Bump tokio from 1.39.3 to 1.44.2

Bumps [tokio](https://github.com/tokio-rs/tokio) from 1.39.3 to 1.44.2.
- [Release notes](https://github.com/tokio-rs/tokio/releases)
- [Commits](https://github.com/tokio-rs/tokio/compare/tokio-1.39.3...tokio-1.44.2)

---
updated-dependencies:
- dependency-name: tokio
  dependency-version: 1.44.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

.all-contributorsrc

@@ -144,7 +144,8 @@
       "avatar_url": "https://avatars.githubusercontent.com/u/48113936?v=4",
       "profile": "https://tib3rius.com",
       "contributions": [
-        "bug"
+        "bug",
+        "ideas"
       ]
     },
     {
@@ -198,7 +199,8 @@
       "avatar_url": "https://avatars.githubusercontent.com/u/24260009?v=4",
       "profile": "https://github.com/N0ur5",
       "contributions": [
-        "ideas"
+        "ideas",
+        "bug"
       ]
     },
     {
@@ -299,7 +301,8 @@
       "avatar_url": "https://avatars.githubusercontent.com/u/16690056?v=4",
       "profile": "https://github.com/n0kovo",
       "contributions": [
-        "ideas"
+        "ideas",
+        "bug"
       ]
     },
     {
@@ -571,6 +574,310 @@
       "contributions": [
         "bug"
       ]
+    },
+    {
+      "login": "DrorDvash",
+      "name": "DrDv",
+      "avatar_url": "https://avatars.githubusercontent.com/u/8413651?v=4",
+      "profile": "https://github.com/DrorDvash",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "aroly",
+      "name": "Antoine Roly",
+      "avatar_url": "https://avatars.githubusercontent.com/u/1257705?v=4",
+      "profile": "https://github.com/aroly",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "lavafroth",
+      "name": "Himadri Bhattacharjee",
+      "avatar_url": "https://avatars.githubusercontent.com/u/107522312?v=4",
+      "profile": "http://lavafroth.is-a.dev",
+      "contributions": [
+        "code",
+        "ideas"
+      ]
+    },
+    {
+      "login": "AkechiShiro",
+      "name": "Samy Lahfa",
+      "avatar_url": "https://avatars.githubusercontent.com/u/14914796?v=4",
+      "profile": "https://github.com/AkechiShiro",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "sectroyer",
+      "name": "sectroyer",
+      "avatar_url": "https://avatars.githubusercontent.com/u/6706818?v=4",
+      "profile": "https://github.com/sectroyer",
+      "contributions": [
+        "bug",
+        "ideas"
+      ]
+    },
+    {
+      "login": "ktecv2000",
+      "name": "ktecv2000",
+      "avatar_url": "https://avatars.githubusercontent.com/u/19836003?v=4",
+      "profile": "https://medium.com/@b3rm1nG",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "andreademurtas",
+      "name": "Andrea De Murtas",
+      "avatar_url": "https://avatars.githubusercontent.com/u/56048157?v=4",
+      "profile": "http://untrue.me",
+      "contributions": [
+        "code"
+      ]
+    },
+    {
+      "login": "sawmj",
+      "name": "sawmj",
+      "avatar_url": "https://avatars.githubusercontent.com/u/30024085?v=4",
+      "profile": "https://github.com/sawmj",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "devx00",
+      "name": "Zach Hanson",
+      "avatar_url": "https://avatars.githubusercontent.com/u/6897405?v=4",
+      "profile": "https://github.com/devx00",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "ocervell",
+      "name": "Olivier Cervello",
+      "avatar_url": "https://avatars.githubusercontent.com/u/9629314?v=4",
+      "profile": "https://github.com/ocervell",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "RavySena",
+      "name": "RavySena",
+      "avatar_url": "https://avatars.githubusercontent.com/u/67729597?v=4",
+      "profile": "https://github.com/RavySena",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "stuhlmann",
+      "name": "Florian Stuhlmann",
+      "avatar_url": "https://avatars.githubusercontent.com/u/11061864?v=4",
+      "profile": "https://github.com/stuhlmann",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "Mister7F",
+      "name": "Mister7F",
+      "avatar_url": "https://avatars.githubusercontent.com/u/35213773?v=4",
+      "profile": "https://github.com/Mister7F",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "manugramm",
+      "name": "manugramm",
+      "avatar_url": "https://avatars.githubusercontent.com/u/145961515?v=4",
+      "profile": "https://github.com/manugramm",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "ArthurMuraro",
+      "name": "ArthurMuraro",
+      "avatar_url": "https://avatars.githubusercontent.com/u/73059809?v=4",
+      "profile": "https://github.com/ArthurMuraro",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "amiremami",
+      "name": "Shadow",
+      "avatar_url": "https://avatars.githubusercontent.com/u/15929497?v=4",
+      "profile": "https://github.com/amiremami",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "dirhamgithub",
+      "name": "dirhamgithub",
+      "avatar_url": "https://avatars.githubusercontent.com/u/115349974?v=4",
+      "profile": "https://github.com/dirhamgithub",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "FieldOfRice",
+      "name": "FieldOfRice",
+      "avatar_url": "https://avatars.githubusercontent.com/u/85353?v=4",
+      "profile": "https://github.com/FieldOfRice",
+      "contributions": [
+        "infra"
+      ]
+    },
+    {
+      "login": "NotoriousRebel",
+      "name": "Matt",
+      "avatar_url": "https://avatars.githubusercontent.com/u/36310667?v=4",
+      "profile": "https://github.com/NotoriousRebel",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "tritoke",
+      "name": "Sam Leonard",
+      "avatar_url": "https://avatars.githubusercontent.com/u/34941249?v=4",
+      "profile": "https://github.com/tritoke",
+      "contributions": [
+        "code"
+      ]
+    },
+    {
+      "login": "rew1nter",
+      "name": "Rewinter",
+      "avatar_url": "https://avatars.githubusercontent.com/u/64508791?v=4",
+      "profile": "https://github.com/rew1nter",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "deadloot",
+      "name": "deadloot",
+      "avatar_url": "https://avatars.githubusercontent.com/u/92878901?v=4",
+      "profile": "https://github.com/deadloot",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "Spidle",
+      "name": "Spidle",
+      "avatar_url": "https://avatars.githubusercontent.com/u/90011249?v=4",
+      "profile": "https://github.com/Spidle",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "JulianGR",
+      "name": "Julián Gómez",
+      "avatar_url": "https://avatars.githubusercontent.com/u/53094530?v=4",
+      "profile": "https://github.com/JulianGR",
+      "contributions": [
+        "ideas",
+        "infra",
+        "doc"
+      ]
+    },
+    {
+      "login": "soutzis",
+      "name": "Petros",
+      "avatar_url": "https://avatars.githubusercontent.com/u/25797286?v=4",
+      "profile": "https://github.com/soutzis",
+      "contributions": [
+        "bug"
+      ]
+    },
+    {
+      "login": "sitiom",
+      "name": "Ryan",
+      "avatar_url": "https://avatars.githubusercontent.com/u/56180050?v=4",
+      "profile": "https://github.com/sitiom",
+      "contributions": [
+        "infra",
+        "doc"
+      ]
+    },
+    {
+      "login": "wikamp-collaborator",
+      "name": "wikamp-collaborator",
+      "avatar_url": "https://avatars.githubusercontent.com/u/147445097?v=4",
+      "profile": "https://github.com/wikamp-collaborator",
+      "contributions": [
+        "ideas",
+        "infra"
+      ]
+    },
+    {
+      "login": "L1-0",
+      "name": "Lino",
+      "avatar_url": "https://avatars.githubusercontent.com/u/123986259?v=4",
+      "profile": "http://lino.codes",
+      "contributions": [
+        "bug",
+        "ideas"
+      ]
+    },
+    {
+      "login": "sa7mon",
+      "name": "Dan Salmon",
+      "avatar_url": "https://avatars.githubusercontent.com/u/3712226?v=4",
+      "profile": "https://danthesalmon.com",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "swordfish0x0",
+      "name": "swordfish0x0",
+      "avatar_url": "https://avatars.githubusercontent.com/u/21209130?v=4",
+      "profile": "https://github.com/swordfish0x0",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "libklein",
+      "name": "Patrick Klein",
+      "avatar_url": "https://avatars.githubusercontent.com/u/42714034?v=4",
+      "profile": "https://github.com/libklein",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "Raymond-JV",
+      "name": "Raymond",
+      "avatar_url": "https://avatars.githubusercontent.com/u/23642921?v=4",
+      "profile": "https://github.com/Raymond-JV",
+      "contributions": [
+        "ideas"
+      ]
+    },
+    {
+      "login": "zer0x64",
+      "name": "zer0x64",
+      "avatar_url": "https://avatars.githubusercontent.com/u/17575242?v=4",
+      "profile": "https://github.com/zer0x64",
+      "contributions": [
+        "code"
+      ]
     }
   ],
   "contributorsPerLine": 7,
@@ -579,5 +886,6 @@
   "repoType": "github",
   "repoHost": "https://github.com",
   "skipCi": true,
-  "commitConvention": "angular"
+  "commitConvention": "angular",
+  "commitType": "docs"
 }

.github/pull_request_template.md

@@ -20,7 +20,6 @@ Long form explanations of most of the items below can be found in the [CONTRIBUT
   - [ ] update [example config file section](https://epi052.github.io/feroxbuster-docs/docs/configuration/ferox-config-toml/)
   - [ ] update [help output section](https://epi052.github.io/feroxbuster-docs/docs/configuration/command-line/)
   - [ ] add an [example](https://epi052.github.io/feroxbuster-docs/docs/examples/)
-  - [ ] update [comparison table](https://epi052.github.io/feroxbuster-docs/docs/compare/)
 
 ## Additional Tests
 - [ ] New code is unit tested

.github/workflows/build.yml

@@ -27,68 +27,91 @@ jobs:
           - type: armv7
             os: ubuntu-latest
             target: armv7-unknown-linux-gnueabihf
-            name: armv7-feroxbuster
+            name: armv7-linux-feroxbuster
             path: target/armv7-unknown-linux-gnueabihf/release/feroxbuster
             pkg_config_path: /usr/lib/x86_64-linux-gnu/pkgconfig
           - type: aarch64
             os: ubuntu-latest
             target: aarch64-unknown-linux-gnu
-            name: aarch64-feroxbuster
+            name: aarch64-linux-feroxbuster
             path: target/aarch64-unknown-linux-gnu/release/feroxbuster
             pkg_config_path: /usr/lib/x86_64-linux-gnu/pkgconfig
     steps:
-      - uses: actions/checkout@v2
-      - name: Install System Dependencies
-        run: |
-          env
-          sudo apt-get update
-          sudo apt-get install -y --no-install-recommends libssl-dev pkg-config gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu
-      - uses: actions-rs/toolchain@v1
+      - uses: actions/checkout@v4
+      - name: Cache cargo & target directories
+        uses: Swatinem/rust-cache@v2
+      - name: Build binary
+        uses: houseabsolute/actions-rust-cross@v0
         with:
-          toolchain: stable
-          target: ${{ matrix.target }}
-          override: true
-      - uses: actions-rs/cargo@v1
-        env:
-          PKG_CONFIG_PATH: ${{ matrix.pkg_config_path }}
-          OPENSSL_DIR: /usr/lib/ssl
-        with:
-          use-cross: true
           command: build
-          args: --release --target=${{ matrix.target }}
-      - name: Strip symbols from binary
-        run: |
-          strip -s ${{ matrix.path }} || arm-linux-gnueabihf-strip -s ${{ matrix.path }} || aarch64-linux-gnu-strip -s ${{ matrix.path }}
+          target: ${{ matrix.target }}
+          args: "--locked --release"
+          strip: true
+          toolchain: stable
       - name: Build tar.gz for homebrew installs
         if: matrix.type == 'ubuntu-x64'
         run: |
           tar czf ${{ matrix.name }}.tar.gz -C target/x86_64-unknown-linux-musl/release feroxbuster
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.name }}
           path: ${{ matrix.path }}
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@v4
         if: matrix.type == 'ubuntu-x64'
         with:
           name: ${{ matrix.name }}.tar.gz
           path: ${{ matrix.name }}.tar.gz
 
-  # build-deb:
-  #   needs: [build-nix]
-  #   runs-on: ubuntu-latest
-  #   steps:
-  #     - uses: actions/checkout@master
-  #     - name: Install cargo-deb
-  #       run: cargo install -f cargo-deb
-  #     - name: Install musl toolchain
-  #       run: rustup target add x86_64-unknown-linux-musl
-  #     - name: Deb Build
-  #       run: cargo deb --target=x86_64-unknown-linux-musl
-  #     - name: Upload Deb Artifact
-  #       uses: actions/upload-artifact@v2
-  #       with:
-  #         name: feroxbuster_amd64.deb
-  #         path: ./target/x86_64-unknown-linux-musl/debian/*
+  build-debug:
+    env:
+      IN_PIPELINE: true
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install System Dependencies
+        run: |
+          env
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends libssl-dev pkg-config musl-tools
+      - name: Set up Rust toolchain
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: stable
+          target: x86_64-unknown-linux-musl
+
+      - name: Build the project
+        env:
+          PKG_CONFIG_PATH: /usr/lib/x86_64-linux-gnu/pkgconfig
+          OPENSSL_DIR: /usr/lib/ssl
+        run: cargo build --target=x86_64-unknown-linux-musl
+      - uses: actions/upload-artifact@v4
+        with:
+          name: x86_64-linux-debug-feroxbuster
+          path: target/x86_64-unknown-linux-musl/debug/feroxbuster
+
+  build-deb:
+    needs: [build-nix]
+    runs-on: ubuntu-latest
+    env:
+      IN_PIPELINE: true
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install cargo-deb
+        run: cargo install -f cargo-deb
+      - uses: awalsh128/cache-apt-pkgs-action@v1
+        with:
+          packages: musl-tools # provides musl-gcc
+          version: 1.0
+      - name: Install musl toolchain
+        run: rustup target add x86_64-unknown-linux-musl
+      - name: Deb Build
+        run: cargo deb --target=x86_64-unknown-linux-musl
+      - name: Upload Deb Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: feroxbuster_amd64.deb
+          path: ./target/x86_64-unknown-linux-musl/debian/*
 
   build-macos:
     env:
@@ -96,31 +119,57 @@ jobs:
     runs-on: macos-latest
     if: github.ref == 'refs/heads/main'
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions-rs/toolchain@v1
+      - uses: actions/checkout@v4
+      - name: Cache cargo & target directories
+        uses: Swatinem/rust-cache@v2
+      - name: Build binary
+        uses: houseabsolute/actions-rust-cross@v0
         with:
-          toolchain: stable
-          target: x86_64-apple-darwin
-          override: true
-      - uses: actions-rs/cargo@v1
-        with:
-          use-cross: true
           command: build
-          args: --release --target=x86_64-apple-darwin
-      - name: Strip symbols from binary
-        run: |
-          strip -u -r target/x86_64-apple-darwin/release/feroxbuster
+          target: x86_64-apple-darwin
+          args: "--locked --release"
+          strip: true
+          toolchain: stable
       - name: Build tar.gz for homebrew installs
         run: |
           tar czf x86_64-macos-feroxbuster.tar.gz -C target/x86_64-apple-darwin/release feroxbuster
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@v4
         with:
           name: x86_64-macos-feroxbuster
           path: target/x86_64-apple-darwin/release/feroxbuster
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@v4
         with:
           name: x86_64-macos-feroxbuster.tar.gz
           path: x86_64-macos-feroxbuster.tar.gz
+  
+  build-macos-aarch64:
+    env:
+      IN_PIPELINE: true
+    runs-on: macos-latest
+    if: github.ref == 'refs/heads/main'
+    steps:
+      - uses: actions/checkout@v4
+      - name: Cache cargo & target directories
+        uses: Swatinem/rust-cache@v2
+      - name: Build binary
+        uses: houseabsolute/actions-rust-cross@v0
+        with:
+          command: build
+          target: aarch64-apple-darwin
+          args: "--locked --release"
+          strip: true
+          toolchain: stable
+      - name: Build tar.gz for homebrew installs
+        run: |
+          tar czf aarch64-macos-feroxbuster.tar.gz -C target/aarch64-apple-darwin/release feroxbuster
+      - uses: actions/upload-artifact@v4
+        with:
+          name: aarch64-macos-feroxbuster
+          path: target/aarch64-apple-darwin/release/feroxbuster
+      - uses: actions/upload-artifact@v4
+        with:
+          name: aarch64-macos-feroxbuster.tar.gz
+          path: aarch64-macos-feroxbuster.tar.gz
 
   build-windows:
     env:
@@ -142,18 +191,18 @@ jobs:
             name: x86-windows-feroxbuster.exe
             path: target\i686-pc-windows-msvc\release\feroxbuster.exe
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions-rs/toolchain@v1
+      - uses: actions/checkout@v4
+      - name: Cache cargo & target directories
+        uses: Swatinem/rust-cache@v2
+      - name: Build binary
+        uses: houseabsolute/actions-rust-cross@v0
         with:
-          toolchain: stable
-          target: ${{ matrix.target }}
-          override: true
-      - uses: actions-rs/cargo@v1
-        with:
-          use-cross: true
           command: build
-          args: --release --target=${{ matrix.target }}
-      - uses: actions/upload-artifact@v2
+          target:  ${{ matrix.target }}
+          args: "--locked --release"
+          strip: true
+          toolchain: stable
+      - uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.name }}
           path: ${{ matrix.path }}

.github/workflows/check.yml

@@ -7,40 +7,41 @@ jobs:
     name: Check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions-rs/cargo@v1
-        with:
-          command: check
+      - uses: actions/checkout@v4
+      - name: Cache cargo & target directories
+        uses: Swatinem/rust-cache@v2
+      - uses: dtolnay/rust-toolchain@stable
+      - run: cargo check
 
   test:
     name: Test Suite
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
+      - name: Cache cargo & target directories
+        uses: Swatinem/rust-cache@v2
       - name: Install latest nextest release
         uses: taiki-e/install-action@nextest
+      - uses: dtolnay/rust-toolchain@stable
       - name: Test with latest nextest release
-        uses: actions-rs/cargo@v1
-        with:
-          command: nextest
-          args: run --all-features --all-targets --retries 10
+        run: cargo nextest run --all-features --all-targets --retries 4 --no-fail-fast
 
   fmt:
     name: Rust fmt
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions-rs/cargo@v1
-        with:
-          command: fmt
-          args: --all -- --check
+      - uses: actions/checkout@v4
+      - name: Cache cargo & target directories
+        uses: Swatinem/rust-cache@v2
+      - uses: dtolnay/rust-toolchain@stable
+      - run: cargo fmt --all -- --check
 
   clippy:
     name: Clippy
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions-rs/cargo@v1
-        with:
-          command: clippy
-          args: --all-targets --all-features -- -D warnings
+      - uses: actions/checkout@v4
+      - name: Cache cargo & target directories
+        uses: Swatinem/rust-cache@v2
+      - uses: dtolnay/rust-toolchain@stable
+      - run: cargo clippy --all-targets --all-features -- -D warnings

.github/workflows/cicd-to-dockerhub.yml

@@ -9,21 +9,21 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v3
 
       - name: Build and push
         id: docker_build
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v6
         with:
           context: ./
           file: ./Dockerfile

.github/workflows/coverage.yml

@@ -7,7 +7,7 @@ jobs:
     name: LLVM Coverage
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: dtolnay/rust-toolchain@stable
         with:
           components: llvm-tools-preview
@@ -16,9 +16,10 @@ jobs:
         with:
           tool: cargo-nextest,cargo-llvm-cov
       - name: Generate code coverage
-        run: cargo llvm-cov nextest --all-features --no-fail-fast --lcov --output-path lcov.info
+        run: cargo llvm-cov nextest --all-features --no-fail-fast --lcov --retries 4 --output-path lcov.info
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
         with:
           files: lcov.info
           fail_ci_if_error: true
+          token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/winget.yml

@@ -0,0 +1,21 @@
+name: Publish to Winget
+on:
+  release:
+    types: [released]
+  workflow_dispatch:
+    inputs:
+      tag_name:
+        description: 'Tag name of release'
+        required: true
+        type: string
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: vedantmgoyal2009/winget-releaser@main
+        with:
+          identifier: epi052.feroxbuster
+          installers-regex: '-windows-feroxbuster\.exe\.zip$'
+          token: ${{ secrets.WINGET_TOKEN }}
+          release-tag: ${{ inputs.tag_name || github.event.release.tag_name || github.ref_name }}

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "feroxbuster"
-version = "2.9.3"
+version = "2.11.0"
 authors = ["Ben 'epi' Risher (@epi052)"]
 license = "MIT"
 edition = "2021"
@@ -22,41 +22,44 @@ build = "build.rs"
 maintenance = { status = "actively-developed" }
 
 [build-dependencies]
-clap = { version = "4.1.8", features = ["wrap_help", "cargo"] }
-clap_complete = "4.1.4"
-regex = "1.5.5"
-lazy_static = "1.4.0"
-dirs = "5.0.0"
+clap = { version = "4.5", features = ["wrap_help", "cargo"] }
+clap_complete = "4.5"
+regex = "1.10"
+lazy_static = "1.5"
+dirs = "5.0"
 
 [dependencies]
-scraper = "0.16.0"
-futures = "0.3.26"
-tokio = { version = "1.26.0", features = ["full"] }
-tokio-util = { version = "0.7.7", features = ["codec"] }
-log = "0.4.17"
-env_logger = "0.10.0"
-reqwest = { version = "0.11.10", features = ["socks"] }
+scraper = "0.19"
+futures = "0.3"
+tokio = { version = "1.44", features = ["full"] }
+tokio-util = { version = "0.7", features = ["codec"] }
+log = "0.4"
+env_logger = "0.11"
+reqwest = { version = "0.12", features = ["socks", "native-tls-alpn"] }
 # uses feature unification to add 'serde' to reqwest::Url
-url = { version = "2.2.2", features = ["serde"] }
-serde_regex = "1.1.0"
-clap = { version = "4.1.8", features = ["wrap_help", "cargo"] }
-lazy_static = "1.4.0"
-toml = "0.7.2"
-serde = { version = "1.0.137", features = ["derive", "rc"] }
-serde_json = "1.0.94"
-uuid = { version = "1.3.0", features = ["v4"] }
-indicatif = "0.15"
-console = "0.15.2"
+url = { version = "2.5", features = ["serde"] }
+serde_regex = "1.1"
+clap = { version = "4.5", features = ["wrap_help", "cargo"] }
+lazy_static = "1.5"
+toml = "0.8"
+serde = { version = "1.0", features = ["derive", "rc"] }
+serde_json = "1.0"
+uuid = { version = "1.10", features = ["v4"] }
+indicatif = { version = "0.17.8" }
+console = "0.15"
 openssl = { version = "0.10", features = ["vendored"] }
-dirs = "5.0.0"
-regex = "1.5.5"
-crossterm = "0.26.0"
-rlimit = "0.9.1"
-ctrlc = "3.2.2"
-anyhow = "1.0.69"
-leaky-bucket = "0.12.1"
-gaoya = "0.1.2"
-self_update = { version = "0.36.0", features = [
+dirs = "5.0"
+regex = "1.10"
+crossterm = "0.27"
+rlimit = "0.10"
+ctrlc = "3.4"
+anyhow = "1.0"
+leaky-bucket = "1.1"
+gaoya = "0.2"
+# 0.37+ relies on the broken version of indicatif and forces
+# the broken version to be used regardless of the version
+# specified above 
+self_update = { version = "0.40", features = [
     "archive-tar",
     "compression-flate2",
     "archive-zip",
@@ -64,10 +67,10 @@ self_update = { version = "0.36.0", features = [
 ] }
 
 [dev-dependencies]
-tempfile = "3.3.0"
-httpmock = "0.6.6"
-assert_cmd = "2.0.4"
-predicates = "3.0.1"
+tempfile = "3.12"
+httpmock = "0.7"
+assert_cmd = "2.0"
+predicates = "3.1"
 
 [profile.release]
 lto = true

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.17.1 as build
+FROM alpine:3.17.1 AS build
 LABEL maintainer="wfnintr@null.net"
 
 RUN apk upgrade --update-cache --available && apk add --update openssl
@@ -9,7 +9,7 @@ RUN wget https://github.com/epi052/feroxbuster/releases/latest/download/x86_64-l
     && chmod +x /tmp/feroxbuster \
     && wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/raft-medium-directories.txt -O /tmp/raft-medium-directories.txt
 
-from alpine:3.17.1 as release
+FROM alpine:3.17.1 AS release
 COPY --from=build /tmp/raft-medium-directories.txt /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 COPY --from=build /tmp/feroxbuster /usr/local/bin/feroxbuster
 

Makefile.toml

@@ -2,6 +2,9 @@
 [tasks.upgrade]
 dependencies = ["upgrade-deps", "update"]
 
+[tasks.check]
+dependencies = ["fmt", "clippy", "test"]
+
 # cleaning
 [tasks.clean-state]
 script = """
@@ -11,7 +14,7 @@ rm ferox-*.state
 # dependency management
 [tasks.upgrade-deps]
 command = "cargo"
-args = ["upgrade", "--exclude", "indicatif"]
+args = ["upgrade", "--exclude", "self_update"]
 
 [tasks.update]
 command = "cargo"
@@ -24,9 +27,15 @@ script = """
 cargo clippy --all-targets --all-features -- -D warnings
 """
 
+[tasks.fmt]
+clear = true
+script = """
+cargo fmt --all
+"""
+
 # tests
 [tasks.test]
 clear = true
 script = """
-cargo nextest run --all-features --all-targets --retries 10
+cargo nextest run --all-features --all-targets --retries 4 --no-fail-fast
 """

README.md

@@ -97,8 +97,14 @@ sudo apt update && sudo apt install -y feroxbuster
 
 #### Linux (32 and 64-bit) & MacOS
 
+Install to a particular directory
 ```
-curl -sL https://raw.githubusercontent.com/epi052/feroxbuster/master/install-nix.sh | bash
+curl -sL https://raw.githubusercontent.com/epi052/feroxbuster/main/install-nix.sh | bash -s $HOME/.local/bin
+```
+
+Install to current working directory
+```
+curl -sL https://raw.githubusercontent.com/epi052/feroxbuster/main/install-nix.sh | bash
 ```
 
 #### MacOS via Homebrew 
@@ -115,6 +121,12 @@ Expand-Archive .\feroxbuster.zip
 .\feroxbuster\feroxbuster.exe -V
 ```
 
+#### Windows via Winget
+
+```
+winget install epi052.feroxbuster
+```
+
 #### Windows via Chocolatey
 
