| !part.is_empty())
+                .collect();
+
+            if parts.len() > 1 {
+                // filename + at least one extension, i.e. whatever.js becomes ["whatever", "js"]
+                self.extension = Some(parts.last().unwrap().to_string())
+            }
+        }
+
+        if let Some(extension) = &self.extension {
+            if handles
+                .config
+                .status_codes
+                .contains(&self.status().as_u16())  // in -s list
+                // or -C was used, and -s should be all responses that aren't filtered
+                || !handles.config.filter_status.is_empty()
+            {
+                // only add extensions to those responses that pass our checks; filtered out
+                // status codes are handled by should_filter, but we need to still check against
+                // the allow list for what we want to keep
+                #[cfg(test)]
+                handles
+                    .send_scan_command(Command::AddDiscoveredExtension(extension.to_owned()))
+                    .unwrap_or_default();
+                #[cfg(not(test))]
+                handles.send_scan_command(Command::AddDiscoveredExtension(extension.to_owned()))?;
+            }
+        }
+
+        log::trace!("exit: parse_extension");
+        Ok(())
+    }
+
     /// Helper function that determines if the configured maximum recursion depth has been reached
     ///
     /// Essentially looks at the Url path and determines how many directories are present in the
@@ -311,7 +395,14 @@ impl FeroxResponse {
     pub fn send_report(self, report_sender: CommandSender) -> Result<()> {
         log::trace!("enter: send_report({:?}", report_sender);
 
-        report_sender.send(Command::Report(Box::new(self)))?;
+        // there's no reason to send the response body across the mpsc
+        //
+        // the only possible reason is for filtering on the body, but both `send_report`
+        // calls are gated behind checks for `should_filter_response`
+        let mut me = self;
+        me.drop_text();
+
+        report_sender.send(Command::Report(Box::new(me)))?;
 
         log::trace!("exit: send_report");
         Ok(())
@@ -326,55 +417,87 @@ impl FeroxSerialize for FeroxResponse {
         let words = self.word_count().to_string();
         let chars = self.content_length().to_string();
         let status = self.status().as_str();
+        let method = self.method().as_str();
         let wild_status = status_colorizer("WLD");
 
+        let mut url_with_redirect = match (
+            self.status().is_redirection(),
+            self.headers().get("Location").is_some(),
+        ) {
+            (true, true) => {
+                // redirect with Location header, show where it goes if possible
+                let loc = self
+                    .headers()
+                    .get("Location")
+                    .unwrap() // known Some() already
+                    .to_str()
+                    .unwrap_or("Unknown")
+                    .to_string();
+
+                let loc = if loc.starts_with('/') {
+                    if let Ok(joined) = self.url().join(&loc) {
+                        joined.to_string()
+                    } else {
+                        loc
+                    }
+                } else {
+                    loc
+                };
+
+                // prettify the redirect target
+                let loc = style(loc).yellow();
+
+                format!("{} => {loc}", self.url())
+            }
+            _ => {
+                // no redirect, just use the normal url
+                self.url().to_string()
+            }
+        };
+
         if self.wildcard && matches!(self.output_level, OutputLevel::Default | OutputLevel::Quiet) {
             // --silent was not used and response is a wildcard, special messages abound when
             // this is the case...
 
             // create the base message
             let mut message = format!(
-                "{} {:>8}l {:>8}w {:>8}c Got {} for {} (url length: {})\n",
+                "{} {:>8} {:>8}l {:>8}w {:>8}c Got {} for {}\n",
                 wild_status,
+                method,
                 lines,
                 words,
                 chars,
-                status_colorizer(&status),
+                status_colorizer(status),
                 self.url(),
-                FeroxUrl::path_length_of_url(&self.url)
             );
 
             if self.status().is_redirection() {
-                // when it's a redirect, show where it goes, if possible
-                if let Some(next_loc) = self.headers().get("Location") {
-                    let next_loc_str = next_loc.to_str().unwrap_or("Unknown");
+                // initial wildcard messages are wordy enough, put the redirect by itself
+                url_with_redirect = format!(
+                    "{} {:>9} {:>9} {:>9} {}\n",
+                    wild_status, "-", "-", "-", url_with_redirect
+                );
 
-                    let redirect_msg = format!(
-                        "{} {:>9} {:>9} {:>9} {} redirects to => {}\n",
-                        wild_status,
-                        "-",
-                        "-",
-                        "-",
-                        self.url(),
-                        next_loc_str
-                    );
-
-                    message.push_str(&redirect_msg);
-                }
+                // base message + redirection message (either empty string or redir msg)
+                message.push_str(&url_with_redirect);
             }
 
-            // base message + redirection message (if appropriate)
             message
         } else {
             // not a wildcard, just create a normal entry
-            utils::create_report_string(
-                self.status.as_str(),
-                &lines,
-                &words,
-                &chars,
-                self.url().as_str(),
-                self.output_level,
-            )
+            if matches!(self.output_level, OutputLevel::SilentJSON) {
+                self.as_json().unwrap_or_default()
+            } else {
+                utils::create_report_string(
+                    self.status.as_str(),
+                    method,
+                    &lines,
+                    &words,
+                    &chars,
+                    &url_with_redirect,
+                    self.output_level,
+                )
+            }
         }
     }
 
@@ -423,7 +546,7 @@ impl Serialize for FeroxResponse {
         S: Serializer,
     {
         let mut headers = HashMap::new();
-        let mut state = serializer.serialize_struct("FeroxResponse", 7)?;
+        let mut state = serializer.serialize_struct("FeroxResponse", 8)?;
 
         // need to convert the HeaderMap to a HashMap in order to pass it to the serializer
         for (key, value) in &self.headers {
@@ -434,13 +557,19 @@ impl Serialize for FeroxResponse {
 
         state.serialize_field("type", "response")?;
         state.serialize_field("url", self.url.as_str())?;
+        state.serialize_field("original_url", self.original_url.as_str())?;
         state.serialize_field("path", self.url.path())?;
         state.serialize_field("wildcard", &self.wildcard)?;
         state.serialize_field("status", &self.status.as_u16())?;
+        state.serialize_field("method", &self.method.as_str())?;
         state.serialize_field("content_length", &self.content_length)?;
         state.serialize_field("line_count", &self.line_count)?;
         state.serialize_field("word_count", &self.word_count)?;
         state.serialize_field("headers", &headers)?;
+        state.serialize_field(
+            "extension",
+            self.extension.as_ref().unwrap_or(&String::new()),
+        )?;
 
         state.end()
     }
@@ -455,7 +584,9 @@ impl<'de> Deserialize<'de> for FeroxResponse {
     {
         let mut response = Self {
             url: Url::parse("http://localhost").unwrap(),
+            original_url: String::new(),
             status: StatusCode::OK,
+            method: Method::GET,
             text: String::new(),
             content_length: 0,
             headers: HeaderMap::new(),
@@ -463,6 +594,7 @@ impl<'de> Deserialize<'de> for FeroxResponse {
             output_level: Default::default(),
             line_count: 0,
             word_count: 0,
+            extension: None,
         };
 
         let map: HashMap<String, Value> = HashMap::deserialize(deserializer)?;
@@ -471,11 +603,16 @@ impl<'de> Deserialize<'de> for FeroxResponse {
             match key.as_str() {
                 "url" => {
                     if let Some(url) = value.as_str() {
-                        if let Ok(parsed) = Url::parse(url) {
+                        if let Ok(parsed) = parse_url_with_raw_path(url) {
                             response.url = parsed;
                         }
                     }
                 }
+                "original_url" => {
+                    if let Some(og_url) = value.as_str() {
+                        response.original_url = String::from(og_url);
+                    }
+                }
                 "status" => {
                     if let Some(num) = value.as_u64() {
                         if let Ok(smaller) = u16::try_from(num) {
@@ -485,6 +622,11 @@ impl<'de> Deserialize<'de> for FeroxResponse {
                         }
                     }
                 }
+                "method" => {
+                    if let Some(method) = value.as_str() {
+                        response.method = Method::from_bytes(method.as_bytes()).unwrap_or_default();
+                    }
+                }
                 "content_length" => {
                     if let Some(num) = value.as_u64() {
                         response.content_length = num;
@@ -521,6 +663,11 @@ impl<'de> Deserialize<'de> for FeroxResponse {
                         response.wildcard = result;
                     }
                 }
+                "extension" => {
+                    if let Some(result) = value.as_str() {
+                        response.extension = Some(result.to_string());
+                    }
+                }
                 _ => {}
             }
         }
@@ -532,6 +679,8 @@ impl<'de> Deserialize<'de> for FeroxResponse {
 #[cfg(test)]
 mod tests {
     use super::*;
+    use crate::config::Configuration;
+    use std::default::Default;
 
     #[test]
     /// call reached_max_depth with max depth of zero, which is infinite recursion, expect false
@@ -540,14 +689,7 @@ mod tests {
         let url = Url::parse("http://localhost").unwrap();
         let response = FeroxResponse {
             url,
-            status: Default::default(),
-            text: "".to_string(),
-            content_length: 0,
-            line_count: 0,
-            word_count: 0,
-            headers: Default::default(),
-            wildcard: false,
-            output_level: Default::default(),
+            ..Default::default()
         };
         let result = response.reached_max_depth(0, 0, handles);
         assert!(!result);
@@ -561,14 +703,7 @@ mod tests {
         let url = Url::parse("http://localhost/one/two").unwrap();
         let response = FeroxResponse {
             url,
-            status: Default::default(),
-            text: "".to_string(),
-            content_length: 0,
-            line_count: 0,
-            word_count: 0,
-            headers: Default::default(),
-            wildcard: false,
-            output_level: Default::default(),
+            ..Default::default()
         };
 
         let result = response.reached_max_depth(0, 2, handles);
@@ -582,14 +717,7 @@ mod tests {
         let url = Url::parse("http://localhost").unwrap();
         let response = FeroxResponse {
             url,
-            status: Default::default(),
-            text: "".to_string(),
-            content_length: 0,
-            line_count: 0,
-            word_count: 0,
-            headers: Default::default(),
-            wildcard: false,
-            output_level: Default::default(),
+            ..Default::default()
         };
 
         let result = response.reached_max_depth(0, 2, handles);
@@ -603,14 +731,7 @@ mod tests {
         let url = Url::parse("http://localhost/one/two").unwrap();
         let response = FeroxResponse {
             url,
-            status: Default::default(),
-            text: "".to_string(),
-            content_length: 0,
-            line_count: 0,
-            word_count: 0,
-            headers: Default::default(),
-            wildcard: false,
-            output_level: Default::default(),
+            ..Default::default()
         };
 
         let result = response.reached_max_depth(2, 2, handles);
@@ -624,17 +745,71 @@ mod tests {
         let url = Url::parse("http://localhost/one/two/three").unwrap();
         let response = FeroxResponse {
             url,
-            status: Default::default(),
-            text: "".to_string(),
-            content_length: 0,
-            line_count: 0,
-            word_count: 0,
-            headers: Default::default(),
-            wildcard: false,
-            output_level: Default::default(),
+            ..Default::default()
         };
 
         let result = response.reached_max_depth(0, 2, handles);
         assert!(result);
     }
+
+    #[test]
+    /// simple case of a single extension gets parsed correctly and stored on the `FeroxResponse`
+    fn parse_extension_finds_simple_extension() {
+        let config = Configuration {
+            collect_extensions: true,
+            ..Default::default()
+        };
+
+        let (handles, _) = Handles::for_testing(None, Some(Arc::new(config)));
+
+        let url = Url::parse("http://localhost/derp.js").unwrap();
+
+        let mut response = FeroxResponse {
+            url,
+            ..Default::default()
+        };
+
+        response.parse_extension(Arc::new(handles)).unwrap();
+
+        assert_eq!(response.extension, Some(String::from("js")));
+    }
+
+    #[test]
+    /// hidden files shouldn't be parsed as extensions, i.e. `/.bash_history`
+    fn parse_extension_ignores_hidden_files() {
+        let config = Configuration {
+            collect_extensions: true,
+            ..Default::default()
+        };
+
+        let (handles, _) = Handles::for_testing(None, Some(Arc::new(config)));
+
+        let url = Url::parse("http://localhost/.bash_history").unwrap();
+
+        let mut response = FeroxResponse {
+            url,
+            ..Default::default()
+        };
+
+        response.parse_extension(Arc::new(handles)).unwrap();
+
+        assert_eq!(response.extension, None);
+    }
+
+    #[test]
+    /// `parse_extension` should return immediately if `--collect-extensions` isn't used
+    fn parse_extension_early_returns_based_on_config() {
+        let (handles, _) = Handles::for_testing(None, None);
+
+        let url = Url::parse("http://localhost/derp.js").unwrap();
+
+        let mut response = FeroxResponse {
+            url,
+            ..Default::default()
+        };
+
+        response.parse_extension(Arc::new(handles)).unwrap();
+
+        assert_eq!(response.extension, None);
+    }
 }

src/scan_manager/menu.rs

@@ -1,27 +1,53 @@
+use crate::filters::filter_lookup;
 use crate::progress::PROGRESS_BAR;
+use crate::traits::FeroxFilter;
 use console::{measure_text_width, pad_str, style, Alignment, Term};
 use indicatif::ProgressDrawTarget;
+use regex::Regex;
+
+/// Data container for a command entered by the user interactively
+#[derive(Debug)]
+pub enum MenuCmd {
+    /// user wants to add a url to be scanned
+    AddUrl(String),
+
+    /// user wants to cancel one or more active scans
+    Cancel(Vec<usize>, bool),
+
+    /// user wants to create a new filter
+    AddFilter(Box<dyn FeroxFilter>),
+
+    /// user wants to remove one or more active filters
+    RemoveFilter(Vec<usize>),
+}
+
+/// Data container for a command result to be used internally by the ferox_scanner
+#[derive(Debug)]
+pub enum MenuCmdResult {
+    /// Url to be added to the scan queue
+    Url(String),
+
+    /// Number of scans that were actually cancelled, can be 0
+    NumCancelled(usize),
+
+    /// Filter to be added to current list of `FeroxFilters`
+    Filter(Box<dyn FeroxFilter>),
+}
 
 /// Interactive scan cancellation menu
 #[derive(Debug)]
 pub(super) struct Menu {
-    /// character to use as visual separator of lines
-    separator: String,
-
-    /// name of menu
-    name: String,
-
     /// header: name surrounded by separators
     header: String,
 
-    /// instructions
-    instructions: String,
-
     /// footer: instructions surrounded by separators
     footer: String,
 
+    /// unicode line border, matched to longest displayed line
+    border: String,
+
     /// target for output
-    term: Term,
+    pub(super) term: Term,
 }
 
 /// Implementation of Menu
@@ -30,34 +56,73 @@ impl Menu {
     pub(super) fn new() -> Self {
         let separator = "─".to_string();
 
-        let instructions = format!(
-            "Enter a {} list of indexes to {} (ex: 2,3)",
-            style("comma-separated").yellow(),
-            style("cancel").red(),
-        );
-
         let name = format!(
             "{} {} {}",
             "💀",
-            style("Scan Cancel Menu").bright().yellow(),
+            style("Scan Management Menu").bright().yellow(),
             "💀"
         );
 
-        let longest = measure_text_width(&instructions).max(measure_text_width(&name));
+        let add_cmd = format!(
+            "  {}[{}] NEW_URL (ex: {} http://localhost)\n",
+            style("a").green(),
+            style("dd").green(),
+            style("add").green()
+        );
+
+        let canx_cmd = format!(
+            "  {}[{}] [-f] SCAN_ID[-SCAN_ID[,...]] (ex: {} 1-4,8,9-13 or {} -f 3)\n",
+            style("c").red(),
+            style("ancel").red(),
+            style("cancel").red(),
+            style("c").red(),
+        );
+
+        let new_filter_cmd = format!(
+            "  {}[{}] FILTER_TYPE FILTER_VALUE (ex: {} lines 40)\n",
+            style("n").green(),
+            style("ew-filter").green(),
+            style("n").green(),
+        );
+
+        let valid_filters = format!(
+            "    FILTER_TYPEs: {}, {}, {}, {}, {}, {}\n",
+            style("status").yellow(),
+            style("lines").yellow(),
+            style("size").yellow(),
+            style("words").yellow(),
+            style("regex").yellow(),
+            style("similarity").yellow()
+        );
+
+        let rm_filter_cmd = format!(
+            "  {}[{}] FILTER_ID[-FILTER_ID[,...]] (ex: {} 1-4,8,9-13 or {} 3)",
+            style("r").red(),
+            style("m-filter").red(),
+            style("rm-filter").red(),
+            style("r").red(),
+        );
+
+        let mut commands = format!("{}:\n", style("Commands").bright().blue());
+        commands.push_str(&add_cmd);
+        commands.push_str(&canx_cmd);
+        commands.push_str(&new_filter_cmd);
+        commands.push_str(&valid_filters);
+        commands.push_str(&rm_filter_cmd);
+
+        let longest = measure_text_width(&canx_cmd).max(measure_text_width(&name));
 
         let border = separator.repeat(longest);
 
         let padded_name = pad_str(&name, longest, Alignment::Center, None);
 
-        let header = format!("{}\n{}\n{}", border, padded_name, border);
-        let footer = format!("{}\n{}\n{}", border, instructions, border);
+        let header = format!("{border}\n{padded_name}\n{border}");
+        let footer = format!("{commands}\n{border}");
 
         Self {
-            separator,
-            name,
             header,
-            instructions,
             footer,
+            border,
             term: Term::stderr(),
         }
     }
@@ -67,6 +132,11 @@ impl Menu {
         self.println(&self.header);
     }
 
+    /// print menu unicode border line
+    pub(super) fn print_border(&self) {
+        self.println(&self.border);
+    }
+
     /// print menu footer
     pub(super) fn print_footer(&self) {
         self.println(&self.footer);
@@ -93,33 +163,138 @@ impl Menu {
         self.term.write_line(msg).unwrap_or_default();
     }
 
-    /// split a string into vec of usizes
-    pub(super) fn split_to_nums(&self, line: &str) -> Vec<usize> {
-        line.split(',')
-            .map(|s| {
-                s.trim().to_string().parse::<usize>().unwrap_or_else(|e| {
-                    self.println(&format!("Found non-numeric input: {}", e));
-                    0
-                })
+    /// Helper for parsing a usize from a str
+    fn str_to_usize(&self, value: &str) -> usize {
+        if value.is_empty() {
+            return 0;
+        }
+
+        value
+            .trim()
+            .to_string()
+            .parse::<usize>()
+            .unwrap_or_else(|e| {
+                self.println(&format!("Found non-numeric input: {e}: {value:?}"));
+                0
             })
-            .filter(|m| *m != 0)
-            .collect()
     }
 
-    /// get comma-separated list of scan indexes from the user
-    pub(super) fn get_scans_from_user(&self) -> Option<Vec<usize>> {
-        if let Ok(line) = self.term.read_line() {
-            Some(self.split_to_nums(&line))
-        } else {
-            None
+    /// split a comma delimited string into vec of usizes
+    pub(super) fn split_to_nums(&self, line: &str) -> Vec<usize> {
+        let mut nums = Vec::new();
+        let values = line.split(',');
+
+        for mut value in values {
+            value = value.trim();
+
+            if value.contains('-') {
+                // range of two values, needs further processing
+
+                let range: Vec<usize> = value
+                    .split('-')
+                    .map(|s| self.str_to_usize(s))
+                    .filter(|m| *m != 0)
+                    .collect();
+
+                if range.len() != 2 {
+                    // expecting [1, 4] or similar, if a 0 was used, we'd be left with a vec of size 1
+                    self.println(&format!("Found invalid range of scans: {value}"));
+                    continue;
+                }
+
+                (range[0]..=range[1]).for_each(|n| {
+                    // iterate from lower to upper bound and add all interim values, skipping
+                    // any already known
+                    if !nums.contains(&n) {
+                        nums.push(n)
+                    }
+                });
+            } else {
+                if value.is_empty() {
+                    continue;
+                }
+
+                let value = self.str_to_usize(value);
+
+                if !nums.contains(&value) {
+                    // skip already known values
+                    nums.push(value);
+                }
+            }
+        }
+
+        nums
+    }
+
+    /// get input from the user and translate it to a `MenuCmd`
+    pub(super) fn get_command_input_from_user(&self, line: &str) -> Option<MenuCmd> {
+        let line = line.trim(); // normalize input if there are leading spaces
+
+        match line.chars().next().unwrap_or('_').to_ascii_lowercase() {
+            'c' => {
+                // cancel command; start by determining if -f was used
+                let force = line.contains("-f");
+
+                // then remove c[ancel] from the command so it can be passed to the number
+                // splitter
+                let re = Regex::new(r"^[cC][ancelANCEL]*").unwrap();
+                let line = line.replace("-f", "");
+                let line = re.replace(&line, "").to_string();
+
+                Some(MenuCmd::Cancel(self.split_to_nums(&line), force))
+            }
+            'a' => {
+                // add command
+                // similar to cancel, we need to remove the a[dd] substring, the rest should be
+                // a url
+                let re = Regex::new(r"^[aA][dD]*").unwrap();
+                let line = re.replace(line, "").to_string().trim().to_string();
+
+                Some(MenuCmd::AddUrl(line))
+            }
+            'n' => {
+                // new filter command
+                let mut line = line.split_whitespace();
+                line.next(); // 'n' or 'new-filter'
+
+                if let Some(filter_type) = line.next() {
+                    // have a string in the filter_type position
+                    if let Some(filter_value) = line.next() {
+                        // have a string in the filter_value position
+                        if let Some(result) = filter_lookup(filter_type, filter_value) {
+                            // lookup was successful, return the new filter
+                            return Some(MenuCmd::AddFilter(result));
+                        }
+                    }
+                }
+                None
+            }
+            'r' => {
+                // remove filter command
+
+                // remove r[m-filter] from the command so it can be passed to the number
+                // splitter
+                let re = Regex::new(r"^[rR][mfilterMFILTER-]*").unwrap();
+                // we don't respect a -f or lack thereof in this command, but in case the user
+                // doesn't realize / thinks its the same as cancel -f, just remove it
+                let line = line.replace("-f", "");
+                let line = re.replace(&line, "").to_string();
+
+                let indices = self.split_to_nums(&line);
+
+                Some(MenuCmd::RemoveFilter(indices))
+            }
+            _ => {
+                // invalid input
+                None
+            }
         }
     }
 
     /// Given a url, confirm with user that we should cancel
     pub(super) fn confirm_cancellation(&self, url: &str) -> char {
         self.println(&format!(
-            "You sure you wanna cancel this scan: {}? [Y/n]",
-            url
+            "You sure you wanna cancel this scan: {url}? [Y/n]"
         ));
 
         self.term.read_char().unwrap_or('n')

src/scan_manager/mod.rs

@@ -8,7 +8,8 @@ mod state;
 #[cfg(test)]
 mod tests;
 
-pub(self) use menu::Menu;
+use menu::Menu;
+pub use menu::{MenuCmd, MenuCmdResult};
 pub use order::ScanOrder;
 pub use response_container::FeroxResponses;
 pub use scan::{FeroxScan, ScanStatus, ScanType};

src/scan_manager/response_container.rs

@@ -45,7 +45,7 @@ impl FeroxResponses {
     pub fn contains(&self, other: &FeroxResponse) -> bool {
         if let Ok(responses) = self.responses.read() {
             for response in responses.iter() {
-                if response.url() == other.url() {
+                if response.url() == other.url() && response.method() == other.method() {
                     return true;
                 }
             }

src/scan_manager/scan.rs

@@ -32,17 +32,27 @@ pub struct FeroxScan {
     /// The URL that to be scanned
     pub(super) url: String,
 
+    /// A url used solely for comparison to other URLs
+    pub(super) normalized_url: String,
+
     /// The type of scan
-    pub(super) scan_type: ScanType,
+    pub scan_type: ScanType,
 
     /// The order in which the scan was received
-    pub(super) scan_order: ScanOrder,
+    #[allow(dead_code)] // not entirely sure this isn't used somewhere
+    pub(crate) scan_order: ScanOrder,
 
     /// Number of requests to populate the progress bar with
     pub(super) num_requests: u64,
 
+    /// Number of requests made so far, only used during deserialization
+    ///
+    /// serialization: saves self.requests() to this field
+    /// deserialization: sets self.requests_made_so_far to this field
+    pub(super) requests_made_so_far: u64,
+
     /// Status of this scan
-    pub(super) status: Mutex<ScanStatus>,
+    pub status: Mutex<ScanStatus>,
 
     /// The spawned tokio task performing this scan (uses tokio::sync::Mutex)
     pub(super) task: sync::Mutex<Option<JoinHandle<()>>>,
@@ -70,15 +80,17 @@ pub struct FeroxScan {
 impl Default for FeroxScan {
     /// Create a default FeroxScan, populates ID with a new UUID
     fn default() -> Self {
-        let new_id = Uuid::new_v4().to_simple().to_string();
+        let new_id = Uuid::new_v4().as_simple().to_string();
 
         FeroxScan {
             id: new_id,
             task: sync::Mutex::new(None), // tokio mutex
             status: Mutex::new(ScanStatus::default()),
             num_requests: 0,
+            requests_made_so_far: 0,
             scan_order: ScanOrder::Latest,
             url: String::new(),
+            normalized_url: String::new(),
             progress_bar: Mutex::new(None),
             scan_type: ScanType::File,
             output_level: Default::default(),
@@ -98,7 +110,7 @@ impl FeroxScan {
 
         match self.task.try_lock() {
             Ok(mut guard) => {
-                if let Some(task) = std::mem::replace(&mut *guard, None) {
+                if let Some(task) = guard.take() {
                     log::trace!("aborting {:?}", self);
                     task.abort();
                     self.set_status(ScanStatus::Cancelled)?;
@@ -118,6 +130,11 @@ impl FeroxScan {
         &self.url
     }
 
+    /// getter for number of requests made during previously saved scans (i.e. --resume-from used)
+    pub fn requests_made_so_far(&self) -> u64 {
+        self.requests_made_so_far
+    }
+
     /// small wrapper to set the JoinHandle
     pub async fn set_task(&self, task: JoinHandle<()>) -> Result<()> {
         let mut guard = self.task.lock().await;
@@ -137,7 +154,13 @@ impl FeroxScan {
     pub(super) fn stop_progress_bar(&self) {
         if let Ok(guard) = self.progress_bar.lock() {
             if guard.is_some() {
-                (*guard).as_ref().unwrap().finish_at_current_pos()
+                let pb = (*guard).as_ref().unwrap();
+
+                if pb.position() > self.num_requests {
+                    pb.finish()
+                } else {
+                    pb.abandon()
+                }
             }
         }
     }
@@ -152,12 +175,14 @@ impl FeroxScan {
                     let bar_type = match self.output_level {
                         OutputLevel::Default => BarType::Default,
                         OutputLevel::Quiet => BarType::Quiet,
-                        OutputLevel::Silent => BarType::Hidden,
+                        OutputLevel::Silent | OutputLevel::SilentJSON => BarType::Hidden,
                     };
 
                     let pb = add_bar(&self.url, self.num_requests, bar_type);
                     pb.reset_elapsed();
 
+                    pb.set_position(self.requests_made_so_far);
+
                     let _ = std::mem::replace(&mut *guard, Some(pb.clone()));
 
                     pb
@@ -169,7 +194,7 @@ impl FeroxScan {
                 let bar_type = match self.output_level {
                     OutputLevel::Default => BarType::Default,
                     OutputLevel::Quiet => BarType::Quiet,
-                    OutputLevel::Silent => BarType::Hidden,
+                    OutputLevel::Silent | OutputLevel::SilentJSON => BarType::Hidden,
                 };
 
                 let pb = add_bar(&self.url, self.num_requests, bar_type);
@@ -191,6 +216,7 @@ impl FeroxScan {
     ) -> Arc<Self> {
         Arc::new(Self {
             url: url.to_string(),
+            normalized_url: format!("{}/", url.trim_end_matches('/')),
             scan_type,
             scan_order,
             num_requests,
@@ -228,13 +254,21 @@ impl FeroxScan {
         false
     }
 
+    /// small wrapper to inspect ScanStatus and see if it's Cancelled
+    pub fn is_cancelled(&self) -> bool {
+        if let Ok(guard) = self.status.lock() {
+            return matches!(*guard, ScanStatus::Cancelled);
+        }
+        false
+    }
+
     /// await a task's completion, similar to a thread's join; perform necessary bookkeeping
     pub async fn join(&self) {
         log::trace!("enter join({:?})", self);
         let mut guard = self.task.lock().await;
 
         if guard.is_some() {
-            if let Some(task) = std::mem::replace(&mut *guard, None) {
+            if let Some(task) = guard.take() {
                 task.await.unwrap();
                 self.set_status(ScanStatus::Complete)
                     .unwrap_or_else(|e| log::warn!("Could not mark scan complete: {}", e))
@@ -264,6 +298,7 @@ impl FeroxScan {
             PolicyTrigger::Status403 => self.status_403s(),
             PolicyTrigger::Status429 => self.status_429s(),
             PolicyTrigger::Errors => self.errors(),
+            PolicyTrigger::TryAdjustUp => 0,
         }
     }
 
@@ -332,13 +367,15 @@ impl Serialize for FeroxScan {
     where
         S: Serializer,
     {
-        let mut state = serializer.serialize_struct("FeroxScan", 4)?;
+        let mut state = serializer.serialize_struct("FeroxScan", 6)?;
 
         state.serialize_field("id", &self.id)?;
         state.serialize_field("url", &self.url)?;
+        state.serialize_field("normalized_url", &self.normalized_url)?;
         state.serialize_field("scan_type", &self.scan_type)?;
         state.serialize_field("status", &self.status)?;
         state.serialize_field("num_requests", &self.num_requests)?;
+        state.serialize_field("requests_made_so_far", &self.requests())?;
 
         state.end()
     }
@@ -387,11 +424,21 @@ impl<'de> Deserialize<'de> for FeroxScan {
                         scan.url = url.to_string();
                     }
                 }
+                "normalized_url" => {
+                    if let Some(normalized_url) = value.as_str() {
+                        scan.normalized_url = normalized_url.to_string();
+                    }
+                }
                 "num_requests" => {
                     if let Some(num_requests) = value.as_u64() {
                         scan.num_requests = num_requests;
                     }
                 }
+                "requests_made_so_far" => {
+                    if let Some(requests_made_so_far) = value.as_u64() {
+                        scan.requests_made_so_far = requests_made_so_far;
+                    }
+                }
                 _ => {}
             }
         }
@@ -480,9 +527,11 @@ mod tests {
         let scan = FeroxScan {
             id: "".to_string(),
             url: "".to_string(),
+            normalized_url: String::from("/"),
             scan_type: ScanType::Directory,
             scan_order: ScanOrder::Initial,
             num_requests: 0,
+            requests_made_so_far: 0,
             status: Mutex::new(ScanStatus::Running),
             task: Default::default(),
             progress_bar: Mutex::new(None),

src/scan_manager/scan_container.rs

@@ -1,17 +1,28 @@
 use super::scan::ScanType;
 use super::*;
+use crate::event_handlers::Handles;
+use crate::filters::{
+    EmptyFilter, LinesFilter, RegexFilter, SimilarityFilter, SizeFilter, StatusCodeFilter,
+    WildcardFilter, WordsFilter,
+};
+use crate::traits::FeroxFilter;
+use crate::Command::AddFilter;
 use crate::{
+    banner::Banner,
     config::OutputLevel,
     progress::PROGRESS_PRINTER,
     progress::{add_bar, BarType},
+    scan_manager::{MenuCmd, MenuCmdResult},
     scanner::RESPONSES,
     traits::FeroxSerialize,
-    SLEEP_DURATION,
+    Command, SLEEP_DURATION,
 };
 use anyhow::Result;
+use console::style;
 use reqwest::StatusCode;
 use serde::{ser::SerializeSeq, Serialize, Serializer};
 use std::{
+    collections::HashSet,
     convert::TryInto,
     fs::File,
     io::BufReader,
@@ -46,6 +57,9 @@ pub struct FeroxScans {
 
     /// whether or not the user passed --silent|--quiet on the command line
     output_level: OutputLevel,
+
+    /// vector of extensions discovered and collected during scans
+    pub(crate) collected_extensions: RwLock<HashSet<String>>,
 }
 
 /// Serialize implementation for FeroxScans
@@ -57,17 +71,20 @@ impl Serialize for FeroxScans {
     where
         S: Serializer,
     {
-        if let Ok(scans) = self.scans.read() {
-            let mut seq = serializer.serialize_seq(Some(scans.len()))?;
-            for scan in scans.iter() {
-                seq.serialize_element(&*scan).unwrap_or_default();
-            }
+        match self.scans.read() {
+            Ok(scans) => {
+                let mut seq = serializer.serialize_seq(Some(scans.len() + 1))?;
 
-            seq.end()
-        } else {
-            // if for some reason we can't unlock the RwLock, just write an empty list
-            let seq = serializer.serialize_seq(Some(0))?;
-            seq.end()
+                for scan in scans.iter() {
+                    seq.serialize_element(scan).unwrap_or_default();
+                }
+                seq.end()
+            }
+            Err(_) => {
+                // if for some reason we can't unlock the RwLock, just write an empty list
+                let seq = serializer.serialize_seq(Some(0))?;
+                seq.end()
+            }
         }
     }
 }
@@ -108,8 +125,8 @@ impl FeroxScans {
         sentry
     }
 
-    /// load serialized FeroxScan(s) into this FeroxScans  
-    pub fn add_serialized_scans(&self, filename: &str) -> Result<()> {
+    /// load serialized FeroxScan(s) and any previously collected extensions into this FeroxScans  
+    pub fn add_serialized_scans(&self, filename: &str, handles: Arc<Handles>) -> Result<()> {
         log::trace!("enter: add_serialized_scans({})", filename);
         let file = File::open(filename)?;
 
@@ -121,18 +138,83 @@ impl FeroxScans {
                 for scan in arr_scans {
                     let mut deser_scan: FeroxScan =
                         serde_json::from_value(scan.clone()).unwrap_or_default();
+
+                    if deser_scan.is_cancelled() {
+                        // if the scan was cancelled by the user, mark it as complete. This will
+                        // prevent the scan from being resumed as well as prevent the wordlist
+                        // from requesting it again
+                        if let Ok(mut guard) = deser_scan.status.lock() {
+                            *guard = ScanStatus::Complete;
+                        }
+                    }
+
                     // FeroxScans gets -q value from config as usual; the FeroxScans themselves
                     // rely on that value being passed in. If the user starts a scan without -q
                     // and resumes the scan but adds -q, FeroxScan will not have the proper value
                     // without the line below
                     deser_scan.output_level = self.output_level;
 
-                    log::debug!("added: {}", deser_scan);
                     self.insert(Arc::new(deser_scan));
                 }
             }
         }
 
+        if let Some(extensions) = state.get("collected_extensions") {
+            if let Some(arr_exts) = extensions.as_array() {
+                if let Ok(mut guard) = self.collected_extensions.write() {
+                    for ext in arr_exts {
+                        let deser_ext: String =
+                            serde_json::from_value(ext.clone()).unwrap_or_default();
+
+                        guard.insert(deser_ext);
+                    }
+                }
+            }
+        }
+
+        if let Some(filters) = state.get("filters") {
+            if let Some(arr_filters) = filters.as_array() {
+                for filter in arr_filters {
+                    let final_filter: Box<dyn FeroxFilter> = if let Ok(deserialized) =
+                        serde_json::from_value::<RegexFilter>(filter.clone())
+                    {
+                        Box::new(deserialized)
+                    } else if let Ok(deserialized) =
+                        serde_json::from_value::<WordsFilter>(filter.clone())
+                    {
+                        Box::new(deserialized)
+                    } else if let Ok(deserialized) =
+                        serde_json::from_value::<WildcardFilter>(filter.clone())
+                    {
+                        Box::new(deserialized)
+                    } else if let Ok(deserialized) =
+                        serde_json::from_value::<SizeFilter>(filter.clone())
+                    {
+                        Box::new(deserialized)
+                    } else if let Ok(deserialized) =
+                        serde_json::from_value::<LinesFilter>(filter.clone())
+                    {
+                        Box::new(deserialized)
+                    } else if let Ok(deserialized) =
+                        serde_json::from_value::<SimilarityFilter>(filter.clone())
+                    {
+                        Box::new(deserialized)
+                    } else if let Ok(deserialized) =
+                        serde_json::from_value::<StatusCodeFilter>(filter.clone())
+                    {
+                        Box::new(deserialized)
+                    } else {
+                        Box::new(EmptyFilter {})
+                    };
+
+                    handles
+                        .filters
+                        .send(AddFilter(final_filter))
+                        .unwrap_or_default();
+                }
+            }
+        }
+
         log::trace!("exit: add_serialized_scans");
         Ok(())
     }
@@ -141,8 +223,10 @@ impl FeroxScans {
     /// on the given URL
     pub fn contains(&self, url: &str) -> bool {
         if let Ok(scans) = self.scans.read() {
+            let normalized = format!("{}/", url.trim_end_matches('/'));
+
             for scan in scans.iter() {
-                if scan.url == url {
+                if scan.normalized_url == normalized {
                     return true;
                 }
             }
@@ -153,8 +237,10 @@ impl FeroxScans {
     /// Find and return a `FeroxScan` based on the given URL
     pub fn get_scan_by_url(&self, url: &str) -> Option<Arc<FeroxScan>> {
         if let Ok(guard) = self.scans.read() {
+            let normalized = format!("{}/", url.trim_end_matches('/'));
+
             for scan in guard.iter() {
-                if scan.url == url {
+                if scan.normalized_url == normalized {
                     return Some(scan.clone());
                 }
             }
@@ -162,8 +248,8 @@ impl FeroxScans {
         None
     }
 
-    pub(super) fn get_base_scan_by_url(&self, url: &str) -> Option<Arc<FeroxScan>> {
-        log::trace!("enter: get_sub_paths_from_path({})", url);
+    pub fn get_base_scan_by_url(&self, url: &str) -> Option<Arc<FeroxScan>> {
+        log::trace!("enter: get_base_scan_by_url({})", url);
 
         // rmatch_indices returns tuples in index, match form, i.e. (10, "/")
         // with the furthest-right match in the first position in the vector
@@ -186,15 +272,15 @@ impl FeroxScans {
             for (idx, _) in &matches {
                 for scan in guard.iter() {
                     let slice = url.index(0..*idx);
-                    if slice == scan.url || format!("{}/", slice).as_str() == scan.url {
-                        log::trace!("enter: get_sub_paths_from_path -> {}", scan);
+                    if slice == scan.url || format!("{slice}/").as_str() == scan.url {
+                        log::trace!("enter: get_base_scan_by_url -> {}", scan);
                         return Some(scan.clone());
                     }
                 }
             }
         }
 
-        log::trace!("enter: get_sub_paths_from_path -> None");
+        log::trace!("enter: get_base_scan_by_url -> None");
         None
     }
     /// add one to either 403 or 429 tracker in the scan related to the given url
@@ -236,23 +322,36 @@ impl FeroxScans {
                 .clone()
         };
 
-        for (i, scan) in scans.iter().enumerate() {
-            if matches!(scan.scan_order, ScanOrder::Initial) || scan.task.try_lock().is_err() {
-                // original target passed in via either -u or --stdin
-                continue;
-            }
+        let mut printed = 0;
 
+        for (i, scan) in scans.iter().enumerate() {
             if matches!(scan.scan_type, ScanType::Directory) {
+                if printed == 0 {
+                    self.menu
+                        .println(&format!("{}:", style("Scans").bright().blue()));
+                }
+
+                if let Ok(guard) = scan.status.lock() {
+                    if matches!(*guard, ScanStatus::Cancelled) {
+                        continue;
+                    }
+                }
+
                 // we're only interested in displaying directory scans, as those are
                 // the only ones that make sense to be stopped
-                let scan_msg = format!("{:3}: {}", i, scan);
+                let scan_msg = format!("{i:3}: {scan}");
                 self.menu.println(&scan_msg);
+                printed += 1;
             }
         }
+
+        if printed > 0 {
+            self.menu.print_border();
+        }
     }
 