 ```
@@ -220,13 +232,13 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/wtwver"><img src="https://avatars.githubusercontent.com/u/53866088?v=4?s=100" width="100px;" alt="wtwver"/><br /><sub><b>wtwver</b></sub></a><br /><a href="#infra-wtwver" title="Infrastructure (Hosting, Build-Tools, etc)">🚇</a></td>
     </tr>
     <tr>
-      <td align="center" valign="top" width="14.28%"><a href="https://tib3rius.com"><img src="https://avatars.githubusercontent.com/u/48113936?v=4?s=100" width="100px;" alt="Tib3rius"/><br /><sub><b>Tib3rius</b></sub></a><br /><a href="https://github.com/epi052/feroxbuster/issues?q=author%3ATib3rius" title="Bug reports">🐛</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://tib3rius.com"><img src="https://avatars.githubusercontent.com/u/48113936?v=4?s=100" width="100px;" alt="Tib3rius"/><br /><sub><b>Tib3rius</b></sub></a><br /><a href="https://github.com/epi052/feroxbuster/issues?q=author%3ATib3rius" title="Bug reports">🐛</a> <a href="#ideas-Tib3rius" title="Ideas, Planning, & Feedback">🤔</a></td>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/0xdf"><img src="https://avatars.githubusercontent.com/u/1489045?v=4?s=100" width="100px;" alt="0xdf"/><br /><sub><b>0xdf</b></sub></a><br /><a href="https://github.com/epi052/feroxbuster/issues?q=author%3A0xdf" title="Bug reports">🐛</a></td>
       <td align="center" valign="top" width="14.28%"><a href="http://secure77.de"><img src="https://avatars.githubusercontent.com/u/31564517?v=4?s=100" width="100px;" alt="secure-77"/><br /><sub><b>secure-77</b></sub></a><br /><a href="https://github.com/epi052/feroxbuster/issues?q=author%3Asecure-77" title="Bug reports">🐛</a></td>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/sbrun"><img src="https://avatars.githubusercontent.com/u/7712154?v=4?s=100" width="100px;" alt="Sophie Brun"/><br /><sub><b>Sophie Brun</b></sub></a><br /><a href="#infra-sbrun" title="Infrastructure (Hosting, Build-Tools, etc)">🚇</a></td>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/black-A"><img src="https://avatars.githubusercontent.com/u/30686803?v=4?s=100" width="100px;" alt="black-A"/><br /><sub><b>black-A</b></sub></a><br /><a href="#ideas-black-A" title="Ideas, Planning, & Feedback">🤔</a></td>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/dinosn"><img src="https://avatars.githubusercontent.com/u/3851678?v=4?s=100" width="100px;" alt="Nicolas Krassas"/><br /><sub><b>Nicolas Krassas</b></sub></a><br /><a href="#ideas-dinosn" title="Ideas, Planning, & Feedback">🤔</a></td>
-      <td align="center" valign="top" width="14.28%"><a href="https://github.com/N0ur5"><img src="https://avatars.githubusercontent.com/u/24260009?v=4?s=100" width="100px;" alt="N0ur5"/><br /><sub><b>N0ur5</b></sub></a><br /><a href="#ideas-N0ur5" title="Ideas, Planning, & Feedback">🤔</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/N0ur5"><img src="https://avatars.githubusercontent.com/u/24260009?v=4?s=100" width="100px;" alt="N0ur5"/><br /><sub><b>N0ur5</b></sub></a><br /><a href="#ideas-N0ur5" title="Ideas, Planning, & Feedback">🤔</a> <a href="https://github.com/epi052/feroxbuster/issues?q=author%3AN0ur5" title="Bug reports">🐛</a></td>
     </tr>
     <tr>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/moscowchill"><img src="https://avatars.githubusercontent.com/u/72578879?v=4?s=100" width="100px;" alt="mchill"/><br /><sub><b>mchill</b></sub></a><br /><a href="https://github.com/epi052/feroxbuster/issues?q=author%3Amoscowchill" title="Bug reports">🐛</a></td>
@@ -241,7 +253,7 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/hunter0x8"><img src="https://avatars.githubusercontent.com/u/46222314?v=4?s=100" width="100px;" alt="Muhammad Ahsan"/><br /><sub><b>Muhammad Ahsan</b></sub></a><br /><a href="https://github.com/epi052/feroxbuster/issues?q=author%3Ahunter0x8" title="Bug reports">🐛</a></td>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/cortantief"><img src="https://avatars.githubusercontent.com/u/34527333?v=4?s=100" width="100px;" alt="cortantief"/><br /><sub><b>cortantief</b></sub></a><br /><a href="https://github.com/epi052/feroxbuster/issues?q=author%3Acortantief" title="Bug reports">🐛</a> <a href="https://github.com/epi052/feroxbuster/commits?author=cortantief" title="Code">💻</a></td>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/dsaxton"><img src="https://avatars.githubusercontent.com/u/2658661?v=4?s=100" width="100px;" alt="Daniel Saxton"/><br /><sub><b>Daniel Saxton</b></sub></a><br /><a href="#ideas-dsaxton" title="Ideas, Planning, & Feedback">🤔</a> <a href="https://github.com/epi052/feroxbuster/commits?author=dsaxton" title="Code">💻</a></td>
-      <td align="center" valign="top" width="14.28%"><a href="https://github.com/n0kovo"><img src="https://avatars.githubusercontent.com/u/16690056?v=4?s=100" width="100px;" alt="n0kovo"/><br /><sub><b>n0kovo</b></sub></a><br /><a href="#ideas-n0kovo" title="Ideas, Planning, & Feedback">🤔</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/n0kovo"><img src="https://avatars.githubusercontent.com/u/16690056?v=4?s=100" width="100px;" alt="n0kovo"/><br /><sub><b>n0kovo</b></sub></a><br /><a href="#ideas-n0kovo" title="Ideas, Planning, & Feedback">🤔</a> <a href="https://github.com/epi052/feroxbuster/issues?q=author%3An0kovo" title="Bug reports">🐛</a></td>
       <td align="center" valign="top" width="14.28%"><a href="https://ring0.lol"><img src="https://avatars.githubusercontent.com/u/1893909?v=4?s=100" width="100px;" alt="Justin Steven"/><br /><sub><b>Justin Steven</b></sub></a><br /><a href="#ideas-justinsteven" title="Ideas, Planning, & Feedback">🤔</a></td>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/7047payloads"><img src="https://avatars.githubusercontent.com/u/95562424?v=4?s=100" width="100px;" alt="7047payloads"/><br /><sub><b>7047payloads</b></sub></a><br /><a href="https://github.com/epi052/feroxbuster/commits?author=7047payloads" title="Code">💻</a></td>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/unkn0wnsyst3m"><img src="https://avatars.githubusercontent.com/u/21272239?v=4?s=100" width="100px;" alt="unkn0wnsyst3m"/><br /><sub><b>unkn0wnsyst3m</b></sub></a><br /><a href="#ideas-unkn0wnsyst3m" title="Ideas, Planning, & Feedback">🤔</a></td>
@@ -279,6 +291,49 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d
       <td align="center" valign="top" width="14.28%"><a href="https://petruknisme.com"><img src="https://avatars.githubusercontent.com/u/6284204?v=4?s=100" width="100px;" alt="Aan"/><br /><sub><b>Aan</b></sub></a><br /><a href="https://github.com/epi052/feroxbuster/commits?author=aancw" title="Code">💻</a> <a href="#infra-aancw" title="Infrastructure (Hosting, Build-Tools, etc)">🚇</a> <a href="#ideas-aancw" title="Ideas, Planning, & Feedback">🤔</a></td>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/imBigo"><img src="https://avatars.githubusercontent.com/u/54672433?v=4?s=100" width="100px;" alt="Simon"/><br /><sub><b>Simon</b></sub></a><br /><a href="https://github.com/epi052/feroxbuster/issues?q=author%3AimBigo" title="Bug reports">🐛</a></td>
       <td align="center" valign="top" width="14.28%"><a href="https://acut3.github.io/"><img src="https://avatars.githubusercontent.com/u/17295243?v=4?s=100" width="100px;" alt="Nicolas Christin"/><br /><sub><b>Nicolas Christin</b></sub></a><br /><a href="https://github.com/epi052/feroxbuster/issues?q=author%3Aacut3" title="Bug reports">🐛</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/DrorDvash"><img src="https://avatars.githubusercontent.com/u/8413651?v=4?s=100" width="100px;" alt="DrDv"/><br /><sub><b>DrDv</b></sub></a><br /><a href="https://github.com/epi052/feroxbuster/issues?q=author%3ADrorDvash" title="Bug reports">🐛</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/aroly"><img src="https://avatars.githubusercontent.com/u/1257705?v=4?s=100" width="100px;" alt="Antoine Roly"/><br /><sub><b>Antoine Roly</b></sub></a><br /><a href="#ideas-aroly" title="Ideas, Planning, & Feedback">🤔</a></td>
+    </tr>
+    <tr>
+      <td align="center" valign="top" width="14.28%"><a href="http://lavafroth.is-a.dev"><img src="https://avatars.githubusercontent.com/u/107522312?v=4?s=100" width="100px;" alt="Himadri Bhattacharjee"/><br /><sub><b>Himadri Bhattacharjee</b></sub></a><br /><a href="https://github.com/epi052/feroxbuster/commits?author=lavafroth" title="Code">💻</a> <a href="#ideas-lavafroth" title="Ideas, Planning, & Feedback">🤔</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/AkechiShiro"><img src="https://avatars.githubusercontent.com/u/14914796?v=4?s=100" width="100px;" alt="Samy Lahfa"/><br /><sub><b>Samy Lahfa</b></sub></a><br /><a href="#ideas-AkechiShiro" title="Ideas, Planning, & Feedback">🤔</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/sectroyer"><img src="https://avatars.githubusercontent.com/u/6706818?v=4?s=100" width="100px;" alt="sectroyer"/><br /><sub><b>sectroyer</b></sub></a><br /><a href="https://github.com/epi052/feroxbuster/issues?q=author%3Asectroyer" title="Bug reports">🐛</a> <a href="#ideas-sectroyer" title="Ideas, Planning, & Feedback">🤔</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://medium.com/@b3rm1nG"><img src="https://avatars.githubusercontent.com/u/19836003?v=4?s=100" width="100px;" alt="ktecv2000"/><br /><sub><b>ktecv2000</b></sub></a><br /><a href="https://github.com/epi052/feroxbuster/issues?q=author%3Aktecv2000" title="Bug reports">🐛</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="http://untrue.me"><img src="https://avatars.githubusercontent.com/u/56048157?v=4?s=100" width="100px;" alt="Andrea De Murtas"/><br /><sub><b>Andrea De Murtas</b></sub></a><br /><a href="https://github.com/epi052/feroxbuster/commits?author=andreademurtas" title="Code">💻</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/sawmj"><img src="https://avatars.githubusercontent.com/u/30024085?v=4?s=100" width="100px;" alt="sawmj"/><br /><sub><b>sawmj</b></sub></a><br /><a href="https://github.com/epi052/feroxbuster/issues?q=author%3Asawmj" title="Bug reports">🐛</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/devx00"><img src="https://avatars.githubusercontent.com/u/6897405?v=4?s=100" width="100px;" alt="Zach Hanson"/><br /><sub><b>Zach Hanson</b></sub></a><br /><a href="https://github.com/epi052/feroxbuster/issues?q=author%3Adevx00" title="Bug reports">🐛</a></td>
+    </tr>
+    <tr>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/ocervell"><img src="https://avatars.githubusercontent.com/u/9629314?v=4?s=100" width="100px;" alt="Olivier Cervello"/><br /><sub><b>Olivier Cervello</b></sub></a><br /><a href="#ideas-ocervell" title="Ideas, Planning, & Feedback">🤔</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/RavySena"><img src="https://avatars.githubusercontent.com/u/67729597?v=4?s=100" width="100px;" alt="RavySena"/><br /><sub><b>RavySena</b></sub></a><br /><a href="#ideas-RavySena" title="Ideas, Planning, & Feedback">🤔</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/stuhlmann"><img src="https://avatars.githubusercontent.com/u/11061864?v=4?s=100" width="100px;" alt="Florian Stuhlmann"/><br /><sub><b>Florian Stuhlmann</b></sub></a><br /><a href="https://github.com/epi052/feroxbuster/issues?q=author%3Astuhlmann" title="Bug reports">🐛</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/Mister7F"><img src="https://avatars.githubusercontent.com/u/35213773?v=4?s=100" width="100px;" alt="Mister7F"/><br /><sub><b>Mister7F</b></sub></a><br /><a href="#ideas-Mister7F" title="Ideas, Planning, & Feedback">🤔</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/manugramm"><img src="https://avatars.githubusercontent.com/u/145961515?v=4?s=100" width="100px;" alt="manugramm"/><br /><sub><b>manugramm</b></sub></a><br /><a href="https://github.com/epi052/feroxbuster/issues?q=author%3Amanugramm" title="Bug reports">🐛</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/ArthurMuraro"><img src="https://avatars.githubusercontent.com/u/73059809?v=4?s=100" width="100px;" alt="ArthurMuraro"/><br /><sub><b>ArthurMuraro</b></sub></a><br /><a href="https://github.com/epi052/feroxbuster/issues?q=author%3AArthurMuraro" title="Bug reports">🐛</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/amiremami"><img src="https://avatars.githubusercontent.com/u/15929497?v=4?s=100" width="100px;" alt="Shadow"/><br /><sub><b>Shadow</b></sub></a><br /><a href="https://github.com/epi052/feroxbuster/issues?q=author%3Aamiremami" title="Bug reports">🐛</a></td>
+    </tr>
+    <tr>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/dirhamgithub"><img src="https://avatars.githubusercontent.com/u/115349974?v=4?s=100" width="100px;" alt="dirhamgithub"/><br /><sub><b>dirhamgithub</b></sub></a><br /><a href="https://github.com/epi052/feroxbuster/issues?q=author%3Adirhamgithub" title="Bug reports">🐛</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/FieldOfRice"><img src="https://avatars.githubusercontent.com/u/85353?v=4?s=100" width="100px;" alt="FieldOfRice"/><br /><sub><b>FieldOfRice</b></sub></a><br /><a href="#infra-FieldOfRice" title="Infrastructure (Hosting, Build-Tools, etc)">🚇</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/NotoriousRebel"><img src="https://avatars.githubusercontent.com/u/36310667?v=4?s=100" width="100px;" alt="Matt"/><br /><sub><b>Matt</b></sub></a><br /><a href="#ideas-NotoriousRebel" title="Ideas, Planning, & Feedback">🤔</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/tritoke"><img src="https://avatars.githubusercontent.com/u/34941249?v=4?s=100" width="100px;" alt="Sam Leonard"/><br /><sub><b>Sam Leonard</b></sub></a><br /><a href="https://github.com/epi052/feroxbuster/commits?author=tritoke" title="Code">💻</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/rew1nter"><img src="https://avatars.githubusercontent.com/u/64508791?v=4?s=100" width="100px;" alt="Rewinter"/><br /><sub><b>Rewinter</b></sub></a><br /><a href="#ideas-rew1nter" title="Ideas, Planning, & Feedback">🤔</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/deadloot"><img src="https://avatars.githubusercontent.com/u/92878901?v=4?s=100" width="100px;" alt="deadloot"/><br /><sub><b>deadloot</b></sub></a><br /><a href="#ideas-deadloot" title="Ideas, Planning, & Feedback">🤔</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/Spidle"><img src="https://avatars.githubusercontent.com/u/90011249?v=4?s=100" width="100px;" alt="Spidle"/><br /><sub><b>Spidle</b></sub></a><br /><a href="#ideas-Spidle" title="Ideas, Planning, & Feedback">🤔</a></td>
+    </tr>
+    <tr>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/JulianGR"><img src="https://avatars.githubusercontent.com/u/53094530?v=4?s=100" width="100px;" alt="Julián Gómez"/><br /><sub><b>Julián Gómez</b></sub></a><br /><a href="#ideas-JulianGR" title="Ideas, Planning, & Feedback">🤔</a> <a href="#infra-JulianGR" title="Infrastructure (Hosting, Build-Tools, etc)">🚇</a> <a href="https://github.com/epi052/feroxbuster/commits?author=JulianGR" title="Documentation">📖</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/soutzis"><img src="https://avatars.githubusercontent.com/u/25797286?v=4?s=100" width="100px;" alt="Petros"/><br /><sub><b>Petros</b></sub></a><br /><a href="https://github.com/epi052/feroxbuster/issues?q=author%3Asoutzis" title="Bug reports">🐛</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/sitiom"><img src="https://avatars.githubusercontent.com/u/56180050?v=4?s=100" width="100px;" alt="Ryan"/><br /><sub><b>Ryan</b></sub></a><br /><a href="#infra-sitiom" title="Infrastructure (Hosting, Build-Tools, etc)">🚇</a> <a href="https://github.com/epi052/feroxbuster/commits?author=sitiom" title="Documentation">📖</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/wikamp-collaborator"><img src="https://avatars.githubusercontent.com/u/147445097?v=4?s=100" width="100px;" alt="wikamp-collaborator"/><br /><sub><b>wikamp-collaborator</b></sub></a><br /><a href="#ideas-wikamp-collaborator" title="Ideas, Planning, & Feedback">🤔</a> <a href="#infra-wikamp-collaborator" title="Infrastructure (Hosting, Build-Tools, etc)">🚇</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="http://lino.codes"><img src="https://avatars.githubusercontent.com/u/123986259?v=4?s=100" width="100px;" alt="Lino"/><br /><sub><b>Lino</b></sub></a><br /><a href="https://github.com/epi052/feroxbuster/issues?q=author%3AL1-0" title="Bug reports">🐛</a> <a href="#ideas-L1-0" title="Ideas, Planning, & Feedback">🤔</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://danthesalmon.com"><img src="https://avatars.githubusercontent.com/u/3712226?v=4?s=100" width="100px;" alt="Dan Salmon"/><br /><sub><b>Dan Salmon</b></sub></a><br /><a href="#ideas-sa7mon" title="Ideas, Planning, & Feedback">🤔</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/swordfish0x0"><img src="https://avatars.githubusercontent.com/u/21209130?v=4?s=100" width="100px;" alt="swordfish0x0"/><br /><sub><b>swordfish0x0</b></sub></a><br /><a href="#ideas-swordfish0x0" title="Ideas, Planning, & Feedback">🤔</a></td>
+    </tr>
+    <tr>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/libklein"><img src="https://avatars.githubusercontent.com/u/42714034?v=4?s=100" width="100px;" alt="Patrick Klein"/><br /><sub><b>Patrick Klein</b></sub></a><br /><a href="#ideas-libklein" title="Ideas, Planning, & Feedback">🤔</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/Raymond-JV"><img src="https://avatars.githubusercontent.com/u/23642921?v=4?s=100" width="100px;" alt="Raymond"/><br /><sub><b>Raymond</b></sub></a><br /><a href="#ideas-Raymond-JV" title="Ideas, Planning, & Feedback">🤔</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/zer0x64"><img src="https://avatars.githubusercontent.com/u/17575242?v=4?s=100" width="100px;" alt="zer0x64"/><br /><sub><b>zer0x64</b></sub></a><br /><a href="https://github.com/epi052/feroxbuster/commits?author=zer0x64" title="Code">💻</a></td>
     </tr>
   </tbody>
 </table>

build.rs

@@ -18,7 +18,7 @@ fn main() {
 
     generate_to(shells::Bash, &mut app, "feroxbuster", outdir).unwrap();
     generate_to(shells::Zsh, &mut app, "feroxbuster", outdir).unwrap();
-    generate_to(shells::Zsh, &mut app, "feroxbuster", outdir).unwrap();
+    generate_to(shells::Fish, &mut app, "feroxbuster", outdir).unwrap();
     generate_to(shells::PowerShell, &mut app, "feroxbuster", outdir).unwrap();
     generate_to(shells::Elvish, &mut app, "feroxbuster", outdir).unwrap();
 

ferox-config.toml.example

@@ -45,6 +45,7 @@
 # dont_filter = true
 # extract_links = true
 # depth = 1
+# limit_bars = 3
 # force_recursion = true
 # filter_size = [5174]
 # filter_regex = ["^ignore me$"]
@@ -54,6 +55,12 @@
 # queries = [["name","value"], ["rick", "astley"]]
 # save_state = false
 # time_limit = "10m"
+# server_certs = ["/some/cert.pem", "/some/other/cert.pem"]
+# client_cert = "/some/client/cert.pem"
+# client_key = "/some/client/key.pem"
+# request_file = "/some/raw/request/file"
+# protocol = "http"
+# scan_dir_listings = true
 
 # headers can be specified on multiple lines or as an inline table
 #
@@ -64,6 +71,7 @@
 #   note: if multi-line is used, all key/value pairs under it belong to the headers table until the next table
 #         is found or the end of the file is reached
 #
+# If you want to use [headers], UNCOMMENT the line below
 # [headers]
 # stuff = "things"
 # more = "headers"

install-nix.sh

@@ -13,13 +13,13 @@ LIN64_URL="$BASE_URL/$LIN64_ZIP"
 
 EMOJI_URL=https://gist.github.com/epi052/8196b550ea51d0907ad4b93751b1b57d/raw/6112c9f32ae07922983fdc549c54fd3fb9a38e4c/NotoColorEmoji.ttf
 
-echo "[+] Installing feroxbuster!"
+INSTALL_DIR="${1:-$(pwd)}"
+
+echo "[+] Installing feroxbuster to ${INSTALL_DIR}!"
 
 which unzip &>/dev/null
-if [ "$?" = "0" ]; then
-  echo "[+] unzip found"
-else
-  echo "[ ] unzip not found, exiting. "
+if [ "$?" != "0" ]; then
+  echo "[!] unzip not found, exiting. "
   exit -1
 fi
 
@@ -27,24 +27,24 @@ if [[ "$(uname)" == "Darwin" ]]; then
   echo "[=] Found MacOS, downloading from $MAC_URL"
 
   curl -sLO "$MAC_URL"
-  unzip -o "$MAC_ZIP" >/dev/null
+  unzip -o "$MAC_ZIP" -d "${INSTALL_DIR}" >/dev/null
   rm "$MAC_ZIP"
 elif [[ "$(expr substr $(uname -s) 1 5)" == "Linux" ]]; then
   if [[ $(getconf LONG_BIT) == 32 ]]; then
     echo "[=] Found 32-bit Linux, downloading from $LIN32_URL"
 
     curl -sLO "$LIN32_URL"
-    unzip -o "$LIN32_ZIP" >/dev/null
+    unzip -o "$LIN32_ZIP" -d "${INSTALL_DIR}" >/dev/null
     rm "$LIN32_ZIP"
   else
     echo "[=] Found 64-bit Linux, downloading from $LIN64_URL"
 
     curl -sLO "$LIN64_URL"
-    unzip -o "$LIN64_ZIP" >/dev/null
+    unzip -o "$LIN64_ZIP" -d "${INSTALL_DIR}" >/dev/null
     rm "$LIN64_ZIP"
   fi
 
-  if [[ -e ~/.fonts/NotoColorEmoji.ttf ]]; then
+  if [[ "$(fc-list NotoColorEmoji | wc -l)" -gt 0 ]]; then
     echo "[=] Found Noto Emoji Font, skipping install"
   else
     echo "[=] Installing Noto Emoji Font"
@@ -60,6 +60,8 @@ elif [[ "$(expr substr $(uname -s) 1 5)" == "Linux" ]]; then
   fi
 fi
 
-chmod +x ./feroxbuster
+chmod +x "${INSTALL_DIR}/feroxbuster"
 
-echo "[+] Installed feroxbuster version $(./feroxbuster -V)"
+echo "[+] Installed feroxbuster"
+echo "  [-] path: ${INSTALL_DIR}/feroxbuster"
+echo "  [-] version: $(${INSTALL_DIR}/feroxbuster -V | awk '{print $2}')"

shell_completions/_feroxbuster

@@ -14,66 +14,74 @@ _feroxbuster() {
     fi
 
     local context curcontext="$curcontext" state line
-    _arguments "${_arguments_options[@]}" \
-'-u+[The target URL (required, unless \[--stdin || --resume-from\] used)]:URL:_urls' \
-'--url=[The target URL (required, unless \[--stdin || --resume-from\] used)]:URL:_urls' \
+    _arguments "${_arguments_options[@]}" : \
+'-u+[The target URL (required, unless \[--stdin || --resume-from || --request-file\] used)]:URL:_urls' \
+'--url=[The target URL (required, unless \[--stdin || --resume-from || --request-file\] used)]:URL:_urls' \
 '(-u --url)--resume-from=[State file from which to resume a partially complete scan (ex. --resume-from ferox-1606586780.state)]:STATE_FILE:_files' \
-'-p+[Proxy to use for requests (ex: http(s)://host:port, socks5(h)://host:port)]:PROXY:_urls' \
-'--proxy=[Proxy to use for requests (ex: http(s)://host:port, socks5(h)://host:port)]:PROXY:_urls' \
+'(-u --url)--request-file=[Raw HTTP request file to use as a template for all requests]:REQUEST_FILE:_files' \
+'-p+[Proxy to use for requests (ex\: http(s)\://host\:port, socks5(h)\://host\:port)]:PROXY:_urls' \
+'--proxy=[Proxy to use for requests (ex\: http(s)\://host\:port, socks5(h)\://host\:port)]:PROXY:_urls' \
 '-P+[Send only unfiltered requests through a Replay Proxy, instead of all requests]:REPLAY_PROXY:_urls' \
 '--replay-proxy=[Send only unfiltered requests through a Replay Proxy, instead of all requests]:REPLAY_PROXY:_urls' \
-'*-R+[Status Codes to send through a Replay Proxy when found (default: --status-codes value)]:REPLAY_CODE: ' \
-'*--replay-codes=[Status Codes to send through a Replay Proxy when found (default: --status-codes value)]:REPLAY_CODE: ' \
-'-a+[Sets the User-Agent (default: feroxbuster/2.9.3)]:USER_AGENT: ' \
-'--user-agent=[Sets the User-Agent (default: feroxbuster/2.9.3)]:USER_AGENT: ' \
-'*-x+[File extension(s) to search for (ex: -x php -x pdf js)]:FILE_EXTENSION: ' \
-'*--extensions=[File extension(s) to search for (ex: -x php -x pdf js)]:FILE_EXTENSION: ' \
-'*-m+[Which HTTP request method(s) should be sent (default: GET)]:HTTP_METHODS: ' \
-'*--methods=[Which HTTP request method(s) should be sent (default: GET)]:HTTP_METHODS: ' \
-'--data=[Request'\''s Body; can read data from a file if input starts with an @ (ex: @post.bin)]:DATA: ' \
-'*-H+[Specify HTTP headers to be used in each request (ex: -H Header:val -H '\''stuff: things'\'')]:HEADER: ' \
-'*--headers=[Specify HTTP headers to be used in each request (ex: -H Header:val -H '\''stuff: things'\'')]:HEADER: ' \
-'*-b+[Specify HTTP cookies to be used in each request (ex: -b stuff=things)]:COOKIE: ' \
-'*--cookies=[Specify HTTP cookies to be used in each request (ex: -b stuff=things)]:COOKIE: ' \
-'*-Q+[Request'\''s URL query parameters (ex: -Q token=stuff -Q secret=key)]:QUERY: ' \
-'*--query=[Request'\''s URL query parameters (ex: -Q token=stuff -Q secret=key)]:QUERY: ' \
+'*-R+[Status Codes to send through a Replay Proxy when found (default\: --status-codes value)]:REPLAY_CODE: ' \
+'*--replay-codes=[Status Codes to send through a Replay Proxy when found (default\: --status-codes value)]:REPLAY_CODE: ' \
+'-a+[Sets the User-Agent (default\: feroxbuster/2.11.0)]:USER_AGENT: ' \
+'--user-agent=[Sets the User-Agent (default\: feroxbuster/2.11.0)]:USER_AGENT: ' \
+'*-x+[File extension(s) to search for (ex\: -x php -x pdf js); reads values (newline-separated) from file if input starts with an @ (ex\: @ext.txt)]:FILE_EXTENSION: ' \
+'*--extensions=[File extension(s) to search for (ex\: -x php -x pdf js); reads values (newline-separated) from file if input starts with an @ (ex\: @ext.txt)]:FILE_EXTENSION: ' \
+'*-m+[Which HTTP request method(s) should be sent (default\: GET)]:HTTP_METHODS: ' \
+'*--methods=[Which HTTP request method(s) should be sent (default\: GET)]:HTTP_METHODS: ' \
+'--data=[Request'\''s Body; can read data from a file if input starts with an @ (ex\: @post.bin)]:DATA: ' \
+'*-H+[Specify HTTP headers to be used in each request (ex\: -H Header\:val -H '\''stuff\: things'\'')]:HEADER: ' \
+'*--headers=[Specify HTTP headers to be used in each request (ex\: -H Header\:val -H '\''stuff\: things'\'')]:HEADER: ' \
+'*-b+[Specify HTTP cookies to be used in each request (ex\: -b stuff=things)]:COOKIE: ' \
+'*--cookies=[Specify HTTP cookies to be used in each request (ex\: -b stuff=things)]:COOKIE: ' \
+'*-Q+[Request'\''s URL query parameters (ex\: -Q token=stuff -Q secret=key)]:QUERY: ' \
+'*--query=[Request'\''s URL query parameters (ex\: -Q token=stuff -Q secret=key)]:QUERY: ' \
+'--protocol=[Specify the protocol to use when targeting via --request-file or --url with domain only (default\: https)]:PROTOCOL: ' \
 '*--dont-scan=[URL(s) or Regex Pattern(s) to exclude from recursion/scans]:URL: ' \
-'*-S+[Filter out messages of a particular size (ex: -S 5120 -S 4927,1970)]:SIZE: ' \
-'*--filter-size=[Filter out messages of a particular size (ex: -S 5120 -S 4927,1970)]:SIZE: ' \
-'*-X+[Filter out messages via regular expression matching on the response'\''s body (ex: -X '\''^ignore me$'\'')]:REGEX: ' \
-'*--filter-regex=[Filter out messages via regular expression matching on the response'\''s body (ex: -X '\''^ignore me$'\'')]:REGEX: ' \
-'*-W+[Filter out messages of a particular word count (ex: -W 312 -W 91,82)]:WORDS: ' \
-'*--filter-words=[Filter out messages of a particular word count (ex: -W 312 -W 91,82)]:WORDS: ' \
-'*-N+[Filter out messages of a particular line count (ex: -N 20 -N 31,30)]:LINES: ' \
-'*--filter-lines=[Filter out messages of a particular line count (ex: -N 20 -N 31,30)]:LINES: ' \
-'(-s --status-codes)*-C+[Filter out status codes (deny list) (ex: -C 200 -C 401)]:STATUS_CODE: ' \
-'(-s --status-codes)*--filter-status=[Filter out status codes (deny list) (ex: -C 200 -C 401)]:STATUS_CODE: ' \
-'*--filter-similar-to=[Filter out pages that are similar to the given page (ex. --filter-similar-to http://site.xyz/soft404)]:UNWANTED_PAGE:_urls' \
-'*-s+[Status Codes to include (allow list) (default: All Status Codes)]:STATUS_CODE: ' \
-'*--status-codes=[Status Codes to include (allow list) (default: All Status Codes)]:STATUS_CODE: ' \
-'-T+[Number of seconds before a client'\''s request times out (default: 7)]:SECONDS: ' \
-'--timeout=[Number of seconds before a client'\''s request times out (default: 7)]:SECONDS: ' \
-'-t+[Number of concurrent threads (default: 50)]:THREADS: ' \
-'--threads=[Number of concurrent threads (default: 50)]:THREADS: ' \
-'-d+[Maximum recursion depth, a depth of 0 is infinite recursion (default: 4)]:RECURSION_DEPTH: ' \
-'--depth=[Maximum recursion depth, a depth of 0 is infinite recursion (default: 4)]:RECURSION_DEPTH: ' \
-'-L+[Limit total number of concurrent scans (default: 0, i.e. no limit)]:SCAN_LIMIT: ' \
-'--scan-limit=[Limit total number of concurrent scans (default: 0, i.e. no limit)]:SCAN_LIMIT: ' \
-'--parallel=[Run parallel feroxbuster instances (one child process per url passed via stdin)]:PARALLEL_SCANS: ' \
-'(--auto-tune)--rate-limit=[Limit number of requests per second (per directory) (default: 0, i.e. no limit)]:RATE_LIMIT: ' \
-'--time-limit=[Limit total run time of all scans (ex: --time-limit 10m)]:TIME_SPEC: ' \
+'*-S+[Filter out messages of a particular size (ex\: -S 5120 -S 4927,1970)]:SIZE: ' \
+'*--filter-size=[Filter out messages of a particular size (ex\: -S 5120 -S 4927,1970)]:SIZE: ' \
+'*-X+[Filter out messages via regular expression matching on the response'\''s body/headers (ex\: -X '\''^ignore me\$'\'')]:REGEX: ' \
+'*--filter-regex=[Filter out messages via regular expression matching on the response'\''s body/headers (ex\: -X '\''^ignore me\$'\'')]:REGEX: ' \
+'*-W+[Filter out messages of a particular word count (ex\: -W 312 -W 91,82)]:WORDS: ' \
+'*--filter-words=[Filter out messages of a particular word count (ex\: -W 312 -W 91,82)]:WORDS: ' \
+'*-N+[Filter out messages of a particular line count (ex\: -N 20 -N 31,30)]:LINES: ' \
+'*--filter-lines=[Filter out messages of a particular line count (ex\: -N 20 -N 31,30)]:LINES: ' \
+'(-s --status-codes)*-C+[Filter out status codes (deny list) (ex\: -C 200 -C 401)]:STATUS_CODE: ' \
+'(-s --status-codes)*--filter-status=[Filter out status codes (deny list) (ex\: -C 200 -C 401)]:STATUS_CODE: ' \
+'*--filter-similar-to=[Filter out pages that are similar to the given page (ex. --filter-similar-to http\://site.xyz/soft404)]:UNWANTED_PAGE:_urls' \
+'*-s+[Status Codes to include (allow list) (default\: All Status Codes)]:STATUS_CODE: ' \
+'*--status-codes=[Status Codes to include (allow list) (default\: All Status Codes)]:STATUS_CODE: ' \
+'-T+[Number of seconds before a client'\''s request times out (default\: 7)]:SECONDS: ' \
+'--timeout=[Number of seconds before a client'\''s request times out (default\: 7)]:SECONDS: ' \
+'--server-certs=[Add custom root certificate(s) for servers with unknown certificates]:PEM|DER:_files' \
+'--client-cert=[Add a PEM encoded certificate for mutual authentication (mTLS)]:PEM:_files' \
+'--client-key=[Add a PEM encoded private key for mutual authentication (mTLS)]:PEM:_files' \
+'-t+[Number of concurrent threads (default\: 50)]:THREADS: ' \
+'--threads=[Number of concurrent threads (default\: 50)]:THREADS: ' \
+'-d+[Maximum recursion depth, a depth of 0 is infinite recursion (default\: 4)]:RECURSION_DEPTH: ' \
+'--depth=[Maximum recursion depth, a depth of 0 is infinite recursion (default\: 4)]:RECURSION_DEPTH: ' \
+'-L+[Limit total number of concurrent scans (default\: 0, i.e. no limit)]:SCAN_LIMIT: ' \
+'--scan-limit=[Limit total number of concurrent scans (default\: 0, i.e. no limit)]:SCAN_LIMIT: ' \
+'(-v --verbosity -u --url)--parallel=[Run parallel feroxbuster instances (one child process per url passed via stdin)]:PARALLEL_SCANS: ' \
+'(--auto-tune)--rate-limit=[Limit number of requests per second (per directory) (default\: 0, i.e. no limit)]:RATE_LIMIT: ' \
+'--time-limit=[Limit total run time of all scans (ex\: --time-limit 10m)]:TIME_SPEC: ' \
 '-w+[Path or URL of the wordlist]:FILE:_files' \
 '--wordlist=[Path or URL of the wordlist]:FILE:_files' \
+'-B+[Automatically request likely backup extensions for "found" urls (default\: ~, .bak, .bak2, .old, .1)]' \
+'--collect-backups=[Automatically request likely backup extensions for "found" urls (default\: ~, .bak, .bak2, .old, .1)]' \
 '*-I+[File extension(s) to Ignore while collecting extensions (only used with --collect-extensions)]:FILE_EXTENSION: ' \
 '*--dont-collect=[File extension(s) to Ignore while collecting extensions (only used with --collect-extensions)]:FILE_EXTENSION: ' \
 '-o+[Output file to write results to (use w/ --json for JSON entries)]:FILE:_files' \
 '--output=[Output file to write results to (use w/ --json for JSON entries)]:FILE:_files' \
 '--debug-log=[Output file to write log entries (use w/ --json for JSON entries)]:FILE:_files' \
+'--limit-bars=[Number of directory scan bars to show at any given time (default\: no limit)]:NUM_BARS_TO_SHOW: ' \
 '(-u --url)--stdin[Read url(s) from STDIN]' \
-'(-p --proxy -k --insecure --burp-replay)--burp[Set --proxy to http://127.0.0.1:8080 and set --insecure to true]' \
-'(-P --replay-proxy -k --insecure)--burp-replay[Set --replay-proxy to http://127.0.0.1:8080 and set --insecure to true]' \
+'(-p --proxy -k --insecure --burp-replay)--burp[Set --proxy to http\://127.0.0.1\:8080 and set --insecure to true]' \
+'(-P --replay-proxy -k --insecure)--burp-replay[Set --replay-proxy to http\://127.0.0.1\:8080 and set --insecure to true]' \
 '(--rate-limit --auto-bail)--smart[Set --auto-tune, --collect-words, and --collect-backups to true]' \
-'(--rate-limit --auto-bail)--thorough[Use the same settings as --smart and set --collect-extensions to true]' \
+'(--rate-limit --auto-bail)--thorough[Use the same settings as --smart and set --collect-extensions and --scan-dir-listings to true]' \
 '-A[Use a random User-Agent]' \
 '--random-agent[Use a random User-Agent]' \
 '-f[Append / to each request'\''s URL]' \
@@ -85,8 +93,8 @@ _feroxbuster() {
 '-n[Do not scan recursively]' \
 '--no-recursion[Do not scan recursively]' \
 '(-n --no-recursion)--force-recursion[Force recursion attempts on all '\''found'\'' endpoints (still respects recursion depth)]' \
-'-e[Extract links from response body (html, javascript, etc...); make new requests based on findings (default: true)]' \
-'--extract-links[Extract links from response body (html, javascript, etc...); make new requests based on findings (default: true)]' \
+'-e[Extract links from response body (html, javascript, etc...); make new requests based on findings (default\: true)]' \
+'--extract-links[Extract links from response body (html, javascript, etc...); make new requests based on findings (default\: true)]' \
 '--dont-extract-links[Don'\''t extract links from response body (html, javascript, etc...)]' \
 '(--auto-bail)--auto-tune[Automatically lower scan rate when an excessive amount of errors are encountered]' \
 '--auto-bail[Automatically stop scanning when an excessive amount of errors are encountered]' \
@@ -94,13 +102,12 @@ _feroxbuster() {
 '--dont-filter[Don'\''t auto-filter wildcard responses]' \
 '-E[Automatically discover extensions and add them to --extensions (unless they'\''re in --dont-collect)]' \
 '--collect-extensions[Automatically discover extensions and add them to --extensions (unless they'\''re in --dont-collect)]' \
-'-B[Automatically request likely backup extensions for "found" urls]' \
-'--collect-backups[Automatically request likely backup extensions for "found" urls]' \
 '-g[Automatically discover important words from within responses and add them to the wordlist]' \
 '--collect-words[Automatically discover important words from within responses and add them to the wordlist]' \
+'--scan-dir-listings[Force scans to recurse into directory listings]' \
 '(--silent)*-v[Increase verbosity level (use -vv or more for greater effect. \[CAUTION\] 4 -v'\''s is probably too much)]' \
 '(--silent)*--verbosity[Increase verbosity level (use -vv or more for greater effect. \[CAUTION\] 4 -v'\''s is probably too much)]' \
-'(-q --quiet)--silent[Only print URLs + turn off logging (good for piping a list of urls to other commands)]' \
+'(-q --quiet)--silent[Only print URLs (or JSON w/ --json) + turn off logging (good for piping a list of urls to other commands)]' \
 '-q[Hide progress bars and banner (good for tmux windows w/ notifications)]' \
 '--quiet[Hide progress bars and banner (good for tmux windows w/ notifications)]' \
 '--json[Emit JSON logs to --output and --debug-log instead of normal text]' \

shell_completions/_feroxbuster.ps1

@@ -21,102 +21,109 @@ Register-ArgumentCompleter -Native -CommandName 'feroxbuster' -ScriptBlock {
 