     /// Given a list of indexes, cancel their associated FeroxScans
-    async fn cancel_scans(&self, indexes: Vec<usize>) -> usize {
+    async fn cancel_scans(&self, indexes: Vec<usize>, force: bool) -> usize {
         let menu_pause_duration = Duration::from_millis(SLEEP_DURATION);
 
         let mut num_cancelled = 0_usize;
@@ -264,27 +363,37 @@ impl FeroxScans {
                     if num >= u_scans.len() {
                         // usize can't be negative, just need to handle exceeding bounds
                         self.menu
-                            .println(&format!("The number {} is not a valid choice.", num));
+                            .println(&format!("The number {num} is not a valid choice."));
                         sleep(menu_pause_duration);
                         continue;
                     }
-                    u_scans.index(num).clone()
+
+                    let selected = u_scans.index(num);
+
+                    if matches!(selected.scan_type, ScanType::File) {
+                        continue;
+                    }
+
+                    selected.clone()
                 }
                 Err(..) => continue,
             };
 
-            let input = self.menu.confirm_cancellation(&selected.url);
+            let input = if force {
+                'y'
+            } else {
+                self.menu.confirm_cancellation(&selected.url)
+            };
 
             if input == 'y' || input == '\n' {
                 self.menu.println(&format!("Stopping {}...", selected.url));
-
                 selected
                     .abort()
                     .await
                     .unwrap_or_else(|e| log::warn!("Could not cancel task: {}", e));
 
                 let pb = selected.progress_bar();
-                num_cancelled += pb.length() as usize - pb.position() as usize
+                num_cancelled += pb.length().unwrap_or(0) as usize - pb.position() as usize;
             } else {
                 self.menu.println("Ok, doing nothing...");
             }
@@ -295,24 +404,96 @@ impl FeroxScans {
         num_cancelled
     }
 
+    fn display_filters(&self, handles: Arc<Handles>) {
+        let mut printed = 0;
+
+        if let Ok(guard) = handles.filters.data.filters.read() {
+            for (i, filter) in guard.iter().enumerate() {
+                if i == 0 {
+                    self.menu
+                        .println(&format!("{}:", style("Filters").bright().blue()));
+                }
+
+                let filter_msg = format!("{:3}: {}", i + 1, filter);
+                self.menu.println(&filter_msg);
+                printed += 1;
+            }
+
+            if printed > 0 {
+                self.menu.print_border();
+            }
+        }
+    }
+
     /// CLI menu that allows for interactive cancellation of recursed-into directories
-    async fn interactive_menu(&self) -> usize {
+    async fn interactive_menu(&self, handles: Arc<Handles>) -> Option<MenuCmdResult> {
         self.menu.hide_progress_bars();
         self.menu.clear_screen();
         self.menu.print_header();
         self.display_scans().await;
+        self.display_filters(handles.clone());
         self.menu.print_footer();
 
-        let mut num_cancelled = 0_usize;
+        let menu_cmd = if let Ok(line) = self.menu.term.read_line() {
+            self.menu.get_command_input_from_user(&line)
+        } else {
+            None
+        };
 
-        if let Some(input) = self.menu.get_scans_from_user() {
-            num_cancelled += self.cancel_scans(input).await;
+        let result = match menu_cmd {
+            Some(MenuCmd::Cancel(indices, should_force)) => {
+                // cancel the things
+                let num_cancelled = self.cancel_scans(indices, should_force).await;
+                Some(MenuCmdResult::NumCancelled(num_cancelled))
+            }
+            Some(MenuCmd::AddUrl(url)) => Some(MenuCmdResult::Url(url)),
+            Some(MenuCmd::AddFilter(filter)) => Some(MenuCmdResult::Filter(filter)),
+            Some(MenuCmd::RemoveFilter(indices)) => {
+                handles
+                    .filters
+                    .send(Command::RemoveFilters(indices))
+                    .unwrap_or_default();
+                None
+            }
+            None => None,
         };
 
         self.menu.clear_screen();
+
+        let banner = Banner::new(&[handles.config.target_url.clone()], &handles.config);
+        banner
+            .print_to(&self.menu.term, handles.config.clone())
+            .unwrap_or_default();
+
         self.menu.show_progress_bars();
 
-        num_cancelled
+        let has_active_scans = if let Ok(guard) = self.scans.read() {
+            guard.iter().any(|s| s.is_active())
+        } else {
+            // if we can't tell for sure, we'll let it ride
+            //
+            // i'm not sure which is the better option here:
+            // either return true and let it potentially hang, or
+            // return false and exit, so just going with not
+            // abruptly exiting for maybe no reason
+            true
+        };
+
+        if !has_active_scans {
+            // the last active scan was cancelled, so we can exit
+            self.menu.println(&format!(
+                " 😱 no more active scans... {}",
+                style("exiting").red()
+            ));
+
+            let (tx, rx) = tokio::sync::oneshot::channel::<bool>();
+            handles
+                .send_scan_command(Command::JoinTasks(tx))
+                .unwrap_or_default();
+            rx.await.unwrap_or_default();
+        }
+
+        result
     }
 
     /// prints all known responses that the scanner has already seen
@@ -335,7 +516,7 @@ impl FeroxScans {
         let bar_type = match self.output_level {
             OutputLevel::Default => BarType::Message,
             OutputLevel::Quiet => BarType::Quiet,
-            OutputLevel::Silent => return Ok(()), // fast exit when --silent was used
+            OutputLevel::Silent | OutputLevel::SilentJSON => return Ok(()), // fast exit when --silent was used
         };
 
         if let Ok(scans) = self.scans.read() {
@@ -360,19 +541,23 @@ impl FeroxScans {
     ///
     /// When the value stored in `PAUSE_SCAN` becomes `false`, the function returns, exiting the busy
     /// loop
-    pub async fn pause(&self, get_user_input: bool) -> usize {
+    pub async fn pause(
+        &self,
+        get_user_input: bool,
+        handles: Arc<Handles>,
+    ) -> Option<MenuCmdResult> {
         // function uses tokio::time, not std
 
         // local testing showed a pretty slow increase (less than linear) in CPU usage as # of
         // concurrent scans rose when SLEEP_DURATION was set to 500, using that as the default for now
         let mut interval = time::interval(time::Duration::from_millis(SLEEP_DURATION));
-        let mut num_cancelled = 0_usize;
+        let mut command_result = None;
 
         if INTERACTIVE_BARRIER.load(Ordering::Relaxed) == 0 {
             INTERACTIVE_BARRIER.fetch_add(1, Ordering::Relaxed);
 
             if get_user_input {
-                num_cancelled += self.interactive_menu().await;
+                command_result = self.interactive_menu(handles).await;
                 PAUSE_SCAN.store(false, Ordering::Relaxed);
                 self.print_known_responses();
             }
@@ -389,8 +574,8 @@ impl FeroxScans {
                     INTERACTIVE_BARRIER.fetch_sub(1, Ordering::Relaxed);
                 }
 
-                log::trace!("exit: pause_scan -> {}", num_cancelled);
-                return num_cancelled;
+                log::trace!("exit: pause_scan -> {:?}", command_result);
+                return command_result;
             }
         }
     }
@@ -424,10 +609,10 @@ impl FeroxScans {
                 let bar_type = match self.output_level {
                     OutputLevel::Default => BarType::Default,
                     OutputLevel::Quiet => BarType::Quiet,
-                    OutputLevel::Silent => BarType::Hidden,
+                    OutputLevel::Silent | OutputLevel::SilentJSON => BarType::Hidden,
                 };
 
-                let progress_bar = add_bar(&url, bar_length, bar_type);
+                let progress_bar = add_bar(url, bar_length, bar_type);
 
                 progress_bar.reset_elapsed();
 
@@ -437,7 +622,7 @@ impl FeroxScans {
         };
 
         let ferox_scan = FeroxScan::new(
-            &url,
+            url,
             scan_type,
             scan_order,
             bar_length,
@@ -458,7 +643,8 @@ impl FeroxScans {
     ///
     /// Also return a reference to the new `FeroxScan`
     pub fn add_directory_scan(&self, url: &str, scan_order: ScanOrder) -> (bool, Arc<FeroxScan>) {
-        self.add_scan(&url, ScanType::Directory, scan_order)
+        let normalized = format!("{}/", url.trim_end_matches('/'));
+        self.add_scan(&normalized, ScanType::Directory, scan_order)
     }
 
     /// Given a url, create a new `FeroxScan` and add it to `FeroxScans` as a File Scan
@@ -467,7 +653,7 @@ impl FeroxScans {
     ///
     /// Also return a reference to the new `FeroxScan`
     pub fn add_file_scan(&self, url: &str, scan_order: ScanOrder) -> (bool, Arc<FeroxScan>) {
-        self.add_scan(&url, ScanType::File, scan_order)
+        self.add_scan(url, ScanType::File, scan_order)
     }
 
     /// small helper to determine whether any scans are active or not
@@ -496,4 +682,67 @@ impl FeroxScans {
         }
         scans
     }
+
+    /// given an extension, add it to `collected_extensions` if all constraints are met
+    /// returns `true` if an extension was added, `false` otherwise
+    pub fn add_discovered_extension(&self, extension: String) -> bool {
+        log::trace!("enter: add_discovered_extension({})", extension);
+        let mut extension_added = false;
+
+        // note: the filter by --dont-collect happens in the event handler, since it has access
+        // to a Handles object form which it can check the config value. additionally, the check
+        // against --extensions is performed there for the same reason
+
+        if let Ok(extensions) = self.collected_extensions.read() {
+            // quicker to allow most to read and return and then reopen for write if necessary
+            if extensions.contains(&extension) {
+                return extension_added;
+            }
+        }
+
+        if let Ok(mut extensions) = self.collected_extensions.write() {
+            log::info!("discovered new extension: {}", extension);
+            extensions.insert(extension);
+            extension_added = true;
+        }
+
+        log::trace!("exit: add_discovered_extension -> {}", extension_added);
+        extension_added
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    /// unknown extension should be added to collected_extensions
+    fn unknown_extension_is_added_to_collected_extensions() {
+        let scans = FeroxScans::new(OutputLevel::Default);
+
+        assert_eq!(0, scans.collected_extensions.read().unwrap().len());
+
+        let added = scans.add_discovered_extension(String::from("js"));
+
+        assert!(added);
+        assert_eq!(1, scans.collected_extensions.read().unwrap().len());
+    }
+
+    #[test]
+    /// known extension should not be added to collected_extensions
+    fn known_extension_is_added_to_collected_extensions() {
+        let scans = FeroxScans::new(OutputLevel::Default);
+        scans
+            .collected_extensions
+            .write()
+            .unwrap()
+            .insert(String::from("js"));
+
+        assert_eq!(1, scans.collected_extensions.read().unwrap().len());
+
+        let added = scans.add_discovered_extension(String::from("js"));
+
+        assert!(!added);
+        assert_eq!(1, scans.collected_extensions.read().unwrap().len());
+    }
 }

src/scan_manager/state.rs

@@ -1,7 +1,9 @@
 use super::*;
+use crate::filters::FeroxFilters;
 use crate::{config::Configuration, statistics::Stats, traits::FeroxSerialize, utils::fmt_err};
 use anyhow::{Context, Result};
 use serde::Serialize;
+use std::collections::HashSet;
 use std::sync::Arc;
 
 /// Data container for (de)?serialization of multiple items
@@ -18,6 +20,12 @@ pub struct FeroxState {
 
     /// Gathered statistics
     statistics: Arc<Stats>,
+
+    /// collected extensions
+    collected_extensions: HashSet<String>,
+
+    /// runtime filters, as they may differ from original config
+    filters: Arc<FeroxFilters>,
 }
 
 /// implementation of FeroxState
@@ -28,12 +36,20 @@ impl FeroxState {
         config: Arc<Configuration>,
         responses: &'static FeroxResponses,
         statistics: Arc<Stats>,
+        filters: Arc<FeroxFilters>,
     ) -> Self {
+        let collected_extensions = match scans.collected_extensions.read() {
+            Ok(extensions) => extensions.clone(),
+            Err(_) => HashSet::new(),
+        };
+
         Self {
             scans,
             config,
             responses,
             statistics,
+            collected_extensions,
+            filters,
         }
     }
 }
@@ -42,12 +58,12 @@ impl FeroxState {
 impl FeroxSerialize for FeroxState {
     /// Simply return debug format of FeroxState to satisfy as_str
     fn as_str(&self) -> String {
-        format!("{:?}", self)
+        format!("{self:?}")
     }
 
     /// Simple call to produce a JSON string using the given FeroxState
     fn as_json(&self) -> Result<String> {
-        Ok(serde_json::to_string(&self)
-            .with_context(|| fmt_err("Could not convert scan's running state to JSON"))?)
+        serde_json::to_string(&self)
+            .with_context(|| fmt_err("Could not convert scan's running state to JSON"))
     }
 }

src/scan_manager/tests.rs

@@ -1,4 +1,8 @@
 use super::*;
+use crate::filters::{
+    FeroxFilters, LinesFilter, RegexFilter, SimilarityFilter, SizeFilter, StatusCodeFilter,
+    WordsFilter,
+};
 use crate::{
     config::{Configuration, OutputLevel},
     event_handlers::Handles,
@@ -10,6 +14,7 @@ use crate::{
 };
 use indicatif::ProgressBar;
 use predicates::prelude::*;
+use regex::Regex;
 use std::sync::{atomic::Ordering, Arc};
 use std::thread::sleep;
 use std::time::Instant;
@@ -31,6 +36,7 @@ fn default_scantype_is_file() {
 async fn scanner_pause_scan_with_finished_spinner() {
     let now = time::Instant::now();
     let urls = FeroxScans::default();
+    let handles = Arc::new(Handles::for_testing(None, None).0);
 
     PAUSE_SCAN.store(true, Ordering::Relaxed);
 
@@ -41,7 +47,7 @@ async fn scanner_pause_scan_with_finished_spinner() {
         PAUSE_SCAN.store(false, Ordering::Relaxed);
     });
 
-    urls.pause(false).await;
+    urls.pause(false, handles).await;
 
     assert!(now.elapsed() > expected);
 }
@@ -52,7 +58,7 @@ fn add_url_to_list_of_scanned_urls_with_unknown_url() {
     let urls = FeroxScans::default();
     let url = "http://unknown_url";
     let (result, _scan) = urls.add_scan(url, ScanType::Directory, ScanOrder::Latest);
-    assert_eq!(result, true);
+    assert!(result);
 }
 
 #[test]
@@ -66,16 +72,16 @@ fn add_url_to_list_of_scanned_urls_with_known_url() {
         url,
         ScanType::Directory,
         ScanOrder::Latest,
-        pb.length(),
+        pb.length().unwrap(),
         OutputLevel::Default,
         Some(pb),
     );
 
-    assert_eq!(urls.insert(scan), true);
+    assert!(urls.insert(scan));
 
     let (result, _scan) = urls.add_scan(url, ScanType::Directory, ScanOrder::Latest);
 
-    assert_eq!(result, false);
+    assert!(!result);
 }
 
 #[test]
@@ -88,32 +94,28 @@ fn stop_progress_bar_stops_bar() {
         url,
         ScanType::Directory,
         ScanOrder::Latest,
-        pb.length(),
+        pb.length().unwrap(),
         OutputLevel::Default,
         Some(pb),
     );
 
-    assert_eq!(
-        scan.progress_bar
-            .lock()
-            .unwrap()
-            .as_ref()
-            .unwrap()
-            .is_finished(),
-        false
-    );
+    assert!(!scan
+        .progress_bar
+        .lock()
+        .unwrap()
+        .as_ref()
+        .unwrap()
+        .is_finished());
 
     scan.stop_progress_bar();
 
-    assert_eq!(
-        scan.progress_bar
-            .lock()
-            .unwrap()
-            .as_ref()
-            .unwrap()
-            .is_finished(),
-        true
-    );
+    assert!(scan
+        .progress_bar
+        .lock()
+        .unwrap()
+        .as_ref()
+        .unwrap()
+        .is_finished());
 }
 
 #[test]
@@ -131,11 +133,11 @@ fn add_url_to_list_of_scanned_urls_with_known_url_without_slash() {
         None,
     );
 
-    assert_eq!(urls.insert(scan), true);
+    assert!(urls.insert(scan));
 
     let (result, _scan) = urls.add_scan(url, ScanType::File, ScanOrder::Latest);
 
-    assert_eq!(result, false);
+    assert!(!result);
 }
 
 #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
@@ -150,7 +152,7 @@ async fn call_display_scans() {
         url,
         ScanType::Directory,
         ScanOrder::Latest,
-        pb.length(),
+        pb.length().unwrap(),
         OutputLevel::Default,
         Some(pb),
     );
@@ -158,7 +160,7 @@ async fn call_display_scans() {
         url_two,
         ScanType::Directory,
         ScanOrder::Latest,
-        pb_two.length(),
+        pb_two.length().unwrap(),
         OutputLevel::Default,
         Some(pb_two),
     );
@@ -171,8 +173,8 @@ async fn call_display_scans() {
         .await
         .unwrap();
 
-    assert_eq!(urls.insert(scan), true);
-    assert_eq!(urls.insert(scan_two), true);
+    assert!(urls.insert(scan));
+    assert!(urls.insert(scan_two));
 
     urls.display_scans().await;
 }
@@ -200,6 +202,7 @@ fn partial_eq_compares_the_id_field() {
 
     assert!(!scan.eq(&scan_two));
 
+    #[allow(clippy::redundant_clone)]
     let scan_two = scan.clone();
 
     assert!(scan.eq(&scan_two));
@@ -222,7 +225,7 @@ fn ferox_scan_get_progress_bar_when_none_is_set() {
 /// given a JSON entry representing a FeroxScan, test that it deserializes into the proper type
 /// with the right attributes
 fn ferox_scan_deserialize() {
-    let fs_json = r#"{"id":"057016a14769414aac9a7a62707598cb","url":"https://spiritanimal.com","scan_type":"Directory","status":"Complete"}"#;
+    let fs_json = r#"{"id":"057016a14769414aac9a7a62707598cb","url":"https://spiritanimal.com","scan_type":"Directory","status":"Complete","requests_made_so_far":500}"#;
     let fs_json_two = r#"{"id":"057016a14769414aac9a7a62707598cb","url":"https://spiritanimal.com","scan_type":"Not Correct","status":"Cancelled"}"#;
     let fs_json_three = r#"{"id":"057016a14769414aac9a7a62707598cb","url":"https://spiritanimal.com","scan_type":"Not Correct","status":"","num_requests":42}"#;
 
@@ -244,9 +247,13 @@ fn ferox_scan_deserialize() {
         ScanType::File => {}
     }
 
-    match *fs.progress_bar.lock().unwrap() {
-        None => {}
-        Some(_) => {
+    match fs.progress_bar.lock() {
+        Ok(guard) => {
+            if guard.is_some() {
+                panic!();
+            }
+        }
+        Err(_) => {
             panic!();
         }
     }
@@ -275,7 +282,7 @@ fn ferox_scan_serialize() {
         None,
     );
     let fs_json = format!(
-        r#"{{"id":"{}","url":"https://spiritanimal.com","scan_type":"Directory","status":"NotStarted","num_requests":0}}"#,
+        r#"{{"id":"{}","url":"https://spiritanimal.com","normalized_url":"https://spiritanimal.com/","scan_type":"Directory","status":"NotStarted","num_requests":0,"requests_made_so_far":0}}"#,
         fs.id
     );
     assert_eq!(fs_json, serde_json::to_string(&*fs).unwrap());
@@ -294,7 +301,7 @@ fn ferox_scans_serialize() {
     );
     let ferox_scans = FeroxScans::default();
     let ferox_scans_json = format!(
-        r#"[{{"id":"{}","url":"https://spiritanimal.com","scan_type":"Directory","status":"NotStarted","num_requests":0}}]"#,
+        r#"[{{"id":"{}","url":"https://spiritanimal.com","normalized_url":"https://spiritanimal.com/","scan_type":"Directory","status":"NotStarted","num_requests":0,"requests_made_so_far":0}}]"#,
         ferox_scan.id
     );
     ferox_scans.scans.write().unwrap().push(ferox_scan);
@@ -307,7 +314,7 @@ fn ferox_scans_serialize() {
 #[test]
 /// given a FeroxResponses, test that it serializes into the proper JSON entry
 fn ferox_responses_serialize() {
-    let json_response = r#"{"type":"response","url":"https://nerdcore.com/css","path":"/css","wildcard":true,"status":301,"content_length":173,"line_count":10,"word_count":16,"headers":{"server":"nginx/1.16.1"}}"#;
+    let json_response = r#"{"type":"response","url":"https://nerdcore.com/css","original_url":"https://nerdcore.com","path":"/css","wildcard":true,"status":301,"method":"GET","content_length":173,"line_count":10,"word_count":16,"headers":{"server":"nginx/1.16.1"},"extension":""}"#;
     let response: FeroxResponse = serde_json::from_str(json_response).unwrap();
 
     let responses = FeroxResponses::default();
@@ -315,7 +322,7 @@ fn ferox_responses_serialize() {
     // responses has a response now
 