     $completions = @(switch ($command) {
         'feroxbuster' {
-            [CompletionResult]::new('-u', 'u', [CompletionResultType]::ParameterName, 'The target URL (required, unless [--stdin || --resume-from] used)')
-            [CompletionResult]::new('--url', 'url', [CompletionResultType]::ParameterName, 'The target URL (required, unless [--stdin || --resume-from] used)')
-            [CompletionResult]::new('--resume-from', 'resume-from', [CompletionResultType]::ParameterName, 'State file from which to resume a partially complete scan (ex. --resume-from ferox-1606586780.state)')
-            [CompletionResult]::new('-p', 'p', [CompletionResultType]::ParameterName, 'Proxy to use for requests (ex: http(s)://host:port, socks5(h)://host:port)')
-            [CompletionResult]::new('--proxy', 'proxy', [CompletionResultType]::ParameterName, 'Proxy to use for requests (ex: http(s)://host:port, socks5(h)://host:port)')
-            [CompletionResult]::new('-P', 'P', [CompletionResultType]::ParameterName, 'Send only unfiltered requests through a Replay Proxy, instead of all requests')
-            [CompletionResult]::new('--replay-proxy', 'replay-proxy', [CompletionResultType]::ParameterName, 'Send only unfiltered requests through a Replay Proxy, instead of all requests')
-            [CompletionResult]::new('-R', 'R', [CompletionResultType]::ParameterName, 'Status Codes to send through a Replay Proxy when found (default: --status-codes value)')
-            [CompletionResult]::new('--replay-codes', 'replay-codes', [CompletionResultType]::ParameterName, 'Status Codes to send through a Replay Proxy when found (default: --status-codes value)')
-            [CompletionResult]::new('-a', 'a', [CompletionResultType]::ParameterName, 'Sets the User-Agent (default: feroxbuster/2.9.3)')
-            [CompletionResult]::new('--user-agent', 'user-agent', [CompletionResultType]::ParameterName, 'Sets the User-Agent (default: feroxbuster/2.9.3)')
-            [CompletionResult]::new('-x', 'x', [CompletionResultType]::ParameterName, 'File extension(s) to search for (ex: -x php -x pdf js)')
-            [CompletionResult]::new('--extensions', 'extensions', [CompletionResultType]::ParameterName, 'File extension(s) to search for (ex: -x php -x pdf js)')
-            [CompletionResult]::new('-m', 'm', [CompletionResultType]::ParameterName, 'Which HTTP request method(s) should be sent (default: GET)')
-            [CompletionResult]::new('--methods', 'methods', [CompletionResultType]::ParameterName, 'Which HTTP request method(s) should be sent (default: GET)')
-            [CompletionResult]::new('--data', 'data', [CompletionResultType]::ParameterName, 'Request''s Body; can read data from a file if input starts with an @ (ex: @post.bin)')
-            [CompletionResult]::new('-H', 'H', [CompletionResultType]::ParameterName, 'Specify HTTP headers to be used in each request (ex: -H Header:val -H ''stuff: things'')')
-            [CompletionResult]::new('--headers', 'headers', [CompletionResultType]::ParameterName, 'Specify HTTP headers to be used in each request (ex: -H Header:val -H ''stuff: things'')')
-            [CompletionResult]::new('-b', 'b', [CompletionResultType]::ParameterName, 'Specify HTTP cookies to be used in each request (ex: -b stuff=things)')
-            [CompletionResult]::new('--cookies', 'cookies', [CompletionResultType]::ParameterName, 'Specify HTTP cookies to be used in each request (ex: -b stuff=things)')
-            [CompletionResult]::new('-Q', 'Q', [CompletionResultType]::ParameterName, 'Request''s URL query parameters (ex: -Q token=stuff -Q secret=key)')
-            [CompletionResult]::new('--query', 'query', [CompletionResultType]::ParameterName, 'Request''s URL query parameters (ex: -Q token=stuff -Q secret=key)')
-            [CompletionResult]::new('--dont-scan', 'dont-scan', [CompletionResultType]::ParameterName, 'URL(s) or Regex Pattern(s) to exclude from recursion/scans')
-            [CompletionResult]::new('-S', 'S', [CompletionResultType]::ParameterName, 'Filter out messages of a particular size (ex: -S 5120 -S 4927,1970)')
-            [CompletionResult]::new('--filter-size', 'filter-size', [CompletionResultType]::ParameterName, 'Filter out messages of a particular size (ex: -S 5120 -S 4927,1970)')
-            [CompletionResult]::new('-X', 'X', [CompletionResultType]::ParameterName, 'Filter out messages via regular expression matching on the response''s body (ex: -X ''^ignore me$'')')
-            [CompletionResult]::new('--filter-regex', 'filter-regex', [CompletionResultType]::ParameterName, 'Filter out messages via regular expression matching on the response''s body (ex: -X ''^ignore me$'')')
-            [CompletionResult]::new('-W', 'W', [CompletionResultType]::ParameterName, 'Filter out messages of a particular word count (ex: -W 312 -W 91,82)')
-            [CompletionResult]::new('--filter-words', 'filter-words', [CompletionResultType]::ParameterName, 'Filter out messages of a particular word count (ex: -W 312 -W 91,82)')
-            [CompletionResult]::new('-N', 'N', [CompletionResultType]::ParameterName, 'Filter out messages of a particular line count (ex: -N 20 -N 31,30)')
-            [CompletionResult]::new('--filter-lines', 'filter-lines', [CompletionResultType]::ParameterName, 'Filter out messages of a particular line count (ex: -N 20 -N 31,30)')
-            [CompletionResult]::new('-C', 'C', [CompletionResultType]::ParameterName, 'Filter out status codes (deny list) (ex: -C 200 -C 401)')
-            [CompletionResult]::new('--filter-status', 'filter-status', [CompletionResultType]::ParameterName, 'Filter out status codes (deny list) (ex: -C 200 -C 401)')
-            [CompletionResult]::new('--filter-similar-to', 'filter-similar-to', [CompletionResultType]::ParameterName, 'Filter out pages that are similar to the given page (ex. --filter-similar-to http://site.xyz/soft404)')
-            [CompletionResult]::new('-s', 's', [CompletionResultType]::ParameterName, 'Status Codes to include (allow list) (default: All Status Codes)')
-            [CompletionResult]::new('--status-codes', 'status-codes', [CompletionResultType]::ParameterName, 'Status Codes to include (allow list) (default: All Status Codes)')
-            [CompletionResult]::new('-T', 'T', [CompletionResultType]::ParameterName, 'Number of seconds before a client''s request times out (default: 7)')
-            [CompletionResult]::new('--timeout', 'timeout', [CompletionResultType]::ParameterName, 'Number of seconds before a client''s request times out (default: 7)')
-            [CompletionResult]::new('-t', 't', [CompletionResultType]::ParameterName, 'Number of concurrent threads (default: 50)')
-            [CompletionResult]::new('--threads', 'threads', [CompletionResultType]::ParameterName, 'Number of concurrent threads (default: 50)')
-            [CompletionResult]::new('-d', 'd', [CompletionResultType]::ParameterName, 'Maximum recursion depth, a depth of 0 is infinite recursion (default: 4)')
-            [CompletionResult]::new('--depth', 'depth', [CompletionResultType]::ParameterName, 'Maximum recursion depth, a depth of 0 is infinite recursion (default: 4)')
-            [CompletionResult]::new('-L', 'L', [CompletionResultType]::ParameterName, 'Limit total number of concurrent scans (default: 0, i.e. no limit)')
-            [CompletionResult]::new('--scan-limit', 'scan-limit', [CompletionResultType]::ParameterName, 'Limit total number of concurrent scans (default: 0, i.e. no limit)')
-            [CompletionResult]::new('--parallel', 'parallel', [CompletionResultType]::ParameterName, 'Run parallel feroxbuster instances (one child process per url passed via stdin)')
-            [CompletionResult]::new('--rate-limit', 'rate-limit', [CompletionResultType]::ParameterName, 'Limit number of requests per second (per directory) (default: 0, i.e. no limit)')
-            [CompletionResult]::new('--time-limit', 'time-limit', [CompletionResultType]::ParameterName, 'Limit total run time of all scans (ex: --time-limit 10m)')
-            [CompletionResult]::new('-w', 'w', [CompletionResultType]::ParameterName, 'Path or URL of the wordlist')
-            [CompletionResult]::new('--wordlist', 'wordlist', [CompletionResultType]::ParameterName, 'Path or URL of the wordlist')
-            [CompletionResult]::new('-I', 'I', [CompletionResultType]::ParameterName, 'File extension(s) to Ignore while collecting extensions (only used with --collect-extensions)')
-            [CompletionResult]::new('--dont-collect', 'dont-collect', [CompletionResultType]::ParameterName, 'File extension(s) to Ignore while collecting extensions (only used with --collect-extensions)')
-            [CompletionResult]::new('-o', 'o', [CompletionResultType]::ParameterName, 'Output file to write results to (use w/ --json for JSON entries)')
-            [CompletionResult]::new('--output', 'output', [CompletionResultType]::ParameterName, 'Output file to write results to (use w/ --json for JSON entries)')
-            [CompletionResult]::new('--debug-log', 'debug-log', [CompletionResultType]::ParameterName, 'Output file to write log entries (use w/ --json for JSON entries)')
-            [CompletionResult]::new('--stdin', 'stdin', [CompletionResultType]::ParameterName, 'Read url(s) from STDIN')
-            [CompletionResult]::new('--burp', 'burp', [CompletionResultType]::ParameterName, 'Set --proxy to http://127.0.0.1:8080 and set --insecure to true')
-            [CompletionResult]::new('--burp-replay', 'burp-replay', [CompletionResultType]::ParameterName, 'Set --replay-proxy to http://127.0.0.1:8080 and set --insecure to true')
-            [CompletionResult]::new('--smart', 'smart', [CompletionResultType]::ParameterName, 'Set --auto-tune, --collect-words, and --collect-backups to true')
-            [CompletionResult]::new('--thorough', 'thorough', [CompletionResultType]::ParameterName, 'Use the same settings as --smart and set --collect-extensions to true')
-            [CompletionResult]::new('-A', 'A', [CompletionResultType]::ParameterName, 'Use a random User-Agent')
-            [CompletionResult]::new('--random-agent', 'random-agent', [CompletionResultType]::ParameterName, 'Use a random User-Agent')
-            [CompletionResult]::new('-f', 'f', [CompletionResultType]::ParameterName, 'Append / to each request''s URL')
-            [CompletionResult]::new('--add-slash', 'add-slash', [CompletionResultType]::ParameterName, 'Append / to each request''s URL')
-            [CompletionResult]::new('-r', 'r', [CompletionResultType]::ParameterName, 'Allow client to follow redirects')
-            [CompletionResult]::new('--redirects', 'redirects', [CompletionResultType]::ParameterName, 'Allow client to follow redirects')
-            [CompletionResult]::new('-k', 'k', [CompletionResultType]::ParameterName, 'Disables TLS certificate validation in the client')
-            [CompletionResult]::new('--insecure', 'insecure', [CompletionResultType]::ParameterName, 'Disables TLS certificate validation in the client')
-            [CompletionResult]::new('-n', 'n', [CompletionResultType]::ParameterName, 'Do not scan recursively')
-            [CompletionResult]::new('--no-recursion', 'no-recursion', [CompletionResultType]::ParameterName, 'Do not scan recursively')
-            [CompletionResult]::new('--force-recursion', 'force-recursion', [CompletionResultType]::ParameterName, 'Force recursion attempts on all ''found'' endpoints (still respects recursion depth)')
-            [CompletionResult]::new('-e', 'e', [CompletionResultType]::ParameterName, 'Extract links from response body (html, javascript, etc...); make new requests based on findings (default: true)')
-            [CompletionResult]::new('--extract-links', 'extract-links', [CompletionResultType]::ParameterName, 'Extract links from response body (html, javascript, etc...); make new requests based on findings (default: true)')
-            [CompletionResult]::new('--dont-extract-links', 'dont-extract-links', [CompletionResultType]::ParameterName, 'Don''t extract links from response body (html, javascript, etc...)')
-            [CompletionResult]::new('--auto-tune', 'auto-tune', [CompletionResultType]::ParameterName, 'Automatically lower scan rate when an excessive amount of errors are encountered')
-            [CompletionResult]::new('--auto-bail', 'auto-bail', [CompletionResultType]::ParameterName, 'Automatically stop scanning when an excessive amount of errors are encountered')
-            [CompletionResult]::new('-D', 'D', [CompletionResultType]::ParameterName, 'Don''t auto-filter wildcard responses')
-            [CompletionResult]::new('--dont-filter', 'dont-filter', [CompletionResultType]::ParameterName, 'Don''t auto-filter wildcard responses')
-            [CompletionResult]::new('-E', 'E', [CompletionResultType]::ParameterName, 'Automatically discover extensions and add them to --extensions (unless they''re in --dont-collect)')
-            [CompletionResult]::new('--collect-extensions', 'collect-extensions', [CompletionResultType]::ParameterName, 'Automatically discover extensions and add them to --extensions (unless they''re in --dont-collect)')
-            [CompletionResult]::new('-B', 'B', [CompletionResultType]::ParameterName, 'Automatically request likely backup extensions for "found" urls')
-            [CompletionResult]::new('--collect-backups', 'collect-backups', [CompletionResultType]::ParameterName, 'Automatically request likely backup extensions for "found" urls')
-            [CompletionResult]::new('-g', 'g', [CompletionResultType]::ParameterName, 'Automatically discover important words from within responses and add them to the wordlist')
-            [CompletionResult]::new('--collect-words', 'collect-words', [CompletionResultType]::ParameterName, 'Automatically discover important words from within responses and add them to the wordlist')
-            [CompletionResult]::new('-v', 'v', [CompletionResultType]::ParameterName, 'Increase verbosity level (use -vv or more for greater effect. [CAUTION] 4 -v''s is probably too much)')
-            [CompletionResult]::new('--verbosity', 'verbosity', [CompletionResultType]::ParameterName, 'Increase verbosity level (use -vv or more for greater effect. [CAUTION] 4 -v''s is probably too much)')
-            [CompletionResult]::new('--silent', 'silent', [CompletionResultType]::ParameterName, 'Only print URLs + turn off logging (good for piping a list of urls to other commands)')
-            [CompletionResult]::new('-q', 'q', [CompletionResultType]::ParameterName, 'Hide progress bars and banner (good for tmux windows w/ notifications)')
-            [CompletionResult]::new('--quiet', 'quiet', [CompletionResultType]::ParameterName, 'Hide progress bars and banner (good for tmux windows w/ notifications)')
-            [CompletionResult]::new('--json', 'json', [CompletionResultType]::ParameterName, 'Emit JSON logs to --output and --debug-log instead of normal text')
-            [CompletionResult]::new('--no-state', 'no-state', [CompletionResultType]::ParameterName, 'Disable state output file (*.state)')
-            [CompletionResult]::new('-U', 'U', [CompletionResultType]::ParameterName, 'Update feroxbuster to the latest version')
-            [CompletionResult]::new('--update', 'update', [CompletionResultType]::ParameterName, 'Update feroxbuster to the latest version')
-            [CompletionResult]::new('-h', 'h', [CompletionResultType]::ParameterName, 'Print help (see more with ''--help'')')
-            [CompletionResult]::new('--help', 'help', [CompletionResultType]::ParameterName, 'Print help (see more with ''--help'')')
-            [CompletionResult]::new('-V', 'V', [CompletionResultType]::ParameterName, 'Print version')
-            [CompletionResult]::new('--version', 'version', [CompletionResultType]::ParameterName, 'Print version')
+            [CompletionResult]::new('-u', '-u', [CompletionResultType]::ParameterName, 'The target URL (required, unless [--stdin || --resume-from || --request-file] used)')
+            [CompletionResult]::new('--url', '--url', [CompletionResultType]::ParameterName, 'The target URL (required, unless [--stdin || --resume-from || --request-file] used)')
+            [CompletionResult]::new('--resume-from', '--resume-from', [CompletionResultType]::ParameterName, 'State file from which to resume a partially complete scan (ex. --resume-from ferox-1606586780.state)')
+            [CompletionResult]::new('--request-file', '--request-file', [CompletionResultType]::ParameterName, 'Raw HTTP request file to use as a template for all requests')
+            [CompletionResult]::new('-p', '-p', [CompletionResultType]::ParameterName, 'Proxy to use for requests (ex: http(s)://host:port, socks5(h)://host:port)')
+            [CompletionResult]::new('--proxy', '--proxy', [CompletionResultType]::ParameterName, 'Proxy to use for requests (ex: http(s)://host:port, socks5(h)://host:port)')
+            [CompletionResult]::new('-P', '-P ', [CompletionResultType]::ParameterName, 'Send only unfiltered requests through a Replay Proxy, instead of all requests')
+            [CompletionResult]::new('--replay-proxy', '--replay-proxy', [CompletionResultType]::ParameterName, 'Send only unfiltered requests through a Replay Proxy, instead of all requests')
+            [CompletionResult]::new('-R', '-R ', [CompletionResultType]::ParameterName, 'Status Codes to send through a Replay Proxy when found (default: --status-codes value)')
+            [CompletionResult]::new('--replay-codes', '--replay-codes', [CompletionResultType]::ParameterName, 'Status Codes to send through a Replay Proxy when found (default: --status-codes value)')
+            [CompletionResult]::new('-a', '-a', [CompletionResultType]::ParameterName, 'Sets the User-Agent (default: feroxbuster/2.11.0)')
+            [CompletionResult]::new('--user-agent', '--user-agent', [CompletionResultType]::ParameterName, 'Sets the User-Agent (default: feroxbuster/2.11.0)')
+            [CompletionResult]::new('-x', '-x', [CompletionResultType]::ParameterName, 'File extension(s) to search for (ex: -x php -x pdf js); reads values (newline-separated) from file if input starts with an @ (ex: @ext.txt)')
+            [CompletionResult]::new('--extensions', '--extensions', [CompletionResultType]::ParameterName, 'File extension(s) to search for (ex: -x php -x pdf js); reads values (newline-separated) from file if input starts with an @ (ex: @ext.txt)')
+            [CompletionResult]::new('-m', '-m', [CompletionResultType]::ParameterName, 'Which HTTP request method(s) should be sent (default: GET)')
+            [CompletionResult]::new('--methods', '--methods', [CompletionResultType]::ParameterName, 'Which HTTP request method(s) should be sent (default: GET)')
+            [CompletionResult]::new('--data', '--data', [CompletionResultType]::ParameterName, 'Request''s Body; can read data from a file if input starts with an @ (ex: @post.bin)')
+            [CompletionResult]::new('-H', '-H ', [CompletionResultType]::ParameterName, 'Specify HTTP headers to be used in each request (ex: -H Header:val -H ''stuff: things'')')
+            [CompletionResult]::new('--headers', '--headers', [CompletionResultType]::ParameterName, 'Specify HTTP headers to be used in each request (ex: -H Header:val -H ''stuff: things'')')
+            [CompletionResult]::new('-b', '-b', [CompletionResultType]::ParameterName, 'Specify HTTP cookies to be used in each request (ex: -b stuff=things)')
+            [CompletionResult]::new('--cookies', '--cookies', [CompletionResultType]::ParameterName, 'Specify HTTP cookies to be used in each request (ex: -b stuff=things)')
+            [CompletionResult]::new('-Q', '-Q ', [CompletionResultType]::ParameterName, 'Request''s URL query parameters (ex: -Q token=stuff -Q secret=key)')
+            [CompletionResult]::new('--query', '--query', [CompletionResultType]::ParameterName, 'Request''s URL query parameters (ex: -Q token=stuff -Q secret=key)')
+            [CompletionResult]::new('--protocol', '--protocol', [CompletionResultType]::ParameterName, 'Specify the protocol to use when targeting via --request-file or --url with domain only (default: https)')
+            [CompletionResult]::new('--dont-scan', '--dont-scan', [CompletionResultType]::ParameterName, 'URL(s) or Regex Pattern(s) to exclude from recursion/scans')
+            [CompletionResult]::new('-S', '-S ', [CompletionResultType]::ParameterName, 'Filter out messages of a particular size (ex: -S 5120 -S 4927,1970)')
+            [CompletionResult]::new('--filter-size', '--filter-size', [CompletionResultType]::ParameterName, 'Filter out messages of a particular size (ex: -S 5120 -S 4927,1970)')
+            [CompletionResult]::new('-X', '-X ', [CompletionResultType]::ParameterName, 'Filter out messages via regular expression matching on the response''s body/headers (ex: -X ''^ignore me$'')')
+            [CompletionResult]::new('--filter-regex', '--filter-regex', [CompletionResultType]::ParameterName, 'Filter out messages via regular expression matching on the response''s body/headers (ex: -X ''^ignore me$'')')
+            [CompletionResult]::new('-W', '-W ', [CompletionResultType]::ParameterName, 'Filter out messages of a particular word count (ex: -W 312 -W 91,82)')
+            [CompletionResult]::new('--filter-words', '--filter-words', [CompletionResultType]::ParameterName, 'Filter out messages of a particular word count (ex: -W 312 -W 91,82)')
+            [CompletionResult]::new('-N', '-N ', [CompletionResultType]::ParameterName, 'Filter out messages of a particular line count (ex: -N 20 -N 31,30)')
+            [CompletionResult]::new('--filter-lines', '--filter-lines', [CompletionResultType]::ParameterName, 'Filter out messages of a particular line count (ex: -N 20 -N 31,30)')
+            [CompletionResult]::new('-C', '-C ', [CompletionResultType]::ParameterName, 'Filter out status codes (deny list) (ex: -C 200 -C 401)')
+            [CompletionResult]::new('--filter-status', '--filter-status', [CompletionResultType]::ParameterName, 'Filter out status codes (deny list) (ex: -C 200 -C 401)')
+            [CompletionResult]::new('--filter-similar-to', '--filter-similar-to', [CompletionResultType]::ParameterName, 'Filter out pages that are similar to the given page (ex. --filter-similar-to http://site.xyz/soft404)')
+            [CompletionResult]::new('-s', '-s', [CompletionResultType]::ParameterName, 'Status Codes to include (allow list) (default: All Status Codes)')
+            [CompletionResult]::new('--status-codes', '--status-codes', [CompletionResultType]::ParameterName, 'Status Codes to include (allow list) (default: All Status Codes)')
+            [CompletionResult]::new('-T', '-T ', [CompletionResultType]::ParameterName, 'Number of seconds before a client''s request times out (default: 7)')
+            [CompletionResult]::new('--timeout', '--timeout', [CompletionResultType]::ParameterName, 'Number of seconds before a client''s request times out (default: 7)')
+            [CompletionResult]::new('--server-certs', '--server-certs', [CompletionResultType]::ParameterName, 'Add custom root certificate(s) for servers with unknown certificates')
+            [CompletionResult]::new('--client-cert', '--client-cert', [CompletionResultType]::ParameterName, 'Add a PEM encoded certificate for mutual authentication (mTLS)')
+            [CompletionResult]::new('--client-key', '--client-key', [CompletionResultType]::ParameterName, 'Add a PEM encoded private key for mutual authentication (mTLS)')
+            [CompletionResult]::new('-t', '-t', [CompletionResultType]::ParameterName, 'Number of concurrent threads (default: 50)')
+            [CompletionResult]::new('--threads', '--threads', [CompletionResultType]::ParameterName, 'Number of concurrent threads (default: 50)')
+            [CompletionResult]::new('-d', '-d', [CompletionResultType]::ParameterName, 'Maximum recursion depth, a depth of 0 is infinite recursion (default: 4)')
+            [CompletionResult]::new('--depth', '--depth', [CompletionResultType]::ParameterName, 'Maximum recursion depth, a depth of 0 is infinite recursion (default: 4)')
+            [CompletionResult]::new('-L', '-L ', [CompletionResultType]::ParameterName, 'Limit total number of concurrent scans (default: 0, i.e. no limit)')
+            [CompletionResult]::new('--scan-limit', '--scan-limit', [CompletionResultType]::ParameterName, 'Limit total number of concurrent scans (default: 0, i.e. no limit)')
+            [CompletionResult]::new('--parallel', '--parallel', [CompletionResultType]::ParameterName, 'Run parallel feroxbuster instances (one child process per url passed via stdin)')
+            [CompletionResult]::new('--rate-limit', '--rate-limit', [CompletionResultType]::ParameterName, 'Limit number of requests per second (per directory) (default: 0, i.e. no limit)')
+            [CompletionResult]::new('--time-limit', '--time-limit', [CompletionResultType]::ParameterName, 'Limit total run time of all scans (ex: --time-limit 10m)')
+            [CompletionResult]::new('-w', '-w', [CompletionResultType]::ParameterName, 'Path or URL of the wordlist')
+            [CompletionResult]::new('--wordlist', '--wordlist', [CompletionResultType]::ParameterName, 'Path or URL of the wordlist')
+            [CompletionResult]::new('-B', '-B ', [CompletionResultType]::ParameterName, 'Automatically request likely backup extensions for "found" urls (default: ~, .bak, .bak2, .old, .1)')
+            [CompletionResult]::new('--collect-backups', '--collect-backups', [CompletionResultType]::ParameterName, 'Automatically request likely backup extensions for "found" urls (default: ~, .bak, .bak2, .old, .1)')
+            [CompletionResult]::new('-I', '-I ', [CompletionResultType]::ParameterName, 'File extension(s) to Ignore while collecting extensions (only used with --collect-extensions)')
+            [CompletionResult]::new('--dont-collect', '--dont-collect', [CompletionResultType]::ParameterName, 'File extension(s) to Ignore while collecting extensions (only used with --collect-extensions)')
+            [CompletionResult]::new('-o', '-o', [CompletionResultType]::ParameterName, 'Output file to write results to (use w/ --json for JSON entries)')
+            [CompletionResult]::new('--output', '--output', [CompletionResultType]::ParameterName, 'Output file to write results to (use w/ --json for JSON entries)')
+            [CompletionResult]::new('--debug-log', '--debug-log', [CompletionResultType]::ParameterName, 'Output file to write log entries (use w/ --json for JSON entries)')
+            [CompletionResult]::new('--limit-bars', '--limit-bars', [CompletionResultType]::ParameterName, 'Number of directory scan bars to show at any given time (default: no limit)')
+            [CompletionResult]::new('--stdin', '--stdin', [CompletionResultType]::ParameterName, 'Read url(s) from STDIN')
+            [CompletionResult]::new('--burp', '--burp', [CompletionResultType]::ParameterName, 'Set --proxy to http://127.0.0.1:8080 and set --insecure to true')
+            [CompletionResult]::new('--burp-replay', '--burp-replay', [CompletionResultType]::ParameterName, 'Set --replay-proxy to http://127.0.0.1:8080 and set --insecure to true')
+            [CompletionResult]::new('--smart', '--smart', [CompletionResultType]::ParameterName, 'Set --auto-tune, --collect-words, and --collect-backups to true')
+            [CompletionResult]::new('--thorough', '--thorough', [CompletionResultType]::ParameterName, 'Use the same settings as --smart and set --collect-extensions and --scan-dir-listings to true')
+            [CompletionResult]::new('-A', '-A ', [CompletionResultType]::ParameterName, 'Use a random User-Agent')
+            [CompletionResult]::new('--random-agent', '--random-agent', [CompletionResultType]::ParameterName, 'Use a random User-Agent')
+            [CompletionResult]::new('-f', '-f', [CompletionResultType]::ParameterName, 'Append / to each request''s URL')
+            [CompletionResult]::new('--add-slash', '--add-slash', [CompletionResultType]::ParameterName, 'Append / to each request''s URL')
+            [CompletionResult]::new('-r', '-r', [CompletionResultType]::ParameterName, 'Allow client to follow redirects')
+            [CompletionResult]::new('--redirects', '--redirects', [CompletionResultType]::ParameterName, 'Allow client to follow redirects')
+            [CompletionResult]::new('-k', '-k', [CompletionResultType]::ParameterName, 'Disables TLS certificate validation in the client')
+            [CompletionResult]::new('--insecure', '--insecure', [CompletionResultType]::ParameterName, 'Disables TLS certificate validation in the client')
+            [CompletionResult]::new('-n', '-n', [CompletionResultType]::ParameterName, 'Do not scan recursively')
+            [CompletionResult]::new('--no-recursion', '--no-recursion', [CompletionResultType]::ParameterName, 'Do not scan recursively')
+            [CompletionResult]::new('--force-recursion', '--force-recursion', [CompletionResultType]::ParameterName, 'Force recursion attempts on all ''found'' endpoints (still respects recursion depth)')
+            [CompletionResult]::new('-e', '-e', [CompletionResultType]::ParameterName, 'Extract links from response body (html, javascript, etc...); make new requests based on findings (default: true)')
+            [CompletionResult]::new('--extract-links', '--extract-links', [CompletionResultType]::ParameterName, 'Extract links from response body (html, javascript, etc...); make new requests based on findings (default: true)')
+            [CompletionResult]::new('--dont-extract-links', '--dont-extract-links', [CompletionResultType]::ParameterName, 'Don''t extract links from response body (html, javascript, etc...)')
+            [CompletionResult]::new('--auto-tune', '--auto-tune', [CompletionResultType]::ParameterName, 'Automatically lower scan rate when an excessive amount of errors are encountered')
+            [CompletionResult]::new('--auto-bail', '--auto-bail', [CompletionResultType]::ParameterName, 'Automatically stop scanning when an excessive amount of errors are encountered')
+            [CompletionResult]::new('-D', '-D ', [CompletionResultType]::ParameterName, 'Don''t auto-filter wildcard responses')
+            [CompletionResult]::new('--dont-filter', '--dont-filter', [CompletionResultType]::ParameterName, 'Don''t auto-filter wildcard responses')
+            [CompletionResult]::new('-E', '-E ', [CompletionResultType]::ParameterName, 'Automatically discover extensions and add them to --extensions (unless they''re in --dont-collect)')
+            [CompletionResult]::new('--collect-extensions', '--collect-extensions', [CompletionResultType]::ParameterName, 'Automatically discover extensions and add them to --extensions (unless they''re in --dont-collect)')
+            [CompletionResult]::new('-g', '-g', [CompletionResultType]::ParameterName, 'Automatically discover important words from within responses and add them to the wordlist')
+            [CompletionResult]::new('--collect-words', '--collect-words', [CompletionResultType]::ParameterName, 'Automatically discover important words from within responses and add them to the wordlist')
+            [CompletionResult]::new('--scan-dir-listings', '--scan-dir-listings', [CompletionResultType]::ParameterName, 'Force scans to recurse into directory listings')
+            [CompletionResult]::new('-v', '-v', [CompletionResultType]::ParameterName, 'Increase verbosity level (use -vv or more for greater effect. [CAUTION] 4 -v''s is probably too much)')
+            [CompletionResult]::new('--verbosity', '--verbosity', [CompletionResultType]::ParameterName, 'Increase verbosity level (use -vv or more for greater effect. [CAUTION] 4 -v''s is probably too much)')
+            [CompletionResult]::new('--silent', '--silent', [CompletionResultType]::ParameterName, 'Only print URLs (or JSON w/ --json) + turn off logging (good for piping a list of urls to other commands)')
+            [CompletionResult]::new('-q', '-q', [CompletionResultType]::ParameterName, 'Hide progress bars and banner (good for tmux windows w/ notifications)')
+            [CompletionResult]::new('--quiet', '--quiet', [CompletionResultType]::ParameterName, 'Hide progress bars and banner (good for tmux windows w/ notifications)')
+            [CompletionResult]::new('--json', '--json', [CompletionResultType]::ParameterName, 'Emit JSON logs to --output and --debug-log instead of normal text')
+            [CompletionResult]::new('--no-state', '--no-state', [CompletionResultType]::ParameterName, 'Disable state output file (*.state)')
+            [CompletionResult]::new('-U', '-U ', [CompletionResultType]::ParameterName, 'Update feroxbuster to the latest version')
+            [CompletionResult]::new('--update', '--update', [CompletionResultType]::ParameterName, 'Update feroxbuster to the latest version')
+            [CompletionResult]::new('-h', '-h', [CompletionResultType]::ParameterName, 'Print help (see more with ''--help'')')
+            [CompletionResult]::new('--help', '--help', [CompletionResultType]::ParameterName, 'Print help (see more with ''--help'')')
+            [CompletionResult]::new('-V', '-V ', [CompletionResultType]::ParameterName, 'Print version')
+            [CompletionResult]::new('--version', '--version', [CompletionResultType]::ParameterName, 'Print version')
             break
         }
     })

shell_completions/feroxbuster.bash

@@ -19,7 +19,7 @@ _feroxbuster() {
 
     case "${cmd}" in
         feroxbuster)
-            opts="-u -p -P -R -a -A -x -m -H -b -Q -f -S -X -W -N -C -s -T -r -k -t -n -d -e -L -w -D -E -B -g -I -v -q -o -U -h -V --url --stdin --resume-from --burp --burp-replay --smart --thorough --proxy --replay-proxy --replay-codes --user-agent --random-agent --extensions --methods --data --headers --cookies --query --add-slash --dont-scan --filter-size --filter-regex --filter-words --filter-lines --filter-status --filter-similar-to --status-codes --timeout --redirects --insecure --threads --no-recursion --depth --force-recursion --extract-links --dont-extract-links --scan-limit --parallel --rate-limit --time-limit --wordlist --auto-tune --auto-bail --dont-filter --collect-extensions --collect-backups --collect-words --dont-collect --verbosity --silent --quiet --json --output --debug-log --no-state --update --help --version"
+            opts="-u -p -P -R -a -A -x -m -H -b -Q -f -S -X -W -N -C -s -T -r -k -t -n -d -e -L -w -D -E -B -g -I -v -q -o -U -h -V --url --stdin --resume-from --request-file --burp --burp-replay --smart --thorough --proxy --replay-proxy --replay-codes --user-agent --random-agent --extensions --methods --data --headers --cookies --query --add-slash --protocol --dont-scan --filter-size --filter-regex --filter-words --filter-lines --filter-status --filter-similar-to --status-codes --timeout --redirects --insecure --server-certs --client-cert --client-key --threads --no-recursion --depth --force-recursion --extract-links --dont-extract-links --scan-limit --parallel --rate-limit --time-limit --wordlist --auto-tune --auto-bail --dont-filter --collect-extensions --collect-backups --collect-words --dont-collect --scan-dir-listings --verbosity --silent --quiet --json --output --debug-log --no-state --limit-bars --update --help --version"
             if [[ ${cur} == -* || ${COMP_CWORD} -eq 1 ]] ; then
                 COMPREPLY=( $(compgen -W "${opts}" -- "${cur}") )
                 return 0
@@ -34,7 +34,33 @@ _feroxbuster() {
                     return 0
                     ;;
                 --resume-from)
+                    local oldifs
+                    if [ -n "${IFS+x}" ]; then
+                        oldifs="$IFS"
+                    fi
+                    IFS=$'\n'
                     COMPREPLY=($(compgen -f "${cur}"))
+                    if [ -n "${oldifs+x}" ]; then
+                        IFS="$oldifs"
+                    fi
+                    if [[ "${BASH_VERSINFO[0]}" -ge 4 ]]; then
+                        compopt -o filenames
+                    fi
+                    return 0
+                    ;;
+                --request-file)
+                    local oldifs
+                    if [ -n "${IFS+x}" ]; then
+                        oldifs="$IFS"
+                    fi
+                    IFS=$'\n'
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    if [ -n "${oldifs+x}" ]; then
+                        IFS="$oldifs"
+                    fi
+                    if [[ "${BASH_VERSINFO[0]}" -ge 4 ]]; then
+                        compopt -o filenames
+                    fi
                     return 0
                     ;;
                 --proxy)
@@ -113,6 +139,10 @@ _feroxbuster() {
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
+                --protocol)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
                 --dont-scan)
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
@@ -177,6 +207,51 @@ _feroxbuster() {
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
+                --server-certs)
+                    local oldifs
+                    if [ -n "${IFS+x}" ]; then
+                        oldifs="$IFS"
+                    fi
+                    IFS=$'\n'
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    if [ -n "${oldifs+x}" ]; then
+                        IFS="$oldifs"
+                    fi
+                    if [[ "${BASH_VERSINFO[0]}" -ge 4 ]]; then
+                        compopt -o filenames
+                    fi
+                    return 0
+                    ;;
+                --client-cert)
+                    local oldifs
+                    if [ -n "${IFS+x}" ]; then
+                        oldifs="$IFS"
+                    fi
+                    IFS=$'\n'
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    if [ -n "${oldifs+x}" ]; then
+                        IFS="$oldifs"
+                    fi
+                    if [[ "${BASH_VERSINFO[0]}" -ge 4 ]]; then
+                        compopt -o filenames
+                    fi
+                    return 0
+                    ;;
+                --client-key)
+                    local oldifs
+                    if [ -n "${IFS+x}" ]; then
+                        oldifs="$IFS"
+                    fi
+                    IFS=$'\n'
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    if [ -n "${oldifs+x}" ]; then
+                        IFS="$oldifs"
+                    fi
+                    if [[ "${BASH_VERSINFO[0]}" -ge 4 ]]; then
+                        compopt -o filenames
+                    fi
+                    return 0
+                    ;;
                 --threads)
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
@@ -214,10 +289,40 @@ _feroxbuster() {
                     return 0
                     ;;
                 --wordlist)
+                    local oldifs
+                    if [ -n "${IFS+x}" ]; then
+                        oldifs="$IFS"
+                    fi
+                    IFS=$'\n'
                     COMPREPLY=($(compgen -f "${cur}"))
+                    if [ -n "${oldifs+x}" ]; then
+                        IFS="$oldifs"
+                    fi
+                    if [[ "${BASH_VERSINFO[0]}" -ge 4 ]]; then
+                        compopt -o filenames
+                    fi
                     return 0
                     ;;
                 -w)
+                    local oldifs
+                    if [ -n "${IFS+x}" ]; then
+                        oldifs="$IFS"
+                    fi
+                    IFS=$'\n'
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    if [ -n "${oldifs+x}" ]; then
+                        IFS="$oldifs"
+                    fi
+                    if [[ "${BASH_VERSINFO[0]}" -ge 4 ]]; then
+                        compopt -o filenames
+                    fi
+                    return 0
+                    ;;
+                --collect-backups)
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    return 0
+                    ;;
+                -B)
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
@@ -230,14 +335,51 @@ _feroxbuster() {
                     return 0
                     ;;
                 --output)
+                    local oldifs
+                    if [ -n "${IFS+x}" ]; then
+                        oldifs="$IFS"
+                    fi
+                    IFS=$'\n'
                     COMPREPLY=($(compgen -f "${cur}"))
+                    if [ -n "${oldifs+x}" ]; then
+                        IFS="$oldifs"
+                    fi
+                    if [[ "${BASH_VERSINFO[0]}" -ge 4 ]]; then
+                        compopt -o filenames
+                    fi
                     return 0
                     ;;
                 -o)
+                    local oldifs
+                    if [ -n "${IFS+x}" ]; then
+                        oldifs="$IFS"
+                    fi
+                    IFS=$'\n'
                     COMPREPLY=($(compgen -f "${cur}"))
+                    if [ -n "${oldifs+x}" ]; then
+                        IFS="$oldifs"
+                    fi
+                    if [[ "${BASH_VERSINFO[0]}" -ge 4 ]]; then
+                        compopt -o filenames
+                    fi
                     return 0
                     ;;
                 --debug-log)
+                    local oldifs
+                    if [ -n "${IFS+x}" ]; then
+                        oldifs="$IFS"
+                    fi
+                    IFS=$'\n'
+                    COMPREPLY=($(compgen -f "${cur}"))
+                    if [ -n "${oldifs+x}" ]; then
+                        IFS="$oldifs"
+                    fi
+                    if [[ "${BASH_VERSINFO[0]}" -ge 4 ]]; then
+                        compopt -o filenames
+                    fi
+                    return 0
+                    ;;
+                --limit-bars)
                     COMPREPLY=($(compgen -f "${cur}"))
                     return 0
                     ;;
@@ -251,4 +393,8 @@ _feroxbuster() {
     esac
 }
 
-complete -F _feroxbuster -o bashdefault -o default -o plusdirs feroxbuster
+if [[ "${BASH_VERSINFO[0]}" -eq 4 && "${BASH_VERSINFO[1]}" -ge 4 || "${BASH_VERSINFO[0]}" -gt 4 ]]; then
+    complete -F _feroxbuster -o nosort -o bashdefault -o default -o plusdirs feroxbuster
+else
+    complete -F _feroxbuster -o bashdefault -o default -o plusdirs feroxbuster
+fi

shell_completions/feroxbuster.elv

@@ -18,19 +18,20 @@ set edit:completion:arg-completer[feroxbuster] = {|@words|
     }
     var completions = [
         &'feroxbuster'= {
-            cand -u 'The target URL (required, unless [--stdin || --resume-from] used)'
-            cand --url 'The target URL (required, unless [--stdin || --resume-from] used)'
+            cand -u 'The target URL (required, unless [--stdin || --resume-from || --request-file] used)'
+            cand --url 'The target URL (required, unless [--stdin || --resume-from || --request-file] used)'
             cand --resume-from 'State file from which to resume a partially complete scan (ex. --resume-from ferox-1606586780.state)'
+            cand --request-file 'Raw HTTP request file to use as a template for all requests'
             cand -p 'Proxy to use for requests (ex: http(s)://host:port, socks5(h)://host:port)'
             cand --proxy 'Proxy to use for requests (ex: http(s)://host:port, socks5(h)://host:port)'
             cand -P 'Send only unfiltered requests through a Replay Proxy, instead of all requests'
             cand --replay-proxy 'Send only unfiltered requests through a Replay Proxy, instead of all requests'
             cand -R 'Status Codes to send through a Replay Proxy when found (default: --status-codes value)'
             cand --replay-codes 'Status Codes to send through a Replay Proxy when found (default: --status-codes value)'
-            cand -a 'Sets the User-Agent (default: feroxbuster/2.9.3)'
-            cand --user-agent 'Sets the User-Agent (default: feroxbuster/2.9.3)'
-            cand -x 'File extension(s) to search for (ex: -x php -x pdf js)'
-            cand --extensions 'File extension(s) to search for (ex: -x php -x pdf js)'
+            cand -a 'Sets the User-Agent (default: feroxbuster/2.11.0)'
+            cand --user-agent 'Sets the User-Agent (default: feroxbuster/2.11.0)'
+            cand -x 'File extension(s) to search for (ex: -x php -x pdf js); reads values (newline-separated) from file if input starts with an @ (ex: @ext.txt)'
+            cand --extensions 'File extension(s) to search for (ex: -x php -x pdf js); reads values (newline-separated) from file if input starts with an @ (ex: @ext.txt)'
             cand -m 'Which HTTP request method(s) should be sent (default: GET)'
             cand --methods 'Which HTTP request method(s) should be sent (default: GET)'
             cand --data 'Request''s Body; can read data from a file if input starts with an @ (ex: @post.bin)'
@@ -40,11 +41,12 @@ set edit:completion:arg-completer[feroxbuster] = {|@words|
             cand --cookies 'Specify HTTP cookies to be used in each request (ex: -b stuff=things)'
             cand -Q 'Request''s URL query parameters (ex: -Q token=stuff -Q secret=key)'
             cand --query 'Request''s URL query parameters (ex: -Q token=stuff -Q secret=key)'
+            cand --protocol 'Specify the protocol to use when targeting via --request-file or --url with domain only (default: https)'
             cand --dont-scan 'URL(s) or Regex Pattern(s) to exclude from recursion/scans'
             cand -S 'Filter out messages of a particular size (ex: -S 5120 -S 4927,1970)'
             cand --filter-size 'Filter out messages of a particular size (ex: -S 5120 -S 4927,1970)'
-            cand -X 'Filter out messages via regular expression matching on the response''s body (ex: -X ''^ignore me$'')'
-            cand --filter-regex 'Filter out messages via regular expression matching on the response''s body (ex: -X ''^ignore me$'')'
+            cand -X 'Filter out messages via regular expression matching on the response''s body/headers (ex: -X ''^ignore me$'')'
+            cand --filter-regex 'Filter out messages via regular expression matching on the response''s body/headers (ex: -X ''^ignore me$'')'
             cand -W 'Filter out messages of a particular word count (ex: -W 312 -W 91,82)'
             cand --filter-words 'Filter out messages of a particular word count (ex: -W 312 -W 91,82)'
             cand -N 'Filter out messages of a particular line count (ex: -N 20 -N 31,30)'
@@ -56,6 +58,9 @@ set edit:completion:arg-completer[feroxbuster] = {|@words|
             cand --status-codes 'Status Codes to include (allow list) (default: All Status Codes)'
             cand -T 'Number of seconds before a client''s request times out (default: 7)'
             cand --timeout 'Number of seconds before a client''s request times out (default: 7)'
+            cand --server-certs 'Add custom root certificate(s) for servers with unknown certificates'
+            cand --client-cert 'Add a PEM encoded certificate for mutual authentication (mTLS)'
+            cand --client-key 'Add a PEM encoded private key for mutual authentication (mTLS)'
             cand -t 'Number of concurrent threads (default: 50)'
             cand --threads 'Number of concurrent threads (default: 50)'
             cand -d 'Maximum recursion depth, a depth of 0 is infinite recursion (default: 4)'
@@ -67,16 +72,19 @@ set edit:completion:arg-completer[feroxbuster] = {|@words|
             cand --time-limit 'Limit total run time of all scans (ex: --time-limit 10m)'
             cand -w 'Path or URL of the wordlist'
             cand --wordlist 'Path or URL of the wordlist'
+            cand -B 'Automatically request likely backup extensions for "found" urls (default: ~, .bak, .bak2, .old, .1)'
+            cand --collect-backups 'Automatically request likely backup extensions for "found" urls (default: ~, .bak, .bak2, .old, .1)'
             cand -I 'File extension(s) to Ignore while collecting extensions (only used with --collect-extensions)'
             cand --dont-collect 'File extension(s) to Ignore while collecting extensions (only used with --collect-extensions)'
             cand -o 'Output file to write results to (use w/ --json for JSON entries)'
             cand --output 'Output file to write results to (use w/ --json for JSON entries)'
             cand --debug-log 'Output file to write log entries (use w/ --json for JSON entries)'
+            cand --limit-bars 'Number of directory scan bars to show at any given time (default: no limit)'
             cand --stdin 'Read url(s) from STDIN'
             cand --burp 'Set --proxy to http://127.0.0.1:8080 and set --insecure to true'
             cand --burp-replay 'Set --replay-proxy to http://127.0.0.1:8080 and set --insecure to true'
             cand --smart 'Set --auto-tune, --collect-words, and --collect-backups to true'
-            cand --thorough 'Use the same settings as --smart and set --collect-extensions to true'
+            cand --thorough 'Use the same settings as --smart and set --collect-extensions and --scan-dir-listings to true'
             cand -A 'Use a random User-Agent'
             cand --random-agent 'Use a random User-Agent'
             cand -f 'Append / to each request''s URL'
@@ -97,13 +105,12 @@ set edit:completion:arg-completer[feroxbuster] = {|@words|
             cand --dont-filter 'Don''t auto-filter wildcard responses'
             cand -E 'Automatically discover extensions and add them to --extensions (unless they''re in --dont-collect)'
             cand --collect-extensions 'Automatically discover extensions and add them to --extensions (unless they''re in --dont-collect)'
-            cand -B 'Automatically request likely backup extensions for "found" urls'
-            cand --collect-backups 'Automatically request likely backup extensions for "found" urls'
             cand -g 'Automatically discover important words from within responses and add them to the wordlist'
             cand --collect-words 'Automatically discover important words from within responses and add them to the wordlist'
+            cand --scan-dir-listings 'Force scans to recurse into directory listings'
             cand -v 'Increase verbosity level (use -vv or more for greater effect. [CAUTION] 4 -v''s is probably too much)'
             cand --verbosity 'Increase verbosity level (use -vv or more for greater effect. [CAUTION] 4 -v''s is probably too much)'
-            cand --silent 'Only print URLs + turn off logging (good for piping a list of urls to other commands)'
+            cand --silent 'Only print URLs (or JSON w/ --json) + turn off logging (good for piping a list of urls to other commands)'
             cand -q 'Hide progress bars and banner (good for tmux windows w/ notifications)'
             cand --quiet 'Hide progress bars and banner (good for tmux windows w/ notifications)'
             cand --json 'Emit JSON logs to --output and --debug-log instead of normal text'

shell_completions/feroxbuster.fish

@@ -1,46 +1,65 @@
-complete -c feroxbuster -n "__fish_use_subcommand" -s w -l wordlist -d 'Path to the wordlist'
-complete -c feroxbuster -n "__fish_use_subcommand" -s u -l url -d 'The target URL(s) (required, unless --stdin used)'
-complete -c feroxbuster -n "__fish_use_subcommand" -s t -l threads -d 'Number of concurrent threads (default: 50)'
-complete -c feroxbuster -n "__fish_use_subcommand" -s d -l depth -d 'Maximum recursion depth, a depth of 0 is infinite recursion (default: 4)'
-complete -c feroxbuster -n "__fish_use_subcommand" -s T -l timeout -d 'Number of seconds before a request times out (default: 7)'
-complete -c feroxbuster -n "__fish_use_subcommand" -s p -l proxy -d 'Proxy to use for requests (ex: http(s)://host:port, socks5(h)://host:port)'
-complete -c feroxbuster -n "__fish_use_subcommand" -s P -l replay-proxy -d 'Send only unfiltered requests through a Replay Proxy, instead of all requests'
-complete -c feroxbuster -n "__fish_use_subcommand" -s R -l replay-codes -d 'Status Codes to send through a Replay Proxy when found (default: --status-codes value)'
-complete -c feroxbuster -n "__fish_use_subcommand" -s s -l status-codes -d 'Status Codes to include (allow list) (default: 200 204 301 302 307 308 401 403 405)'
-complete -c feroxbuster -n "__fish_use_subcommand" -s o -l output -d 'Output file to write results to (use w/ --json for JSON entries)'
-complete -c feroxbuster -n "__fish_use_subcommand" -l resume-from -d 'State file from which to resume a partially complete scan (ex. --resume-from ferox-1606586780.state)'
-complete -c feroxbuster -n "__fish_use_subcommand" -l debug-log -d 'Output file to write log entries (use w/ --json for JSON entries)'
-complete -c feroxbuster -n "__fish_use_subcommand" -s a -l user-agent -d 'Sets the User-Agent (default: feroxbuster/VERSION)'
-complete -c feroxbuster -n "__fish_use_subcommand" -s x -l extensions -d 'File extension(s) to search for (ex: -x php -x pdf js)'
-complete -c feroxbuster -n "__fish_use_subcommand" -s m -l methods -d 'HTTP request method(s) (default: GET)'
-complete -c feroxbuster -n "__fish_use_subcommand" -l data -d 'HTTP Body data; can read data from a file if input starts with an @ (ex: @post.bin)'
-complete -c feroxbuster -n "__fish_use_subcommand" -l dont-scan -d 'URL(s) or Regex Pattern(s) to exclude from recursion/scans'
-complete -c feroxbuster -n "__fish_use_subcommand" -s H -l headers -d 'Specify HTTP headers (ex: -H Header:val \'stuff: things\')'
-complete -c feroxbuster -n "__fish_use_subcommand" -s b -l cookies -d 'Specify HTTP cookies (ex: -b stuff=things)'
-complete -c feroxbuster -n "__fish_use_subcommand" -s Q -l query -d 'Specify URL query parameters (ex: -Q token=stuff -Q secret=key)'
-complete -c feroxbuster -n "__fish_use_subcommand" -s S -l filter-size -d 'Filter out messages of a particular size (ex: -S 5120 -S 4927,1970)'
-complete -c feroxbuster -n "__fish_use_subcommand" -s X -l filter-regex -d 'Filter out messages via regular expression matching on the response\'s body (ex: -X \'^ignore me$\')'
-complete -c feroxbuster -n "__fish_use_subcommand" -s W -l filter-words -d 'Filter out messages of a particular word count (ex: -W 312 -W 91,82)'
-complete -c feroxbuster -n "__fish_use_subcommand" -s N -l filter-lines -d 'Filter out messages of a particular line count (ex: -N 20 -N 31,30)'
-complete -c feroxbuster -n "__fish_use_subcommand" -s C -l filter-status -d 'Filter out status codes (deny list) (ex: -C 200 -C 401)'
-complete -c feroxbuster -n "__fish_use_subcommand" -l filter-similar-to -d 'Filter out pages that are similar to the given page (ex. --filter-similar-to http://site.xyz/soft404)'
-complete -c feroxbuster -n "__fish_use_subcommand" -s L -l scan-limit -d 'Limit total number of concurrent scans (default: 0, i.e. no limit)'
-complete -c feroxbuster -n "__fish_use_subcommand" -l parallel -d 'Run parallel feroxbuster instances (one child process per url passed via stdin)'
-complete -c feroxbuster -n "__fish_use_subcommand" -l rate-limit -d 'Limit number of requests per second (per directory) (default: 0, i.e. no limit)'
-complete -c feroxbuster -n "__fish_use_subcommand" -l time-limit -d 'Limit total run time of all scans (ex: --time-limit 10m)'
-complete -c feroxbuster -n "__fish_use_subcommand" -s v -l verbosity -d 'Increase verbosity level (use -vv or more for greater effect. [CAUTION] 4 -v\'s is probably too much)'
-complete -c feroxbuster -n "__fish_use_subcommand" -l silent -d 'Only print URLs + turn off logging (good for piping a list of urls to other commands)'
-complete -c feroxbuster -n "__fish_use_subcommand" -s q -l quiet -d 'Hide progress bars and banner (good for tmux windows w/ notifications)'
-complete -c feroxbuster -n "__fish_use_subcommand" -l auto-tune -d 'Automatically lower scan rate when an excessive amount of errors are encountered'
-complete -c feroxbuster -n "__fish_use_subcommand" -l auto-bail -d 'Automatically stop scanning when an excessive amount of errors are encountered'
-complete -c feroxbuster -n "__fish_use_subcommand" -l json -d 'Emit JSON logs to --output and --debug-log instead of normal text'
-complete -c feroxbuster -n "__fish_use_subcommand" -s D -l dont-filter -d 'Don\'t auto-filter wildcard responses'
-complete -c feroxbuster -n "__fish_use_subcommand" -s A -l random-agent -d 'Use a random User-Agent'
-complete -c feroxbuster -n "__fish_use_subcommand" -s r -l redirects -d 'Follow redirects'
-complete -c feroxbuster -n "__fish_use_subcommand" -s k -l insecure -d 'Disables TLS certificate validation'
-complete -c feroxbuster -n "__fish_use_subcommand" -s n -l no-recursion -d 'Do not scan recursively'
-complete -c feroxbuster -n "__fish_use_subcommand" -s f -l add-slash -d 'Append / to each request'
-complete -c feroxbuster -n "__fish_use_subcommand" -l stdin -d 'Read url(s) from STDIN'
-complete -c feroxbuster -n "__fish_use_subcommand" -s e -l extract-links -d 'Extract links from response body (html, javascript, etc...); make new requests based on findings (default: false)'
-complete -c feroxbuster -n "__fish_use_subcommand" -s h -l help -d 'Prints help information'
-complete -c feroxbuster -n "__fish_use_subcommand" -s V -l version -d 'Prints version information'
+complete -c feroxbuster -s u -l url -d 'The target URL (required, unless [--stdin || --resume-from || --request-file] used)' -r -f
+complete -c feroxbuster -l resume-from -d 'State file from which to resume a partially complete scan (ex. --resume-from ferox-1606586780.state)' -r -F
+complete -c feroxbuster -l request-file -d 'Raw HTTP request file to use as a template for all requests' -r -F
+complete -c feroxbuster -s p -l proxy -d 'Proxy to use for requests (ex: http(s)://host:port, socks5(h)://host:port)' -r -f
+complete -c feroxbuster -s P -l replay-proxy -d 'Send only unfiltered requests through a Replay Proxy, instead of all requests' -r -f
+complete -c feroxbuster -s R -l replay-codes -d 'Status Codes to send through a Replay Proxy when found (default: --status-codes value)' -r
+complete -c feroxbuster -s a -l user-agent -d 'Sets the User-Agent (default: feroxbuster/2.11.0)' -r
+complete -c feroxbuster -s x -l extensions -d 'File extension(s) to search for (ex: -x php -x pdf js); reads values (newline-separated) from file if input starts with an @ (ex: @ext.txt)' -r
+complete -c feroxbuster -s m -l methods -d 'Which HTTP request method(s) should be sent (default: GET)' -r
+complete -c feroxbuster -l data -d 'Request\'s Body; can read data from a file if input starts with an @ (ex: @post.bin)' -r
+complete -c feroxbuster -s H -l headers -d 'Specify HTTP headers to be used in each request (ex: -H Header:val -H \'stuff: things\')' -r
+complete -c feroxbuster -s b -l cookies -d 'Specify HTTP cookies to be used in each request (ex: -b stuff=things)' -r
+complete -c feroxbuster -s Q -l query -d 'Request\'s URL query parameters (ex: -Q token=stuff -Q secret=key)' -r
+complete -c feroxbuster -l protocol -d 'Specify the protocol to use when targeting via --request-file or --url with domain only (default: https)' -r
+complete -c feroxbuster -l dont-scan -d 'URL(s) or Regex Pattern(s) to exclude from recursion/scans' -r
+complete -c feroxbuster -s S -l filter-size -d 'Filter out messages of a particular size (ex: -S 5120 -S 4927,1970)' -r
+complete -c feroxbuster -s X -l filter-regex -d 'Filter out messages via regular expression matching on the response\'s body/headers (ex: -X \'^ignore me$\')' -r
+complete -c feroxbuster -s W -l filter-words -d 'Filter out messages of a particular word count (ex: -W 312 -W 91,82)' -r
+complete -c feroxbuster -s N -l filter-lines -d 'Filter out messages of a particular line count (ex: -N 20 -N 31,30)' -r
+complete -c feroxbuster -s C -l filter-status -d 'Filter out status codes (deny list) (ex: -C 200 -C 401)' -r
+complete -c feroxbuster -l filter-similar-to -d 'Filter out pages that are similar to the given page (ex. --filter-similar-to http://site.xyz/soft404)' -r -f
+complete -c feroxbuster -s s -l status-codes -d 'Status Codes to include (allow list) (default: All Status Codes)' -r
+complete -c feroxbuster -s T -l timeout -d 'Number of seconds before a client\'s request times out (default: 7)' -r
+complete -c feroxbuster -l server-certs -d 'Add custom root certificate(s) for servers with unknown certificates' -r -F
+complete -c feroxbuster -l client-cert -d 'Add a PEM encoded certificate for mutual authentication (mTLS)' -r -F
+complete -c feroxbuster -l client-key -d 'Add a PEM encoded private key for mutual authentication (mTLS)' -r -F
+complete -c feroxbuster -s t -l threads -d 'Number of concurrent threads (default: 50)' -r
+complete -c feroxbuster -s d -l depth -d 'Maximum recursion depth, a depth of 0 is infinite recursion (default: 4)' -r
+complete -c feroxbuster -s L -l scan-limit -d 'Limit total number of concurrent scans (default: 0, i.e. no limit)' -r
+complete -c feroxbuster -l parallel -d 'Run parallel feroxbuster instances (one child process per url passed via stdin)' -r
+complete -c feroxbuster -l rate-limit -d 'Limit number of requests per second (per directory) (default: 0, i.e. no limit)' -r
+complete -c feroxbuster -l time-limit -d 'Limit total run time of all scans (ex: --time-limit 10m)' -r
+complete -c feroxbuster -s w -l wordlist -d 'Path or URL of the wordlist' -r -F
+complete -c feroxbuster -s B -l collect-backups -d 'Automatically request likely backup extensions for "found" urls (default: ~, .bak, .bak2, .old, .1)' -r
+complete -c feroxbuster -s I -l dont-collect -d 'File extension(s) to Ignore while collecting extensions (only used with --collect-extensions)' -r
+complete -c feroxbuster -s o -l output -d 'Output file to write results to (use w/ --json for JSON entries)' -r -F
+complete -c feroxbuster -l debug-log -d 'Output file to write log entries (use w/ --json for JSON entries)' -r -F
+complete -c feroxbuster -l limit-bars -d 'Number of directory scan bars to show at any given time (default: no limit)' -r
+complete -c feroxbuster -l stdin -d 'Read url(s) from STDIN'
+complete -c feroxbuster -l burp -d 'Set --proxy to http://127.0.0.1:8080 and set --insecure to true'
+complete -c feroxbuster -l burp-replay -d 'Set --replay-proxy to http://127.0.0.1:8080 and set --insecure to true'
+complete -c feroxbuster -l smart -d 'Set --auto-tune, --collect-words, and --collect-backups to true'
+complete -c feroxbuster -l thorough -d 'Use the same settings as --smart and set --collect-extensions and --scan-dir-listings to true'
+complete -c feroxbuster -s A -l random-agent -d 'Use a random User-Agent'
+complete -c feroxbuster -s f -l add-slash -d 'Append / to each request\'s URL'
+complete -c feroxbuster -s r -l redirects -d 'Allow client to follow redirects'
+complete -c feroxbuster -s k -l insecure -d 'Disables TLS certificate validation in the client'
+complete -c feroxbuster -s n -l no-recursion -d 'Do not scan recursively'
+complete -c feroxbuster -l force-recursion -d 'Force recursion attempts on all \'found\' endpoints (still respects recursion depth)'
+complete -c feroxbuster -s e -l extract-links -d 'Extract links from response body (html, javascript, etc...); make new requests based on findings (default: true)'
+complete -c feroxbuster -l dont-extract-links -d 'Don\'t extract links from response body (html, javascript, etc...)'
+complete -c feroxbuster -l auto-tune -d 'Automatically lower scan rate when an excessive amount of errors are encountered'
+complete -c feroxbuster -l auto-bail -d 'Automatically stop scanning when an excessive amount of errors are encountered'
+complete -c feroxbuster -s D -l dont-filter -d 'Don\'t auto-filter wildcard responses'
+complete -c feroxbuster -s E -l collect-extensions -d 'Automatically discover extensions and add them to --extensions (unless they\'re in --dont-collect)'
+complete -c feroxbuster -s g -l collect-words -d 'Automatically discover important words from within responses and add them to the wordlist'
+complete -c feroxbuster -l scan-dir-listings -d 'Force scans to recurse into directory listings'
+complete -c feroxbuster -s v -l verbosity -d 'Increase verbosity level (use -vv or more for greater effect. [CAUTION] 4 -v\'s is probably too much)'
+complete -c feroxbuster -l silent -d 'Only print URLs (or JSON w/ --json) + turn off logging (good for piping a list of urls to other commands)'
+complete -c feroxbuster -s q -l quiet -d 'Hide progress bars and banner (good for tmux windows w/ notifications)'
+complete -c feroxbuster -l json -d 'Emit JSON logs to --output and --debug-log instead of normal text'
+complete -c feroxbuster -l no-state -d 'Disable state output file (*.state)'
+complete -c feroxbuster -s U -l update -d 'Update feroxbuster to the latest version'
+complete -c feroxbuster -s h -l help -d 'Print help (see more with \'--help\')'
+complete -c feroxbuster -s V -l version -d 'Print version'

src/banner/container.rs

@@ -1,14 +1,15 @@
 use super::entry::BannerEntry;
 use crate::{
+    client,
     config::Configuration,
     event_handlers::Handles,
-    utils::{logged_request, status_colorizer},
+    utils::{make_request, parse_url_with_raw_path, status_colorizer},
     DEFAULT_IGNORED_EXTENSIONS, DEFAULT_METHOD, DEFAULT_STATUS_CODES, VERSION,
 };
 use anyhow::{bail, Result};
 use console::{style, Emoji};
-use reqwest::Url;
 use serde_json::Value;
+use std::collections::HashMap;
 use std::{io::Write, sync::Arc};
 
 /// Url used to query github's api; specifically used to look for the latest tagged release name
@@ -59,6 +60,15 @@ pub struct Banner {
     /// represents Configuration.proxy
     proxy: BannerEntry,
 
+    /// represents Configuration.client_key
+    client_key: BannerEntry,
+
+    /// represents Configuration.client_cert
+    client_cert: BannerEntry,
+
+    /// represents Configuration.server_certs
+    server_certs: BannerEntry,
+
     /// represents Configuration.replay_proxy
     replay_proxy: BannerEntry,
 
@@ -166,6 +176,15 @@ pub struct Banner {
 
     /// represents Configuration.collect_words
     force_recursion: BannerEntry,
+
+    /// represents Configuration.protocol
+    protocol: BannerEntry,
+
+    /// represents Configuration.scan_dir_listings
+    scan_dir_listings: BannerEntry,
+
+    /// represents Configuration.limit_bars
+    limit_bars: BannerEntry,
 }
 
 /// implementation of Banner
@@ -310,6 +329,12 @@ impl Banner {
             BannerEntry::new("🚫", "Do Not Recurse", &config.no_recursion.to_string())
         };
 
+        let protocol = if config.protocol.to_lowercase() == "http" {
+            BannerEntry::new("🔓", "Default Protocol", &config.protocol)
+        } else {
+            BannerEntry::new("🔒", "Default Protocol", &config.protocol)
+        };
+
         let scan_limit = BannerEntry::new(
             "🦥",
             "Concurrent Scan Limit",
@@ -321,9 +346,23 @@ impl Banner {
         let replay_proxy = BannerEntry::new("🎥", "Replay Proxy", &config.replay_proxy);
         let auto_tune = BannerEntry::new("🎶", "Auto Tune", &config.auto_tune.to_string());
         let auto_bail = BannerEntry::new("🙅", "Auto Bail", &config.auto_bail.to_string());
+        let scan_dir_listings = BannerEntry::new(
+            "📂",
+            "Scan Dir Listings",
+            &config.scan_dir_listings.to_string(),
+        );
         let cfg = BannerEntry::new("💉", "Config File", &config.config);
         let proxy = BannerEntry::new("💎", "Proxy", &config.proxy);
+        let server_certs = BannerEntry::new(
+            "🏅",
+            "Server Certificates",
+            &format!("[{}]", config.server_certs.join(", ")),
+        );
+        let client_cert = BannerEntry::new("🏅", "Client Certificate", &config.client_cert);
+        let client_key = BannerEntry::new("🔑", "Client Key", &config.client_key);
         let threads = BannerEntry::new("🚀", "Threads", &config.threads.to_string());
+        let limit_bars =
+            BannerEntry::new("📊", "Limit Dir Scan Bars", &config.limit_bars.to_string());
         let wordlist = BannerEntry::new("📖", "Wordlist", &config.wordlist);
         let timeout = BannerEntry::new("💥", "Timeout (secs)", &config.timeout.to_string());
         let user_agent = BannerEntry::new("🦡", "User-Agent", &config.user_agent);
@@ -402,6 +441,9 @@ impl Banner {
             auto_bail,
             auto_tune,
             proxy,
+            client_cert,
+            client_key,
+            server_certs,
             replay_codes,
             replay_proxy,
             headers,
@@ -435,6 +477,9 @@ impl Banner {
             collect_words,
             dont_collect,
             config: cfg,
+            scan_dir_listings,
+            protocol,
+            limit_bars,
             version: VERSION.to_string(),
             update_status: UpdateStatus::Unknown,
         }
@@ -478,9 +523,36 @@ by Ben "epi" Risher {}                 ver: {}"#,
     pub async fn check_for_updates(&mut self, url: &str, handles: Arc<Handles>) -> Result<()> {
         log::trace!("enter: needs_update({}, {:?})", url, handles);
 
-        let api_url = Url::parse(url)?;
+        let api_url = parse_url_with_raw_path(url)?;
+
+        // we don't want to leak sensitive header info / include auth headers
+        // with the github api request, so we'll build a client specifically
+        // for this task. thanks to @stuhlmann for the suggestion!
+        let client = client::initialize(
+            handles.config.timeout,
+            "feroxbuster-update-check",
+            handles.config.redirects,
+            handles.config.insecure,
+            &HashMap::new(),
+            Some(&handles.config.proxy),
+            &handles.config.server_certs,
+            Some(&handles.config.client_cert),
+            Some(&handles.config.client_key),
+        )?;
+        let level = handles.config.output_level;
+        let tx_stats = handles.stats.tx.clone();
+
+        let result = make_request(
+            &client,
+            &api_url,
+            DEFAULT_METHOD,
+            None,
+            level,
+            &handles.config,
+            tx_stats,
+        )
+        .await?;
 
-        let result = logged_request(&api_url, DEFAULT_METHOD, None, handles.clone()).await?;
         let body = result.text().await?;
 
         let json_response: Value = serde_json::from_str(&body)?;
@@ -548,6 +620,14 @@ by Ben "epi" Risher {}                 ver: {}"#,
         }
 
         // followed by the maybe printed or variably displayed values
+        if !config.request_file.is_empty() || !config.target_url.starts_with("http") {
+            writeln!(&mut writer, "{}", self.protocol)?;
+        }
+
+        if config.limit_bars > 0 {
+            writeln!(&mut writer, "{}", self.limit_bars)?;
+        }
+
         if !config.config.is_empty() {
             writeln!(&mut writer, "{}", self.config)?;
         }
@@ -556,6 +636,18 @@ by Ben "epi" Risher {}                 ver: {}"#,
             writeln!(&mut writer, "{}", self.proxy)?;
         }
 
+        if !config.client_cert.is_empty() {
+            writeln!(&mut writer, "{}", self.client_cert)?;
+        }
+
+        if !config.client_key.is_empty() {
+            writeln!(&mut writer, "{}", self.client_key)?;
+        }
+
+        if !config.server_certs.is_empty() {
+            writeln!(&mut writer, "{}", self.server_certs)?;
+        }
+
         if !config.replay_proxy.is_empty() {
             // i include replay codes logic here because in config.rs, replay codes are set to the
             // value in status codes, meaning it's never empty
@@ -603,6 +695,10 @@ by Ben "epi" Risher {}                 ver: {}"#,
             writeln!(&mut writer, "{}", self.output)?;
         }
 
+        if config.scan_dir_listings {
+            writeln!(&mut writer, "{}", self.scan_dir_listings)?;
+        }
+
         if !config.debug_log.is_empty() {
             writeln!(&mut writer, "{}", self.debug_log)?;
         }

src/client.rs

@@ -1,19 +1,29 @@
-use anyhow::Result;
+use anyhow::{Context, Result};
 use reqwest::header::HeaderMap;
 use reqwest::{redirect::Policy, Client, Proxy};
 use std::collections::HashMap;
 use std::convert::TryInto;
+use std::path::Path;
 use std::time::Duration;
 