     // serialized should be a list of responses
-    let expected = format!("[{}]", json_response);
+    let expected = format!("[{json_response}]");
 
     let serialized = serde_json::to_string(&responses).unwrap();
     assert_eq!(expected, serialized);
@@ -325,12 +332,12 @@ fn ferox_responses_serialize() {
 /// given a FeroxResponse, test that it serializes into the proper JSON entry
 fn ferox_response_serialize_and_deserialize() {
     // deserialize
-    let json_response = r#"{"type":"response","url":"https://nerdcore.com/css","path":"/css","wildcard":true,"status":301,"content_length":173,"line_count":10,"word_count":16,"headers":{"server":"nginx/1.16.1"}}"#;
+    let json_response = r#"{"type":"response","url":"https://nerdcore.com/css","original_url":"https://nerdcore.com","path":"/css","wildcard":true,"status":301,"method":"GET","content_length":173,"line_count":10,"word_count":16,"headers":{"server":"nginx/1.16.1"},"extension":""}"#;
     let response: FeroxResponse = serde_json::from_str(json_response).unwrap();
 
     assert_eq!(response.url().as_str(), "https://nerdcore.com/css");
     assert_eq!(response.url().path(), "/css");
-    assert_eq!(response.wildcard(), true);
+    assert!(response.wildcard());
     assert_eq!(response.status().as_u16(), 301);
     assert_eq!(response.content_length(), 173);
     assert_eq!(response.line_count(), 10);
@@ -355,20 +362,59 @@ fn feroxstates_feroxserialize_implementation() {
     );
     let ferox_scans = FeroxScans::default();
     let saved_id = ferox_scan.id.clone();
+
     ferox_scans.insert(ferox_scan);
 
-    let config = Configuration::new().unwrap();
-    let stats = Arc::new(Stats::new(config.extensions.len(), config.json));
+    ferox_scans
+        .collected_extensions
+        .write()
+        .unwrap()
+        .insert(String::from("php"));
 
-    let json_response = r#"{"type":"response","url":"https://nerdcore.com/css","path":"/css","wildcard":true,"status":301,"content_length":173,"line_count":10,"word_count":16,"headers":{"server":"nginx/1.16.1"}}"#;
+    let mut config = Configuration::new().unwrap();
+
+    config.collect_extensions = true;
+
+    let stats = Arc::new(Stats::new(config.json));
+
+    let json_response = r#"{"type":"response","url":"https://nerdcore.com/css","path":"/css","wildcard":true,"status":301,"content_length":173,"line_count":10,"word_count":16,"headers":{"server":"nginx/1.16.1"},"extension":""}"#;
     let response: FeroxResponse = serde_json::from_str(json_response).unwrap();
     RESPONSES.insert(response);
 
+    let filters = FeroxFilters::default();
+    filters
+        .push(Box::new(StatusCodeFilter { filter_code: 100 }))
+        .unwrap();
+    filters
+        .push(Box::new(WordsFilter { word_count: 200 }))
+        .unwrap();
+    filters
+        .push(Box::new(SizeFilter {
+            content_length: 300,
+        }))
+        .unwrap();
+    filters
+        .push(Box::new(LinesFilter { line_count: 400 }))
+        .unwrap();
+    filters
+        .push(Box::new(RegexFilter {
+            raw_string: ".*".to_string(),
+            compiled: Regex::new(".*").unwrap(),
+        }))
+        .unwrap();
+    filters
+        .push(Box::new(SimilarityFilter {
+            hash: 1,
+            original_url: "http://localhost:12345/".to_string(),
+        }))
+        .unwrap();
+
     let ferox_state = FeroxState::new(
         Arc::new(ferox_scans),
-        Arc::new(Configuration::new().unwrap()),
+        Arc::new(config),
         &RESPONSES,
         stats,
+        Arc::new(filters),
     );
 
     let expected_strs = predicates::str::contains("scans: FeroxScans").and(
@@ -376,18 +422,100 @@ fn feroxstates_feroxserialize_implementation() {
             .and(predicate::str::contains("responses: FeroxResponses"))
             .and(predicate::str::contains("nerdcore.com"))
             .and(predicate::str::contains("/css"))
-            .and(predicate::str::contains("https://spiritanimal.com")),
+            .and(predicate::str::contains("https://spiritanimal.com"))
+            .and(predicate::str::contains("php")),
     );
 
     assert!(expected_strs.eval(&ferox_state.as_str()));
 
     let json_state = ferox_state.as_json().unwrap();
-    let expected = format!(
-        r#"{{"scans":[{{"id":"{}","url":"https://spiritanimal.com","scan_type":"Directory","status":"NotStarted","num_requests":0}}],"config":{{"type":"configuration","wordlist":"/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt","config":"","proxy":"","replay_proxy":"","target_url":"","status_codes":[200,204,301,302,307,308,401,403,405],"replay_codes":[200,204,301,302,307,308,401,403,405],"filter_status":[],"threads":50,"timeout":7,"verbosity":0,"silent":false,"quiet":false,"auto_bail":false,"auto_tune":false,"json":false,"output":"","debug_log":"","user_agent":"feroxbuster/{}","redirects":false,"insecure":false,"extensions":[],"headers":{{}},"queries":[],"no_recursion":false,"extract_links":false,"add_slash":false,"stdin":false,"depth":4,"scan_limit":0,"parallel":0,"rate_limit":0,"filter_size":[],"filter_line_count":[],"filter_word_count":[],"filter_regex":[],"dont_filter":false,"resumed":false,"resume_from":"","save_state":false,"time_limit":"","filter_similar":[]}},"responses":[{{"type":"response","url":"https://nerdcore.com/css","path":"/css","wildcard":true,"status":301,"content_length":173,"line_count":10,"word_count":16,"headers":{{"server":"nginx/1.16.1"}}}}]"#,
-        saved_id, VERSION
-    );
-    println!("{}\n{}", expected, json_state);
-    assert!(predicates::str::contains(expected).eval(&json_state));
+
+    println!("echo '{json_state}'|jq"); // for debugging, if the test fails, can see what's going on
+
+    for expected in [
+        r#""scans""#,
+        &format!(r#""id":"{saved_id}""#),
+        r#""url":"https://spiritanimal.com""#,
+        r#""scan_type":"Directory""#,
+        r#""status":"NotStarted""#,
+        r#""num_requests":0"#,
+        r#""config""#,
+        r#""type":"configuration""#,
+        r#""wordlist":"/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt""#,
+        r#""config""#,
+        r#""proxy":"""#,
+        r#""replay_proxy":"""#,
+        r#""target_url":"""#,
+        r#""status_codes":[100,101,102,200,201,202,203,204,205,206,207,208,226,300,301,302,303,304,305,307,308,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,421,422,423,424,426,428,429,431,451,500,501,502,503,504,505,506,507,508,510,511,103,425]"#,
+        r#""replay_codes":[100,101,102,200,201,202,203,204,205,206,207,208,226,300,301,302,303,304,305,307,308,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,421,422,423,424,426,428,429,431,451,500,501,502,503,504,505,506,507,508,510,511,103,425]"#,
+        r#""filter_status":[]"#,
+        r#""threads":50"#,
+        r#""timeout":7"#,
+        r#""verbosity":0"#,
+        r#""silent":false"#,
+        r#""quiet":false"#,
+        r#""auto_bail":false"#,
+        r#""auto_tune":false"#,
+        r#""force_recursion":false"#,
+        r#""json":false"#,
+        r#""output":"""#,
+        r#""debug_log":"""#,
+        &format!(r#""user_agent":"feroxbuster/{VERSION}""#),
+        r#""random_agent":false"#,
+        r#""redirects":false"#,
+        r#""insecure":false"#,
+        r#""extensions":[]"#,
+        r#""methods":["GET"],"#,
+        r#""data":[]"#,
+        r#""headers""#,
+        r#""queries":[]"#,
+        r#""no_recursion":false"#,
+        r#""extract_links":true"#,
+        r#""add_slash":false"#,
+        r#""stdin":false"#,
+        r#""depth":4"#,
+        r#""scan_limit":0"#,
+        r#""parallel":0"#,
+        r#""rate_limit":0"#,
+        r#""filter_size":[]"#,
+        r#""filter_line_count":[]"#,
+        r#""filter_word_count":[]"#,
+        r#""filter_regex":[]"#,
+        r#""dont_filter":false"#,
+        r#""resumed":false"#,
+        r#""resume_from":"""#,
+        r#""save_state":false"#,
+        r#""time_limit":"""#,
+        r#""filter_similar":[]"#,
+        r#""url_denylist":[]"#,
+        r#""responses""#,
+        r#""type":"response""#,
+        r#""client_cert":"""#,
+        r#""client_key":"""#,
+        r#""server_certs":[]"#,
+        r#""url":"https://nerdcore.com/css""#,
+        r#""path":"/css""#,
+        r#""wildcard":true"#,
+        r#""status":301"#,
+        r#""method":"GET""#,
+        r#""content_length":173"#,
+        r#""line_count":10"#,
+        r#""word_count":16"#,
+        r#""headers""#,
+        r#""server":"nginx/1.16.1"#,
+        r#""collect_extensions":true"#,
+        r#""collect_backups":false"#,
+        r#""collect_words":false"#,
+        r#""filters":[{"filter_code":100},{"word_count":200},{"content_length":300},{"line_count":400},{"compiled":".*","raw_string":".*"},{"hash":1,"original_url":"http://localhost:12345/"}]"#,
+        r#""collected_extensions":["php"]"#,
+        r#""dont_collect":["tif","tiff","ico","cur","bmp","webp","svg","png","jpg","jpeg","jfif","gif","avif","apng","pjpeg","pjp","mov","wav","mpg","mpeg","mp3","mp4","m4a","m4p","m4v","ogg","webm","ogv","oga","flac","aac","3gp","css","zip","xls","xml","gz","tgz"]"#,
+    ]
+    .iter()
+    {
+        assert!(
+            predicates::str::contains(*expected).eval(&json_state)
+        );
+    }
 }
 
 #[should_panic]
@@ -435,9 +563,11 @@ fn feroxscan_display() {
     let scan = FeroxScan {
         id: "".to_string(),
         url: String::from("http://localhost"),
+        normalized_url: String::from("http://localhost/"),
         scan_order: ScanOrder::Latest,
         scan_type: Default::default(),
         num_requests: 0,
+        requests_made_so_far: 0,
         start_time: Instant::now(),
         output_level: OutputLevel::Default,
         status_403s: Default::default(),
@@ -448,26 +578,26 @@ fn feroxscan_display() {
         errors: Default::default(),
     };
 
-    let not_started = format!("{}", scan);
+    let not_started = format!("{scan}");
 
     assert!(predicate::str::contains("not started")
         .and(predicate::str::contains("localhost"))
         .eval(&not_started));
 
     scan.set_status(ScanStatus::Complete).unwrap();
-    let complete = format!("{}", scan);
+    let complete = format!("{scan}");
     assert!(predicate::str::contains("complete")
         .and(predicate::str::contains("localhost"))
         .eval(&complete));
 
     scan.set_status(ScanStatus::Cancelled).unwrap();
-    let cancelled = format!("{}", scan);
+    let cancelled = format!("{scan}");
     assert!(predicate::str::contains("cancelled")
         .and(predicate::str::contains("localhost"))
         .eval(&cancelled));
 
     scan.set_status(ScanStatus::Running).unwrap();
-    let running = format!("{}", scan);
+    let running = format!("{scan}");
     assert!(predicate::str::contains("running")
         .and(predicate::str::contains("localhost"))
         .eval(&running));
@@ -479,9 +609,11 @@ async fn ferox_scan_abort() {
     let scan = FeroxScan {
         id: "".to_string(),
         url: String::from("http://localhost"),
+        normalized_url: String::from("http://localhost/"),
         scan_order: ScanOrder::Latest,
         scan_type: Default::default(),
         num_requests: 0,
+        requests_made_so_far: 0,
         start_time: Instant::now(),
         output_level: OutputLevel::Default,
         status_403s: Default::default(),
@@ -509,6 +641,11 @@ async fn ferox_scan_abort() {
 /// and their correctness can be verified easily manually; just calling for now
 fn menu_print_header_and_footer() {
     let menu = Menu::new();
+    let menu_cmd_1 = MenuCmd::AddUrl(String::from("http://localhost"));
+    let menu_cmd_2 = MenuCmd::Cancel(vec![0], false);
+    let menu_cmd_res_1 = MenuCmdResult::Url(String::from("http://localhost"));
+    let menu_cmd_res_2 = MenuCmdResult::NumCancelled(2);
+    println!("{menu_cmd_1:?}{menu_cmd_2:?}{menu_cmd_res_1:?}{menu_cmd_res_2:?}");
     menu.clear_screen();
     menu.print_header();
     menu.print_footer();
@@ -516,14 +653,65 @@ fn menu_print_header_and_footer() {
     menu.show_progress_bars();
 }
 
+/// ensure command parsing from user input results int he correct MenuCmd returned
+#[test]
+fn menu_get_command_input_from_user_returns_cancel() {
+    let menu = Menu::new();
+
+    for (idx, cmd) in ["cancel", "Cancel", "c", "C"].iter().enumerate() {
+        let force = idx % 2 == 0;
+
+        let full_cmd = if force {
+            format!("{cmd} -f {idx}\n")
+        } else {
+            format!("{cmd} {idx}\n")
+        };
+
+        let result = menu.get_command_input_from_user(&full_cmd).unwrap();
+
+        assert!(matches!(result, MenuCmd::Cancel(_, _)));
+
+        if let MenuCmd::Cancel(canx_list, ret_force) = result {
+            assert_eq!(canx_list, vec![idx]);
+            assert_eq!(force, ret_force);
+        }
+    }
+}
+
+/// ensure command parsing from user input results int he correct MenuCmd returned
+#[test]
+fn menu_get_command_input_from_user_returns_add() {
+    let menu = Menu::new();
+
+    for cmd in ["add", "Addd", "a", "A", "None"] {
+        let test_url = "http://happyfuntimes.commmm";
+        let full_cmd = format!("{cmd} {test_url}\n");
+
+        if cmd != "None" {
+            let result = menu.get_command_input_from_user(&full_cmd).unwrap();
+            assert!(matches!(result, MenuCmd::AddUrl(_)));
+
+            if let MenuCmd::AddUrl(url) = result {
+                assert_eq!(url, test_url);
+            }
+        } else {
+            assert!(menu.get_command_input_from_user(&full_cmd).is_none());
+        };
+    }
+}
+
 #[test]
 /// ensure spaces are trimmed and numbers are returned from split_to_nums
 fn split_to_nums_is_correct() {
     let menu = Menu::new();
 
-    let nums = menu.split_to_nums("1, 3,      4");
+    let nums = menu.split_to_nums("1, 3,      4, 7 -     12, 10-10, 10-11, 9-12, 12-6, -1, 4-");
 
-    assert_eq!(nums, vec![1, 3, 4]);
+    assert_eq!(nums, vec![1, 3, 4, 7, 8, 9, 10, 11, 12]);
+    assert_eq!(menu.split_to_nums("9-12"), vec![9, 10, 11, 12]);
+    assert!(menu.split_to_nums("-12").is_empty());
+    assert!(menu.split_to_nums("12-").is_empty());
+    assert!(menu.split_to_nums("\n").is_empty());
 }
 
 #[test]

src/scan_manager/utils.rs

@@ -41,7 +41,7 @@ pub async fn start_max_time_thread(handles: Arc<Handles>) {
         log::trace!("exit: start_max_time_thread");
 
         #[cfg(test)]
-        panic!(handles);
+        panic!("{handles:?}");
         #[cfg(not(test))]
         let _ = TermInputHandler::sigint_handler(handles.clone());
     }

src/scanner/ferox_scanner.rs

@@ -1,23 +1,32 @@
-use std::{collections::HashSet, ops::Deref, sync::atomic::Ordering, sync::Arc, time::Instant};
+use std::fmt::Write as _;
+use std::sync::atomic::AtomicBool;
+use std::{ops::Deref, sync::atomic::Ordering, sync::Arc, time::Instant};
 
 use anyhow::{bail, Result};
+use console::style;
 use futures::{stream, StreamExt};
+use indicatif::ProgressBar;
 use lazy_static::lazy_static;
 use tokio::sync::Semaphore;
 
+use crate::filters::{create_similarity_filter, EmptyFilter, SimilarityFilter};
+use crate::heuristics::WildcardResult;
+use crate::Command::AddFilter;
 use crate::{
     event_handlers::{
-        Command::{AddError, AddToF64Field, SubtractFromUsizeField},
+        Command::{AddError, AddToF64Field, AddToUsizeField, SubtractFromUsizeField},
         Handles,
     },
-    extractor::{ExtractionTarget::RobotsTxt, ExtractorBuilder},
+    extractor::{ExtractionTarget, ExtractorBuilder},
     heuristics,
-    scan_manager::{FeroxResponses, ScanOrder, ScanStatus, PAUSE_SCAN},
+    scan_manager::{FeroxResponses, FeroxScans, MenuCmdResult, ScanOrder, ScanStatus, PAUSE_SCAN},
+    scanner::requester::TF_IDF,
     statistics::{
         StatError::Other,
         StatField::{DirScanTimes, TotalExpected},
     },
     utils::fmt_err,
+    Command,
 };
 
 use super::requester::Requester;
@@ -27,6 +36,75 @@ lazy_static! {
     pub static ref RESPONSES: FeroxResponses = FeroxResponses::default();
     // todo consider removing this
 }
+
+/// check to see if `pause_flag` is set to true. when true; enter a busy loop that only exits
+/// by setting PAUSE_SCAN back to false
+async fn check_for_user_input(
+    pause_flag: &AtomicBool,
+    scanned_urls: Arc<FeroxScans>,
+    handles: Arc<Handles>,
+) {
+    log::trace!(
+        "enter: check_for_user_input({:?}, SCANNED_URLS, HANDLES)",
+        pause_flag
+    );
+
+    // todo write a test or two for this function at some point...
+    if pause_flag.load(Ordering::Acquire) {
+        match scanned_urls.pause(true, handles.clone()).await {
+            Some(MenuCmdResult::Url(url)) => {
+                // user wants to add a new url to be scanned, need to send
+                // it over to the event handler for processing
+                handles
+                    .send_scan_command(Command::ScanNewUrl(url))
+                    .unwrap_or_else(|e| log::warn!("Could not add scan to scan queue: {}", e))
+            }
+            Some(MenuCmdResult::NumCancelled(num_canx)) => {
+                if num_canx > 0 {
+                    handles
+                        .stats
+                        .send(SubtractFromUsizeField(TotalExpected, num_canx))
+                        .unwrap_or_else(|e| log::warn!("Could not update overall scan bar: {}", e));
+                }
+            }
+            Some(MenuCmdResult::Filter(mut filter)) => {
+                let url = if let Some(SimilarityFilter { original_url, .. }) =
+                    filter.as_any().downcast_ref::<SimilarityFilter>()
+                {
+                    original_url.to_owned()
+                } else {
+                    String::new()
+                };
+
+                if !url.is_empty() {
+                    // filter was a SimilarityFilter and now we have a url to request.
+                    //
+                    // The reason for this janky structure is that `filter.as_any().downcast_ref`
+                    // isn't Send so we can't call create_similarity_filter(...).await, within
+                    // the if let Some ipso-facto, janky code /shrug
+                    let real_filter = create_similarity_filter(&url, handles.clone())
+                        .await
+                        .unwrap_or_default();
+
+                    if real_filter.original_url.is_empty() {
+                        // failed to create filter
+                        filter = Box::new(EmptyFilter {});
+                    } else {
+                        filter = Box::new(real_filter)
+                    }
+                }
+
+                handles
+                    .filters
+                    .send(AddFilter(filter))
+                    .unwrap_or_else(|e| log::warn!("Could not add new filter: {}", e));
+            }
+            _ => {}
+        }
+    }
+    log::trace!("exit: check_for_user_input");
+}
+
 /// handles the main muscle movement of scanning a url
 pub struct FeroxScanner {
     /// handles to handlers and config
@@ -40,9 +118,9 @@ pub struct FeroxScanner {
     order: ScanOrder,
 