 /// Create and return an instance of [reqwest::Client](https://docs.rs/reqwest/latest/reqwest/struct.Client.html)
-pub fn initialize(
+/// For now, silence clippy for this one
+#[allow(clippy::too_many_arguments)]
+pub fn initialize<I>(
     timeout: u64,
     user_agent: &str,
     redirects: bool,
     insecure: bool,
     headers: &HashMap<String, String>,
     proxy: Option<&str>,
-) -> Result<Client> {
+    server_certs: I,
+    client_cert: Option<&str>,
+    client_key: Option<&str>,
+) -> Result<Client>
+where
+    I: IntoIterator,
+    I::Item: AsRef<Path> + std::fmt::Debug,
+{
     let policy = if redirects {
         Policy::limited(10)
     } else {
@@ -22,7 +32,7 @@ pub fn initialize(
 
     let header_map: HeaderMap = headers.try_into()?;
 
-    let client = Client::builder()
+    let mut client = Client::builder()
         .timeout(Duration::new(timeout, 0))
         .user_agent(user_agent)
         .danger_accept_invalid_certs(insecure)
@@ -34,7 +44,41 @@ pub fn initialize(
         if !some_proxy.is_empty() {
             // it's not an empty string; set the proxy
             let proxy_obj = Proxy::all(some_proxy)?;
-            return Ok(client.proxy(proxy_obj).build()?);
+            // just add the proxy to the client
+            // don't build and return it just yet
+            client = client.proxy(proxy_obj);
+        }
+    }
+
+    for cert_path in server_certs {
+        let buf = std::fs::read(&cert_path)?;
+
+        let cert = match reqwest::Certificate::from_pem(&buf) {
+            Ok(cert) => cert,
+            Err(err) => reqwest::Certificate::from_der(&buf).with_context(|| {
+                format!(
+                    "{:?} does not contain a valid PEM or DER certificate\n{}",
+                    &cert_path, err
+                )
+            })?,
+        };
+
+        client = client.add_root_certificate(cert);
+    }
+
+    if let (Some(cert_path), Some(key_path)) = (client_cert, client_key) {
+        if !cert_path.is_empty() && !key_path.is_empty() {
+            let cert = std::fs::read(cert_path)?;
+            let key = std::fs::read(key_path)?;
+
+            let identity = reqwest::Identity::from_pkcs8_pem(&cert, &key).with_context(|| {
+                format!(
+                    "either {} or {} are invalid; expecting PEM encoded certificate and key",
+                    cert_path, key_path
+                )
+            })?;
+
+            client = client.identity(identity);
         }
     }
 
@@ -50,7 +94,18 @@ mod tests {
     /// create client with a bad proxy, expect panic
     fn client_with_bad_proxy() {
         let headers = HashMap::new();
-        initialize(0, "stuff", true, false, &headers, Some("not a valid proxy")).unwrap();
+        initialize(
+            0,
+            "stuff",
+            true,
+            false,
+            &headers,
+            Some("not a valid proxy"),
+            Vec::<String>::new(),
+            None,
+            None,
+        )
+        .unwrap();
     }
 
     #[test]
@@ -58,6 +113,99 @@ mod tests {
     fn client_with_good_proxy() {
         let headers = HashMap::new();
         let proxy = "http://127.0.0.1:8080";
-        initialize(0, "stuff", true, true, &headers, Some(proxy)).unwrap();
+        initialize(
+            0,
+            "stuff",
+            true,
+            true,
+            &headers,
+            Some(proxy),
+            Vec::<String>::new(),
+            None,
+            None,
+        )
+        .unwrap();
+    }
+
+    #[test]
+    /// create client with a server cert in pem format, expect no error
+    fn client_with_valid_server_pem() {
+        let headers = HashMap::new();
+
+        initialize(
+            0,
+            "stuff",
+            true,
+            true,
+            &headers,
+            None,
+            vec!["tests/mutual-auth/certs/server/server.crt.1".to_string()],
+            None,
+            None,
+        )
+        .unwrap();
+    }
+
+    #[test]
+    /// create client with a server cert in der format, expect no error
+    fn client_with_valid_server_der() {
+        let headers = HashMap::new();
+
+        initialize(
+            0,
+            "stuff",
+            true,
+            true,
+            &headers,
+            None,
+            vec!["tests/mutual-auth/certs/server/server.der".to_string()],
+            None,
+            None,
+        )
+        .unwrap();
+    }
+
+    #[test]
+    /// create client with two server certs (pem and der), expect no error
+    fn client_with_valid_server_pem_and_der() {
+        let headers = HashMap::new();
+
+        println!("{}", std::env::current_dir().unwrap().display());
+
+        initialize(
+            0,
+            "stuff",
+            true,
+            true,
+            &headers,
+            None,
+            vec![
+                "tests/mutual-auth/certs/server/server.crt.1".to_string(),
+                "tests/mutual-auth/certs/server/server.der".to_string(),
+            ],
+            None,
+            None,
+        )
+        .unwrap();
+    }
+
+    /// create client with invalid certificate, expect panic
+    #[test]
+    #[should_panic]
+    fn client_with_invalid_server_cert() {
+        let headers = HashMap::new();
+
+        initialize(
+            0,
+            "stuff",
+            true,
+            true,
+            &headers,
+            None,
+            vec!["tests/mutual-auth/certs/client/client.key".to_string()],
+            None,
+            None,
+        )
+        .unwrap();
     }
 }

src/config/container.rs

@@ -1,12 +1,16 @@
 use super::utils::{
-    depth, extract_links, ignored_extensions, methods, report_and_exit, save_state,
-    serialized_type, status_codes, threads, timeout, user_agent, wordlist, OutputLevel,
+    backup_extensions, depth, determine_requester_policy, extract_links, ignored_extensions,
+    methods, parse_request_file, report_and_exit, request_protocol, save_state, serialized_type,
+    split_header, split_query, status_codes, threads, timeout, user_agent, wordlist, OutputLevel,
     RequesterPolicy,
 };
+
 use crate::config::determine_output_level;
-use crate::config::utils::determine_requester_policy;
 use crate::{
-    client, parser, scan_manager::resume_scan, traits::FeroxSerialize, utils::fmt_err,
+    client, parser,
+    scan_manager::resume_scan,
+    traits::FeroxSerialize,
+    utils::{fmt_err, module_colorizer, parse_url_with_raw_path, status_colorizer},
     DEFAULT_CONFIG_NAME,
 };
 use anyhow::{anyhow, Context, Result};
@@ -18,7 +22,7 @@ use std::{
     collections::HashMap,
     env::{current_dir, current_exe},
     fs::read_to_string,
-    path::PathBuf,
+    path::{Path, PathBuf},
 };
 
 /// macro helper to abstract away repetitive configuration updates
@@ -101,6 +105,18 @@ pub struct Configuration {
     #[serde(default)]
     pub replay_proxy: String,
 
+    /// Path to a custom root certificate for connecting to servers with a self-signed certificate
+    #[serde(default)]
+    pub server_certs: Vec<String>,
+
+    /// Path to a client's PEM encoded X509 certificate used during mutual authentication
+    #[serde(default)]
+    pub client_cert: String,
+
+    /// Path to a client's PEM encoded PKSC #8 private key used during mutual authentication
+    #[serde(default)]
+    pub client_key: String,
+
     /// The target URL
     #[serde(default)]
     pub target_url: String,
@@ -303,6 +319,9 @@ pub struct Configuration {
     #[serde(default)]
     pub collect_backups: bool,
 
+    #[serde(default = "backup_extensions")]
+    pub backup_extensions: Vec<String>,
+
     /// Automatically discover important words from within responses and add them to the wordlist
     #[serde(default)]
     pub collect_words: bool,
@@ -314,6 +333,22 @@ pub struct Configuration {
     /// Auto update app feature
     #[serde(skip)]
     pub update_app: bool,
+
+    /// whether to recurse into directory listings or not
+    #[serde(default)]
+    pub scan_dir_listings: bool,
+
+    /// path to a raw request file generated by burp or similar
+    #[serde(skip)]
+    pub request_file: String,
+
+    /// default request protocol
+    #[serde(default = "request_protocol")]
+    pub protocol: String,
+
+    /// number of directory scan bars to show at any given time, 0 is no limit
+    #[serde(default)]
+    pub limit_bars: usize,
 }
 
 impl Default for Configuration {
@@ -321,8 +356,18 @@ impl Default for Configuration {
     fn default() -> Self {
         let timeout = timeout();
         let user_agent = user_agent();
-        let client = client::initialize(timeout, &user_agent, false, false, &HashMap::new(), None)
-            .expect("Could not build client");
+        let client = client::initialize(
+            timeout,
+            &user_agent,
+            false,
+            false,
+            &HashMap::new(),
+            None,
+            Vec::<String>::new(),
+            None,
+            None,
+        )
+        .expect("Could not build client");
         let replay_client = None;
         let status_codes = status_codes();
         let replay_codes = status_codes.clone();
@@ -350,10 +395,12 @@ impl Default for Configuration {
             resumed: false,
             stdin: false,
             json: false,
+            scan_dir_listings: false,
             verbosity: 0,
             scan_limit: 0,
             parallel: 0,
             rate_limit: 0,
+            limit_bars: 0,
             add_slash: false,
             insecure: false,
             redirects: false,
@@ -366,6 +413,8 @@ impl Default for Configuration {
             force_recursion: false,
             update_app: false,
             proxy: String::new(),
+            client_cert: String::new(),
+            client_key: String::new(),
             config: String::new(),
             output: String::new(),
             debug_log: String::new(),
@@ -373,6 +422,9 @@ impl Default for Configuration {
             time_limit: String::new(),
             resume_from: String::new(),
             replay_proxy: String::new(),
+            request_file: String::new(),
+            protocol: request_protocol(),
+            server_certs: Vec::new(),
             queries: Vec::new(),
             extensions: Vec::new(),
             methods: methods(),
@@ -390,6 +442,7 @@ impl Default for Configuration {
             threads: threads(),
             wordlist: wordlist(),
             dont_collect: ignored_extensions(),
+            backup_extensions: backup_extensions(),
         }
     }
 }
@@ -422,6 +475,7 @@ impl Configuration {
     /// - **extensions**: `None`
     /// - **collect_extensions**: `false`
     /// - **collect_backups**: `false`
+    /// - **backup_extensions**: [`DEFAULT_BACKUP_EXTENSIONS`](constant.DEFAULT_BACKUP_EXTENSIONS.html)
     /// - **collect_words**: `false`
     /// - **dont_collect**: [`DEFAULT_IGNORED_EXTENSIONS`](constant.DEFAULT_RESPONSE_CODES.html)
     /// - **methods**: [`DEFAULT_METHOD`](constant.DEFAULT_METHOD.html)
@@ -443,12 +497,16 @@ impl Configuration {
     /// - **depth**: `4` (maximum recursion depth)
     /// - **force_recursion**: `false` (still respects recursion depth)
     /// - **scan_limit**: `0` (no limit on concurrent scans imposed)
+    /// - **limit_bars**: `0` (no limit on number of directory scan bars shown)
     /// - **parallel**: `0` (no limit on parallel scans imposed)
     /// - **rate_limit**: `0` (no limit on requests per second imposed)
     /// - **time_limit**: `None` (no limit on length of scan imposed)
     /// - **replay_proxy**: `None` (no limit on concurrent scans imposed)
     /// - **replay_codes**: [`DEFAULT_RESPONSE_CODES`](constant.DEFAULT_RESPONSE_CODES.html)
     /// - **update_app**: `false`
+    /// - **scan_dir_listings**: `false`
+    /// - **request_file**: `None`
+    /// - **protocol**: `https`
     ///
     /// After which, any values defined in a
     /// [ferox-config.toml](constant.DEFAULT_CONFIG_NAME.html) config file will override the
@@ -522,6 +580,18 @@ impl Configuration {
         // merge the cli options into the config file options and return the result
         Self::merge_config(&mut config, cli_config);
 
+        // if the user provided a raw request file as the target, we'll need to parse out
+        // the provided info and update the config with those values. This call needs to
+        // come after the cli/config merge so we can allow the cli options to override
+        // the raw request values (i.e. --headers "stuff: things" should override a "stuff"
+        // header from the raw request).
+        //
+        // Additionally, this call needs to come before client rebuild so that the things
+        // like user-agent can be set at the client level instead of the header level.
+        if !config.request_file.is_empty() {
+            parse_request_file(&mut config)?;
+        }
+
         // rebuild clients is the last step in either code branch
         Self::try_rebuild_clients(&mut config);
 
@@ -543,9 +613,7 @@ impl Configuration {
         //   - current directory
 
         // merge a config found at /etc/feroxbuster/ferox-config.toml
-        let config_file = PathBuf::new()
-            .join("/etc/feroxbuster")
-            .join(DEFAULT_CONFIG_NAME);
+        let config_file = Path::new("/etc/feroxbuster").join(DEFAULT_CONFIG_NAME);
         Self::parse_and_merge_config(config_file, config)?;
 
         // merge a config found at ~/.config/feroxbuster/ferox-config.toml
@@ -583,13 +651,16 @@ impl Configuration {
         update_config_with_num_type_if_present!(&mut config.depth, args, "depth", usize);
         update_config_with_num_type_if_present!(&mut config.scan_limit, args, "scan_limit", usize);
         update_config_with_num_type_if_present!(&mut config.rate_limit, args, "rate_limit", usize);
+        update_config_with_num_type_if_present!(&mut config.limit_bars, args, "limit_bars", usize);
         update_config_if_present!(&mut config.wordlist, args, "wordlist", String);
         update_config_if_present!(&mut config.output, args, "output", String);
         update_config_if_present!(&mut config.debug_log, args, "debug_log", String);
         update_config_if_present!(&mut config.resume_from, args, "resume_from", String);
+        update_config_if_present!(&mut config.request_file, args, "request_file", String);
+        update_config_if_present!(&mut config.protocol, args, "protocol", String);
 
         if let Ok(Some(inner)) = args.try_get_one::<String>("time_limit") {
-            config.time_limit = inner.to_owned();
+            inner.clone_into(&mut config.time_limit);
         }
 
         if let Some(arg) = args.get_many::<String>("status_codes") {
@@ -613,7 +684,7 @@ impl Configuration {
                 .collect();
         } else {
             // not passed in by the user, use whatever value is held in status_codes
-            config.replay_codes = config.status_codes.clone();
+            config.replay_codes.clone_from(&config.status_codes);
         }
 
         if let Some(arg) = args.get_many::<String>("filter_status") {
@@ -627,9 +698,27 @@ impl Configuration {
         }
 
         if let Some(arg) = args.get_many::<String>("extensions") {
-            config.extensions = arg
-                .map(|val| val.trim_start_matches('.').to_string())
-                .collect();
+            let mut extensions = Vec::<String>::new();
+            for ext in arg {
+                if let Some(stripped) = ext.strip_prefix('@') {
+                    let contents = read_to_string(stripped)
+                        .unwrap_or_else(|e| report_and_exit(&e.to_string()));
+                    let exts_from_file = contents.split('\n').filter_map(|s| {
+                        let trimmed = s.trim().trim_start_matches('.');
+
+                        if trimmed.is_empty() || trimmed.starts_with('#') {
+                            None
+                        } else {
+                            Some(trimmed.to_string())
+                        }
+                    });
+
+                    extensions.extend(exts_from_file);
+                } else {
+                    extensions.push(ext.trim().trim_start_matches('.').to_string());
+                }
+            }
+            config.extensions = extensions;
         }
 
         if let Some(arg) = args.get_many::<String>("dont_collect") {
@@ -655,6 +744,11 @@ impl Configuration {
             } else {
                 config.data = arg.as_bytes().to_vec();
             }
+
+            if config.methods == methods() {
+                // if the user didn't specify a method, we're going to assume they meant to use POST
+                config.methods = vec![Method::POST.as_str().to_string()];
+            }
         }
 
         if came_from_cli!(args, "stdin") {
@@ -673,7 +767,7 @@ impl Configuration {
             for denier in arg {
                 // could be an absolute url or a regex, need to determine which and populate the
                 // appropriate vector
-                match Url::parse(denier.trim_end_matches('/')) {
+                match parse_url_with_raw_path(denier.trim_end_matches('/')) {
                     Ok(absolute) => {
                         // denier is an absolute url and can be parsed as such
                         config.url_denylist.push(absolute);
@@ -742,18 +836,22 @@ impl Configuration {
                 .collect();
         }
 
-        if came_from_cli!(args, "silent") {
+        if came_from_cli!(args, "quiet") {
+            config.quiet = true;
+            config.output_level = OutputLevel::Quiet;
+        }
+
+        if came_from_cli!(args, "silent") || (config.parallel > 0 && !config.quiet) {
             // the reason this is protected by an if statement:
             // consider a user specifying silent = true in ferox-config.toml
             // if the line below is outside of the if, we'd overwrite true with
             // false if no --silent is used on the command line
             config.silent = true;
-            config.output_level = OutputLevel::Silent;
-        }
-
-        if came_from_cli!(args, "quiet") {
-            config.quiet = true;
-            config.output_level = OutputLevel::Quiet;
+            config.output_level = if config.json {
+                OutputLevel::SilentJSON
+            } else {
+                OutputLevel::Silent
+            };
         }
 
         if came_from_cli!(args, "auto_tune")
@@ -773,6 +871,10 @@ impl Configuration {
             config.save_state = false;
         }
 
+        if came_from_cli!(args, "scan_dir_listings") || came_from_cli!(args, "thorough") {
+            config.scan_dir_listings = true;
+        }
+
         if came_from_cli!(args, "dont_filter") {
             config.dont_filter = true;
         }
@@ -786,6 +888,20 @@ impl Configuration {
             || came_from_cli!(args, "thorough")
         {
             config.collect_backups = true;
+            config.backup_extensions = backup_extensions();
+
+            if came_from_cli!(args, "collect_backups") {
+                if let Some(arg) = args.get_many::<String>("collect_backups") {
+                    let backup_exts = arg
+                        .map(|ext| ext.trim().to_string())
+                        .collect::<Vec<String>>();
+
+                    if !backup_exts.is_empty() {
+                        // have at least one cli backup, override the defaults
+                        config.backup_extensions = backup_exts;
+                    }
+                }
+            }
         }
 
         if came_from_cli!(args, "collect_words")
@@ -799,6 +915,25 @@ impl Configuration {
             // occurrences_of returns 0 if none are found; this is protected in
             // an if block for the same reason as the quiet option
             config.verbosity = args.get_count("verbosity");
+
+            // todo: starting on 2.11.0 (907-dont-skip-dir-listings), trace-level
+            //   logging started causing the following error:
+            //
+            // thread 'tokio-runtime-worker' has overflowed its stack
+            // fatal runtime error: stack overflow
+            // Aborted (core dumped)
+            //
+            // as a temporary fix, we'll disable trace logging to prevent the stack
+            // overflow until I get time to investigate the root cause
+            if config.verbosity > 3 {
+                eprintln!(
+                    "{} {}: Trace level logging is disabled; setting log level to debug",
+                    status_colorizer("WRN"),
+                    module_colorizer("Configuration::parse_cli_args"),
+                );
+
+                config.verbosity = 3;
+            }
         }
 
         if came_from_cli!(args, "no_recursion") {
@@ -829,6 +964,8 @@ impl Configuration {
         // organizational breakpoint; all options below alter the Client configuration
         ////
         update_config_if_present!(&mut config.proxy, args, "proxy", String);
+        update_config_if_present!(&mut config.client_cert, args, "client_cert", String);
+        update_config_if_present!(&mut config.client_key, args, "client_key", String);
         update_config_if_present!(&mut config.replay_proxy, args, "replay_proxy", String);
         update_config_if_present!(&mut config.user_agent, args, "user_agent", String);
         update_config_with_num_type_if_present!(&mut config.timeout, args, "timeout", u64);
@@ -858,15 +995,11 @@ impl Configuration {
 
         if let Some(headers) = args.get_many::<String>("headers") {
             for val in headers {
-                let mut split_val = val.split(':');
-
-                // explicitly take first split value as header's name
-                let name = split_val.next().unwrap().trim();
-
-                // all other items in the iterator returned by split, when combined with the
-                // original split deliminator (:), make up the header's final value
-                let value = split_val.collect::<Vec<&str>>().join(":");
-                config.headers.insert(name.to_string(), value.to_string());
+                let Ok((name, value)) = split_header(val) else {
+                    log::warn!("Invalid header: {}", val);
+                    continue;
+                };
+                config.headers.insert(name, value);
             }
         }
 
@@ -874,28 +1007,46 @@ impl Configuration {
             config.headers.insert(
                 // we know the header name is always "cookie"
                 "Cookie".to_string(),
-                // on splitting, there should be only two elements,
-                // a key and a value
                 cookies
-                    .map(|cookie| cookie.split('=').collect::<Vec<&str>>()[..].to_owned())
-                    .filter(|parts| parts.len() == 2)
-                    .map(|parts| format!("{}={}", parts[0].trim(), parts[1].trim()))
-                    // trim the spaces, join with an equals sign
+                    .flat_map(|cookie| {
+                        cookie.split(';').filter_map(|part| {
+                            // trim the spaces
+                            let trimmed = part.trim();
+                            if trimmed.is_empty() {
+                                None
+                            } else {
+                                // Find the position of the first equals sign
+                                if let Some(pos) = trimmed.find('=') {
+                                    // Split into name and value at the first equals sign
+                                    let name = &trimmed[..pos].trim();
+                                    let value = &trimmed[pos + 1..].trim();
+                                    Some(format!("{}={}", name, value))
+                                } else {
+                                    // Handle the case where there's no equals sign
+                                    Some(trimmed.to_string())
+                                }
+                            }
+                        })
+                    })
                     .collect::<Vec<String>>()
-                    .join("; "), // join all the cookies with semicolons for the final header
+                    // join all the cookies with semicolons for the final header
+                    .join("; "),
             );
         }
 
         if let Some(queries) = args.get_many::<String>("queries") {
             for val in queries {
-                // same basic logic used as reading in the headers HashMap above
-                let mut split_val = val.split('=');
+                let Ok((name, value)) = split_query(val) else {
+                    log::warn!("Invalid query string: {}", val);
+                    continue;
+                };
+                config.queries.push((name, value));
+            }
+        }
 
-                let name = split_val.next().unwrap().trim();
-
-                let value = split_val.collect::<Vec<&str>>().join("=");
-
-                config.queries.push((name.to_string(), value.to_string()));
+        if let Some(certs) = args.get_many::<String>("server_certs") {
+            for val in certs {
+                config.server_certs.push(val.to_string());
             }
         }
 
@@ -906,35 +1057,53 @@ impl Configuration {
     /// either the config file or command line arguments; if we have, we need to rebuild
     /// the client and store it in the config struct
     fn try_rebuild_clients(configuration: &mut Configuration) {
-        if !configuration.proxy.is_empty()
+        // check if the proxy and certificate fields are empty
+        // and parse them into Some or None variants ahead of time
+        // so we may use the is_some method on them instead of
+        // multiple initializations
+        let proxy = if configuration.proxy.is_empty() {
+            None
+        } else {
+            Some(configuration.proxy.as_str())
+        };
+
+        let server_certs = &configuration.server_certs;
+
+        let client_cert = if configuration.client_cert.is_empty() {
+            None
+        } else {
+            Some(configuration.client_cert.as_str())
+        };
+
+        let client_key = if configuration.client_key.is_empty() {
+            None
+        } else {
+            Some(configuration.client_key.as_str())
+        };
+
+        if proxy.is_some()
             || configuration.timeout != timeout()
             || configuration.user_agent != user_agent()
             || configuration.redirects
             || configuration.insecure
             || !configuration.headers.is_empty()
             || configuration.resumed
+            || !server_certs.is_empty()
+            || client_cert.is_some()
+            || client_key.is_some()
         {
-            if configuration.proxy.is_empty() {
-                configuration.client = client::initialize(
-                    configuration.timeout,
-                    &configuration.user_agent,
-                    configuration.redirects,
-                    configuration.insecure,
-                    &configuration.headers,
-                    None,
-                )
-                .expect("Could not rebuild client")
-            } else {
-                configuration.client = client::initialize(
-                    configuration.timeout,
-                    &configuration.user_agent,
-                    configuration.redirects,
-                    configuration.insecure,
-                    &configuration.headers,
-                    Some(&configuration.proxy),
-                )
-                .expect("Could not rebuild client")
-            }
+            configuration.client = client::initialize(
+                configuration.timeout,
+                &configuration.user_agent,
+                configuration.redirects,
+                configuration.insecure,
+                &configuration.headers,
+                proxy,
+                server_certs,
+                client_cert,
+                client_key,
+            )
+            .expect("Could not rebuild client");
         }
 
         if !configuration.replay_proxy.is_empty() {
@@ -947,6 +1116,9 @@ impl Configuration {
                     configuration.insecure,
                     &configuration.headers,
                     Some(&configuration.replay_proxy),
+                    server_certs,
+                    client_cert,
+                    client_key,
                 )
                 .expect("Could not rebuild client"),
             );
@@ -955,7 +1127,7 @@ impl Configuration {
 
     /// Given a configuration file's location and an instance of `Configuration`, read in
     /// the config file if found and update the current settings with the settings found therein
-    fn parse_and_merge_config(config_file: PathBuf, mut config: &mut Self) -> Result<()> {
+    fn parse_and_merge_config(config_file: PathBuf, config: &mut Self) -> Result<()> {
         if config_file.exists() {
             // save off a string version of the path before it goes out of scope
             let conf_str = config_file.to_str().unwrap_or("").to_string();
@@ -981,7 +1153,16 @@ impl Configuration {
         update_if_not_default!(&mut conf.target_url, new.target_url, "");
         update_if_not_default!(&mut conf.time_limit, new.time_limit, "");
         update_if_not_default!(&mut conf.proxy, new.proxy, "");
+        update_if_not_default!(
+            &mut conf.server_certs,
+            new.server_certs,
+            Vec::<String>::new()
+        );
+        update_if_not_default!(&mut conf.json, new.json, false);
+        update_if_not_default!(&mut conf.client_cert, new.client_cert, "");
+        update_if_not_default!(&mut conf.client_key, new.client_key, "");
         update_if_not_default!(&mut conf.verbosity, new.verbosity, 0);
+        update_if_not_default!(&mut conf.limit_bars, new.limit_bars, 0);
         update_if_not_default!(&mut conf.silent, new.silent, false);
         update_if_not_default!(&mut conf.quiet, new.quiet, false);
         update_if_not_default!(&mut conf.auto_bail, new.auto_bail, false);
@@ -990,7 +1171,7 @@ impl Configuration {
         update_if_not_default!(&mut conf.collect_backups, new.collect_backups, false);
         update_if_not_default!(&mut conf.collect_words, new.collect_words, false);
         // use updated quiet/silent values to determine output level; same for requester policy
-        conf.output_level = determine_output_level(conf.quiet, conf.silent);
+        conf.output_level = determine_output_level(conf.quiet, conf.silent, conf.json);
         conf.requester_policy = determine_requester_policy(conf.auto_tune, conf.auto_bail);
         update_if_not_default!(&mut conf.output, new.output, "");
         update_if_not_default!(&mut conf.redirects, new.redirects, false);
@@ -1042,16 +1223,23 @@ impl Configuration {
             Vec::<u16>::new()
         );
         update_if_not_default!(&mut conf.dont_filter, new.dont_filter, false);
+        update_if_not_default!(&mut conf.scan_dir_listings, new.scan_dir_listings, false);
         update_if_not_default!(&mut conf.scan_limit, new.scan_limit, 0);
         update_if_not_default!(&mut conf.parallel, new.parallel, 0);
         update_if_not_default!(&mut conf.rate_limit, new.rate_limit, 0);
         update_if_not_default!(&mut conf.replay_proxy, new.replay_proxy, "");
         update_if_not_default!(&mut conf.debug_log, new.debug_log, "");
         update_if_not_default!(&mut conf.resume_from, new.resume_from, "");
-        update_if_not_default!(&mut conf.json, new.json, false);
+        update_if_not_default!(&mut conf.request_file, new.request_file, "");
+        update_if_not_default!(&mut conf.protocol, new.protocol, request_protocol());
 
         update_if_not_default!(&mut conf.timeout, new.timeout, timeout());
         update_if_not_default!(&mut conf.user_agent, new.user_agent, user_agent());
+        update_if_not_default!(
+            &mut conf.backup_extensions,
+            new.backup_extensions,
+            backup_extensions()
+        );
         update_if_not_default!(&mut conf.random_agent, new.random_agent, false);
         update_if_not_default!(&mut conf.threads, new.threads, threads());
         update_if_not_default!(&mut conf.depth, new.depth, depth());

src/config/tests.rs

@@ -49,6 +49,10 @@ fn setup_config_test() -> Configuration {
             json = true
             save_state = false
             depth = 1
+            limit_bars = 3
+            protocol = "http"
+            request_file = "/some/request/file"
+            scan_dir_listings = true
             force_recursion = true
             filter_size = [4120]
             filter_regex = ["^ignore me$"]
@@ -56,6 +60,10 @@ fn setup_config_test() -> Configuration {
             filter_word_count = [994, 992]
             filter_line_count = [34]
             filter_status = [201]
+            server_certs = ["/some/cert.pem", "/some/other/cert.pem"]
+            client_cert = "/some/client/cert.pem"
+            client_key = "/some/client/key.pem"
+            backup_extensions = [".save"]
         "#;
     let tmp_dir = TempDir::new().unwrap();
     let file = tmp_dir.path().join(DEFAULT_CONFIG_NAME);
@@ -83,6 +91,7 @@ fn default_configuration() {
     assert_eq!(config.timeout, timeout());
     assert_eq!(config.verbosity, 0);
     assert_eq!(config.scan_limit, 0);
+    assert_eq!(config.limit_bars, 0);
     assert!(!config.silent);
     assert!(!config.quiet);
     assert_eq!(config.output_level, OutputLevel::Default);
@@ -103,6 +112,7 @@ fn default_configuration() {
     assert!(!config.collect_extensions);
     assert!(!config.collect_backups);
     assert!(!config.collect_words);
+    assert!(!config.scan_dir_listings);
     assert!(config.regex_denylist.is_empty());
     assert_eq!(config.queries, Vec::new());
     assert_eq!(config.filter_size, Vec::<u64>::new());
@@ -117,6 +127,12 @@ fn default_configuration() {
     assert_eq!(config.filter_line_count, Vec::<usize>::new());
     assert_eq!(config.filter_status, Vec::<u16>::new());
     assert_eq!(config.headers, HashMap::new());
+    assert_eq!(config.server_certs, Vec::<String>::new());
+    assert_eq!(config.client_cert, String::new());
+    assert_eq!(config.client_key, String::new());
+    assert_eq!(config.backup_extensions, backup_extensions());
+    assert_eq!(config.protocol, request_protocol());
+    assert_eq!(config.request_file, String::new());
 }
 
 #[test]
@@ -252,6 +268,13 @@ fn config_reads_verbosity() {
     assert_eq!(config.verbosity, 1);
 }
 
+#[test]
+/// parse the test config and see that the value parsed is correct
+fn config_reads_limit_bars() {
+    let config = setup_config_test();
+    assert_eq!(config.limit_bars, 3);
+}
+
 #[test]
 /// parse the test config and see that the value parsed is correct
 fn config_reads_output() {
@@ -436,6 +459,27 @@ fn config_reads_time_limit() {
     assert_eq!(config.time_limit, "10m");
 }
 
+#[test]
+/// parse the test config and see that the value parsed is correct
+fn config_reads_scan_dir_listings() {
+    let config = setup_config_test();
+    assert!(config.scan_dir_listings);
+}
+
+#[test]
+/// parse the test config and see that the value parsed is correct
+fn config_reads_protocol() {
+    let config = setup_config_test();
+    assert_eq!(config.protocol, "http");
+}
+
+#[test]
+/// parse the test config and see that the value parsed is correct
+fn config_reads_request_file() {
+    let config = setup_config_test();
+    assert_eq!(config.request_file, String::new());
+}
+
 #[test]
 /// parse the test config and see that the value parsed is correct
 fn config_reads_resume_from() {
@@ -443,6 +487,37 @@ fn config_reads_resume_from() {
     assert_eq!(config.resume_from, "/some/state/file");
 }
 
+#[test]
+/// parse the test config and see that the value parsed is correct
+fn config_reads_server_certs() {
+    let config = setup_config_test();
+    assert_eq!(
+        config.server_certs,
+        ["/some/cert.pem", "/some/other/cert.pem"]
+    );
+}
+
+#[test]
+/// parse the test config and see that the value parsed is correct
+fn config_reads_backup_extensions() {
+    let config = setup_config_test();
+    assert_eq!(config.backup_extensions, [".save"]);
+}
+
+#[test]
+/// parse the test config and see that the value parsed is correct
+fn config_reads_client_cert() {
+    let config = setup_config_test();
+    assert_eq!(config.client_cert, "/some/client/cert.pem");
+}
+
+#[test]
+/// parse the test config and see that the value parsed is correct
+fn config_reads_client_key() {
+    let config = setup_config_test();
+    assert_eq!(config.client_key, "/some/client/key.pem");
+}
+
 #[test]
 /// parse the test config and see that the values parsed are correct
 fn config_reads_headers() {

src/event_handlers/command.rs

@@ -1,4 +1,5 @@
 use std::sync::Arc;
+use std::time::Duration;
 
 use reqwest::StatusCode;
 use tokio::sync::oneshot::Sender;
@@ -85,4 +86,10 @@ pub enum Command {
     /// Give a handler access to an Arc<Handles> instance after the handler has
     /// already been initialized
     AddHandles(Arc<Handles>),
+
+    /// inform the Stats object about which targets are being scanned
+    UpdateTargets(Vec<String>),
+
+    /// query the Stats handler about the position of the overall progress bar
+    QueryOverallBarEta(Sender<Duration>),
 }

src/event_handlers/inputs.rs

@@ -12,6 +12,7 @@ use anyhow::Result;
 use console::style;
 use crossterm::event::{self, Event, KeyCode};
 use std::{
+    env::temp_dir,
     sync::{
         atomic::{AtomicBool, Ordering},
         Arc,
@@ -103,10 +104,36 @@ impl TermInputHandler {
 