     /// wordlist that's already been read from disk
-    wordlist: Arc<HashSet<String>>,
+    wordlist: Arc<Vec<String>>,
 
-    /// limiter that restricts the number of active FeroxScanners  
+    /// limiter that restricts the number of active FeroxScanners
     scan_limiter: Arc<Semaphore>,
 }
 
@@ -52,7 +130,7 @@ impl FeroxScanner {
     pub fn new(
         target_url: &str,
         order: ScanOrder,
-        wordlist: Arc<HashSet<String>>,
+        wordlist: Arc<Vec<String>>,
         scan_limiter: Arc<Semaphore>,
         handles: Arc<Handles>,
     ) -> Self {
@@ -65,6 +143,58 @@ impl FeroxScanner {
         }
     }
 
+    /// produces and awaits tasks (mp of mpsc); responsible for making requests
+    async fn stream_requests(
+        &self,
+        looping_words: Arc<Vec<String>>,
+        progress_bar: ProgressBar,
+        scanned_urls: Arc<FeroxScans>,
+        requester: Arc<Requester>,
+    ) {
+        log::trace!("enter: stream_requests(params too verbose to print)");
+
+        let producers = stream::iter(looping_words.deref().to_owned())
+            .map(|word| {
+                let pb = progress_bar.clone(); // progress bar is an Arc around internal state
+                let scanned_urls_clone = scanned_urls.clone();
+                let requester_clone = requester.clone();
+                let handles_clone = self.handles.clone();
+                (
+                    tokio::spawn(async move {
+                        // for every word in the wordlist, check to see if user has pressed enter
+                        // in order to go into the interactive menu
+                        check_for_user_input(&PAUSE_SCAN, scanned_urls_clone, handles_clone).await;
+
+                        // after checking for user input, send the request
+                        requester_clone
+                            .request(&word)
+                            .await
+                            .unwrap_or_else(|e| log::warn!("Requester encountered an error: {}", e))
+                    }),
+                    pb,
+                )
+            })
+            .for_each_concurrent(self.handles.config.threads, |(resp, bar)| async move {
+                match resp.await {
+                    Ok(_) => {
+                        let increment_len = self.handles.expected_num_requests_multiplier() as u64;
+                        bar.inc(increment_len);
+                    }
+                    Err(e) => {
+                        log::warn!("error awaiting a response: {}", e);
+                        self.handles.stats.send(AddError(Other)).unwrap_or_default();
+                        std::process::exit(1);
+                    }
+                }
+            });
+
+        // await tx tasks
+        log::trace!("awaiting scan producers");
+        producers.await;
+        log::trace!("done awaiting scan producers");
+        log::trace!("exit: stream_requests");
+    }
+
     /// Scan a given url using a given wordlist
     ///
     /// This is the primary entrypoint for the scanner
@@ -72,22 +202,24 @@ impl FeroxScanner {
         log::trace!("enter: scan_url");
         log::info!("Starting scan against: {}", self.target_url);
 
-        let scan_timer = Instant::now();
+        let mut scan_timer = Instant::now();
+        // every time we extract links we'll need to await the task to make sure
+        // it completes before the scan ends
+        let mut extraction_tasks = Vec::new();
 
-        if matches!(self.order, ScanOrder::Initial) && self.handles.config.extract_links {
-            // only grab robots.txt on the initial scan_url calls. all fresh dirs will be passed
-            // to try_recursion
-            let extractor = ExtractorBuilder::default()
+        if self.handles.config.extract_links && matches!(self.order, ScanOrder::Initial) {
+            // check for robots.txt (cannot be in sub-directories, so limited to Initial)
+            let mut extractor = ExtractorBuilder::default()
+                .target(ExtractionTarget::RobotsTxt)
                 .url(&self.target_url)
                 .handles(self.handles.clone())
-                .target(RobotsTxt)
                 .build()?;
 
-            let _ = extractor.extract().await;
+            let result = extractor.extract().await?;
+            extraction_tasks.push(extractor.request_links(result).await?)
         }
 
         let scanned_urls = self.handles.ferox_scans()?;
-
         let ferox_scan = match scanned_urls.get_scan_by_url(&self.target_url) {
             Some(scan) => {
                 scan.set_status(ScanStatus::Running)?;
@@ -110,72 +242,146 @@ impl FeroxScanner {
         // to the caller.
         let _permit = self.scan_limiter.acquire().await;
 
-        // Arc clones to be passed around to the various scans
-        let looping_words = self.wordlist.clone();
+        if self.handles.config.scan_limit > 0 {
+            scan_timer = Instant::now();
+            progress_bar.reset();
+        }
 
         {
+            // heuristics test block:
             let test = heuristics::HeuristicTests::new(self.handles.clone());
-            if let Ok(num_reqs) = test.wildcard(&self.target_url).await {
-                progress_bar.inc(num_reqs);
+
+            if let Ok(Some(dirlist_result)) = test.directory_listing(&self.target_url).await {
+                // at this point, we have a DirListingType, and it's not the None variant
+                // which means we found directory listing based on the heuristic; now we need
+                // to process the links that are available if --extract-links was used
+
+                if self.handles.config.extract_links {
+                    let mut extractor = ExtractorBuilder::default()
+                        .response(&dirlist_result.response)
+                        .target(ExtractionTarget::DirectoryListing)
+                        .url(&self.target_url)
+                        .handles(self.handles.clone())
+                        .build()?;
+
+                    let result = extractor.extract_from_dir_listing().await?;
+
+                    extraction_tasks.push(extractor.request_links(result).await?);
+
+                    log::trace!("exit: scan_url -> Directory listing heuristic");
+
+                    self.handles.stats.send(AddToF64Field(
+                        DirScanTimes,
+                        scan_timer.elapsed().as_secs_f64(),
+                    ))?;
+
+                    self.handles.stats.send(SubtractFromUsizeField(
+                        TotalExpected,
+                        progress_bar.length().unwrap_or(0) as usize,
+                    ))?;
+                }
+
+                let mut message = format!("=> {}", style("Directory listing").blue().bright());
+
+                if !self.handles.config.extract_links {
+                    write!(
+                        message,
+                        " (remove {} to scan)",
+                        style("--dont-extract-links").bright().yellow()
+                    )?;
+                }
+
+                if !self.handles.config.force_recursion {
+                    for handle in extraction_tasks.into_iter().flatten() {
+                        _ = handle.await;
+                    }
+
+                    progress_bar.reset_eta();
+                    progress_bar.finish_with_message(message);
+
+                    ferox_scan.finish()?;
+
+                    return Ok(()); // nothing left to do if we found a dir listing
+                }
+            }
+
+            // now that we haven't found a directory listing, we'll attempt to derive whatever
+            // the server is using to respond to resources that don't exist (could be a
+            // traditional 404, or a custom response)
+            //
+            // `detect_404_like_responses` will make the requests that the wildcard test used to
+            // perform pre-2.8 in addition to new detection techniques, superseding the old
+            // wildcard test
+            let num_reqs_made = test.detect_404_like_responses(&self.target_url).await?;
+
+            match num_reqs_made {
+                Some(WildcardResult::WildcardDirectory(num_reqs)) => {
+                    let message = format!(
+                        "=> {} dir! {} recursion",
+                        style("Wildcard").blue().bright(),
+                        style("stopped").red()
+                    );
+                    progress_bar.set_message(message);
+                    progress_bar.inc(num_reqs as u64);
+                }
+                Some(WildcardResult::FourOhFourLike(num_reqs)) => {
+                    progress_bar.inc(num_reqs as u64);
+                }
+                _ => {}
             }
         }
 
+        // Arc clones to be passed around to the various scans
+        let looping_words = self.wordlist.clone();
+
         let requester = Arc::new(Requester::from(self, ferox_scan.clone())?);
-        let increment_len = (self.handles.config.extensions.len() + 1) as u64;
 
-        // producer tasks (mp of mpsc); responsible for making requests
-        let producers = stream::iter(looping_words.deref().to_owned())
-            .map(|word| {
-                let pb = progress_bar.clone(); // progress bar is an Arc around internal state
-                let scanned_urls_clone = scanned_urls.clone();
-                let requester_clone = requester.clone();
-                let handles_clone = self.handles.clone();
-                (
-                    tokio::spawn(async move {
-                        if PAUSE_SCAN.load(Ordering::Acquire) {
-                            // for every word in the wordlist, check to see if PAUSE_SCAN is set to true
-                            // when true; enter a busy loop that only exits by setting PAUSE_SCAN back
-                            // to false
-                            let num_cancelled = scanned_urls_clone.pause(true).await;
-                            if num_cancelled > 0 {
-                                handles_clone
-                                    .stats
-                                    .send(SubtractFromUsizeField(TotalExpected, num_cancelled))
-                                    .unwrap_or_else(|e| {
-                                        log::warn!("Could not update overall scan bar: {}", e)
-                                    });
-                            }
-                        }
-                        requester_clone
-                            .request(&word)
-                            .await
-                            .unwrap_or_else(|e| log::warn!("Requester encountered an error: {}", e))
-                    }),
-                    pb,
-                )
-            })
-            .for_each_concurrent(self.handles.config.threads, |(resp, bar)| async move {
-                match resp.await {
-                    Ok(_) => {
-                        bar.inc(increment_len);
-                    }
-                    Err(e) => {
-                        log::warn!("error awaiting a response: {}", e);
-                        self.handles.stats.send(AddError(Other)).unwrap_or_default();
-                    }
-                }
-            });
+        self.stream_requests(
+            looping_words.clone(),
+            progress_bar.clone(),
+            scanned_urls.clone(),
+            requester.clone(),
+        )
+        .await;
 
-        // await tx tasks
-        log::trace!("awaiting scan producers");
-        producers.await;
-        log::trace!("done awaiting scan producers");
+        if self.handles.config.collect_words {
+            let new_words = TF_IDF.read().unwrap().all_words();
+            let new_words_len = new_words.len();
+
+            let cur_length = progress_bar.length().unwrap_or(0);
+            let new_length = cur_length + new_words_len as u64;
+
+            progress_bar.set_length(new_length);
+
+            self.handles
+                .stats
+                .send(AddToUsizeField(TotalExpected, new_words.len()))
+                .unwrap_or_default();
+
+            log::info!(
+                "requesting {} collected words: {:?}...",
+                new_words_len,
+                &new_words[..new_words_len.min(3)]
+            );
+
+            self.stream_requests(
+                Arc::new(new_words),
+                progress_bar.clone(),
+                scanned_urls.clone(),
+                requester.clone(),
+            )
+            .await;
+        }
 
         self.handles.stats.send(AddToF64Field(
             DirScanTimes,
             scan_timer.elapsed().as_secs_f64(),
         ))?;
 
+        for handle in extraction_tasks.into_iter().flatten() {
+            _ = handle.await;
+        }
+
         ferox_scan.finish()?;
 
         log::trace!("exit: scan_url");

src/scanner/init.rs

@@ -11,12 +11,7 @@ pub async fn initialize(num_words: usize, handles: Arc<Handles>) -> Result<()> {
     log::trace!("enter: initialize({}, {:?})", num_words, handles);
 
     // number of requests only needs to be calculated once, and then can be reused
-    let num_reqs_expected: u64 = if handles.config.extensions.is_empty() {
-        num_words.try_into()?
-    } else {
-        let total = num_words * (handles.config.extensions.len() + 1);
-        total.try_into()?
-    };
+    let num_reqs_expected: u64 = handles.expected_num_requests_per_dir().try_into()?;
 
     {
         // no real reason to keep the arc around beyond this call

src/scanner/limit_heap.rs

@@ -41,7 +41,7 @@ impl Debug for LimitHeap {
             "LimitHeap {{ original: {}, current: {}, inner: [{}...] }}",
             self.original, self.current, self.inner[0]
         );
-        write!(f, "{}", msg)
+        write!(f, "{msg}")
     }
 }
 

src/scanner/policy_data.rs

@@ -84,17 +84,11 @@ impl PolicyData {
                     if heap.has_parent() && heap.parent_value() > current {
                         // all nodes except 0th node (root)
                         heap.move_up();
-                    } else if !heap.has_parent() {
-                        // been here enough that we can try resuming the scan to its original
-                        // speed (no limiting at all)
-                        atomic_store!(self.remove_limit, true);
                     }
                 }
-                self.set_limit(heap.value() as usize);
             } else if heap.has_children() {
                 // streak not at 3, just check that we can move down, and do so
                 heap.move_left();
-                self.set_limit(heap.value() as usize);
             } else {
                 // tree bottomed out, need to move back up the tree a bit
                 let current = heap.value();
@@ -104,9 +98,14 @@ impl PolicyData {
                 if current > heap.value() {
                     heap.move_up();
                 }
-
-                self.set_limit(heap.value() as usize);
             }
+
+            if !heap.has_parent() {
+                // been here enough that we can try resuming the scan to its original
+                // speed (no limiting at all)
+                atomic_store!(self.remove_limit, true);
+            }
+            self.set_limit(heap.value() as usize);
         }
     }
 
@@ -200,7 +199,7 @@ mod tests {
         pd.adjust_up(&3);
         assert_eq!(pd.heap.read().unwrap().value(), 300);
         assert_eq!(pd.limit.load(Ordering::Relaxed), 300);
-        assert_eq!(pd.remove_limit.load(Ordering::Relaxed), false);
+        assert!(!pd.remove_limit.load(Ordering::Relaxed));
     }
 
     #[test]
@@ -217,7 +216,7 @@ mod tests {
         pd.adjust_up(&3);
         assert_eq!(pd.heap.read().unwrap().value(), 200);
         assert_eq!(pd.limit.load(Ordering::Relaxed), 200);
-        assert_eq!(pd.remove_limit.load(Ordering::Relaxed), true);
+        assert!(pd.remove_limit.load(Ordering::Relaxed));
     }
 
     #[test]
@@ -234,7 +233,7 @@ mod tests {
         pd.adjust_up(&3);
         assert_eq!(pd.heap.read().unwrap().value(), 350);
         assert_eq!(pd.limit.load(Ordering::Relaxed), 350);
-        assert_eq!(pd.remove_limit.load(Ordering::Relaxed), false);
+        assert!(!pd.remove_limit.load(Ordering::Relaxed));
     }
 
     #[test]
@@ -251,7 +250,7 @@ mod tests {
         pd.adjust_up(&3);
         assert_eq!(pd.heap.read().unwrap().value(), 300);
         assert_eq!(pd.limit.load(Ordering::Relaxed), 300);
-        assert_eq!(pd.remove_limit.load(Ordering::Relaxed), false);
+        assert!(!pd.remove_limit.load(Ordering::Relaxed));
     }
 
     #[test]
@@ -269,7 +268,7 @@ mod tests {
         pd.adjust_up(&0);
         assert_eq!(pd.heap.read().unwrap().value(), 43);
         assert_eq!(pd.limit.load(Ordering::Relaxed), 43);
-        assert_eq!(pd.remove_limit.load(Ordering::Relaxed), false);
+        assert!(!pd.remove_limit.load(Ordering::Relaxed));
     }
 
     #[test]
@@ -287,7 +286,7 @@ mod tests {
         pd.adjust_up(&0);
         assert_eq!(pd.heap.read().unwrap().value(), 37);
         assert_eq!(pd.limit.load(Ordering::Relaxed), 37);
-        assert_eq!(pd.remove_limit.load(Ordering::Relaxed), false);
+        assert!(!pd.remove_limit.load(Ordering::Relaxed));
     }
 
     #[test]

src/scanner/requester.rs

@@ -1,12 +1,19 @@
 use std::{
     cmp::max,
-    sync::{atomic::Ordering, Arc, Mutex},
+    collections::HashSet,
+    sync::{
+        self,
+        atomic::{AtomicBool, Ordering},
+        Arc, Mutex,
+    },
 };
 
 use anyhow::Result;
-use leaky_bucket::LeakyBucket;
+use console::style;
+use lazy_static::lazy_static;
+use leaky_bucket::RateLimiter;
 use tokio::{
-    sync::{oneshot, RwLock},
+    sync::RwLock,
     time::{sleep, Duration},
 };
 
@@ -14,20 +21,26 @@ use crate::{
     atomic_load, atomic_store,
     config::RequesterPolicy,
     event_handlers::{
-        Command::{self, AddError, SubtractFromUsizeField},
+        Command::{AddError, SubtractFromUsizeField},
         Handles,
     },
-    extractor::{ExtractionTarget::ResponseBody, ExtractorBuilder},
+    extractor::{ExtractionTarget, ExtractorBuilder},
+    nlp::{Document, TfIdf},
     response::FeroxResponse,
     scan_manager::{FeroxScan, ScanStatus},
     statistics::{StatError::Other, StatField::TotalExpected},
     url::FeroxUrl,
-    utils::logged_request,
+    utils::{logged_request, send_try_recursion_command, should_deny_url},
     HIGH_ERROR_RATIO,
 };
 
 use super::{policy_data::PolicyData, FeroxScanner, PolicyTrigger};
 
+lazy_static! {
+    /// make sure to note that this is a std rwlock and not tokio
+    pub(crate) static ref TF_IDF: Arc<sync::RwLock<TfIdf>> = Arc::new(sync::RwLock::new(TfIdf::new()));
+}
+
 /// Makes multiple requests based on the presence of extensions
 pub(super) struct Requester {
     /// handles to handlers and config
@@ -37,7 +50,7 @@ pub(super) struct Requester {
     target_url: String,
 
     /// limits requests per second if present
-    rate_limiter: RwLock<Option<LeakyBucket>>,
+    rate_limiter: RwLock<Option<RateLimiter>>,
 
     /// data regarding policy and metadata about last enforced trigger etc...
     policy_data: PolicyData,
@@ -45,12 +58,19 @@ pub(super) struct Requester {
     /// FeroxScan associated with the creation of this Requester
     ferox_scan: Arc<FeroxScan>,
 
+    /// cache of previously seen links gotten via link extraction. since the requester is passed
+    /// around as an arc, and seen_links needs to be mutable, putting it behind a lock for
+    /// interior mutability, similar to the tuning_lock below
+    seen_links: RwLock<HashSet<String>>,
+
     /// simple lock to control access to tuning to a single thread (per-scan)
     ///
     /// need a usize to determine the number of consecutive non-error calls that a requester has
     /// seen; this will satisfy the non-mut self constraint (due to us being behind an Arc, and
-    /// the need for a counter
+    /// the need for a counter)
     tuning_lock: Mutex<usize>,
+
+    policy_triggered: AtomicBool,
 }
 
 /// Requester implementation
@@ -73,25 +93,27 @@ impl Requester {
         Ok(Self {
             ferox_scan,
             policy_data,
+            seen_links: RwLock::new(HashSet::<String>::new()),
             rate_limiter: RwLock::new(rate_limiter),
             handles: scanner.handles.clone(),
             target_url: scanner.target_url.to_owned(),
             tuning_lock: Mutex::new(0),
+            policy_triggered: AtomicBool::new(false),
         })
     }
 
-    /// build a LeakyBucket, given a rate limit (as requests per second)
-    fn build_a_bucket(limit: usize) -> Result<LeakyBucket> {
+    /// build a RateLimiter, given a rate limit (as requests per second)
+    fn build_a_bucket(limit: usize) -> Result<RateLimiter> {
         let refill = max((limit as f64 / 10.0).round() as usize, 1); // minimum of 1 per second
         let tokens = max((limit as f64 / 2.0).round() as usize, 1);
         let interval = if refill == 1 { 1000 } else { 100 }; // 1 second if refill is 1
 
-        Ok(LeakyBucket::builder()
-            .refill_interval(Duration::from_millis(interval)) // add tokens every 0.1s
-            .refill_amount(refill) // ex: 100 req/s -> 10 tokens per 0.1s
-            .tokens(tokens) // reduce initial burst, 2 is arbitrary, but felt good
+        Ok(RateLimiter::builder()
+            .interval(Duration::from_millis(interval)) // add tokens every 0.1s
+            .refill(refill) // ex: 100 req/s -> 10 tokens per 0.1s
+            .initial(tokens) // reduce initial burst, 2 is arbitrary, but felt good
             .max(limit)
-            .build()?)
+            .build())
     }
 
     /// sleep and set a flag that can be checked by other threads
@@ -104,19 +126,19 @@ impl Requester {
         atomic_store!(self.policy_data.cooling_down, true, Ordering::SeqCst);
 
         sleep(Duration::from_millis(self.policy_data.wait_time)).await;
+        self.ferox_scan.progress_bar().set_message("");
 
         atomic_store!(self.policy_data.cooling_down, false, Ordering::SeqCst);
     }
 
     /// limit the number of requests per second
     pub async fn limit(&self) -> Result<()> {
-        self.rate_limiter
-            .read()
-            .await
-            .as_ref()
-            .unwrap()
-            .acquire_one()
-            .await?;
+        let guard = self.rate_limiter.read().await;
+
+        if guard.is_some() {
+            guard.as_ref().unwrap().acquire_one().await;
+        }
+
         Ok(())
     }
 
@@ -190,18 +212,34 @@ impl Requester {
                 *guard = 0; // reset streak counter to 0
                 if atomic_load!(self.policy_data.errors) != 0 {
                     self.policy_data.adjust_down();
+
+                    let styled_direction = style("reduced").red();
+
+                    self.ferox_scan
+                        .progress_bar()
+                        .set_message(format!("=> 🚦 {styled_direction} scan speed",));
                 }
                 self.policy_data.set_errors(scan_errors);
             } else {
                 // errors can only be incremented, so an else is sufficient
                 *guard += 1;
-                self.policy_data.adjust_up(&*guard);
+
+                self.policy_data.adjust_up(&guard);
+
+                let styled_direction = style("increased").green();
+
+                self.ferox_scan
+                    .progress_bar()
+                    .set_message(format!("=> 🚦 {styled_direction} scan speed",));
             }
         }
 
         if atomic_load!(self.policy_data.remove_limit) {
             self.set_rate_limiter(None).await?;
             atomic_store!(self.policy_data.remove_limit, false);
+            self.ferox_scan
+                .progress_bar()
+                .set_message("=> 🚦 removed rate limiter 🚀");
         } else if create_limiter {
             // create_limiter is really just used for unit testing situations, it's true anytime
             // during actual execution
@@ -240,8 +278,15 @@ impl Requester {
             let reqs_sec = self.ferox_scan.requests_per_second() as usize;
             self.policy_data.set_reqs_sec(reqs_sec);
 
+            // set the flag to indicate that we have triggered the rate limiter
+            // at least once
+            atomic_store!(self.policy_triggered, true);
+
             let new_limit = self.policy_data.get_limit();
             self.set_rate_limiter(Some(new_limit)).await?;
+            self.ferox_scan
+                .progress_bar()
+                .set_message(format!("=> 🚦 set rate limit ({new_limit}/s)"));
         }
 
         self.adjust_limit(trigger, true).await?;
@@ -276,7 +321,15 @@ impl Requester {
 
             // figure out how many requests are skipped as a result
             let pb = self.ferox_scan.progress_bar();
-            let num_skipped = pb.length().saturating_sub(pb.position()) as usize;
+            let num_skipped = pb.length().unwrap_or(0).saturating_sub(pb.position()) as usize;
+
+            let styled_trigger = style(format!("{trigger:?}")).red();
+
+            pb.set_message(format!(
+                "=> 💀 too many {} ({}) 💀 bailing",
+                styled_trigger,
+                self.ferox_scan.num_errors(trigger),
+            ));
 
             // update the overall scan bar by subtracting the number of skipped requests from
             // the total
@@ -295,84 +348,185 @@ impl Requester {
     pub async fn request(&self, word: &str) -> Result<()> {
         log::trace!("enter: request({})", word);
 
-        let urls =
-            FeroxUrl::from_string(&self.target_url, self.handles.clone()).formatted_urls(word)?;
+        let collected = self.handles.collected_extensions();
+
+        let urls = FeroxUrl::from_string(&self.target_url, self.handles.clone())
+            .formatted_urls(word, collected)?;
+
+        let should_test_deny = !self.handles.config.url_denylist.is_empty()
+            || !self.handles.config.regex_denylist.is_empty();
 
         for url in urls {
-            // auto_tune is true, or rate_limit was set (mutually exclusive to user)
-            // and a rate_limiter has been created
-            // short-circuiting the lock access behind the first boolean check
-            let should_tune = self.handles.config.auto_tune || self.handles.config.rate_limit > 0;
-            let should_limit = should_tune && self.rate_limiter.read().await.is_some();
+            for method in self.handles.config.methods.iter() {
+                // auto_tune is true, or rate_limit was set (mutually exclusive to user)
+                // and a rate_limiter has been created
+                // short-circuiting the lock access behind the first boolean check
+                let should_tune =
+                    self.handles.config.auto_tune || self.handles.config.rate_limit > 0;
+                let should_limit = should_tune && self.rate_limiter.read().await.is_some();
 
-            if should_limit {
-                // found a rate limiter, limit that junk!
-                if let Err(e) = self.limit().await {
-                    log::warn!("Could not rate limit scan: {}", e);
-                    self.handles.stats.send(AddError(Other)).unwrap_or_default();
+                if should_limit {
+                    // found a rate limiter, limit that junk!
+                    if let Err(e) = self.limit().await {
+                        log::warn!("Could not rate limit scan: {}", e);
+                        self.handles.stats.send(AddError(Other)).unwrap_or_default();
+                    }
                 }
-            }
 
-            let response = logged_request(&url, self.handles.clone()).await?;
+                if should_test_deny && should_deny_url(&url, self.handles.clone())? {
+                    // can't allow a denied url to be requested
+                    continue;
+                }
 
-            if (should_tune || self.handles.config.auto_bail)
-                && !atomic_load!(self.policy_data.cooling_down, Ordering::SeqCst)
-            {
-                // only check for policy enforcement when the trigger isn't on cooldown and tuning
-                // or bailing is in place (should_tune used here because when auto-tune is on, we'll
-                // reach this without a rate_limiter in place)
-                match self.policy_data.policy {
-                    RequesterPolicy::AutoTune => {
-                        if let Some(trigger) = self.should_enforce_policy() {
-                            self.tune(trigger).await?;
+                let data = if self.handles.config.data.is_empty() {
+                    None
+                } else {
+                    Some(self.handles.config.data.as_slice())
+                };
+
+                let response =
+                    logged_request(&url, method.as_str(), data, self.handles.clone()).await?;
+
+                if (should_tune || self.handles.config.auto_bail)
+                    && !atomic_load!(self.policy_data.cooling_down, Ordering::SeqCst)
+                {
+                    // only check for policy enforcement when the trigger isn't on cooldown and tuning
+                    // or bailing is in place (should_tune used here because when auto-tune is on, we'll
+                    // reach this without a rate_limiter in place)
+                    match self.policy_data.policy {
+                        RequesterPolicy::AutoTune => {
+                            if let Some(trigger) = self.should_enforce_policy() {
+                                self.tune(trigger).await?;
+                            } else if atomic_load!(self.policy_triggered) {
+                                self.adjust_limit(PolicyTrigger::TryAdjustUp, true).await?;
+                                self.cool_down().await;
+                            }
+                        }
+                        RequesterPolicy::AutoBail => {
+                            if let Some(trigger) = self.should_enforce_policy() {
+                                self.bail(trigger).await?;
+                            }
+                        }
+                        RequesterPolicy::Default => {}
+                    }
+                }
+
+                // response came back without error, convert it to FeroxResponse
+                let mut ferox_response = FeroxResponse::from(
+                    response,
+                    &self.target_url,
+                    method,
+                    self.handles.config.output_level,
+                )
+                .await;
+
+                // do recursion if appropriate
+                if !self.handles.config.no_recursion && !self.handles.config.force_recursion {
+                    // to support --force-recursion, we want to limit recursive calls to only
+                    // 'found' assets. That means we need to either gate or delay the call.
+                    //
+                    // this branch will retain the 'old' behavior by checking that
+                    // --force-recursion isn't turned on
+                    send_try_recursion_command(self.handles.clone(), ferox_response.clone())
+                        .await?;
+                }
+
+                // purposefully doing recursion before filtering. the thought process is that
+                // even though this particular url is filtered, subsequent urls may not
+                if self
+                    .handles
+                    .filters
+                    .data
+                    .should_filter_response(&ferox_response, self.handles.stats.tx.clone())
+                {
+                    continue;
+                }
+
+                if !self.handles.config.no_recursion && self.handles.config.force_recursion {
+                    // in this branch, we're saying that both recursion AND force recursion
+                    // are turned on. It comes after should_filter_response, so those cases
+                    // are handled. Now we need to account for -s/-C options.
+
+                    if self.handles.config.filter_status.is_empty() {
+                        // -C wasn't used, so -s is the only 'filter' left to account for
+                        if self
+                            .handles
+                            .config
+                            .status_codes
+                            .contains(&ferox_response.status().as_u16())
+                        {
+                            send_try_recursion_command(
+                                self.handles.clone(),
+                                ferox_response.clone(),
+                            )
+                            .await?;
+                        }
+                    } else {
+                        // -C was used, that means the filters above would have removed
+                        // those responses, and anything else should be let through
+                        send_try_recursion_command(self.handles.clone(), ferox_response.clone())
+                            .await?;
+                    }
+                }
+
+                if self.handles.config.collect_extensions {
+                    ferox_response.parse_extension(self.handles.clone())?;
+                }
+
+                if self.handles.config.collect_words {
+                    if let Ok(mut guard) = TF_IDF.write() {
+                        if let Some(doc) = Document::from_html(ferox_response.text()) {
+                            guard.add_document(doc);
+                            if guard.num_documents() % 12 == 0
+                                || (guard.num_documents() < 5 && guard.num_documents() % 2 == 0)
+                            {
+                                guard.calculate_tf_idf_scores();
+                            }
                         }
                     }
-                    RequesterPolicy::AutoBail => {
-                        if let Some(trigger) = self.should_enforce_policy() {
-                            self.bail(trigger).await?;
+                }
+
+                if self.handles.config.extract_links {
+                    let mut extractor = ExtractorBuilder::default()
+                        .target(ExtractionTarget::ResponseBody)
+                        .response(&ferox_response)
+                        .handles(self.handles.clone())
+                        .url(self.ferox_scan.url())
+                        .build()?;
+
+                    let new_links: HashSet<_>;
+
+                    let result = extractor.extract().await?;
+
+                    {
+                        // gain and quickly drop the read lock on seen_links, using it while unlocked
+                        // to determine if there are any new links to process
+                        let read_links = self.seen_links.read().await;
+                        new_links = result.difference(&read_links).cloned().collect();
+                    }
+
+                    if !new_links.is_empty() {
+                        // using is_empty instead of direct iteration to acquire the write lock behind
+                        // some kind of less expensive gate (and not in a loop, obv)
+                        let mut write_links = self.seen_links.write().await;
+                        for new_link in &new_links {
+                            write_links.insert(new_link.to_owned());
+                        }
+                    }
+
+                    if !new_links.is_empty() {
+                        let extraction_task = extractor.request_links(new_links).await?;
+
+                        if let Some(task) = extraction_task {
+                            _ = task.await;
                         }
                     }
-                    RequesterPolicy::Default => {}
                 }
-            }
 
-            // response came back without error, convert it to FeroxResponse
-            let ferox_response =
-                FeroxResponse::from(response, true, self.handles.config.output_level).await;
-
-            // do recursion if appropriate
-            if !self.handles.config.no_recursion {
-                self.handles
-                    .send_scan_command(Command::TryRecursion(Box::new(ferox_response.clone())))?;
-                let (tx, rx) = oneshot::channel::<bool>();
-                self.handles.send_scan_command(Command::Sync(tx))?;
-                rx.await?;
-            }
-
-            // purposefully doing recursion before filtering. the thought process is that
-            // even though this particular url is filtered, subsequent urls may not
-            if self
-                .handles
-                .filters
-                .data
-                .should_filter_response(&ferox_response, self.handles.stats.tx.clone())
-            {
-                continue;
-            }
-
-            if self.handles.config.extract_links && !ferox_response.status().is_redirection() {
-                let extractor = ExtractorBuilder::default()
-                    .target(ResponseBody)
-                    .response(&ferox_response)
-                    .handles(self.handles.clone())
-                    .build()?;
-
-                extractor.extract().await?;
-            }
-
-            // everything else should be reported
-            if let Err(e) = ferox_response.send_report(self.handles.output.tx.clone()) {
-                log::warn!("Could not send FeroxResponse to output handler: {}", e);
+                // everything else should be reported
+                if let Err(e) = ferox_response.send_report(self.handles.output.tx.clone()) {
+                    log::warn!("Could not send FeroxResponse to output handler: {}", e);
+                }
             }
         }
 
@@ -390,6 +544,7 @@ mod tests {
     use crate::{
         config::Configuration,
         config::OutputLevel,
+        event_handlers::Command::AddStatus,
         event_handlers::{FiltersHandler, ScanHandler, StatsHandler, Tasks, TermOutHandler},
         filters,
         scan_manager::{ScanOrder, ScanType},
@@ -407,12 +562,14 @@ mod tests {
         let (filters_task, filters_handle) = FiltersHandler::initialize();
         let (out_task, out_handle) =
             TermOutHandler::initialize(configuration.clone(), stats_handle.tx.clone());
+        let wordlist = Arc::new(vec![String::from("this_is_a_test")]);
 
         let handles = Arc::new(Handles::new(
             stats_handle,
             filters_handle,
             out_handle,
             configuration.clone(),
+            wordlist,
         ));
 
         let (scan_task, scan_handle) = ScanHandler::initialize(handles.clone());
@@ -428,10 +585,7 @@ mod tests {
     /// helper to stay DRY
     async fn increment_errors(handles: Arc<Handles>, scan: Arc<FeroxScan>, num_errors: usize) {
         for _ in 0..num_errors {
-            handles
-                .stats
-                .send(Command::AddError(StatError::Other))
-                .unwrap();
+            handles.stats.send(AddError(StatError::Other)).unwrap();
             scan.add_error();
         }
 
@@ -443,7 +597,7 @@ mod tests {
         let scans = handles.ferox_scans().unwrap();
 
         for _ in 0..num_errors {
-            scans.increment_error(format!("{}/", url).as_str());
+            scans.increment_error(format!("{url}/").as_str());
         }
     }
 
@@ -456,7 +610,7 @@ mod tests {
     ) {
         let scans = handles.ferox_scans().unwrap();
         for _ in 0..num_errors {
-            scans.increment_status_code(format!("{}/", url).as_str(), code);
+            scans.increment_status_code(format!("{url}/").as_str(), code);
         }
     }
 
@@ -468,7 +622,7 @@ mod tests {
         code: StatusCode,
     ) {
         for _ in 0..num_codes {
-            handles.stats.send(Command::AddStatus(code)).unwrap();
+            handles.stats.send(AddStatus(code)).unwrap();
             if code == StatusCode::FORBIDDEN {
                 scan.add_403();
             } else {
@@ -522,6 +676,7 @@ mod tests {
             PolicyTrigger::Errors => {
                 increment_scan_errors(handles.clone(), url, num_errors).await;
             }
+            _ => {}
         }
 
         assert_eq!(scan.num_errors(trigger), num_errors);
@@ -536,11 +691,13 @@ mod tests {
 
         let requester = Requester {
             handles,
+            target_url: "http://localhost".to_string(),
+            seen_links: RwLock::new(HashSet::<String>::new()),
             tuning_lock: Mutex::new(0),
             ferox_scan: Arc::new(FeroxScan::default()),
-            target_url: "http://localhost".to_string(),
             rate_limiter: RwLock::new(None),
             policy_data: Default::default(),
+            policy_triggered: AtomicBool::new(false),
         };
 
         let ferox_scan = Arc::new(FeroxScan::default());
@@ -563,11 +720,13 @@ mod tests {
 
         let requester = Requester {
             handles,
+            seen_links: RwLock::new(HashSet::<String>::new()),
             tuning_lock: Mutex::new(0),
             ferox_scan: ferox_scan.clone(),
             target_url: "http://localhost".to_string(),
             rate_limiter: RwLock::new(None),
             policy_data: Default::default(),
+            policy_triggered: AtomicBool::new(false),
         };
 
         increment_errors(requester.handles.clone(), ferox_scan.clone(), 25).await;
@@ -587,11 +746,13 @@ mod tests {
 
         let requester = Requester {
             handles,
+            seen_links: RwLock::new(HashSet::<String>::new()),
             tuning_lock: Mutex::new(0),
             ferox_scan: ferox_scan.clone(),
             target_url: "http://localhost".to_string(),
             rate_limiter: RwLock::new(None),
             policy_data: Default::default(),
+            policy_triggered: AtomicBool::new(false),
         };
 
         increment_status_codes(
@@ -626,11 +787,13 @@ mod tests {
 
         let requester = Requester {
             handles,
+            seen_links: RwLock::new(HashSet::<String>::new()),
             tuning_lock: Mutex::new(0),
             ferox_scan: ferox_scan.clone(),
             target_url: "http://localhost".to_string(),
             rate_limiter: RwLock::new(None),
             policy_data: Default::default(),
+            policy_triggered: AtomicBool::new(false),
         };
 
         increment_status_codes(
@@ -680,11 +843,13 @@ mod tests {
         let req_clone = scan_two.clone();
         let requester = Requester {
             handles,
+            seen_links: RwLock::new(HashSet::<String>::new()),
             tuning_lock: Mutex::new(0),
             ferox_scan: req_clone,
             target_url: "http://one/one/stuff.php".to_string(),
             rate_limiter: RwLock::new(None),
             policy_data: Default::default(),
+            policy_triggered: AtomicBool::new(false),
         };
 
         requester.bail(PolicyTrigger::Errors).await.unwrap();
@@ -713,11 +878,13 @@ mod tests {
 
         let requester = Requester {
             handles,
+            seen_links: RwLock::new(HashSet::<String>::new()),
             tuning_lock: Mutex::new(0),
             ferox_scan: Arc::new(FeroxScan::default()),
             target_url: "http://one/one/stuff.php".to_string(),
             rate_limiter: RwLock::new(None),
             policy_data: Default::default(),
+            policy_triggered: AtomicBool::new(false),
         };
 
         let result = requester.bail(PolicyTrigger::Status403).await;
@@ -734,11 +901,13 @@ mod tests {
 
         let requester = Requester {
             handles,
+            seen_links: RwLock::new(HashSet::<String>::new()),
             tuning_lock: Mutex::new(0),
             ferox_scan: Arc::new(FeroxScan::default()),
             target_url: "http://localhost".to_string(),
             rate_limiter: RwLock::new(None),
             policy_data: Default::default(),
+            policy_triggered: AtomicBool::new(false),
         };
 
         requester
@@ -756,11 +925,13 @@ mod tests {
 
         let requester = Arc::new(Requester {
             handles,
+            seen_links: RwLock::new(HashSet::<String>::new()),
             tuning_lock: Mutex::new(0),
             ferox_scan: Arc::new(FeroxScan::default()),
             target_url: "http://localhost".to_string(),
             rate_limiter: RwLock::new(None),
             policy_data: PolicyData::new(RequesterPolicy::AutoBail, 7),
+            policy_triggered: AtomicBool::new(false),
         });
 
         let start = Instant::now();
@@ -772,7 +943,7 @@ mod tests {
 
         requester.cool_down().await;
 