         // User didn't set the --no-state flag (so saved_state is still the default true)
         if handles.config.save_state {
-            let state_file = open_file(&filename);
+            let Ok(mut state_file) = open_file(&filename) else {
+                // couldn't open the file, let the user know we're going to try again
+                let error = format!(
+                    "❌ Could not save {}, falling back to {}",
+                    filename,
+                    temp_dir().to_string_lossy()
+                );
+                PROGRESS_PRINTER.println(error);
 
-            let mut buffered_file = state_file?;
-            write_to(&state, &mut buffered_file, true)?;
+                let temp_filename = temp_dir().join(&filename);
+
+                let Ok(mut state_file) = open_file(&temp_filename.to_string_lossy()) else {
+                    // couldn't open the fallback file, let the user know
+                    let error = format!("❌❌ Could not save {:?}, giving up...", temp_filename);
+                    PROGRESS_PRINTER.println(error);
+
+                    log::trace!("exit: sigint_handler (failed to write)");
+                    std::process::exit(1);
+                };
+
+                write_to(&state, &mut state_file, true)?;
+
+                let msg = format!("✅ Saved scan state to {:?}", temp_filename);
+                PROGRESS_PRINTER.println(msg);
+
+                log::trace!("exit: sigint_handler (saved to temp folder)");
+                std::process::exit(1);
+            };
+
+            write_to(&state, &mut state_file, true)?;
         }
 
         log::trace!("exit: sigint_handler (end of program)");

src/event_handlers/outputs.rs

@@ -98,6 +98,8 @@ impl FileOutHandler {
 
         log::info!("Writing scan results to {}", self.config.output);
 
+        write_to(&*self.config, &mut file, self.config.json)?;
+
         while let Some(command) = self.receiver.recv().await {
             match command {
                 Command::Report(response) => {
@@ -209,8 +211,12 @@ impl TermOutHandler {
         while let Some(command) = self.receiver.recv().await {
             match command {
                 Command::Report(resp) => {
-                    self.process_response(tx_stats.clone(), resp, ProcessResponseCall::Recursive)
-                        .await?;
+                    if let Err(err) = self
+                        .process_response(tx_stats.clone(), resp, ProcessResponseCall::Recursive)
+                        .await
+                    {
+                        log::warn!("{}", err);
+                    }
                 }
                 Command::Sync(sender) => {
                     sender.send(true).unwrap_or_default();
@@ -242,14 +248,6 @@ impl TermOutHandler {
         log::trace!("enter: process_response({:?}, {:?})", resp, call_type);
 
         async move {
-            let should_filter = self
-                .handles
-                .as_ref()
-                .unwrap()
-                .filters
-                .data
-                .should_filter_response(&resp, tx_stats.clone());
-
             let contains_sentry = if !self.config.filter_status.is_empty() {
                 // -C was used, meaning -s was not and we should ignore the defaults
                 // https://github.com/epi052/feroxbuster/issues/535
@@ -261,7 +259,7 @@ impl TermOutHandler {
             };
 
             let unknown_sentry = !RESPONSES.contains(&resp); // !contains == unknown
-            let should_process_response = contains_sentry && unknown_sentry && !should_filter;
+            let should_process_response = contains_sentry && unknown_sentry;
 
             if should_process_response {
                 // print to stdout
@@ -336,6 +334,21 @@ impl TermOutHandler {
                     )
                     .await;
 
+                    let Some(handles) = self.handles.as_ref() else {
+                        // shouldn't ever happen, but we'll log and return early if it does
+                        log::error!("handles were unexpectedly None, this shouldn't happen");
+                        return Ok(());
+                    };
+
+                    if handles
+                        .filters
+                        .data
+                        .should_filter_response(&ferox_response, tx_stats.clone())
+                    {
+                        // response was filtered for one reason or another, don't process it
+                        continue;
+                    }
+
                     self.process_response(
                         tx_stats.clone(),
                         Box::new(ferox_response),
@@ -393,7 +406,7 @@ impl TermOutHandler {
 
         if !filename.is_empty() {
             // append rules
-            for suffix in ["~", ".bak", ".bak2", ".old", ".1"] {
+            for suffix in &self.config.backup_extensions {
                 self.add_new_url_to_vec(url, &format!("{filename}{suffix}"), &mut urls);
             }
 

src/event_handlers/scans.rs

@@ -16,7 +16,7 @@ use crate::{
 use super::command::Command::AddToUsizeField;
 use super::*;
 use crate::statistics::StatField;
-use reqwest::Url;
+use crate::utils::parse_url_with_raw_path;
 use tokio::time::Duration;
 
 #[derive(Debug)]
@@ -120,7 +120,10 @@ impl ScanHandler {
     pub fn initialize(handles: Arc<Handles>) -> (Joiner, ScanHandle) {
         log::trace!("enter: initialize");
 
-        let data = Arc::new(FeroxScans::new(handles.config.output_level));
+        let data = Arc::new(FeroxScans::new(
+            handles.config.output_level,
+            handles.config.limit_bars,
+        ));
         let (tx, rx): FeroxChannel<Command> = mpsc::unbounded_channel();
 
         let max_depth = handles.config.depth;
@@ -266,7 +269,7 @@ impl ScanHandler {
                         let bar = scan.progress_bar();
 
                         // (4000 - 3000) / 2 => 500 words left to send
-                        let length = bar.length();
+                        let length = bar.length().unwrap_or(1);
                         let num_words_left = (length - bar.position()) / divisor;
 
                         // accumulate each bar's increment value for incrementing the total bar
@@ -322,10 +325,14 @@ impl ScanHandler {
             let scan = if let Some(ferox_scan) = self.data.get_scan_by_url(&target) {
                 ferox_scan // scan already known
             } else {
-                self.data.add_directory_scan(&target, order).1 // add the new target; return FeroxScan
+                self.data
+                    .add_directory_scan(&target, order, self.handles.clone())
+                    .1 // add the new target; return FeroxScan
             };
 
-            if should_test_deny && should_deny_url(&Url::parse(&target)?, self.handles.clone())? {
+            if should_test_deny
+                && should_deny_url(&parse_url_with_raw_path(&target)?, self.handles.clone())?
+            {
                 // response was caught by a user-provided deny list
                 // checking this last, since it's most susceptible to longer runtimes due to what
                 // input is received

src/event_handlers/statistics.rs

@@ -125,6 +125,12 @@ impl StatsHandler {
                 Command::Sync(sender) => {
                     sender.send(true).unwrap_or_default();
                 }
+                Command::QueryOverallBarEta(sender) => {
+                    sender.send(self.bar.eta()).unwrap_or_default();
+                }
+                Command::UpdateTargets(targets) => {
+                    self.stats.update_targets(targets);
+                }
                 Command::Exit => break,
                 _ => {} // no more commands needed
             }
@@ -132,7 +138,7 @@ impl StatsHandler {
 
         self.bar.finish();
 
-        log::debug!("{:#?}", *self.stats);
+        log::info!("{:#?}", *self.stats);
         log::trace!("exit: start");
         Ok(())
     }
@@ -147,7 +153,7 @@ impl StatsHandler {
             self.stats.errors(),
         );
 
-        self.bar.set_message(&msg);
+        self.bar.set_message(msg);
 
         if self.bar.position() < self.stats.total_expected() as u64 {
             // don't run off the end when we're a few requests over the expected total

src/extractor/container.rs

@@ -11,16 +11,60 @@ use crate::{
         StatField::{LinksExtracted, TotalExpected},
     },
     url::FeroxUrl,
-    utils::{logged_request, make_request, send_try_recursion_command, should_deny_url},
+    utils::{
+        logged_request, make_request, parse_url_with_raw_path, send_try_recursion_command,
+        should_deny_url,
+    },
     ExtractionResult, DEFAULT_METHOD,
 };
 use anyhow::{bail, Context, Result};
-use reqwest::{Client, StatusCode, Url};
+use futures::StreamExt;
+use reqwest::{Client, Response, StatusCode, Url};
 use scraper::{Html, Selector};
 use std::{borrow::Cow, collections::HashSet};
 
+/// Wrapper around link extraction logic
+///   - create a new Url object based on cli options/args
+///   - check if the new Url has already been seen/scanned -> None
+///   - make a request to the new Url ? -> Some(response) : None
+pub(super) async fn request_link(url: &str, handles: Arc<Handles>) -> Result<Response> {
+    log::trace!("enter: request_link({})", url);
+
+    let ferox_url = FeroxUrl::from_string(url, handles.clone());
+
+    // create a url based on the given command line options
+    let new_url = ferox_url.format("", None)?;
+
+    let scanned_urls = handles.ferox_scans()?;
+
+    if scanned_urls.get_scan_by_url(new_url.as_ref()).is_some() {
+        //we've seen the url before and don't need to scan again
+        log::trace!("exit: request_link -> None");
+        bail!("previously seen url");
+    }
+
+    if (!handles.config.url_denylist.is_empty() || !handles.config.regex_denylist.is_empty())
+        && should_deny_url(&new_url, handles.clone())?
+    {
+        // can't allow a denied url to be requested
+        bail!(
+            "prevented request to {} due to {:?} || {:?}",
+            url,
+            handles.config.url_denylist,
+            handles.config.regex_denylist,
+        );
+    }
+
+    // make the request and store the response
+    let new_response = logged_request(&new_url, DEFAULT_METHOD, None, handles.clone()).await?;
+
+    log::trace!("exit: request_link -> {:?}", new_response);
+
+    Ok(new_response)
+}
+
 /// Whether an active scan is recursive or not
-#[derive(Debug)]
+#[derive(Debug, Copy, Clone)]
 enum RecursionStatus {
     /// Scan is recursive
     Recursive,
@@ -81,7 +125,7 @@ impl<'a> Extractor<'a> {
     ) -> Result<()> {
         log::trace!("enter: parse_url_and_add_subpaths({:?})", links);
 
-        match Url::parse(url_to_parse) {
+        match parse_url_with_raw_path(url_to_parse) {
             Ok(absolute) => {
                 if absolute.domain() != original_url.domain()
                     || absolute.host() != original_url.host()
@@ -121,91 +165,143 @@ impl<'a> Extractor<'a> {
 
     /// given a set of links from a normal http body response, task the request handler to make
     /// the requests
-    pub async fn request_links(&mut self, links: HashSet<String>) -> Result<()> {
+    pub async fn request_links(
+        &mut self,
+        links: HashSet<String>,
+    ) -> Result<Option<tokio::task::JoinHandle<()>>> {
         log::trace!("enter: request_links({:?})", links);
 
         if links.is_empty() {
-            return Ok(());
+            return Ok(None);
         }
 
+        self.update_stats(links.len())?;
+
+        // create clones/remove use of self of/from everything the async move block will need to function
+        let cloned_scanned_urls = self.handles.ferox_scans()?;
+        let cloned_handles = self.handles.clone();
+        let cloned_url = self.url.clone();
+        let threads = self.handles.config.threads;
         let recursive = if self.handles.config.no_recursion {
             RecursionStatus::NotRecursive
         } else {
             RecursionStatus::Recursive
         };
 
-        let scanned_urls = self.handles.ferox_scans()?;
-        self.update_stats(links.len())?;
+        let link_request_task = tokio::spawn(async move {
+            let producers = futures::stream::iter(links.into_iter())
+                .map(|link| {
+                    // another clone to satisfy the async move block
+                    let inner_clone = cloned_handles.clone();
 
-        for link in links {
-            let mut resp = match self.request_link(&link).await {
-                Ok(resp) => resp,
-                Err(_) => continue,
-            };
+                    (
+                        tokio::spawn(async move { request_link(&link, inner_clone).await }),
+                        cloned_handles.clone(),
+                        cloned_scanned_urls.clone(),
+                        recursive,
+                        cloned_url.clone(),
+                    )
+                })
+                .for_each_concurrent(
+                    threads,
+                    |(join_handle, c_handles, c_scanned_urls, c_recursive, og_url)| async move {
+                        match join_handle.await {
+                            Ok(Ok(reqwest_response)) => {
+                                let mut resp = FeroxResponse::from(
+                                    reqwest_response,
+                                    &og_url,
+                                    DEFAULT_METHOD,
+                                    c_handles.config.output_level,
+                                )
+                                .await;
 
-            // filter if necessary
-            if self
-                .handles
-                .filters
-                .data
-                .should_filter_response(&resp, self.handles.stats.tx.clone())
-            {
-                continue;
-            }
+                                // filter if necessary
+                                if c_handles
+                                    .filters
+                                    .data
+                                    .should_filter_response(&resp, c_handles.stats.tx.clone())
+                                {
+                                    return;
+                                }
 
-            // request and report assumed file
-            if resp.is_file() || !resp.is_directory() {
-                log::debug!("Extracted File: {}", resp);
+                                // request and report assumed file
+                                if resp.is_file() || !resp.is_directory() {
+                                    log::debug!("Extracted File: {}", resp);
 
-                scanned_urls.add_file_scan(resp.url().as_str(), ScanOrder::Latest);
+                                    c_scanned_urls.add_file_scan(
+                                        resp.url().as_str(),
+                                        ScanOrder::Latest,
+                                        c_handles.clone(),
+                                    );
 
-                if self.handles.config.collect_extensions {
-                    resp.parse_extension(self.handles.clone())?;
-                }
+                                    if c_handles.config.collect_extensions {
+                                        // no real reason this should fail
+                                        resp.parse_extension(c_handles.clone()).unwrap();
+                                    }
 
-                if let Err(e) = resp.send_report(self.handles.output.tx.clone()) {
-                    log::warn!("Could not send FeroxResponse to output handler: {}", e);
-                }
+                                    if let Err(e) = resp.send_report(c_handles.output.tx.clone()) {
+                                        log::warn!(
+                                            "Could not send FeroxResponse to output handler: {}",
+                                            e
+                                        );
+                                    }
 
-                continue;
-            }
+                                    return;
+                                }
 
-            if matches!(recursive, RecursionStatus::Recursive) {
-                log::debug!("Extracted Directory: {}", resp);
+                                if matches!(c_recursive, RecursionStatus::Recursive) {
+                                    log::debug!("Extracted Directory: {}", resp);
 
-                if !resp.url().as_str().ends_with('/')
-                    && (resp.status().is_success()
-                        || matches!(resp.status(), &StatusCode::FORBIDDEN))
-                {
-                    // if the url doesn't end with a /
-                    // and the response code is either a 2xx or 403
+                                    if !resp.url().as_str().ends_with('/')
+                                        && (resp.status().is_success()
+                                            || matches!(resp.status(), &StatusCode::FORBIDDEN))
+                                    {
+                                        // if the url doesn't end with a /
+                                        // and the response code is either a 2xx or 403
 
-                    // since all of these are 2xx or 403, recursion is only attempted if the
-                    // url ends in a /. I am actually ok with adding the slash and not
-                    // adding it, as both have merit.  Leaving it in for now to see how
-                    // things turn out (current as of: v1.1.0)
-                    resp.set_url(&format!("{}/", resp.url()));
-                }
+                                        // since all of these are 2xx or 403, recursion is only attempted if the
+                                        // url ends in a /. I am actually ok with adding the slash and not
+                                        // adding it, as both have merit.  Leaving it in for now to see how
+                                        // things turn out (current as of: v1.1.0)
+                                        resp.set_url(&format!("{}/", resp.url()));
+                                    }
+
+                                    if c_handles.config.filter_status.is_empty() {
+                                        // -C wasn't used, so -s is the only 'filter' left to account for
+                                        if c_handles
+                                            .config
+                                            .status_codes
+                                            .contains(&resp.status().as_u16())
+                                        {
+                                            send_try_recursion_command(c_handles.clone(), resp)
+                                                .await
+                                                .unwrap_or_default();
+                                        }
+                                    } else {
+                                        // -C was used, that means the filters above would have removed
+                                        // those responses, and anything else should be let through
+                                        send_try_recursion_command(c_handles.clone(), resp)
+                                            .await
+                                            .unwrap_or_default();
+                                    }
+                                }
+                            }
+                            Ok(Err(err)) => {
+                                log::warn!("Error during link extraction: {}", err);
+                            }
+                            Err(err) => {
+                                log::warn!("JoinError during link extraction: {}", err);
+                            }
+                        }
+                    },
+                );
+
+            // wait for the requests to finish
+            producers.await;
+        });
 
-                if self.handles.config.filter_status.is_empty() {
-                    // -C wasn't used, so -s is the only 'filter' left to account for
-                    if self
-                        .handles
-                        .config
-                        .status_codes
-                        .contains(&resp.status().as_u16())
-                    {
-                        send_try_recursion_command(self.handles.clone(), resp).await?;
-                    }
-                } else {
-                    // -C was used, that means the filters above would have removed
-                    // those responses, and anything else should be let through
-                    send_try_recursion_command(self.handles.clone(), resp).await?;
-                }
-            }
-        }
         log::trace!("exit: request_links");
-        Ok(())
+        Ok(Some(link_request_task))
     }
 
     /// wrapper around link extraction via html attributes
@@ -385,7 +481,7 @@ impl<'a> Extractor<'a> {
             ExtractionTarget::ResponseBody | ExtractionTarget::DirectoryListing => {
                 self.response.unwrap().url().clone()
             }
-            ExtractionTarget::RobotsTxt => match Url::parse(&self.url) {
+            ExtractionTarget::RobotsTxt => match parse_url_with_raw_path(&self.url) {
                 Ok(u) => u,
                 Err(e) => {
                     bail!("Could not parse {}: {}", self.url, e);
@@ -415,56 +511,6 @@ impl<'a> Extractor<'a> {
         Ok(())
     }
 
-    /// Wrapper around link extraction logic
-    ///   - create a new Url object based on cli options/args
-    ///   - check if the new Url has already been seen/scanned -> None
-    ///   - make a request to the new Url ? -> Some(response) : None
-    pub(super) async fn request_link(&self, url: &str) -> Result<FeroxResponse> {
-        log::trace!("enter: request_link({})", url);
-
-        let ferox_url = FeroxUrl::from_string(url, self.handles.clone());
-
-        // create a url based on the given command line options
-        let new_url = ferox_url.format("", None)?;
-
-        let scanned_urls = self.handles.ferox_scans()?;
-
-        if scanned_urls.get_scan_by_url(new_url.as_ref()).is_some() {
-            //we've seen the url before and don't need to scan again
-            log::trace!("exit: request_link -> None");
-            bail!("previously seen url");
-        }
-
-        if (!self.handles.config.url_denylist.is_empty()
-            || !self.handles.config.regex_denylist.is_empty())
-            && should_deny_url(&new_url, self.handles.clone())?
-        {
-            // can't allow a denied url to be requested
-            bail!(
-                "prevented request to {} due to {:?} || {:?}",
-                url,
-                self.handles.config.url_denylist,
-                self.handles.config.regex_denylist,
-            );
-        }
-
-        // make the request and store the response
-        let new_response =
-            logged_request(&new_url, DEFAULT_METHOD, None, self.handles.clone()).await?;
-
-        let new_ferox_response = FeroxResponse::from(
-            new_response,
-            url,
-            DEFAULT_METHOD,
-            self.handles.config.output_level,
-        )
-        .await;
-
-        log::trace!("exit: request_link -> {:?}", new_ferox_response);
-
-        Ok(new_ferox_response)
-    }
-
     /// Entry point to perform link extraction from robots.txt
     ///
     /// `base_url` can have paths and subpaths, however robots.txt will be requested from the
@@ -484,7 +530,7 @@ impl<'a> Extractor<'a> {
 
         for capture in self.robots_regex.captures_iter(body) {
             if let Some(new_path) = capture.name("url_path") {
-                let mut new_url = Url::parse(&self.url)?;
+                let mut new_url = parse_url_with_raw_path(&self.url)?;
 
                 new_url.set_path(new_path.as_str());
 
@@ -598,6 +644,20 @@ impl<'a> Extractor<'a> {
                 Some(self.handles.config.proxy.as_str())
             };
 
+            let server_certs = &self.handles.config.server_certs;
+
+            let client_cert = if self.handles.config.client_cert.is_empty() {
+                None
+            } else {
+                Some(self.handles.config.client_cert.as_str())
+            };
+
+            let client_key = if self.handles.config.client_key.is_empty() {
+                None
+            } else {
+                Some(self.handles.config.client_key.as_str())
+            };
+
             client = client::initialize(
                 self.handles.config.timeout,
                 &self.handles.config.user_agent,
@@ -605,6 +665,9 @@ impl<'a> Extractor<'a> {
                 self.handles.config.insecure,
                 &self.handles.config.headers,
                 proxy,
+                server_certs,
+                client_cert,
+                client_key,
             )?;
         }
 
@@ -614,7 +677,7 @@ impl<'a> Extractor<'a> {
             &client
         };
 
-        let mut url = Url::parse(&self.url)?;
+        let mut url = parse_url_with_raw_path(&self.url)?;
         url.set_path(location); // overwrite existing path
 
         // purposefully not using logged_request here due to using the special client

src/extractor/tests.rs

@@ -1,4 +1,5 @@
 use super::builder::{LINKFINDER_REGEX, ROBOTS_TXT_REGEX, URL_CHARS_REGEX};
+use super::container::request_link;
 use super::*;
 use crate::config::{Configuration, OutputLevel};
 use crate::scan_manager::ScanOrder;
@@ -360,13 +361,13 @@ async fn request_link_happy_path() -> Result<()> {
         then.status(200).body("this is a test");
     });
 
-    let r_resp = ROBOTS_EXT.request_link(&srv.url("/login.php")).await?;
-    let b_resp = BODY_EXT.request_link(&srv.url("/login.php")).await?;
+    let r_resp = request_link(&srv.url("/login.php"), ROBOTS_EXT.handles.clone()).await?;
+    let b_resp = request_link(&srv.url("/login.php"), BODY_EXT.handles.clone()).await?;
 
-    assert!(matches!(r_resp.status(), &StatusCode::OK));
-    assert!(matches!(b_resp.status(), &StatusCode::OK));
-    assert_eq!(r_resp.content_length(), 14);
-    assert_eq!(b_resp.content_length(), 14);
+    assert!(matches!(r_resp.status(), StatusCode::OK));
+    assert!(matches!(b_resp.status(), StatusCode::OK));
+    assert_eq!(r_resp.content_length().unwrap(), 14);
+    assert_eq!(b_resp.content_length().unwrap(), 14);
     assert_eq!(mock.hits(), 2);
     Ok(())
 }
@@ -385,13 +386,17 @@ async fn request_link_bails_on_seen_url() -> Result<()> {
     });
 
     let scans = Arc::new(FeroxScans::default());
-    scans.add_file_scan(&served, ScanOrder::Latest);
+    scans.add_file_scan(
+        &served,
+        ScanOrder::Latest,
+        Arc::new(Handles::for_testing(None, None).0),
+    );
 
     let robots = setup_extractor(ExtractionTarget::RobotsTxt, scans.clone());
     let body = setup_extractor(ExtractionTarget::ResponseBody, scans);
 
-    let r_resp = robots.request_link(&served).await;
-    let b_resp = body.request_link(&served).await;
+    let r_resp = request_link(&served, robots.handles.clone()).await;
+    let b_resp = request_link(&served, body.handles.clone()).await;
 
     assert!(r_resp.is_err());
     assert!(b_resp.is_err());

src/filters/regex.rs

@@ -30,10 +30,13 @@ impl FeroxFilter for RegexFilter {
         log::trace!("enter: should_filter_response({:?} {})", self, response);
 
         let result = self.compiled.is_match(response.text());
+        let other = response.headers().iter().any(|(k, v)| {
+            self.compiled.is_match(k.as_str()) || self.compiled.is_match(v.to_str().unwrap_or(""))
+        });
 
-        log::trace!("exit: should_filter_response -> {}", result);
+        log::trace!("exit: should_filter_response -> {}", result || other);
 
-        result
+        result || other
     }
 
     /// Compare one SizeFilter to another

src/filters/tests.rs

@@ -271,7 +271,7 @@ fn remove_function_works_as_expected() {
 
     assert_eq!(data.filters.read().unwrap().len(), 5);
 
-    let expected = vec![
+    let expected = [
         WordsFilter { word_count: 1 },
         WordsFilter { word_count: 3 },
         WordsFilter { word_count: 5 },

src/filters/utils.rs

@@ -4,11 +4,10 @@ use crate::event_handlers::Handles;
 use crate::filters::similarity::SIM_HASHER;
 use crate::nlp::preprocess;
 use crate::response::FeroxResponse;
-use crate::utils::logged_request;
+use crate::utils::{logged_request, parse_url_with_raw_path};
 use crate::DEFAULT_METHOD;
 use anyhow::Result;
 use regex::Regex;
-use reqwest::Url;
 use std::sync::Arc;
 
 /// wrapper around logic necessary to create a SimilarityFilter
@@ -23,7 +22,7 @@ pub(crate) async fn create_similarity_filter(
     handles: Arc<Handles>,
 ) -> Result<SimilarityFilter> {
     // url as-is based on input, ignores user-specified url manipulation options (add-slash etc)
-    let url = Url::parse(similarity_filter)?;
+    let url = parse_url_with_raw_path(similarity_filter)?;
 
     // attempt to request the given url
     let resp = logged_request(&url, DEFAULT_METHOD, None, handles.clone()).await?;

src/heuristics.rs

@@ -2,6 +2,7 @@ use std::collections::HashMap;
 use std::sync::Arc;
 
 use anyhow::{bail, Result};
+use futures::future;
 use scraper::{Html, Selector};
 use uuid::Uuid;
 
@@ -119,12 +120,15 @@ impl HeuristicTests {
                     ) {
                         if e.to_string().contains(":SSL") {
                             ferox_print(
-                                &format!("Could not connect to {target_url} due to SSL errors (run with -k to ignore), skipping..."),
+                                &format!("Could not connect to {target_url} due to SSL errors (run with -k to ignore), skipping...\n  => {}\n", e.root_cause()),
                                 &PROGRESS_PRINTER,
                             );
                         } else {
                             ferox_print(
-                                &format!("Could not connect to {target_url}, skipping..."),
+                                &format!(
+                                    "Could not connect to {target_url}, skipping...\n  => {}\n",
+                                    e.root_cause()
+                                ),
                                 &PROGRESS_PRINTER,
                             );
                         }
@@ -277,9 +281,6 @@ impl HeuristicTests {
             None
         };
 
-        // 6 is due to the array in the nested for loop below
-        let mut responses = Vec::with_capacity(6);
-
         // no matter what, we want an empty extension for the base case
         let mut extensions = vec!["".to_string()];
 
@@ -302,19 +303,26 @@ impl HeuristicTests {
         // server, so both are considered when building auto-filter rules
         for method in self.handles.config.methods.iter() {
             for extension in extensions.iter() {
-                for (prefix, length) in [
+                // build out the 6 paths we'll use
+                let paths = [
                     ("", 1),
                     ("", 3),
                     (".htaccess", 1),
                     (".htaccess", 3),
                     ("admin", 1),
                     ("admin", 3),
-                ] {
-                    let path = format!("{prefix}{}{extension}", self.unique_string(length));
+                ]
+                .map(|(prefix, length)| {
+                    format!("{prefix}{}{extension}", self.unique_string(length))
+                });
 
+                // allow all 6 requests to fly asynchronously
+                let responses = future::join_all(paths.into_iter().map(|path| async move {
                     let ferox_url = FeroxUrl::from_string(target_url, self.handles.clone());
 
-                    let nonexistent_url = ferox_url.format(&path, slash)?;
+                    let Ok(nonexistent_url) = ferox_url.format(&path, slash) else {
+                        return None;
+                    };
 
                     // example requests:
                     // - http://localhost/2fc1077836ad43ab98b7a31c2ca28fea
@@ -323,13 +331,11 @@ impl HeuristicTests {
                     // - http://localhost/.htaccess92969beae6bf4beb855d1622406d87e395c87387a9ad432e8a11245002b709b03cf609d471004154b83bcc1c6ec49f6f
                     // - http://localhost/adminf1d2541e73c44dcb9d1fb7d93334b280
                     // - http://localhost/admin92969beae6bf4beb855d1622406d87e395c87387a9ad432e8a11245002b709b03cf609d471004154b83bcc1c6ec49f6f
-                    let response =
-                        logged_request(&nonexistent_url, method, data, self.handles.clone()).await;
-
-                    req_counter += 1;
-
-                    // continue to next on error
-                    let response = skip_fail!(response);
+                    let Ok(response) =
+                        logged_request(&nonexistent_url, method, data, self.handles.clone()).await
+                    else {
+                        return None;
+                    };
 
                     if !self
                         .handles
@@ -341,30 +347,35 @@ impl HeuristicTests {
                         //
                         // the default value for -s is all status codes, so unless the user says otherwise
                         // this won't fire
-                        continue;
+                        return None;
                     }
 
-                    let ferox_response = FeroxResponse::from(
-                        response,
-                        &ferox_url.target,
-                        method,
-                        self.handles.config.output_level,
+                    Some(
+                        FeroxResponse::from(
+                            response,
+                            &ferox_url.target,
+                            method,
+                            self.handles.config.output_level,
+                        )
+                        .await,
                     )
-                    .await;
-
-                    responses.push(ferox_response);
-                }
+                }))
+                .await // await gives vector of options containing feroxresponses
+                .into_iter()
+                .flatten() // strip out the none values
+                .collect::<Vec<_>>();
 
                 if responses.len() < 2 {
                     // don't have enough responses to make a determination, continue to next method
-                    responses.clear();
+                    log::debug!("not enough responses to make a determination");
                     continue;
                 }
 
                 // check the responses for similarities on which we can filter, multiple may be returned
-                let Some((wildcard_filters, wildcard_responses)) = self.examine_404_like_responses(&responses) else {
+                let Some((wildcard_filters, wildcard_responses)) =
+                    self.examine_404_like_responses(&responses)
+                else {
                     // no match was found during analysis of responses
-                    responses.clear();
                     log::warn!("no match found for 404 responses");
                     continue;
                 };
@@ -445,15 +456,12 @@ impl HeuristicTests {
                         req_counter += 100;
                     }
                 }
-
-                // reset the responses for the next method, if it exists
-                responses.clear();
             }
         }
 
         log::trace!("exit: detect_404_like_responses");
 
-        let retval = if req_counter > 100 {
+        let retval = if req_counter >= 100 {
             WildcardResult::WildcardDirectory(req_counter)
         } else {
             WildcardResult::FourOhFourLike(req_counter)

src/lib.rs

@@ -59,6 +59,9 @@ pub(crate) const DEFAULT_IGNORED_EXTENSIONS: [&str; 38] = [
     "webm", "ogv", "oga", "flac", "aac", "3gp", "css", "zip", "xls", "xml", "gz", "tgz",
 ];
 
+/// Default set of extensions to search for when auto-collecting backups during scans
+pub(crate) const DEFAULT_BACKUP_EXTENSIONS: [&str; 5] = ["~", ".bak", ".bak2", ".old", ".1"];
+
 /// Default wordlist to use when `-w|--wordlist` isn't specified and not `wordlist` isn't set
 /// in a [ferox-config.toml](constant.DEFAULT_CONFIG_NAME.html) config file.
 ///

src/main.rs

@@ -8,7 +8,7 @@ use std::{
     io::{stderr, BufRead, BufReader},
     ops::Index,
     path::Path,
-    process::{exit, Command},
+    process::{exit, Command, Stdio},
     sync::{atomic::Ordering, Arc},
 };
 
@@ -25,13 +25,14 @@ use feroxbuster::{
     config::{Configuration, OutputLevel},
     event_handlers::{
         Command::{
-            AddHandles, CreateBar, Exit, JoinTasks, LoadStats, ScanInitialUrls, UpdateWordlist,
+            AddHandles, CreateBar, Exit, JoinTasks, LoadStats, ScanInitialUrls, UpdateTargets,
+            UpdateWordlist,
         },
         FiltersHandler, Handles, ScanHandler, StatsHandler, Tasks, TermInputHandler,
         TermOutHandler, SCAN_COMPLETE,
     },
     filters, heuristics, logger,
-    progress::{PROGRESS_BAR, PROGRESS_PRINTER},
+    progress::PROGRESS_PRINTER,
     scan_manager::{self, ScanType},
     scanner,
     utils::{fmt_err, slugify_filename},
@@ -196,9 +197,9 @@ async fn get_targets(handles: Arc<Handles>) -> Result<Vec<String>> {
             }
         }
 
-        if !target.starts_with("http") && !target.starts_with("https") {
+        if !target.starts_with("http") {
             // --url hackerone.com
-            *target = format!("https://{target}");
+            *target = format!("{}://{target}", handles.config.protocol);
         }
     }
 
@@ -220,7 +221,6 @@ async fn wrapped_main(config: Arc<Configuration>) -> Result<()> {
         // PROGRESS_PRINTER and PROGRESS_BAR have been used at least once.  This call satisfies
         // that constraint
         PROGRESS_PRINTER.println("");
-        PROGRESS_BAR.join().unwrap();
     });
 
     // check if update_app is true
@@ -239,7 +239,15 @@ async fn wrapped_main(config: Arc<Configuration>) -> Result<()> {
 
     let words = if config.wordlist.starts_with("http") {
         // found a url scheme, attempt to download the wordlist
-        let response = config.client.get(&config.wordlist).send().await?;
+        let response = config
+            .client
+            .get(&config.wordlist)
+            .send()
+            .await
+            .context(format!(
+                "Unable to download wordlist from remote url: {}",
+                config.wordlist
+            ))?;
 
         if !response.status().is_success() {
             // status code isn't a 200, bail
@@ -251,14 +259,15 @@ async fn wrapped_main(config: Arc<Configuration>) -> Result<()> {
         }
 
         // attempt to get the filename from the url's path
-        let Some(path_segments) = response
-            .url()
-            .path_segments() else {
-                bail!("Unable to parse path from url: {}", response.url());
-            };
+        let Some(path_segments) = response.url().path_segments() else {
+            bail!("Unable to parse path from url: {}", response.url());
+        };
 
         let Some(filename) = path_segments.last() else {
-            bail!("Unable to parse filename from url's path: {}", response.url().path());
+            bail!(
+                "Unable to parse filename from url's path: {}",
+                response.url().path()
+            );
         };
 
         let filename = filename.to_string();
@@ -317,9 +326,15 @@ async fn wrapped_main(config: Arc<Configuration>) -> Result<()> {
     // create new Tasks object, each of these handles is one that will be joined on later
     let tasks = Tasks::new(out_task, stats_task, filters_task, scan_task);
 
-    if !config.time_limit.is_empty() {
+    if !config.time_limit.is_empty() && config.parallel == 0 {
         // --time-limit value not an empty string, need to kick off the thread that enforces
         // the limit
+        //
+        // if --parallel is used, this branch won't execute in the main process, but will in the
+        // children. This is because --parallel is stripped from the children's command line
+        // arguments, so, when spawned, they won't have --parallel, the parallel value will be set
+        // to the default of 0, and will hit this branch. This makes it so that the time limit
+        // is enforced on each individual child process, instead of the main process
         let time_handles = handles.clone();
         tokio::spawn(async move { scan_manager::start_max_time_thread(time_handles).await });
     }
@@ -362,8 +377,7 @@ async fn wrapped_main(config: Arc<Configuration>) -> Result<()> {
 
         let invocation = args();
 
-        let para_regex =
-            Regex::new("--stdin|-q|--quiet|--silent|--verbosity|-v|-vv|-vvv|-vvvv").unwrap();
+        let para_regex = Regex::new("--stdin").unwrap();
 
         // remove stdin since only the original process will process targets
         // remove quiet and silent so we can force silent later to normalize output
@@ -371,8 +385,6 @@ async fn wrapped_main(config: Arc<Configuration>) -> Result<()> {
             .filter(|s| !para_regex.is_match(s))
             .collect::<Vec<String>>();
 
-        original.push("--silent".to_string()); // only output modifier allowed
-
         // we need remove --parallel from command line so we don't hit this branch over and over
         // but we must remove --parallel N manually; the filter above never sees --parallel and the
         // value passed to it at the same time, so can't filter them out in one pass
@@ -447,16 +459,32 @@ async fn wrapped_main(config: Arc<Configuration>) -> Result<()> {
 
             log::debug!("parallel exec: {} {}", bin, args.join(" "));
 
-            tokio::task::spawn_blocking(move || {
-                let result = Command::new(bin)
+            tokio::task::spawn(async move {
+                let mut output = Command::new(bin)
                     .args(&args)
+                    .stdout(Stdio::piped())
                     .spawn()
-                    .expect("failed to spawn a child process")
-                    .wait()
-                    .expect("child process errored during execution");
+                    .expect("failed to spawn a child process");
 
+                let stdout = output.stdout.take().unwrap();
+
+                let mut bufread = BufReader::new(stdout);
+                // output for a single line is a minimum of 51 bytes, so we'll start with that
+                // + a little wiggle room, and grow as needed
+                let mut buf: String = String::with_capacity(128);
+
+                while let Ok(n) = bufread.read_line(&mut buf) {
+                    if n > 0 {
+                        let trimmed = buf.trim();
+                        if !trimmed.is_empty() {
+                            println!("{}", trimmed);
+                        }
+                        buf.clear();
+                    } else {
+                        break;
+                    }
+                }
                 drop(permit);
-                result
             });
         }
 
@@ -480,6 +508,14 @@ async fn wrapped_main(config: Arc<Configuration>) -> Result<()> {
         return Ok(());
     }
 
+    // in order for the Stats object to know about which targets are being scanned, we need to
+    // wait until the parallel branch has been handled before sending the UpdateTargets command
+    // this ensures that only the targets being scanned are sent to the Stats object
+    //
+    // if sent before the parallel branch is handled, the Stats object will have duplicate
+    // targets
+    handles.stats.send(UpdateTargets(targets.clone()))?;
+
     if matches!(config.output_level, OutputLevel::Default) {
         // only print banner if output level is default (no banner on --quiet|--silent)
         let std_stderr = stderr(); // std::io::stderr
@@ -638,7 +674,7 @@ fn main() -> Result<()> {
                 // print the banner to stderr
                 let std_stderr = stderr(); // std::io::stderr
                 let banner = Banner::new(&targets, &config);
-                if !config.quiet && !config.silent {
+                if (!config.quiet && !config.silent) || config.parallel != 0 {
                     banner.print_to(std_stderr, config).unwrap();
                 }
             }

src/nlp/document.rs

@@ -35,20 +35,19 @@ impl Document {
     fn add_term(&mut self, word: &str) {
         let term = Term::new(word);
 
-        let metadata = self.terms.entry(term).or_insert_with(TermMetaData::new);
+        let metadata = self.terms.entry(term).or_default();
         *metadata.count_mut() += 1;
     }
 
     /// create a new `Document` from the given HTML string
-    pub(crate) fn from_html(raw_html: &str) -> Self {
+    pub(crate) fn from_html(raw_html: &str) -> Option<Self> {
         let selector = Selector::parse("body").unwrap();
 
         let html = Html::parse_document(raw_html);
 
-        let text = html
-            .select(&selector)
-            .next()
-            .unwrap()
+        let element = html.select(&selector).next()?;
+
+        let text = element
             .descendants()
             .filter_map(|node| {
                 if !node.value().is_text() && !node.value().is_comment() {
@@ -95,7 +94,7 @@ impl Document {
 
         // call `new` to push the parsed html through the pre-processing pipeline and process all
         // the words
-        Self::new(&text)
+        Some(Self::new(&text))
     }
 
     /// Log normalized weighting scheme for term frequency
@@ -146,19 +145,20 @@ mod tests {
     #[test]
     /// `Document::new` should preprocess html and generate a hashmap of `Term, TermMetadata`
     fn nlp_document_creation_from_html() {
-        let empty = Document::from_html("<html></html>");
+        let empty = Document::from_html("<html></html>").unwrap();
         assert_eq!(empty.number_of_terms, 0);
 
-        let other_empty = Document::from_html("<html><body><p></p></body></html>");
+        let other_empty = Document::from_html("<html><body><p></p></body></html>").unwrap();
         assert_eq!(other_empty.number_of_terms, 0);
 
-        let third_empty = Document::from_html("<!DOCTYPE html><html><!DOCTYPE html><p></p></html>");
+        let third_empty =
+            Document::from_html("<!DOCTYPE html><html><!DOCTYPE html><p></p></html>").unwrap();
         assert_eq!(third_empty.number_of_terms, 0);
 
         // p tag for is_text check and comment for is_comment
         let doc = Document::from_html(
             "<html><body><p>The air quality in Singapore.</p><!--got worse on Wednesday--></body></html>",
-        );
+        ).unwrap();
 
         let expected_terms = ["air", "quality", "singapore", "worse", "wednesday"];
 
@@ -209,7 +209,7 @@ mod tests {
     /// ensure words in script/style tags aren't processed
     fn document_creation_skips_script_and_style_tags() {
         let html = "<body><script>The air quality</script><style>in Singapore</style><p>got worse on Wednesday.</p></body>";
-        let doc = Document::from_html(html);
+        let doc = Document::from_html(html).unwrap();
         let keys = doc.terms().keys().map(|key| key.raw()).collect::<Vec<_>>();
 
         let expected = ["worse", "wednesday"];

src/nlp/term.rs

@@ -35,11 +35,6 @@ pub(super) struct TermMetaData {
 }
 
 impl TermMetaData {
-    /// create a new metadata container
-    pub(super) fn new() -> Self {
-        Self::default()
-    }
-
     /// number of times a `Term` has appeared in any `Document` within the corpus
     pub(super) fn document_frequency(&self) -> usize {
         self.term_frequencies().len()
@@ -90,7 +85,7 @@ mod tests {
     #[test]
     /// test accessors for correctness
     fn nlp_term_metadata_accessor_test() {
-        let mut metadata = TermMetaData::new();
+        let mut metadata = TermMetaData::default();
 
         *metadata.count_mut() += 1;
         assert_eq!(metadata.count(), 1);

src/parser.rs

@@ -40,12 +40,12 @@ pub fn initialize() -> Command {
             Arg::new("url")
                 .short('u')
                 .long("url")
-                .required_unless_present_any(["stdin", "resume_from", "update_app"])
+                .required_unless_present_any(["stdin", "resume_from", "update_app", "request_file"])
                 .help_heading("Target selection")
                 .value_name("URL")
                 .use_value_delimiter(true)
                 .value_hint(ValueHint::Url)
-                .help("The target URL (required, unless [--stdin || --resume-from] used)"),
+                .help("The target URL (required, unless [--stdin || --resume-from || --request-file] used)"),
         )
         .arg(
             Arg::new("stdin")
@@ -64,6 +64,15 @@ pub fn initialize() -> Command {
                 .help("State file from which to resume a partially complete scan (ex. --resume-from ferox-1606586780.state)")
                 .conflicts_with("url")
                 .num_args(1),
+        ).arg(
+            Arg::new("request_file")
+                .long("request-file")
+                .help_heading("Target selection")
+                .value_hint(ValueHint::FilePath)
+                .conflicts_with("url")
+                .num_args(1)
+                .value_name("REQUEST_FILE")
+                .help("Raw HTTP request file to use as a template for all requests"),
         );
 
     /////////////////////////////////////////////////////////////////////
@@ -100,7 +109,7 @@ pub fn initialize() -> Command {
                 .num_args(0)
                 .help_heading("Composite settings")
                 .conflicts_with_all(["rate_limit", "auto_bail"])
-                .help("Use the same settings as --smart and set --collect-extensions to true"),
+                .help("Use the same settings as --smart and set --collect-extensions and --scan-dir-listings to true"),
         );
 
     /////////////////////////////////////////////////////////////////////
@@ -177,7 +186,7 @@ pub fn initialize() -> Command {
                 .use_value_delimiter(true)
                 .help_heading("Request settings")
                 .help(
-                    "File extension(s) to search for (ex: -x php -x pdf js)",
+                    "File extension(s) to search for (ex: -x php -x pdf js); reads values (newline-separated) from file if input starts with an @ (ex: @ext.txt)",
                 ),
         )
         .arg(
@@ -211,7 +220,6 @@ pub fn initialize() -> Command {
                 .num_args(1..)
                 .action(ArgAction::Append)
                 .help_heading("Request settings")
-                .use_value_delimiter(true)
                 .help(
                     "Specify HTTP headers to be used in each request (ex: -H Header:val -H 'stuff: things')",
                 ),
@@ -249,6 +257,13 @@ pub fn initialize() -> Command {
                 .help_heading("Request settings")
                 .num_args(0)
                 .help("Append / to each request's URL")
+        ).arg(
+            Arg::new("protocol")
+                .long("protocol")
+                .value_name("PROTOCOL")
+                .num_args(1)
+                .help_heading("Request settings")
+                .help("Specify the protocol to use when targeting via --request-file or --url with domain only (default: https)"),
         );
 
     /////////////////////////////////////////////////////////////////////
@@ -292,7 +307,7 @@ pub fn initialize() -> Command {
                 .use_value_delimiter(true)
                 .help_heading("Response filters")
                 .help(
-                    "Filter out messages via regular expression matching on the response's body (ex: -X '^ignore me$')",
+                    "Filter out messages via regular expression matching on the response's body/headers (ex: -X '^ignore me$')",
                 ),
         )
         .arg(
@@ -390,6 +405,35 @@ pub fn initialize() -> Command {
                 .num_args(0)
                 .help_heading("Client settings")
                 .help("Disables TLS certificate validation in the client"),
+        )
+        .arg(
+            Arg::new("server_certs")
+                .long("server-certs")
+                .value_name("PEM|DER")
+                .value_hint(ValueHint::FilePath)
+                .num_args(1..)
+                .help_heading("Client settings")
+                .help("Add custom root certificate(s) for servers with unknown certificates"),
+        )
+        .arg(
+            Arg::new("client_cert")
+                .long("client-cert")
+                .value_name("PEM")
+                .value_hint(ValueHint::FilePath)
+                .num_args(1)
+                .requires("client_key")
+                .help_heading("Client settings")
+                .help("Add a PEM encoded certificate for mutual authentication (mTLS)"),
+        )
+        .arg(
+            Arg::new("client_key")
+                .long("client-key")
+                .value_name("PEM")
+                .value_hint(ValueHint::FilePath)
+                .num_args(1)
+                .requires("client_cert")
+                .help_heading("Client settings")
+                .help("Add a PEM encoded private key for mutual authentication (mTLS)"),
         );
 
     /////////////////////////////////////////////////////////////////////
@@ -457,6 +501,8 @@ pub fn initialize() -> Command {
             Arg::new("parallel")
                 .long("parallel")
                 .value_name("PARALLEL_SCANS")
+                .conflicts_with("verbosity")
+                .conflicts_with("url")
                 .num_args(1)
                 .requires("stdin")
                 .help_heading("Scan settings")
@@ -521,9 +567,9 @@ pub fn initialize() -> Command {
             Arg::new("collect_backups")
                 .short('B')
                 .long("collect-backups")
-                .num_args(0)
+                .num_args(0..)
                 .help_heading("Dynamic collection settings")
-                .help("Automatically request likely backup extensions for \"found\" urls")
+                .help("Automatically request likely backup extensions for \"found\" urls (default: ~, .bak, .bak2, .old, .1)")
         )
         .arg(
             Arg::new("collect_words")
@@ -544,6 +590,12 @@ pub fn initialize() -> Command {
                 .help(
                     "File extension(s) to Ignore while collecting extensions (only used with --collect-extensions)",
                 ),
+        ).arg(
+            Arg::new("scan_dir_listings")
+                .long("scan-dir-listings")
+                .num_args(0)
+                .help_heading("Scan settings")
+                .help("Force scans to recurse into directory listings")
         );
 
     /////////////////////////////////////////////////////////////////////
@@ -565,7 +617,7 @@ pub fn initialize() -> Command {
                 .num_args(0)
                 .conflicts_with("quiet")
                 .help_heading("Output settings")
-                .help("Only print URLs + turn off logging (good for piping a list of urls to other commands)")
+                .help("Only print URLs (or JSON w/ --json) + turn off logging (good for piping a list of urls to other commands)")
         )
         .arg(
             Arg::new("quiet")
@@ -608,6 +660,13 @@ pub fn initialize() -> Command {
                 .num_args(0)
                 .help_heading("Output settings")
                 .help("Disable state output file (*.state)")
+        ).arg(
+            Arg::new("limit_bars")
+                .long("limit-bars")
+                .value_name("NUM_BARS_TO_SHOW")
+                .num_args(1)
+                .help_heading("Output settings")
+                .help("Number of directory scan bars to show at any given time (default: no limit)"),
         );
 
     /////////////////////////////////////////////////////////////////////
@@ -616,9 +675,14 @@ pub fn initialize() -> Command {
     let mut app = app
         .group(
             ArgGroup::new("output_files")
-                .args(["debug_log", "output"])
+                .args(["debug_log", "output", "silent"])
                 .multiple(true),
         )
+        .group(
+            ArgGroup::new("output_limiters")
+                .args(["quiet", "silent"])
+                .multiple(false),
+        )
         .arg(
             Arg::new("update_app")
                 .short('U')

src/progress.rs

@@ -31,30 +31,51 @@ pub enum BarType {
 /// Add an [indicatif::ProgressBar](https://docs.rs/indicatif/latest/indicatif/struct.ProgressBar.html)
 /// to the global [PROGRESS_BAR](../config/struct.PROGRESS_BAR.html)
 pub fn add_bar(prefix: &str, length: u64, bar_type: BarType) -> ProgressBar {
-    let mut style = ProgressStyle::default_bar().progress_chars("#>-");
+    let pb = ProgressBar::new(length).with_prefix(prefix.to_string());
+
+    update_style(&pb, bar_type);
+
+    PROGRESS_BAR.add(pb)
+}
+
+/// Update the style of a progress bar based on the `BarType`
+pub fn update_style(bar: &ProgressBar, bar_type: BarType) {
+    let mut style = ProgressStyle::default_bar().progress_chars("#>-").with_key(
+        "smoothed_per_sec",
+        |state: &indicatif::ProgressState, w: &mut dyn std::fmt::Write| match (
+            state.pos(),
+            state.elapsed().as_millis(),
+        ) {
+            // https://github.com/console-rs/indicatif/issues/394#issuecomment-1309971049
+            //
+            // indicatif released a change to how they reported eta/per_sec
+            // and the results looked really weird based on how we use the progress
+            // bars. this fixes that
+            (pos, elapsed_ms) if elapsed_ms > 0 => {
+                write!(w, "{:.0}/s", pos as f64 * 1000_f64 / elapsed_ms as f64).unwrap()
+            }
+            _ => write!(w, "-").unwrap(),
+        },
+    );
 
     style = match bar_type {
-        BarType::Hidden => style.template(""),
-        BarType::Default => style.template(
-            "[{bar:.cyan/blue}] - {elapsed:<4} {pos:>7}/{len:7} {per_sec:7} {prefix} {msg}",
-        ),
-        BarType::Message => style.template(&format!(
+        BarType::Hidden => style.template("").unwrap(),
+        BarType::Default => style
+            .template("[{bar:.cyan/blue}] - {elapsed:<4} {pos:>7}/{len:7} {smoothed_per_sec:7} {prefix} {msg}")
+            .unwrap(),
+        BarType::Message => style
+            .template(&format!(
             "[{{bar:.cyan/blue}}] - {{elapsed:<4}} {{pos:>7}}/{{len:7}} {:7} {{prefix}} {{msg}}",
             "-"
-        )),
-        BarType::Total => {
-            style.template("[{bar:.yellow/blue}] - {elapsed:<4} {pos:>7}/{len:7} {eta:7} {msg}")
-        }
-        BarType::Quiet => style.template("Scanning: {prefix}"),
+        ))
+            .unwrap(),
+        BarType::Total => style
+            .template("[{bar:.yellow/blue}] - {elapsed:<4} {pos:>7}/{len:7} {eta:7} {msg}")
+            .unwrap(),
+        BarType::Quiet => style.template("Scanning: {prefix}").unwrap(),
     };
 
-    let progress_bar = PROGRESS_BAR.add(ProgressBar::new(length));
-
-    progress_bar.set_style(style);
-
-    progress_bar.set_prefix(prefix);
-
-    progress_bar
+    bar.set_style(style);
 }
 
 #[cfg(test)]

src/response.rs

@@ -21,7 +21,7 @@ use crate::{
     event_handlers::{Command, Handles},
     traits::FeroxSerialize,
     url::FeroxUrl,
-    utils::{self, fmt_err, status_colorizer},
+    utils::{self, fmt_err, parse_url_with_raw_path, status_colorizer, timestamp},
     CommandSender,
 };
 
@@ -63,6 +63,9 @@ pub struct FeroxResponse {
 
     /// Url's file extension, if one exists
     pub(crate) extension: Option<String>,
+
+    /// Timestamp of when this response was received
+    timestamp: f64,
 }
 
 /// implement Default trait for FeroxResponse
@@ -82,6 +85,7 @@ impl Default for FeroxResponse {
             wildcard: false,
             output_level: Default::default(),
             extension: None,
+            timestamp: timestamp(),
         }
     }
 }
@@ -138,9 +142,14 @@ impl FeroxResponse {
         self.content_length
     }
 
+    /// Get the timestamp of this response
+    pub fn timestamp(&self) -> f64 {
+        self.timestamp
+    }
+
     /// Set `FeroxResponse`'s `url` attribute, has no affect if an error occurs
     pub fn set_url(&mut self, url: &str) {
-        match Url::parse(url) {
+        match parse_url_with_raw_path(url) {
             Ok(url) => {
                 self.url = url;
             }
@@ -170,7 +179,8 @@ impl FeroxResponse {
 
     /// free the `text` data, reducing memory usage
     pub fn drop_text(&mut self) {
-        self.text = String::new();
+        self.text.clear(); // length is set to 0
+        self.text.shrink_to_fit(); // allocated capacity shrinks to reflect the new size
     }
 
     /// Make a reasonable guess at whether the response is a file or not
@@ -215,6 +225,7 @@ impl FeroxResponse {
         let status = response.status();
         let headers = response.headers().clone();
         let content_length = response.content_length().unwrap_or(0);
+        let timestamp = timestamp();
 
         // .text() consumes the response, must be called last
         let text = response
@@ -247,6 +258,7 @@ impl FeroxResponse {
             output_level,
             wildcard: false,
             extension: None,
+            timestamp,
         }
     }
 
@@ -394,7 +406,14 @@ impl FeroxResponse {
     pub fn send_report(self, report_sender: CommandSender) -> Result<()> {
         log::trace!("enter: send_report({:?}", report_sender);
 
-        report_sender.send(Command::Report(Box::new(self)))?;
+        // there's no reason to send the response body across the mpsc
+        //
+        // the only possible reason is for filtering on the body, but both `send_report`
+        // calls are gated behind checks for `should_filter_response`
+        let mut me = self;
+        me.drop_text();
+
+        report_sender.send(Command::Report(Box::new(me)))?;
 
         log::trace!("exit: send_report");
         Ok(())
@@ -415,8 +434,12 @@ impl FeroxSerialize for FeroxResponse {
         let mut url_with_redirect = match (
             self.status().is_redirection(),
             self.headers().get("Location").is_some(),
+            matches!(
+                self.output_level,
+                OutputLevel::Silent | OutputLevel::SilentJSON
+            ),
         ) {
-            (true, true) => {
+            (true, true, false) => {
                 // redirect with Location header, show where it goes if possible
                 let loc = self
                     .headers()
@@ -477,15 +500,19 @@ impl FeroxSerialize for FeroxResponse {
             message
         } else {
             // not a wildcard, just create a normal entry
-            utils::create_report_string(
-                self.status.as_str(),
-                method,
-                &lines,
-                &words,
-                &chars,
-                &url_with_redirect,
-                self.output_level,
-            )
+            if matches!(self.output_level, OutputLevel::SilentJSON) {
+                self.as_json().unwrap_or_default()
+            } else {
+                utils::create_report_string(
+                    self.status.as_str(),
+                    method,
+                    &lines,
+                    &words,
+                    &chars,
+                    &url_with_redirect,
+                    self.output_level,
+                )
+            }
         }
     }
 
@@ -558,6 +585,7 @@ impl Serialize for FeroxResponse {
             "extension",
             self.extension.as_ref().unwrap_or(&String::new()),
         )?;
+        state.serialize_field("timestamp", &self.timestamp)?;
 
         state.end()
     }
@@ -583,6 +611,7 @@ impl<'de> Deserialize<'de> for FeroxResponse {
             line_count: 0,
             word_count: 0,
             extension: None,
+            timestamp: timestamp(),
         };
 
         let map: HashMap<String, Value> = HashMap::deserialize(deserializer)?;
@@ -591,7 +620,7 @@ impl<'de> Deserialize<'de> for FeroxResponse {
             match key.as_str() {
                 "url" => {
                     if let Some(url) = value.as_str() {
-                        if let Ok(parsed) = Url::parse(url) {
+                        if let Ok(parsed) = parse_url_with_raw_path(url) {
                             response.url = parsed;
                         }
                     }
@@ -656,6 +685,11 @@ impl<'de> Deserialize<'de> for FeroxResponse {
                         response.extension = Some(result.to_string());
                     }
                 }
+                "timestamp" => {
+                    if let Some(result) = value.as_f64() {
+                        response.timestamp = result;
+                    }
+                }
                 _ => {}
             }
         }

src/scan_manager/menu.rs

@@ -1,8 +1,10 @@
+use std::time::Duration;
+
 use crate::filters::filter_lookup;
 use crate::progress::PROGRESS_BAR;
 use crate::traits::FeroxFilter;
 use console::{measure_text_width, pad_str, style, Alignment, Term};
-use indicatif::ProgressDrawTarget;
+use indicatif::{HumanDuration, ProgressDrawTarget};
 use regex::Regex;
 
 /// Data container for a command entered by the user interactively
@@ -43,6 +45,9 @@ pub(super) struct Menu {
     /// footer: instructions surrounded by separators
     footer: String,
 
+    /// length of longest displayed line (suitable for ascii/unicode)
+    longest: usize,
+
     /// unicode line border, matched to longest displayed line
     border: String,
 
@@ -110,7 +115,7 @@ impl Menu {
         commands.push_str(&valid_filters);
         commands.push_str(&rm_filter_cmd);
 
-        let longest = measure_text_width(&canx_cmd).max(measure_text_width(&name));
+        let longest = measure_text_width(&canx_cmd).max(measure_text_width(&name)) + 1;
 
         let border = separator.repeat(longest);
 
@@ -123,6 +128,7 @@ impl Menu {
             header,
             footer,
             border,
+            longest,
             term: Term::stderr(),
         }
     }
@@ -142,6 +148,13 @@ impl Menu {
         self.println(&self.footer);
     }
 
+    /// print menu footer
+    pub(super) fn print_eta(&self, eta: Duration) {
+        let inner = format!("⏳ {} remaining ⏳", HumanDuration(eta));
+        let padded_eta = pad_str(&inner, self.longest, Alignment::Center, None);
+        self.println(&format!("{padded_eta}\n{}", self.border));
+    }
+
     /// set PROGRESS_BAR bar target to hidden
     pub(super) fn hide_progress_bars(&self) {
         PROGRESS_BAR.set_draw_target(ProgressDrawTarget::hidden());

src/scan_manager/mod.rs

@@ -8,7 +8,7 @@ mod state;
 #[cfg(test)]
 mod tests;
 
-pub(self) use menu::Menu;
+use menu::Menu;
 pub use menu::{MenuCmd, MenuCmdResult};
 pub use order::ScanOrder;
 pub use response_container::FeroxResponses;

src/scan_manager/scan.rs

@@ -1,7 +1,10 @@
 use super::*;
 use crate::{
     config::OutputLevel,
+    event_handlers::Handles,
+    progress::update_style,
     progress::{add_bar, BarType},
+    scan_manager::utils::determine_bar_type,
     scanner::PolicyTrigger,
 };
 use anyhow::Result;
@@ -16,10 +19,20 @@ use std::{
     time::Instant,
 };
 
-use std::sync::atomic::{AtomicUsize, Ordering};
+use std::sync::atomic::{AtomicBool, AtomicUsize, Ordering};
 use tokio::{sync, task::JoinHandle};
 use uuid::Uuid;
 
+#[derive(Debug, Default, Copy, Clone)]
+pub enum Visibility {
+    /// whether a FeroxScan's progress bar is currently shown
+    #[default]
+    Visible,
+
+    /// whether a FeroxScan's progress bar is currently hidden
+    Hidden,
+}
+
 /// Struct to hold scan-related state
 ///
 /// The purpose of this container is to open up the pathway to aborting currently running tasks and
@@ -58,7 +71,7 @@ pub struct FeroxScan {
     pub(super) task: sync::Mutex<Option<JoinHandle<()>>>,
 
     /// The progress bar associated with this scan
-    pub(super) progress_bar: Mutex<Option<ProgressBar>>,
+    pub progress_bar: Mutex<Option<ProgressBar>>,
 
     /// whether or not the user passed --silent|--quiet on the command line
     pub(super) output_level: OutputLevel,
@@ -74,6 +87,12 @@ pub struct FeroxScan {
 
     /// tracker for the time at which this scan was started
     pub(super) start_time: Instant,
+
+    /// whether the progress bar is currently visible or hidden
+    pub(super) visible: AtomicBool,
+
+    /// handles object pointer
+    pub(super) handles: Option<Arc<Handles>>,
 }
 
 /// Default implementation for FeroxScan
@@ -86,6 +105,7 @@ impl Default for FeroxScan {
             id: new_id,
             task: sync::Mutex::new(None), // tokio mutex
             status: Mutex::new(ScanStatus::default()),
+            handles: None,
             num_requests: 0,
             requests_made_so_far: 0,
             scan_order: ScanOrder::Latest,
@@ -98,23 +118,63 @@ impl Default for FeroxScan {
             status_429s: Default::default(),
             status_403s: Default::default(),
             start_time: Instant::now(),
+            visible: AtomicBool::new(true),
         }
     }
 }
 
 /// Implementation of FeroxScan
 impl FeroxScan {
+    /// return the visibility of the scan as a boolean
+    pub fn visible(&self) -> bool {
+        self.visible.load(Ordering::Relaxed)
+    }
+
+    pub fn swap_visibility(&self) {
+        // fetch_xor toggles the boolean to its opposite and returns the previous value
+        let visible = self.visible.fetch_xor(true, Ordering::Relaxed);
+
+        let Ok(bar) = self.progress_bar.lock() else {
+            log::warn!("couldn't unlock progress bar for {}", self.url);
+            return;
+        };
+
+        if bar.is_none() {
+            log::warn!("there is no progress bar for {}", self.url);
+            return;
+        }
+
+        let Some(handles) = self.handles.as_ref() else {
+            log::warn!("couldn't access handles pointer for {}", self.url);
+            return;
+        };
+
+        let bar_type = if !visible {
+            // visibility was false before we xor'd the value
+            match handles.config.output_level {
+                OutputLevel::Default => BarType::Default,
+                OutputLevel::Quiet => BarType::Quiet,
+                OutputLevel::Silent | OutputLevel::SilentJSON => BarType::Hidden,
+            }
+        } else {
+            // visibility was true before we xor'd the value
+            BarType::Hidden
+        };
+
+        update_style(bar.as_ref().unwrap(), bar_type);
+    }
+
     /// Stop a currently running scan
-    pub async fn abort(&self) -> Result<()> {
+    pub async fn abort(&self, active_bars: usize) -> Result<()> {
         log::trace!("enter: abort");
 
         match self.task.try_lock() {
             Ok(mut guard) => {
-                if let Some(task) = std::mem::replace(&mut *guard, None) {
+                if let Some(task) = guard.take() {
                     log::trace!("aborting {:?}", self);
                     task.abort();
                     self.set_status(ScanStatus::Cancelled)?;
-                    self.stop_progress_bar();
+                    self.stop_progress_bar(active_bars);
                 }
             }
             Err(e) => {
@@ -151,15 +211,26 @@ impl FeroxScan {
     }
 
     /// Simple helper to call .finish on the scan's progress bar
-    pub(super) fn stop_progress_bar(&self) {
+    pub(super) fn stop_progress_bar(&self, active_bars: usize) {
         if let Ok(guard) = self.progress_bar.lock() {
             if guard.is_some() {
                 let pb = (*guard).as_ref().unwrap();
 
-                if pb.position() > self.num_requests {
-                    pb.finish()
+                let bar_limit = if let Some(handles) = self.handles.as_ref() {
+                    handles.config.limit_bars
                 } else {
-                    pb.finish_at_current_pos()
+                    0
+                };
+
+                if bar_limit > 0 && bar_limit < active_bars {
+                    pb.finish_and_clear();
+                    return;
+                }
+
+                if pb.position() > self.num_requests {
+                    pb.finish();
+                } else {
+                    pb.abandon();
                 }
             }
         }
@@ -172,12 +243,18 @@ impl FeroxScan {
                 if guard.is_some() {
                     (*guard).as_ref().unwrap().clone()
                 } else {
-                    let bar_type = match self.output_level {
-                        OutputLevel::Default => BarType::Default,
-                        OutputLevel::Quiet => BarType::Quiet,
-                        OutputLevel::Silent => BarType::Hidden,
+                    let (active_bars, bar_limit) = if let Some(handles) = self.handles.as_ref() {
+                        if let Ok(scans) = handles.ferox_scans() {
+                            (scans.number_of_bars(), handles.config.limit_bars)
+                        } else {
+                            (0, handles.config.limit_bars)
+                        }
+                    } else {
+                        (0, 0)
                     };
 
+                    let bar_type = determine_bar_type(bar_limit, active_bars, self.output_level);
+
                     let pb = add_bar(&self.url, self.num_requests, bar_type);
                     pb.reset_elapsed();
 
@@ -191,12 +268,18 @@ impl FeroxScan {
             Err(_) => {
                 log::warn!("Could not unlock progress bar on {:?}", self);
 
-                let bar_type = match self.output_level {
-                    OutputLevel::Default => BarType::Default,
-                    OutputLevel::Quiet => BarType::Quiet,
-                    OutputLevel::Silent => BarType::Hidden,
+                let (active_bars, bar_limit) = if let Some(handles) = self.handles.as_ref() {
+                    if let Ok(scans) = handles.ferox_scans() {
+                        (scans.number_of_bars(), handles.config.limit_bars)
+                    } else {
+                        (0, handles.config.limit_bars)
+                    }
+                } else {
+                    (0, 0)
                 };
 
+                let bar_type = determine_bar_type(bar_limit, active_bars, self.output_level);
+
                 let pb = add_bar(&self.url, self.num_requests, bar_type);
                 pb.reset_elapsed();
 
@@ -206,6 +289,7 @@ impl FeroxScan {
     }
 
     /// Given a URL and ProgressBar, create a new FeroxScan, wrap it in an Arc and return it
+    #[allow(clippy::too_many_arguments)]
     pub fn new(
         url: &str,
         scan_type: ScanType,
@@ -213,6 +297,8 @@ impl FeroxScan {
         num_requests: u64,
         output_level: OutputLevel,
         pb: Option<ProgressBar>,
+        visibility: bool,
+        handles: Arc<Handles>,
     ) -> Arc<Self> {
         Arc::new(Self {
             url: url.to_string(),
@@ -222,14 +308,16 @@ impl FeroxScan {
             num_requests,
             output_level,
             progress_bar: Mutex::new(pb),
+            visible: AtomicBool::new(visibility),
+            handles: Some(handles),
             ..Default::default()
         })
     }
 
     /// Mark the scan as complete and stop the scan's progress bar
-    pub fn finish(&self) -> Result<()> {
+    pub fn finish(&self, active_bars: usize) -> Result<()> {
         self.set_status(ScanStatus::Complete)?;
-        self.stop_progress_bar();
+        self.stop_progress_bar(active_bars);
         Ok(())
     }
 
@@ -262,13 +350,29 @@ impl FeroxScan {
         false
     }
 
+    /// small wrapper to inspect ScanStatus and see if it's Running
+    pub fn is_running(&self) -> bool {
+        if let Ok(guard) = self.status.lock() {
+            return matches!(*guard, ScanStatus::Running);
+        }
+        false
+    }
+
+    /// small wrapper to inspect ScanStatus and see if it's NotStarted
+    pub fn is_not_started(&self) -> bool {
+        if let Ok(guard) = self.status.lock() {
+            return matches!(*guard, ScanStatus::NotStarted);
+        }
+        false
+    }
+
     /// await a task's completion, similar to a thread's join; perform necessary bookkeeping
     pub async fn join(&self) {
         log::trace!("enter join({:?})", self);
         let mut guard = self.task.lock().await;
 
         if guard.is_some() {
-            if let Some(task) = std::mem::replace(&mut *guard, None) {
+            if let Some(task) = guard.take() {
                 task.await.unwrap();
                 self.set_status(ScanStatus::Complete)
                     .unwrap_or_else(|e| log::warn!("Could not mark scan complete: {}", e))
@@ -507,6 +611,8 @@ mod tests {
             1000,
             OutputLevel::Default,
             None,
+            true,
+            Arc::new(Handles::for_testing(None, None).0),
         );
 
         scan.add_error();
@@ -532,6 +638,7 @@ mod tests {
             scan_order: ScanOrder::Initial,
             num_requests: 0,
             requests_made_so_far: 0,
+            visible: AtomicBool::new(true),
             status: Mutex::new(ScanStatus::Running),
             task: Default::default(),
             progress_bar: Mutex::new(None),
@@ -540,6 +647,7 @@ mod tests {
             status_429s: Default::default(),
             errors: Default::default(),
             start_time: Instant::now(),
+            handles: None,
         };
 
         let pb = scan.progress_bar();
@@ -551,7 +659,62 @@ mod tests {
 
         assert_eq!(req_sec, 100);
 