-        assert_eq!(resp.await.unwrap(), true);
+        assert!(resp.await.unwrap());
         println!("{}", start.elapsed().as_millis());
         assert!(start.elapsed().as_millis() >= 3500);
     }
@@ -785,11 +956,13 @@ mod tests {
 
         let requester = Requester {
             handles,
+            seen_links: RwLock::new(HashSet::<String>::new()),
             tuning_lock: Mutex::new(0),
             ferox_scan: Arc::new(FeroxScan::default()),
             target_url: "http://localhost".to_string(),
             rate_limiter: RwLock::new(None),
             policy_data: PolicyData::new(RequesterPolicy::AutoBail, 7),
+            policy_triggered: AtomicBool::new(false),
         };
 
         requester.policy_data.set_reqs_sec(400);
@@ -811,10 +984,10 @@ mod tests {
     /// decrease the scan rate
     async fn adjust_limit_resets_streak_counter_on_downward_movement() {
         let (handles, _) = setup_requester_test(None).await;
-        let mut buckets = leaky_bucket::LeakyBuckets::new();
-        let coordinator = buckets.coordinate().unwrap();
-        tokio::spawn(async move { coordinator.await.expect("coordinator errored") });
-        let limiter = buckets.rate_limiter().max(200).build().unwrap();
+        let limiter = RateLimiter::builder()
+            .interval(Duration::from_secs(1))
+            .max(200)
+            .build();
 
         let scan = FeroxScan::default();
         scan.add_error();
@@ -822,19 +995,22 @@ mod tests {
 
         let requester = Requester {
             handles,
+            seen_links: RwLock::new(HashSet::<String>::new()),
             tuning_lock: Mutex::new(0),
             ferox_scan: Arc::new(scan),
             target_url: "http://localhost".to_string(),
             rate_limiter: RwLock::new(Some(limiter)),
             policy_data: PolicyData::new(RequesterPolicy::AutoBail, 7),
+            policy_triggered: AtomicBool::new(false),
         };
 
         requester.policy_data.set_reqs_sec(400);
         requester.policy_data.set_errors(1);
 
-        let mut guard = requester.tuning_lock.lock().unwrap();
-        *guard = 2;
-        drop(guard);
+        {
+            let mut guard = requester.tuning_lock.lock().unwrap();
+            *guard = 2;
+        }
 
         requester
             .adjust_limit(PolicyTrigger::Errors, false)
@@ -857,11 +1033,13 @@ mod tests {
 
         let requester = Requester {
             handles,
+            seen_links: RwLock::new(HashSet::<String>::new()),
             tuning_lock: Mutex::new(0),
             ferox_scan: Arc::new(scan),
             target_url: "http://localhost".to_string(),
             rate_limiter: RwLock::new(None),
             policy_data: PolicyData::new(RequesterPolicy::AutoBail, 7),
+            policy_triggered: AtomicBool::new(false),
         };
 
         requester.policy_data.set_reqs_sec(400);
@@ -884,35 +1062,25 @@ mod tests {
 
         let mut requester = Requester {
             handles,
+            seen_links: RwLock::new(HashSet::<String>::new()),
             tuning_lock: Mutex::new(0),
             ferox_scan: Arc::new(FeroxScan::default()),
             target_url: "http://localhost".to_string(),
             rate_limiter: RwLock::new(None),
             policy_data: PolicyData::new(RequesterPolicy::AutoBail, 7),
+            policy_triggered: AtomicBool::new(false),
         };
 
-        assert_eq!(
-            requester.too_many_status_errors(PolicyTrigger::Errors),
-            false
-        );
+        assert!(!requester.too_many_status_errors(PolicyTrigger::Errors));
 
-        assert_eq!(
-            requester.too_many_status_errors(PolicyTrigger::Status429),
-            false
-        );
+        assert!(!requester.too_many_status_errors(PolicyTrigger::Status429));
         requester.ferox_scan.progress_bar().set_position(10);
         requester.ferox_scan.add_429();
         requester.ferox_scan.add_429();
         requester.ferox_scan.add_429();
-        assert_eq!(
-            requester.too_many_status_errors(PolicyTrigger::Status429),
-            true
-        );
+        assert!(requester.too_many_status_errors(PolicyTrigger::Status429));
 
-        assert_eq!(
-            requester.too_many_status_errors(PolicyTrigger::Status403),
-            false
-        );
+        assert!(!requester.too_many_status_errors(PolicyTrigger::Status403));
         requester.ferox_scan = Arc::new(FeroxScan::default());
         requester.ferox_scan.progress_bar().set_position(10);
         requester.ferox_scan.add_403();
@@ -924,28 +1092,27 @@ mod tests {
         requester.ferox_scan.add_403();
         requester.ferox_scan.add_403();
         requester.ferox_scan.add_403();
-        assert_eq!(
-            requester.too_many_status_errors(PolicyTrigger::Status403),
-            true
-        );
+        assert!(requester.too_many_status_errors(PolicyTrigger::Status403));
     }
 
     #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
     /// set_rate_limiter should exit early when new limit equals the current bucket's max
     async fn set_rate_limiter_early_exit() {
         let (handles, _) = setup_requester_test(None).await;
-        let mut buckets = leaky_bucket::LeakyBuckets::new();
-        let coordinator = buckets.coordinate().unwrap();
-        tokio::spawn(async move { coordinator.await.expect("coordinator errored") });
-        let limiter = buckets.rate_limiter().max(200).build().unwrap();
+        let limiter = RateLimiter::builder()
+            .interval(Duration::from_secs(1))
+            .max(200)
+            .build();
 
         let requester = Requester {
             handles,
+            seen_links: RwLock::new(HashSet::<String>::new()),
             tuning_lock: Mutex::new(0),
             ferox_scan: Arc::new(FeroxScan::default()),
             target_url: "http://localhost".to_string(),
             rate_limiter: RwLock::new(Some(limiter)),
             policy_data: PolicyData::new(RequesterPolicy::AutoBail, 7),
+            policy_triggered: AtomicBool::new(false),
         };
 
         requester.set_rate_limiter(Some(200)).await.unwrap();
@@ -965,10 +1132,10 @@ mod tests {
     async fn tune_sets_expected_values_and_then_waits() {
         let (handles, _) = setup_requester_test(None).await;
 
-        let mut buckets = leaky_bucket::LeakyBuckets::new();
-        let coordinator = buckets.coordinate().unwrap();
-        tokio::spawn(async move { coordinator.await.expect("coordinator errored") });
-        let limiter = buckets.rate_limiter().max(200).build().unwrap();
+        let limiter = RateLimiter::builder()
+            .interval(Duration::from_secs(1))
+            .max(200)
+            .build();
 
         let scan = FeroxScan::new(
             "http://localhost",
@@ -983,11 +1150,13 @@ mod tests {
 
         let requester = Requester {
             handles,
+            seen_links: RwLock::new(HashSet::<String>::new()),
             tuning_lock: Mutex::new(0),
             ferox_scan: scan.clone(),
             target_url: "http://localhost".to_string(),
             rate_limiter: RwLock::new(Some(limiter)),
             policy_data: PolicyData::new(RequesterPolicy::AutoTune, 4),
+            policy_triggered: AtomicBool::new(false),
         };
 
         let start = Instant::now();

src/scanner/utils.rs

@@ -1,4 +1,4 @@
-#[derive(Copy, Clone, PartialEq, Debug)]
+#[derive(Copy, Clone, PartialEq, Eq, Debug)]
 /// represents different situations where different criteria can trigger auto-tune/bail behavior
 pub enum PolicyTrigger {
     /// excessive 403 trigger
@@ -9,4 +9,7 @@ pub enum PolicyTrigger {
 
     /// excessive general errors
     Errors,
+
+    /// dummy error for upward rate adjustment
+    TryAdjustUp,
 }

src/statistics/container.rs

@@ -1,4 +1,6 @@
 use std::{
+    collections::HashMap,
+    convert::TryFrom,
     fs::File,
     io::BufReader,
     sync::{
@@ -9,7 +11,8 @@ use std::{
 
 use anyhow::{Context, Result};
 use reqwest::StatusCode;
-use serde::{Deserialize, Serialize};
+use serde::{ser::SerializeStruct, Deserialize, Deserializer, Serialize, Serializer};
+use serde_json::Value;
 
 use crate::{
     traits::FeroxSerialize,
@@ -19,9 +22,8 @@ use crate::{
 use super::{error::StatError, field::StatField};
 
 /// Data collection of statistics related to a scan
-#[derive(Default, Deserialize, Debug, Serialize)]
+#[derive(Default, Debug)]
 pub struct Stats {
-    #[serde(rename = "type")]
     /// Name of this type of struct, used for serialization, i.e. `{"type":"statistics"}`
     kind: String,
 
@@ -67,6 +69,10 @@ pub struct Stats {
     /// response bodies and robots.txt as of v1.11.0
     links_extracted: AtomicUsize,
 
+    /// tracker for number of extensions discovered when `--collect-extensions` is used; sources
+    /// are response bodies
+    extensions_collected: AtomicUsize,
+
     /// tracker for overall number of 200s seen by the client
     status_200s: AtomicUsize,
 
@@ -124,12 +130,7 @@ pub struct Stats {
     /// tracker for total runtime
     total_runtime: Mutex<Vec<f64>>,
 
-    /// tracker for the number of extensions the user specified
-    #[serde(skip)]
-    num_extensions: usize,
-
     /// tracker for whether to use json during serialization or not
-    #[serde(skip)]
     json: bool,
 }
 
@@ -147,13 +148,318 @@ impl FeroxSerialize for Stats {
     }
 }
 
+/// Serialize implementation for Stats
+impl Serialize for Stats {
+    /// Function that handles serialization of Stats
+    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
+    where
+        S: Serializer,
+    {
+        let mut state = serializer.serialize_struct("Stats", 32)?;
+
+        state.serialize_field("type", &self.kind)?;
+        state.serialize_field("timeouts", &atomic_load!(self.timeouts))?;
+        state.serialize_field("requests", &atomic_load!(self.requests))?;
+        state.serialize_field("expected_per_scan", &atomic_load!(self.expected_per_scan))?;
+        state.serialize_field("total_expected", &atomic_load!(self.total_expected))?;
+        state.serialize_field("errors", &atomic_load!(self.errors))?;
+        state.serialize_field("successes", &atomic_load!(self.successes))?;
+        state.serialize_field("redirects", &atomic_load!(self.redirects))?;
+        state.serialize_field("client_errors", &atomic_load!(self.client_errors))?;
+        state.serialize_field("server_errors", &atomic_load!(self.server_errors))?;
+        state.serialize_field("total_scans", &atomic_load!(self.total_scans))?;
+        state.serialize_field("initial_targets", &atomic_load!(self.initial_targets))?;
+        state.serialize_field("links_extracted", &atomic_load!(self.links_extracted))?;
+        state.serialize_field(
+            "extensions_collected",
+            &atomic_load!(self.extensions_collected),
+        )?;
+        state.serialize_field("status_200s", &atomic_load!(self.status_200s))?;
+        state.serialize_field("status_301s", &atomic_load!(self.status_301s))?;
+        state.serialize_field("status_302s", &atomic_load!(self.status_302s))?;
+        state.serialize_field("status_401s", &atomic_load!(self.status_401s))?;
+        state.serialize_field("status_403s", &atomic_load!(self.status_403s))?;
+        state.serialize_field("status_429s", &atomic_load!(self.status_429s))?;
+        state.serialize_field("status_500s", &atomic_load!(self.status_500s))?;
+        state.serialize_field("status_503s", &atomic_load!(self.status_503s))?;
+        state.serialize_field("status_504s", &atomic_load!(self.status_504s))?;
+        state.serialize_field("status_508s", &atomic_load!(self.status_508s))?;
+        state.serialize_field("wildcards_filtered", &atomic_load!(self.wildcards_filtered))?;
+        state.serialize_field("responses_filtered", &atomic_load!(self.responses_filtered))?;
+        state.serialize_field(
+            "resources_discovered",
+            &atomic_load!(self.resources_discovered),
+        )?;
+        state.serialize_field("url_format_errors", &atomic_load!(self.url_format_errors))?;
+        state.serialize_field("redirection_errors", &atomic_load!(self.redirection_errors))?;
+        state.serialize_field("connection_errors", &atomic_load!(self.connection_errors))?;
+        state.serialize_field("request_errors", &atomic_load!(self.request_errors))?;
+        state.serialize_field("directory_scan_times", &self.directory_scan_times)?;
+        state.serialize_field("total_runtime", &self.total_runtime)?;
+
+        state.end()
+    }
+}
+
+/// Deserialize implementation for Stats
+impl<'a> Deserialize<'a> for Stats {
+    /// Deserialize a Stats object from a serde_json::Value
+    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
+    where
+        D: Deserializer<'a>,
+    {
+        let stats = Self::new(false);
+
+        let map: HashMap<String, Value> = HashMap::deserialize(deserializer)?;
+
+        for (key, value) in &map {
+            match key.as_str() {
+                "timeouts" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.timeouts, parsed);
+                        }
+                    }
+                }
+                "requests" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.requests, parsed);
+                        }
+                    }
+                }
+                "expected_per_scan" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.expected_per_scan, parsed);
+                        }
+                    }
+                }
+                "total_expected" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.total_expected, parsed);
+                        }
+                    }
+                }
+                "errors" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.errors, parsed);
+                        }
+                    }
+                }
+                "successes" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.successes, parsed);
+                        }
+                    }
+                }
+                "redirects" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.redirects, parsed);
+                        }
+                    }
+                }
+                "client_errors" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.client_errors, parsed);
+                        }
+                    }
+                }
+                "server_errors" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.server_errors, parsed);
+                        }
+                    }
+                }
+                "total_scans" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.total_scans, parsed);
+                        }
+                    }
+                }
+                "initial_targets" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.initial_targets, parsed);
+                        }
+                    }
+                }
+                "links_extracted" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.links_extracted, parsed);
+                        }
+                    }
+                }
+                "extensions_collected" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.extensions_collected, parsed);
+                        }
+                    }
+                }
+                "status_200s" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.status_200s, parsed);
+                        }
+                    }
+                }
+                "status_301s" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.status_301s, parsed);
+                        }
+                    }
+                }
+                "status_302s" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.status_302s, parsed);
+                        }
+                    }
+                }
+                "status_401s" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.status_401s, parsed);
+                        }
+                    }
+                }
+                "status_403s" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.status_403s, parsed);
+                        }
+                    }
+                }
+                "status_429s" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.status_429s, parsed);
+                        }
+                    }
+                }
+                "status_500s" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.status_500s, parsed);
+                        }
+                    }
+                }
+                "status_503s" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.status_503s, parsed);
+                        }
+                    }
+                }
+                "status_504s" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.status_504s, parsed);
+                        }
+                    }
+                }
+                "status_508s" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.status_508s, parsed);
+                        }
+                    }
+                }
+                "wildcards_filtered" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.wildcards_filtered, parsed);
+                        }
+                    }
+                }
+                "responses_filtered" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.responses_filtered, parsed);
+                        }
+                    }
+                }
+                "resources_discovered" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.resources_discovered, parsed);
+                        }
+                    }
+                }
+                "url_format_errors" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.url_format_errors, parsed);
+                        }
+                    }
+                }
+                "redirection_errors" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.redirection_errors, parsed);
+                        }
+                    }
+                }
+                "connection_errors" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.connection_errors, parsed);
+                        }
+                    }
+                }
+                "request_errors" => {
+                    if let Some(num) = value.as_u64() {
+                        if let Ok(parsed) = usize::try_from(num) {
+                            atomic_increment!(stats.request_errors, parsed);
+                        }
+                    }
+                }
+                "directory_scan_times" => {
+                    if let Some(arr) = value.as_array() {
+                        for val in arr {
+                            if let Some(parsed) = val.as_f64() {
+                                if let Ok(mut guard) = stats.directory_scan_times.lock() {
+                                    guard.push(parsed)
+                                }
+                            }
+                        }
+                    }
+                }
+                "total_runtime" => {
+                    if let Some(arr) = value.as_array() {
+                        for val in arr {
+                            if let Some(parsed) = val.as_f64() {
+                                if let Ok(mut guard) = stats.total_runtime.lock() {
+                                    guard.push(parsed)
+                                }
+                            }
+                        }
+                    }
+                }
+                _ => {}
+            }
+        }
+
+        Ok(stats)
+    }
+}
+
 /// implementation of statistics data collection struct
 impl Stats {
     /// Small wrapper for default to set `kind` to "statistics" and `total_runtime` to have at least
     /// one value
-    pub fn new(num_extensions: usize, is_json: bool) -> Self {
+    pub fn new(is_json: bool) -> Self {
         Self {
-            num_extensions,
             json: is_json,
             kind: String::from("statistics"),
             total_runtime: Mutex::new(vec![0.0]),
@@ -325,12 +631,10 @@ impl Stats {
                 atomic_increment!(self.expected_per_scan, value);
             }
             StatField::TotalScans => {
-                let multiplier = self.num_extensions.max(1);
-
                 atomic_increment!(self.total_scans, value);
                 atomic_increment!(
                     self.total_expected,
-                    value * self.expected_per_scan.load(Ordering::Relaxed) * multiplier
+                    value * self.expected_per_scan.load(Ordering::Relaxed)
                 );
             }
             StatField::TotalExpected => {
@@ -339,6 +643,9 @@ impl Stats {
             StatField::LinksExtracted => {
                 atomic_increment!(self.links_extracted, value);
             }
+            StatField::ExtensionsCollected => {
+                atomic_increment!(self.extensions_collected, value);
+            }
             StatField::WildcardsFiltered => {
                 atomic_increment!(self.wildcards_filtered, value);
                 atomic_increment!(self.responses_filtered, value);
@@ -360,8 +667,8 @@ impl Stats {
     ///
     /// This is only ever called when resuming a scan from disk
     pub fn merge_from(&self, filename: &str) -> Result<()> {
-        let file = File::open(filename)
-            .with_context(|| fmt_err(&format!("Could not open {}", filename)))?;
+        let file =
+            File::open(filename).with_context(|| fmt_err(&format!("Could not open {filename}")))?;
         let reader = BufReader::new(file);
         let state: serde_json::Value = serde_json::from_reader(reader)?;
 
@@ -375,6 +682,10 @@ impl Stats {
             atomic_increment!(self.client_errors, atomic_load!(d_stats.client_errors));
             atomic_increment!(self.server_errors, atomic_load!(d_stats.server_errors));
             atomic_increment!(self.links_extracted, atomic_load!(d_stats.links_extracted));
+            atomic_increment!(
+                self.extensions_collected,
+                atomic_load!(d_stats.extensions_collected)
+            );
             atomic_increment!(self.status_200s, atomic_load!(d_stats.status_200s));
             atomic_increment!(self.status_301s, atomic_load!(d_stats.status_301s));
             atomic_increment!(self.status_302s, atomic_load!(d_stats.status_302s));
@@ -497,7 +808,7 @@ mod tests {
     ///     - errors
     fn stats_increments_timeouts() {
         let config = Configuration::new().unwrap();
-        let stats = Stats::new(config.extensions.len(), config.json);
+        let stats = Stats::new(config.json);
 
         stats.add_error(StatError::Timeout);
         stats.add_error(StatError::Timeout);
@@ -515,7 +826,7 @@ mod tests {
     ///     - responses_filtered
     fn stats_increments_wildcards() {
         let config = Configuration::new().unwrap();
-        let stats = Stats::new(config.extensions.len(), config.json);
+        let stats = Stats::new(config.json);
 
         assert_eq!(stats.responses_filtered.load(Ordering::Relaxed), 0);
         assert_eq!(stats.wildcards_filtered.load(Ordering::Relaxed), 0);
@@ -531,7 +842,7 @@ mod tests {
     /// when Stats::update_usize_field receives StatField::ResponsesFiltered, it should increment
     fn stats_increments_responses_filtered() {
         let config = Configuration::new().unwrap();
-        let stats = Stats::new(config.extensions.len(), config.json);
+        let stats = Stats::new(config.json);
 
         assert_eq!(stats.responses_filtered.load(Ordering::Relaxed), 0);
 
@@ -545,9 +856,9 @@ mod tests {
     #[test]
     /// Stats::merge_from should properly increment expected fields and ignore others
     fn stats_merge_from_alters_correct_fields() {
-        let contents = r#"{"statistics":{"type":"statistics","timeouts":1,"requests":9207,"expected_per_scan":707,"total_expected":9191,"errors":3,"successes":720,"redirects":13,"client_errors":8474,"server_errors":2,"total_scans":13,"initial_targets":1,"links_extracted":51,"status_403s":3,"status_200s":720,"status_301s":12,"status_302s":1,"status_401s":4,"status_429s":2,"status_500s":5,"status_503s":9,"status_504s":6,"status_508s":7,"wildcards_filtered":707,"responses_filtered":707,"resources_discovered":27,"directory_scan_times":[2.211973078,1.989015505,1.898675839,3.9714468910000003,4.938152838,5.256073528,6.021986595,6.065740734,6.42633762,7.095142125,7.336982137,5.319785619,4.843649778],"total_runtime":[11.556575456000001],"url_format_errors":17,"redirection_errors":12,"connection_errors":21,"request_errors":4}}"#;
+        let contents = r#"{"statistics":{"type":"statistics","timeouts":1,"requests":9207,"expected_per_scan":707,"total_expected":9191,"errors":3,"successes":720,"redirects":13,"client_errors":8474,"server_errors":2,"total_scans":13,"initial_targets":1,"links_extracted":51,"extensions_collected":4,"status_403s":3,"status_200s":720,"status_301s":12,"status_302s":1,"status_401s":4,"status_429s":2,"status_500s":5,"status_503s":9,"status_504s":6,"status_508s":7,"wildcards_filtered":707,"responses_filtered":707,"resources_discovered":27,"directory_scan_times":[2.211973078,1.989015505,1.898675839,3.9714468910000003,4.938152838,5.256073528,6.021986595,6.065740734,6.42633762,7.095142125,7.336982137,5.319785619,4.843649778],"total_runtime":[11.556575456000001],"url_format_errors":17,"redirection_errors":12,"connection_errors":21,"request_errors":4}}"#;
         let config = Configuration::new().unwrap();
-        let stats = Stats::new(config.extensions.len(), config.json);
+        let stats = Stats::new(config.json);
 
         let tfile = NamedTempFile::new().unwrap();
         write(&tfile, contents).unwrap();
@@ -568,6 +879,7 @@ mod tests {
         assert_eq!(atomic_load!(stats.total_scans), 0); // not updated in merge_from
         assert_eq!(atomic_load!(stats.initial_targets), 0); // not updated in merge_from
         assert_eq!(atomic_load!(stats.links_extracted), 51);
+        assert_eq!(atomic_load!(stats.extensions_collected), 4);
         assert_eq!(atomic_load!(stats.status_200s), 720);
         assert_eq!(atomic_load!(stats.status_301s), 12);
         assert_eq!(atomic_load!(stats.status_302s), 1);
@@ -598,7 +910,7 @@ mod tests {
     /// ensure update runtime overwrites the default 0th entry
     fn update_runtime_works() {
         let config = Configuration::new().unwrap();
-        let stats = Stats::new(config.extensions.len(), config.json);
+        let stats = Stats::new(config.json);
 
         assert!((stats.total_runtime.lock().unwrap()[0] - 0.0).abs() < f64::EPSILON);
         stats.update_runtime(20.2);
@@ -609,7 +921,7 @@ mod tests {
     /// ensure status_403s returns the correct value
     fn status_403s_returns_correct_value() {
         let config = Configuration::new().unwrap();
-        let stats = Stats::new(config.extensions.len(), config.json);
+        let stats = Stats::new(config.json);
         stats.status_403s.store(12, Ordering::Relaxed);
         assert_eq!(stats.status_403s(), 12);
     }
@@ -618,7 +930,7 @@ mod tests {
     /// ensure status_403s returns the correct value
     fn status_429s_returns_correct_value() {
         let config = Configuration::new().unwrap();
-        let stats = Stats::new(config.extensions.len(), config.json);
+        let stats = Stats::new(config.json);
         stats.status_429s.store(141, Ordering::Relaxed);
         assert_eq!(stats.status_429s(), 141);
     }

src/statistics/field.rs

@@ -13,6 +13,9 @@ pub enum StatField {
     /// Translates to `links_extracted`
     LinksExtracted,
 
+    /// Translates to `extensions_collected`
+    ExtensionsCollected,
+
     /// Translates to `total_expected`
     TotalExpected,
 

src/statistics/macros.rs

@@ -18,10 +18,10 @@ macro_rules! atomic_increment {
 #[macro_export]
 macro_rules! atomic_load {
     ($metric:expr) => {
-        $metric.load(Ordering::Relaxed);
+        $metric.load(Ordering::Relaxed)
     };
     ($metric:expr, $ordering:expr) => {
-        $metric.load($ordering);
+        $metric.load($ordering)
     };
 }
 

src/statistics/tests.rs

@@ -41,7 +41,7 @@ async fn statistics_handler_exits() -> Result<()> {
 /// Stats::save should write contents of Stats to disk
 fn save_writes_stats_object_to_disk() {
     let config = Configuration::new().unwrap();
-    let stats = Stats::new(config.extensions.len(), config.json);
+    let stats = Stats::new(config.json);
 
     stats.add_request();
     stats.add_request();
@@ -55,10 +55,7 @@ fn save_writes_stats_object_to_disk() {
     stats.add_status_code(StatusCode::OK);
     stats.add_status_code(StatusCode::OK);
     let outfile = NamedTempFile::new().unwrap();
-    if stats
-        .save(174.33, &outfile.path().to_str().unwrap())
-        .is_ok()
-    {}
+    assert!(stats.save(174.33, outfile.path().to_str().unwrap()).is_ok());
 
     assert!(stats.as_json().unwrap().contains("statistics"));
     assert!(stats.as_json().unwrap().contains("11")); // requests made

src/traits.rs

@@ -1,9 +1,15 @@
 //! collection of all traits used
+use crate::filters::{
+    LinesFilter, RegexFilter, SimilarityFilter, SizeFilter, StatusCodeFilter, WildcardFilter,
+    WordsFilter,
+};
 use crate::response::FeroxResponse;
+use crate::utils::status_colorizer;
 use anyhow::Result;
+use crossterm::style::{style, Stylize};
 use serde::Serialize;
 use std::any::Any;
-use std::fmt::Debug;
+use std::fmt::{self, Debug, Display, Formatter};
 
 // references:
 //   https://dev.to/magnusstrale/rust-trait-objects-in-a-vector-non-trivial-4co5
@@ -22,6 +28,68 @@ pub trait FeroxFilter: Debug + Send + Sync {
     fn as_any(&self) -> &dyn Any;
 }
 
+impl Display for dyn FeroxFilter {
+    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), fmt::Error> {
+        if let Some(filter) = self.as_any().downcast_ref::<LinesFilter>() {
+            write!(f, "Line count: {}", style(filter.line_count).cyan())
+        } else if let Some(filter) = self.as_any().downcast_ref::<WordsFilter>() {
+            write!(f, "Word count: {}", style(filter.word_count).cyan())
+        } else if let Some(filter) = self.as_any().downcast_ref::<SizeFilter>() {
+            write!(f, "Response size: {}", style(filter.content_length).cyan())
+        } else if let Some(filter) = self.as_any().downcast_ref::<RegexFilter>() {
+            write!(f, "Regex: {}", style(&filter.raw_string).cyan())
+        } else if let Some(filter) = self.as_any().downcast_ref::<WildcardFilter>() {
+            let mut msg = format!(
+                "{} requests with {} responses ",
+                style(&filter.method).cyan(),
+                status_colorizer(&filter.status_code.to_string())
+            );
+
+            match (filter.content_length, filter.word_count, filter.line_count) {
+                (None, None, None) => {
+                    unreachable!("wildcard filter without any filters set");
+                }
+                (None, None, Some(lc)) => {
+                    msg.push_str(&format!("containing {} lines", lc));
+                }
+                (None, Some(wc), None) => {
+                    msg.push_str(&format!("containing {} words", wc));
+                }
+                (None, Some(wc), Some(lc)) => {
+                    msg.push_str(&format!("containing {} words and {} lines", wc, lc));
+                }
+                (Some(cl), None, None) => {
+                    msg.push_str(&format!("containing {} bytes", cl));
+                }
+                (Some(cl), None, Some(lc)) => {
+                    msg.push_str(&format!("containing {} bytes and {} lines", cl, lc));
+                }
+                (Some(cl), Some(wc), None) => {
+                    msg.push_str(&format!("containing {} bytes and {} words", cl, wc));
+                }
+                (Some(cl), Some(wc), Some(lc)) => {
+                    msg.push_str(&format!(
+                        "containing {} bytes, {} words, and {} lines",
+                        cl, wc, lc
+                    ));
+                }
+            }
+
+            write!(f, "{}", msg)
+        } else if let Some(filter) = self.as_any().downcast_ref::<StatusCodeFilter>() {
+            write!(f, "Status code: {}", style(filter.filter_code).cyan())
+        } else if let Some(filter) = self.as_any().downcast_ref::<SimilarityFilter>() {
+            write!(
+                f,
+                "Pages similar to: {}",
+                style(&filter.original_url).cyan()
+            )
+        } else {
+            write!(f, "Filter: {self:?}")
+        }
+    }
+}
+
 /// implementation of PartialEq, necessary long-form due to "trait cannot be made into an object"
 /// error when attempting to derive PartialEq on the trait itself
 impl PartialEq for Box<dyn FeroxFilter> {

src/url.rs

@@ -1,13 +1,15 @@
+use crate::utils::parse_url_with_raw_path;
 use crate::{event_handlers::Handles, statistics::StatError::UrlFormat, Command::AddError};
 use anyhow::{anyhow, bail, Result};
 use reqwest::Url;
-use std::{convert::TryInto, fmt, sync::Arc};
+use std::collections::HashSet;
+use std::{fmt, sync::Arc};
 
 /// abstraction around target urls; collects all Url related shenanigans in one place
 #[derive(Debug)]
 pub struct FeroxUrl {
     /// string representation of the target url
-    target: String,
+    pub target: String,
 
     /// Handles object for grabbing config values
     handles: Arc<Handles>,
@@ -37,25 +39,40 @@ impl FeroxUrl {
     ///
     /// If any extensions were passed to the program, each extension will add a
     /// (base_url + word + ext) Url to the vector
-    pub fn formatted_urls(&self, word: &str) -> Result<Vec<Url>> {
+    pub fn formatted_urls(
+        &self,
+        word: &str,
+        collected_extensions: HashSet<String>,
+    ) -> Result<Vec<Url>> {
         log::trace!("enter: formatted_urls({})", word);
 
         let mut urls = vec![];
 
-        match self.format(word, None) {
+        let slash = if self.handles.config.add_slash {
+            Some("/")
+        } else {
+            None
+        };
+
+        match self.format(word, slash) {
             // default request, i.e. no extension
             Ok(url) => urls.push(url),
             Err(_) => self.handles.stats.send(AddError(UrlFormat))?,
         }
 
-        for ext in self.handles.config.extensions.iter() {
+        for ext in self
+            .handles
+            .config
+            .extensions
+            .iter()
+            .chain(collected_extensions.iter())
+        {
             match self.format(word, Some(ext)) {
                 // any extensions passed in
                 Ok(url) => urls.push(url),
                 Err(_) => self.handles.stats.send(AddError(UrlFormat))?,
             }
         }
-
         log::trace!("exit: formatted_urls -> {:?}", urls);
         Ok(urls)
     }
@@ -66,7 +83,7 @@ impl FeroxUrl {
     pub fn format(&self, word: &str, extension: Option<&str>) -> Result<Url> {
         log::trace!("enter: format({}, {:?})", word, extension);
 
-        if Url::parse(&word).is_ok() {
+        if Url::parse(word).is_ok() {
             // when a full url is passed in as a word to be joined to a base url using
             // reqwest::Url::join, the result is that the word (url) completely overwrites the base
             // url, potentially resulting in requests to places that aren't actually the target
@@ -74,7 +91,7 @@ impl FeroxUrl {
             //
             // in order to resolve the issue, we check if the word from the wordlist is a parsable URL
             // and if so, don't do any further processing
-            let message = format!("word ({}) from wordlist is a URL, skipping...", word);
+            let message = format!("word ({word}) from wordlist is a URL, skipping...");
             log::warn!("{}", message);
             log::trace!("exit: format -> Err({})", message);
             bail!(message);
@@ -97,13 +114,25 @@ impl FeroxUrl {
             self.target.to_string()
         };
 
-        // extensions and slashes are mutually exclusive cases
-        let word = if extension.is_some() {
-            format!("{}.{}", word, extension.unwrap())
-        } else if self.handles.config.add_slash && !word.ends_with('/') {
-            // -f used, and word doesn't already end with a /
-            format!("{}/", word)
-        } else if word.starts_with("//") {
+        // As of version 2.3.4, extensions and trailing slashes are no longer mutually exclusive.
+        // Trailing slashes are now treated as just another extension, which is pretty clever.
+        //
+        // In addition to the change above, @cortantief ID'd a bug here that incorrectly handled
+        // 2 leading forward slashes when extensions were used. This block addresses the bugfix.
+        let mut word = if let Some(ext) = extension {
+            // We handle the special case of forward slash
+            // That allow us to treat it as an extension with a particular format
+            if ext == "/" {
+                format!("{word}/")
+            } else {
+                format!("{word}.{ext}")
+            }
+        } else {
+            String::from(word)
+        };
+
+        // We check separately if the current word begins with 2 forward slashes
+        if word.starts_with("//") {
             // bug ID'd by @Sicks3c, when a wordlist contains words that begin with 2 forward slashes
             // i.e. //1_40_0/static/js, it gets joined onto the base url in a surprising way
             // ex: https://localhost/ + //1_40_0/static/js -> https://1_40_0/static/js
@@ -111,65 +140,22 @@ impl FeroxUrl {
             // and simply removes prefixed forward slashes if there are two of them. Additionally,
             // trim_start_matches will trim the pattern until it's gone, so even if there are more than
             // 2 /'s, they'll still be trimmed
-            word.trim_start_matches('/').to_string()
-        } else {
-            String::from(word)
+            word = word.trim_start_matches('/').to_string();
         };
 
-        let base_url = Url::parse(&url)?;
-        let joined = base_url.join(&word)?;
+        let base_url = parse_url_with_raw_path(&url)?;
+        let mut joined = base_url.join(&word)?;
 
-        if self.handles.config.queries.is_empty() {
-            // no query params to process
-            log::trace!("exit: format -> {}", joined);
-            Ok(joined)
-        } else {
-            let with_params =
-                Url::parse_with_params(joined.as_str(), &self.handles.config.queries)?;
-            log::trace!("exit: format_url -> {}", with_params);
-            Ok(with_params) // request with params attached
-        }
-    }
-
-    /// Gets the length of a url's path
-    pub fn path_length(&self) -> Result<u64> {
-        let parsed = Url::parse(&self.target)?;
-        Ok(FeroxUrl::path_length_of_url(&parsed))
-    }
-
-    /// Gets the length of a url's path
-    ///
-    /// example: http://localhost/stuff -> 5
-    pub fn path_length_of_url(url: &Url) -> u64 {
-        log::trace!("enter: get_path_length({})", url);
-
-        let path = url.path();
-
-        let segments = if let Some(split) = path.strip_prefix('/') {
-            split.split_terminator('/')
-        } else {
-            log::trace!("exit: get_path_length -> 0");
-            return 0;
-        };
-
-        if let Some(last) = segments.last() {
-            // failure on conversion should be very unlikely. While a usize can absolutely overflow a
-            // u64, the generally accepted maximum for the length of a url is ~2000.  so the value we're
-            // putting into the u64 should never realistically be anywhere close to producing an
-            // overflow.
-            // usize max: 18,446,744,073,709,551,615
-            // u64 max:   9,223,372,036,854,775,807
-            let url_len: u64 = last
-                .len()
-                .try_into()
-                .expect("Failed usize -> u64 conversion");
-
-            log::trace!("exit: get_path_length -> {}", url_len);
-            return url_len;
+        if !self.handles.config.queries.is_empty() {
+            // if called, this adds a '?' to the url, whether or not there are queries to be added
+            // so we need to check if there are queries to be added before blindly adding the '?'
+            joined
+                .query_pairs_mut()
+                .extend_pairs(self.handles.config.queries.iter());
         }
 
-        log::trace!("exit: get_path_length -> 0");
-        0
+        log::trace!("exit: format_url -> {}", joined);
+        Ok(joined)
     }
 
     /// Simple helper to abstract away adding a forward-slash to a url if not present
@@ -204,7 +190,7 @@ impl FeroxUrl {
 
         let target = self.normalize();
 
-        let parsed = Url::parse(&target)?;
+        let parsed = parse_url_with_raw_path(&target)?;
         let parts = parsed
             .path_segments()
             .ok_or_else(|| anyhow!("No path segments found"))?;
@@ -239,7 +225,7 @@ mod tests {
     fn formatted_urls_no_extension_returns_base_url_with_word() {
         let handles = Arc::new(Handles::for_testing(None, None).0);
         let url = FeroxUrl::from_string("http://localhost", handles);
-        let urls = url.formatted_urls("turbo").unwrap();
+        let urls = url.formatted_urls("turbo", HashSet::new()).unwrap();
         assert_eq!(urls, [Url::parse("http://localhost/turbo").unwrap()])
     }
 
@@ -253,7 +239,7 @@ mod tests {
 
         let handles = Arc::new(Handles::for_testing(None, Some(Arc::new(config))).0);
         let url = FeroxUrl::from_string("http://localhost", handles);
-        let urls = url.formatted_urls("turbo").unwrap();
+        let urls = url.formatted_urls("turbo", HashSet::new()).unwrap();
 
         assert_eq!(
             urls,
@@ -300,7 +286,7 @@ mod tests {
             let handles = Arc::new(Handles::for_testing(None, Some(Arc::new(config))).0);
             let url = FeroxUrl::from_string("http://localhost", handles);
 
-            let urls = url.formatted_urls("turbo").unwrap();
+            let urls = url.formatted_urls("turbo", HashSet::new()).unwrap();
             assert_eq!(urls, expected[i]);
         }
     }
@@ -451,6 +437,20 @@ mod tests {
         );
     }
 
+    #[test]
+    /// word with two prepended slashes and extensions doesn't discard the entire domain
+    fn format_url_word_with_two_prepended_slashes_and_extensions() {
+        let handles = Arc::new(Handles::for_testing(None, None).0);
+        let url = FeroxUrl::from_string("http://localhost", handles);
+        for ext in ["rocks", "fun"] {
+            let to_check = format!("http://localhost/upload/ferox.{ext}");
+            assert_eq!(
+                url.format("//upload/ferox", Some(ext)).unwrap(),
+                reqwest::Url::parse(&to_check[..]).unwrap()
+            );
+        }
+    }
+
     #[test]
     /// word that is a fully formed url, should return an error
     fn format_url_word_that_is_a_url() {
@@ -460,4 +460,33 @@ mod tests {
 
         assert!(formatted.is_err());
     }
+
+    #[test]
+    /// sending url + word with both an extension and add-slash should get back
+    /// two urls, one with '/' appended to the word, and the other with the extension
+    /// appended
+    fn formatted_urls_with_postslash_and_extensions() {
+        let config = Configuration {
+            add_slash: true,
+            extensions: vec!["rocks".to_string(), "fun".to_string()],
+            ..Default::default()
+        };
+        let handles = Arc::new(Handles::for_testing(None, Some(Arc::new(config))).0);
+        let url = FeroxUrl::from_string("http://localhost", handles);
+        match url.formatted_urls("ferox", HashSet::new()) {
+            Ok(urls) => {
+                // 3 = One for the main word + slash and for the two extensions
+                assert_eq!(urls.len(), 3);
+                assert_eq!(
+                    urls,
+                    [
+                        Url::parse("http://localhost/ferox/").unwrap(),
+                        Url::parse("http://localhost/ferox.rocks").unwrap(),
+                        Url::parse("http://localhost/ferox.fun").unwrap(),
+                    ]
+                )
+            }
+            Err(err) => panic!("{}", err.to_string()),
+        }
+    }
 }

tests/mutual-auth/Caddyfile

@@ -0,0 +1,17 @@
+(mTLS) {
+	tls {
+		client_auth {
+			mode require_and_verify
+			trusted_ca_cert_file certs/server/ca.crt
+		}
+	}
+}
+
+https://localhost:8001 {
+	import mTLS
+	log
+
+	handle / {
+		file_server browse
+	}
+}