-        scan.finish().unwrap();
+        scan.finish(0).unwrap();
         assert_eq!(scan.requests_per_second(), 0);
     }
+
+    #[test]
+    fn test_swap_visibility() {
+        let scan = FeroxScan::new(
+            "http://localhost",
+            ScanType::Directory,
+            ScanOrder::Latest,
+            1000,
+            OutputLevel::Default,
+            None,
+            true,
+            Arc::new(Handles::for_testing(None, None).0),
+        );
+
+        assert!(scan.visible());
+
+        scan.swap_visibility();
+        assert!(!scan.visible());
+
+        scan.swap_visibility();
+        assert!(scan.visible());
+
+        scan.swap_visibility();
+        assert!(!scan.visible());
+
+        scan.swap_visibility();
+        assert!(scan.visible());
+    }
+
+    #[test]
+    /// test for is_running method
+    fn test_is_running() {
+        let scan = FeroxScan::new(
+            "http://localhost",
+            ScanType::Directory,
+            ScanOrder::Latest,
+            1000,
+            OutputLevel::Default,
+            None,
+            true,
+            Arc::new(Handles::for_testing(None, None).0),
+        );
+
+        assert!(scan.is_not_started());
+        assert!(!scan.is_running());
+        assert!(!scan.is_complete());
+        assert!(!scan.is_cancelled());
+
+        *scan.status.lock().unwrap() = ScanStatus::Running;
+
+        assert!(!scan.is_not_started());
+        assert!(scan.is_running());
+        assert!(!scan.is_complete());
+        assert!(!scan.is_cancelled());
+    }
 }

src/scan_manager/scan_container.rs

@@ -12,6 +12,7 @@ use crate::{
     config::OutputLevel,
     progress::PROGRESS_PRINTER,
     progress::{add_bar, BarType},
+    scan_manager::utils::determine_bar_type,
     scan_manager::{MenuCmd, MenuCmdResult},
     scanner::RESPONSES,
     traits::FeroxSerialize,
@@ -33,6 +34,7 @@ use std::{
     },
     thread::sleep,
 };
+use tokio::sync::oneshot;
 use tokio::time::{self, Duration};
 
 /// Single atomic number that gets incremented once, used to track first thread to interact with
@@ -60,6 +62,9 @@ pub struct FeroxScans {
 
     /// vector of extensions discovered and collected during scans
     pub(crate) collected_extensions: RwLock<HashSet<String>>,
+
+    /// stored value for Configuration.limit_bars
+    bar_limit: usize,
 }
 
 /// Serialize implementation for FeroxScans
@@ -92,9 +97,10 @@ impl Serialize for FeroxScans {
 /// Implementation of `FeroxScans`
 impl FeroxScans {
     /// given an OutputLevel, create a new FeroxScans object
-    pub fn new(output_level: OutputLevel) -> Self {
+    pub fn new(output_level: OutputLevel, bar_limit: usize) -> Self {
         Self {
             output_level,
+            bar_limit,
             ..Default::default()
         }
     }
@@ -330,6 +336,13 @@ impl FeroxScans {
                     self.menu
                         .println(&format!("{}:", style("Scans").bright().blue()));
                 }
+
+                if let Ok(guard) = scan.status.lock() {
+                    if matches!(*guard, ScanStatus::Cancelled) {
+                        continue;
+                    }
+                }
+
                 // we're only interested in displaying directory scans, as those are
                 // the only ones that make sense to be stopped
                 let scan_msg = format!("{i:3}: {scan}");
@@ -360,7 +373,14 @@ impl FeroxScans {
                         sleep(menu_pause_duration);
                         continue;
                     }
-                    u_scans.index(num).clone()
+
+                    let selected = u_scans.index(num);
+
+                    if matches!(selected.scan_type, ScanType::File) {
+                        continue;
+                    }
+
+                    selected.clone()
                 }
                 Err(..) => continue,
             };
@@ -373,13 +393,14 @@ impl FeroxScans {
 
             if input == 'y' || input == '\n' {
                 self.menu.println(&format!("Stopping {}...", selected.url));
+                let active_bars = self.number_of_bars();
                 selected
-                    .abort()
+                    .abort(active_bars)
                     .await
                     .unwrap_or_else(|e| log::warn!("Could not cancel task: {}", e));
 
                 let pb = selected.progress_bar();
-                num_cancelled += pb.length() as usize - pb.position() as usize;
+                num_cancelled += pb.length().unwrap_or(0) as usize - pb.position() as usize;
             } else {
                 self.menu.println("Ok, doing nothing...");
             }
@@ -416,6 +437,13 @@ impl FeroxScans {
         self.menu.hide_progress_bars();
         self.menu.clear_screen();
         self.menu.print_header();
+        let (tx, rx) = oneshot::channel::<Duration>();
+        if handles.stats.send(Command::QueryOverallBarEta(tx)).is_ok() {
+            if let Ok(y) = rx.await {
+                self.menu.print_eta(y);
+            }
+        }
+
         self.display_scans().await;
         self.display_filters(handles.clone());
         self.menu.print_footer();
@@ -499,14 +527,22 @@ impl FeroxScans {
 
     /// if a resumed scan is already complete, display a completed progress bar to the user
     pub fn print_completed_bars(&self, bar_length: usize) -> Result<()> {
-        let bar_type = match self.output_level {
-            OutputLevel::Default => BarType::Message,
-            OutputLevel::Quiet => BarType::Quiet,
-            OutputLevel::Silent => return Ok(()), // fast exit when --silent was used
-        };
+        if self.output_level == OutputLevel::SilentJSON || self.output_level == OutputLevel::Silent
+        {
+            // fast exit when --silent was used
+            return Ok(());
+        }
+
+        let bar_type: BarType =
+            determine_bar_type(self.bar_limit, self.number_of_bars(), self.output_level);
 
         if let Ok(scans) = self.scans.read() {
             for scan in scans.iter() {
+                if matches!(bar_type, BarType::Hidden) {
+                    // no need to show hidden bars
+                    continue;
+                }
+
                 if scan.is_complete() {
                     // these scans are complete, and just need to be shown to the user
                     let pb = add_bar(
@@ -583,6 +619,7 @@ impl FeroxScans {
         url: &str,
         scan_type: ScanType,
         scan_order: ScanOrder,
+        handles: Arc<Handles>,
     ) -> (bool, Arc<FeroxScan>) {
         let bar_length = if let Ok(guard) = self.bar_length.lock() {
             *guard
@@ -590,14 +627,11 @@ impl FeroxScans {
             0
         };
 
+        let active_bars = self.number_of_bars();
+        let bar_type = determine_bar_type(self.bar_limit, active_bars, self.output_level);
+
         let bar = match scan_type {
             ScanType::Directory => {
-                let bar_type = match self.output_level {
-                    OutputLevel::Default => BarType::Default,
-                    OutputLevel::Quiet => BarType::Quiet,
-                    OutputLevel::Silent => BarType::Hidden,
-                };
-
                 let progress_bar = add_bar(url, bar_length, bar_type);
 
                 progress_bar.reset_elapsed();
@@ -607,6 +641,8 @@ impl FeroxScans {
             ScanType::File => None,
         };
 
+        let is_visible = !matches!(bar_type, BarType::Hidden);
+
         let ferox_scan = FeroxScan::new(
             url,
             scan_type,
@@ -614,6 +650,8 @@ impl FeroxScans {
             bar_length,
             self.output_level,
             bar,
+            is_visible,
+            handles,
         );
 
         // If the set did not contain the scan, true is returned.
@@ -628,9 +666,14 @@ impl FeroxScans {
     /// If `FeroxScans` did not already contain the scan, return true; otherwise return false
     ///
     /// Also return a reference to the new `FeroxScan`
-    pub fn add_directory_scan(&self, url: &str, scan_order: ScanOrder) -> (bool, Arc<FeroxScan>) {
+    pub fn add_directory_scan(
+        &self,
+        url: &str,
+        scan_order: ScanOrder,
+        handles: Arc<Handles>,
+    ) -> (bool, Arc<FeroxScan>) {
         let normalized = format!("{}/", url.trim_end_matches('/'));
-        self.add_scan(&normalized, ScanType::Directory, scan_order)
+        self.add_scan(&normalized, ScanType::Directory, scan_order, handles)
     }
 
     /// Given a url, create a new `FeroxScan` and add it to `FeroxScans` as a File Scan
@@ -638,8 +681,65 @@ impl FeroxScans {
     /// If `FeroxScans` did not already contain the scan, return true; otherwise return false
     ///
     /// Also return a reference to the new `FeroxScan`
-    pub fn add_file_scan(&self, url: &str, scan_order: ScanOrder) -> (bool, Arc<FeroxScan>) {
-        self.add_scan(url, ScanType::File, scan_order)
+    pub fn add_file_scan(
+        &self,
+        url: &str,
+        scan_order: ScanOrder,
+        handles: Arc<Handles>,
+    ) -> (bool, Arc<FeroxScan>) {
+        self.add_scan(url, ScanType::File, scan_order, handles)
+    }
+
+    /// returns the number of active AND visible scans; supports --limit-bars functionality
+    pub fn number_of_bars(&self) -> usize {
+        let Ok(scans) = self.scans.read() else {
+            return 0;
+        };
+
+        // starting at one ensures we don't have an extra bar
+        // due to counting up from 0 when there's actually 1 bar
+        let mut count = 1;
+
+        for scan in &*scans {
+            if scan.is_active() && scan.visible() {
+                count += 1;
+            }
+        }
+
+        count
+    }
+
+    /// make one hidden bar visible; supports --limit-bars functionality
+    pub fn make_visible(&self) {
+        if let Ok(guard) = self.scans.read() {
+            // when swapping visibility, we'll prefer an actively running scan
+            // if none are found, we'll
+            let mut queued = None;
+
+            for scan in &*guard {
+                if !matches!(scan.scan_type, ScanType::Directory) {
+                    // visibility only makes sense for directory scans
+                    continue;
+                }
+
+                if scan.visible() {
+                    continue;
+                }
+
+                if scan.is_running() {
+                    scan.swap_visibility();
+                    return;
+                }
+
+                if queued.is_none() && scan.is_not_started() {
+                    queued = Some(scan.clone());
+                }
+            }
+
+            if let Some(scan) = queued {
+                scan.swap_visibility();
+            }
+        }
     }
 
     /// small helper to determine whether any scans are active or not
@@ -704,7 +804,7 @@ mod tests {
     #[test]
     /// unknown extension should be added to collected_extensions
     fn unknown_extension_is_added_to_collected_extensions() {
-        let scans = FeroxScans::new(OutputLevel::Default);
+        let scans = FeroxScans::new(OutputLevel::Default, 0);
 
         assert_eq!(0, scans.collected_extensions.read().unwrap().len());
 
@@ -717,7 +817,7 @@ mod tests {
     #[test]
     /// known extension should not be added to collected_extensions
     fn known_extension_is_added_to_collected_extensions() {
-        let scans = FeroxScans::new(OutputLevel::Default);
+        let scans = FeroxScans::new(OutputLevel::Default, 0);
         scans
             .collected_extensions
             .write()

src/scan_manager/tests.rs

@@ -15,6 +15,7 @@ use crate::{
 use indicatif::ProgressBar;
 use predicates::prelude::*;
 use regex::Regex;
+use std::sync::atomic::AtomicBool;
 use std::sync::{atomic::Ordering, Arc};
 use std::thread::sleep;
 use std::time::Instant;
@@ -57,7 +58,12 @@ async fn scanner_pause_scan_with_finished_spinner() {
 fn add_url_to_list_of_scanned_urls_with_unknown_url() {
     let urls = FeroxScans::default();
     let url = "http://unknown_url";
-    let (result, _scan) = urls.add_scan(url, ScanType::Directory, ScanOrder::Latest);
+    let (result, _scan) = urls.add_scan(
+        url,
+        ScanType::Directory,
+        ScanOrder::Latest,
+        Arc::new(Handles::for_testing(None, None).0),
+    );
     assert!(result);
 }
 
@@ -72,14 +78,21 @@ fn add_url_to_list_of_scanned_urls_with_known_url() {
         url,
         ScanType::Directory,
         ScanOrder::Latest,
-        pb.length(),
+        pb.length().unwrap(),
         OutputLevel::Default,
         Some(pb),
+        true,
+        Arc::new(Handles::for_testing(None, None).0),
     );
 
     assert!(urls.insert(scan));
 
-    let (result, _scan) = urls.add_scan(url, ScanType::Directory, ScanOrder::Latest);
+    let (result, _scan) = urls.add_scan(
+        url,
+        ScanType::Directory,
+        ScanOrder::Latest,
+        Arc::new(Handles::for_testing(None, None).0),
+    );
 
     assert!(!result);
 }
@@ -94,9 +107,11 @@ fn stop_progress_bar_stops_bar() {
         url,
         ScanType::Directory,
         ScanOrder::Latest,
-        pb.length(),
+        pb.length().unwrap(),
         OutputLevel::Default,
         Some(pb),
+        true,
+        Arc::new(Handles::for_testing(None, None).0),
     );
 
     assert!(!scan
@@ -107,7 +122,7 @@ fn stop_progress_bar_stops_bar() {
         .unwrap()
         .is_finished());
 
-    scan.stop_progress_bar();
+    scan.stop_progress_bar(0);
 
     assert!(scan
         .progress_bar
@@ -124,18 +139,25 @@ fn add_url_to_list_of_scanned_urls_with_known_url_without_slash() {
     let urls = FeroxScans::default();
     let url = "http://unknown_url";
 
-    let scan = FeroxScan::new(
+    let scan: Arc<FeroxScan> = FeroxScan::new(
         url,
         ScanType::File,
         ScanOrder::Latest,
         0,
         OutputLevel::Default,
         None,
+        true,
+        Arc::new(Handles::for_testing(None, None).0),
     );
 
     assert!(urls.insert(scan));
 
-    let (result, _scan) = urls.add_scan(url, ScanType::File, ScanOrder::Latest);
+    let (result, _scan) = urls.add_scan(
+        url,
+        ScanType::File,
+        ScanOrder::Latest,
+        Arc::new(Handles::for_testing(None, None).0),
+    );
 
     assert!(!result);
 }
@@ -152,20 +174,24 @@ async fn call_display_scans() {
         url,
         ScanType::Directory,
         ScanOrder::Latest,
-        pb.length(),
+        pb.length().unwrap(),
         OutputLevel::Default,
         Some(pb),
+        true,
+        Arc::new(Handles::for_testing(None, None).0),
     );
     let scan_two = FeroxScan::new(
         url_two,
         ScanType::Directory,
         ScanOrder::Latest,
-        pb_two.length(),
+        pb_two.length().unwrap(),
         OutputLevel::Default,
         Some(pb_two),
+        true,
+        Arc::new(Handles::for_testing(None, None).0),
     );
 
-    scan_two.finish().unwrap(); // one complete, one incomplete
+    scan_two.finish(0).unwrap(); // one complete, one incomplete
     scan_two
         .set_task(tokio::spawn(async move {
             sleep(Duration::from_millis(SLEEP_DURATION));
@@ -190,6 +216,8 @@ fn partial_eq_compares_the_id_field() {
         0,
         OutputLevel::Default,
         None,
+        true,
+        Arc::new(Handles::for_testing(None, None).0),
     );
     let scan_two = FeroxScan::new(
         url,
@@ -198,10 +226,13 @@ fn partial_eq_compares_the_id_field() {
         0,
         OutputLevel::Default,
         None,
+        true,
+        Arc::new(Handles::for_testing(None, None).0),
     );
 
     assert!(!scan.eq(&scan_two));
 
+    #[allow(clippy::redundant_clone)]
     let scan_two = scan.clone();
 
     assert!(scan.eq(&scan_two));
@@ -279,6 +310,8 @@ fn ferox_scan_serialize() {
         0,
         OutputLevel::Default,
         None,
+        true,
+        Arc::new(Handles::for_testing(None, None).0),
     );
     let fs_json = format!(
         r#"{{"id":"{}","url":"https://spiritanimal.com","normalized_url":"https://spiritanimal.com/","scan_type":"Directory","status":"NotStarted","num_requests":0,"requests_made_so_far":0}}"#,
@@ -297,6 +330,8 @@ fn ferox_scans_serialize() {
         0,
         OutputLevel::Default,
         None,
+        true,
+        Arc::new(Handles::for_testing(None, None).0),
     );
     let ferox_scans = FeroxScans::default();
     let ferox_scans_json = format!(
@@ -313,7 +348,7 @@ fn ferox_scans_serialize() {
 #[test]
 /// given a FeroxResponses, test that it serializes into the proper JSON entry
 fn ferox_responses_serialize() {
-    let json_response = r#"{"type":"response","url":"https://nerdcore.com/css","original_url":"https://nerdcore.com","path":"/css","wildcard":true,"status":301,"method":"GET","content_length":173,"line_count":10,"word_count":16,"headers":{"server":"nginx/1.16.1"},"extension":""}"#;
+    let json_response = r#"{"type":"response","url":"https://nerdcore.com/css","original_url":"https://nerdcore.com","path":"/css","wildcard":true,"status":301,"method":"GET","content_length":173,"line_count":10,"word_count":16,"headers":{"server":"nginx/1.16.1"},"extension":"","timestamp":1711796681.3455093}"#;
     let response: FeroxResponse = serde_json::from_str(json_response).unwrap();
 
     let responses = FeroxResponses::default();
@@ -331,7 +366,7 @@ fn ferox_responses_serialize() {
 /// given a FeroxResponse, test that it serializes into the proper JSON entry
 fn ferox_response_serialize_and_deserialize() {
     // deserialize
-    let json_response = r#"{"type":"response","url":"https://nerdcore.com/css","original_url":"https://nerdcore.com","path":"/css","wildcard":true,"status":301,"method":"GET","content_length":173,"line_count":10,"word_count":16,"headers":{"server":"nginx/1.16.1"},"extension":""}"#;
+    let json_response = r#"{"type":"response","url":"https://nerdcore.com/css","original_url":"https://nerdcore.com","path":"/css","wildcard":true,"status":301,"method":"GET","content_length":173,"line_count":10,"word_count":16,"headers":{"server":"nginx/1.16.1"},"extension":"","timestamp":1711796681.3455093}"#;
     let response: FeroxResponse = serde_json::from_str(json_response).unwrap();
 
     assert_eq!(response.url().as_str(), "https://nerdcore.com/css");
@@ -342,6 +377,7 @@ fn ferox_response_serialize_and_deserialize() {
     assert_eq!(response.line_count(), 10);
     assert_eq!(response.word_count(), 16);
     assert_eq!(response.headers().get("server").unwrap(), "nginx/1.16.1");
+    assert_eq!(response.timestamp(), 1711796681.3455093);
 
     // serialize, however, this can fail when headers are out of order
     let new_json = serde_json::to_string(&response).unwrap();
@@ -358,6 +394,8 @@ fn feroxstates_feroxserialize_implementation() {
         0,
         OutputLevel::Default,
         None,
+        true,
+        Arc::new(Handles::for_testing(None, None).0),
     );
     let ferox_scans = FeroxScans::default();
     let saved_id = ferox_scan.id.clone();
@@ -489,6 +527,9 @@ fn feroxstates_feroxserialize_implementation() {
         r#""url_denylist":[]"#,
         r#""responses""#,
         r#""type":"response""#,
+        r#""client_cert":"""#,
+        r#""client_key":"""#,
+        r#""server_certs":[]"#,
         r#""url":"https://nerdcore.com/css""#,
         r#""path":"/css""#,
         r#""wildcard":true"#,
@@ -496,12 +537,15 @@ fn feroxstates_feroxserialize_implementation() {
         r#""method":"GET""#,
         r#""content_length":173"#,
         r#""line_count":10"#,
+        r#""limit_bars":0"#,
         r#""word_count":16"#,
         r#""headers""#,
         r#""server":"nginx/1.16.1"#,
         r#""collect_extensions":true"#,
         r#""collect_backups":false"#,
         r#""collect_words":false"#,
+        r#""scan_dir_listings":false"#,
+        r#""protocol":"https""#,
         r#""filters":[{"filter_code":100},{"word_count":200},{"content_length":300},{"line_count":400},{"compiled":".*","raw_string":".*"},{"hash":1,"original_url":"http://localhost:12345/"}]"#,
         r#""collected_extensions":["php"]"#,
         r#""dont_collect":["tif","tiff","ico","cur","bmp","webp","svg","png","jpg","jpeg","jfif","gif","avif","apng","pjpeg","pjp","mov","wav","mpg","mpeg","mp3","mp4","m4a","m4p","m4v","ogg","webm","ogv","oga","flac","aac","3gp","css","zip","xls","xml","gz","tgz"]"#,
@@ -562,8 +606,10 @@ fn feroxscan_display() {
         normalized_url: String::from("http://localhost/"),
         scan_order: ScanOrder::Latest,
         scan_type: Default::default(),
+        handles: Some(Arc::new(Handles::for_testing(None, None).0)),
         num_requests: 0,
         requests_made_so_far: 0,
+        visible: AtomicBool::new(true),
         start_time: Instant::now(),
         output_level: OutputLevel::Default,
         status_403s: Default::default(),
@@ -612,6 +658,7 @@ async fn ferox_scan_abort() {
         requests_made_so_far: 0,
         start_time: Instant::now(),
         output_level: OutputLevel::Default,
+        visible: AtomicBool::new(true),
         status_403s: Default::default(),
         status_429s: Default::default(),
         status: std::sync::Mutex::new(ScanStatus::Running),
@@ -620,9 +667,10 @@ async fn ferox_scan_abort() {
         }))),
         progress_bar: std::sync::Mutex::new(None),
         errors: Default::default(),
+        handles: Some(Arc::new(Handles::for_testing(None, None).0)),
     };
 
-    scan.abort().await.unwrap();
+    scan.abort(0).await.unwrap();
 
     assert!(matches!(
         *scan.status.lock().unwrap(),
@@ -713,15 +761,26 @@ fn split_to_nums_is_correct() {
 #[test]
 /// given a deep url, find the correct scan
 fn get_base_scan_by_url_finds_correct_scan() {
+    let handles = Arc::new(Handles::for_testing(None, None).0);
     let urls = FeroxScans::default();
     let url = "http://localhost";
     let url1 = "http://localhost/stuff";
     let url2 = "http://shlocalhost/stuff/things";
     let url3 = "http://shlocalhost/stuff/things/mostuff";
-    let (_, scan) = urls.add_scan(url, ScanType::Directory, ScanOrder::Latest);
-    let (_, scan1) = urls.add_scan(url1, ScanType::Directory, ScanOrder::Latest);
-    let (_, scan2) = urls.add_scan(url2, ScanType::Directory, ScanOrder::Latest);
-    let (_, scan3) = urls.add_scan(url3, ScanType::Directory, ScanOrder::Latest);
+    let (_, scan) = urls.add_scan(url, ScanType::Directory, ScanOrder::Latest, handles.clone());
+    let (_, scan1) = urls.add_scan(
+        url1,
+        ScanType::Directory,
+        ScanOrder::Latest,
+        handles.clone(),
+    );
+    let (_, scan2) = urls.add_scan(
+        url2,
+        ScanType::Directory,
+        ScanOrder::Latest,
+        handles.clone(),
+    );
+    let (_, scan3) = urls.add_scan(url3, ScanType::Directory, ScanOrder::Latest, handles);
 
     assert_eq!(
         urls.get_base_scan_by_url("http://localhost/things.php")
@@ -754,7 +813,12 @@ fn get_base_scan_by_url_finds_correct_scan() {
 fn get_base_scan_by_url_finds_correct_scan_without_trailing_slash() {
     let urls = FeroxScans::default();
     let url = "http://localhost";
-    let (_, scan) = urls.add_scan(url, ScanType::Directory, ScanOrder::Latest);
+    let (_, scan) = urls.add_scan(
+        url,
+        ScanType::Directory,
+        ScanOrder::Latest,
+        Arc::new(Handles::for_testing(None, None).0),
+    );
     assert_eq!(
         urls.get_base_scan_by_url("http://localhost/BKPMiherrortBPKcw")
             .unwrap()
@@ -768,7 +832,12 @@ fn get_base_scan_by_url_finds_correct_scan_without_trailing_slash() {
 fn get_base_scan_by_url_finds_correct_scan_with_trailing_slash() {
     let urls = FeroxScans::default();
     let url = "http://127.0.0.1:41971/";
-    let (_, scan) = urls.add_scan(url, ScanType::Directory, ScanOrder::Latest);
+    let (_, scan) = urls.add_scan(
+        url,
+        ScanType::Directory,
+        ScanOrder::Latest,
+        Arc::new(Handles::for_testing(None, None).0),
+    );
     assert_eq!(
         urls.get_base_scan_by_url("http://127.0.0.1:41971/BKPMiherrortBPKcw")
             .unwrap()

src/scan_manager/utils.rs

@@ -1,7 +1,12 @@
 #[cfg(not(test))]
 use crate::event_handlers::TermInputHandler;
 use crate::{
-    config::Configuration, event_handlers::Handles, parser::TIMESPEC_REGEX, scanner::RESPONSES,
+    config::{Configuration, OutputLevel},
+    event_handlers::Handles,
+    parser::TIMESPEC_REGEX,
+    progress::BarType,
+    scan_manager::scan::Visibility,
+    scanner::RESPONSES,
 };
 
 use std::{fs::File, io::BufReader, sync::Arc};
@@ -90,3 +95,79 @@ pub fn resume_scan(filename: &str) -> Configuration {
     log::trace!("exit: resume_scan -> {:?}", config);
     config
 }
+
+/// determine the type of progress bar to display
+/// takes both --limit-bars and output-level (--quiet|--silent|etc)
+/// into account to arrive at a `BarType`
+pub fn determine_bar_type(
+    bar_limit: usize,
+    number_of_bars: usize,
+    output_level: OutputLevel,
+) -> BarType {
+    let visibility = if bar_limit == 0 {
+        // no limit from cli, just set the value to visible
+        // this protects us from a mutex unlock in number_of_bars
+        // in the normal case
+        Visibility::Visible
+    } else if bar_limit < number_of_bars {
+        // active bars exceed limit; hidden
+        Visibility::Hidden
+    } else {
+        Visibility::Visible
+    };
+
+    match (output_level, visibility) {
+        (OutputLevel::Default, Visibility::Visible) => BarType::Default,
+        (OutputLevel::Quiet, Visibility::Visible) => BarType::Quiet,
+        (OutputLevel::Default, Visibility::Hidden) => BarType::Hidden,
+        (OutputLevel::Quiet, Visibility::Hidden) => BarType::Hidden,
+        (OutputLevel::Silent | OutputLevel::SilentJSON, _) => BarType::Hidden,
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_no_limit_visible() {
+        let bar_type = determine_bar_type(0, 1, OutputLevel::Default);
+        assert!(matches!(bar_type, BarType::Default));
+    }
+
+    #[test]
+    fn test_limit_exceeded_hidden() {
+        let bar_type = determine_bar_type(1, 2, OutputLevel::Default);
+        assert!(matches!(bar_type, BarType::Hidden));
+    }
+
+    #[test]
+    fn test_limit_not_exceeded_visible() {
+        let bar_type = determine_bar_type(2, 1, OutputLevel::Default);
+        assert!(matches!(bar_type, BarType::Default));
+    }
+
+    #[test]
+    fn test_quiet_visible() {
+        let bar_type = determine_bar_type(0, 1, OutputLevel::Quiet);
+        assert!(matches!(bar_type, BarType::Quiet));
+    }
+
+    #[test]
+    fn test_quiet_hidden() {
+        let bar_type = determine_bar_type(1, 2, OutputLevel::Quiet);
+        assert!(matches!(bar_type, BarType::Hidden));
+    }
+
+    #[test]
+    fn test_silent_hidden() {
+        let bar_type = determine_bar_type(0, 1, OutputLevel::Silent);
+        assert!(matches!(bar_type, BarType::Hidden));
+    }
+
+    #[test]
+    fn test_silent_json_hidden() {
+        let bar_type = determine_bar_type(0, 1, OutputLevel::SilentJSON);
+        assert!(matches!(bar_type, BarType::Hidden));
+    }
+}

src/scanner/ferox_scanner.rs

@@ -203,6 +203,9 @@ impl FeroxScanner {
         log::info!("Starting scan against: {}", self.target_url);
 
         let mut scan_timer = Instant::now();
+        // every time we extract links we'll need to await the task to make sure
+        // it completes before the scan ends
+        let mut extraction_tasks = Vec::new();
 
         if self.handles.config.extract_links && matches!(self.order, ScanOrder::Initial) {
             // check for robots.txt (cannot be in sub-directories, so limited to Initial)
@@ -211,9 +214,9 @@ impl FeroxScanner {
                 .url(&self.target_url)
                 .handles(self.handles.clone())
                 .build()?;
-
-            let result = extractor.extract().await?;
-            extractor.request_links(result).await?;
+            if let Ok(result) = extractor.extract().await {
+                extraction_tasks.push(extractor.request_links(result).await?)
+            }
         }
 
         let scanned_urls = self.handles.ferox_scans()?;
@@ -248,56 +251,72 @@ impl FeroxScanner {
             // heuristics test block:
             let test = heuristics::HeuristicTests::new(self.handles.clone());
 
-            if let Ok(dirlist_result) = test.directory_listing(&self.target_url).await {
-                if dirlist_result.is_some() {
-                    let dirlist_result = dirlist_result.unwrap();
-                    // at this point, we have a DirListingType, and it's not the None variant
-                    // which means we found directory listing based on the heuristic; now we need
-                    // to process the links that are available if --extract-links was used
+            if let Ok(Some(dirlist_result)) = test.directory_listing(&self.target_url).await {
+                // at this point, we have a DirListingType, and it's not the None variant
+                // which means we found directory listing based on the heuristic; now we need
+                // to process the links that are available if --extract-links was used
 
-                    if self.handles.config.extract_links {
-                        let mut extractor = ExtractorBuilder::default()
-                            .response(&dirlist_result.response)
-                            .target(ExtractionTarget::DirectoryListing)
-                            .url(&self.target_url)
-                            .handles(self.handles.clone())
-                            .build()?;
+                if self.handles.config.extract_links {
+                    let mut extractor = ExtractorBuilder::default()
+                        .response(&dirlist_result.response)
+                        .target(ExtractionTarget::DirectoryListing)
+                        .url(&self.target_url)
+                        .handles(self.handles.clone())
+                        .build()?;
 
-                        let result = extractor.extract_from_dir_listing().await?;
+                    let result = extractor.extract_from_dir_listing().await?;
 
-                        extractor.request_links(result).await?;
+                    extraction_tasks.push(extractor.request_links(result).await?);
 
-                        log::trace!("exit: scan_url -> Directory listing heuristic");
+                    log::trace!("exit: scan_url -> Directory listing heuristic");
 
-                        self.handles.stats.send(AddToF64Field(
-                            DirScanTimes,
-                            scan_timer.elapsed().as_secs_f64(),
-                        ))?;
+                    self.handles.stats.send(AddToF64Field(
+                        DirScanTimes,
+                        scan_timer.elapsed().as_secs_f64(),
+                    ))?;
 
-                        self.handles.stats.send(SubtractFromUsizeField(
-                            TotalExpected,
-                            progress_bar.length() as usize,
-                        ))?;
+                    self.handles.stats.send(SubtractFromUsizeField(
+                        TotalExpected,
+                        progress_bar.length().unwrap_or(0) as usize,
+                    ))?;
+                }
+
+                let mut message = format!("=> {}", style("Directory listing").blue().bright());
+
+                if !self.handles.config.scan_dir_listings {
+                    write!(
+                        message,
+                        " (add {} to scan)",
+                        style("--scan-dir-listings").bright().yellow()
+                    )?;
+                }
+
+                if !self.handles.config.extract_links {
+                    write!(
+                        message,
+                        " (remove {} to scan)",
+                        style("--dont-extract-links").bright().yellow()
+                    )?;
+                }
+
+                if !self.handles.config.force_recursion && !self.handles.config.scan_dir_listings {
+                    for handle in extraction_tasks.into_iter().flatten() {
+                        _ = handle.await;
                     }
 
-                    let mut message = format!("=> {}", style("Directory listing").blue().bright());
+                    progress_bar.reset_eta();
+                    progress_bar.finish_with_message(message);
 
-                    if !self.handles.config.extract_links {
-                        write!(
-                            message,
-                            " (remove {} to scan)",
-                            style("--dont-extract-links").bright().yellow()
-                        )?;
+                    if self.handles.config.limit_bars > 0 {
+                        let scans = self.handles.ferox_scans()?;
+                        let num_bars = scans.number_of_bars();
+                        ferox_scan.finish(num_bars)?;
+                        scans.make_visible();
+                    } else {
+                        ferox_scan.finish(0)?;
                     }
 
-                    if !self.handles.config.force_recursion {
-                        progress_bar.reset_eta();
-                        progress_bar.finish_with_message(&message);
-
-                        ferox_scan.finish()?;
-
-                        return Ok(()); // nothing left to do if we found a dir listing
-                    }
+                    return Ok(()); // nothing left to do if we found a dir listing
                 }
             }
 
@@ -317,7 +336,7 @@ impl FeroxScanner {
                         style("Wildcard").blue().bright(),
                         style("stopped").red()
                     );
-                    progress_bar.set_message(&message);
+                    progress_bar.set_message(message);
                     progress_bar.inc(num_reqs as u64);
                 }
                 Some(WildcardResult::FourOhFourLike(num_reqs)) => {
@@ -344,7 +363,7 @@ impl FeroxScanner {
             let new_words = TF_IDF.read().unwrap().all_words();
             let new_words_len = new_words.len();
 
-            let cur_length = progress_bar.length();
+            let cur_length = progress_bar.length().unwrap_or(0);
             let new_length = cur_length + new_words_len as u64;
 
             progress_bar.set_length(new_length);
@@ -374,7 +393,18 @@ impl FeroxScanner {
             scan_timer.elapsed().as_secs_f64(),
         ))?;
 
-        ferox_scan.finish()?;
+        for handle in extraction_tasks.into_iter().flatten() {
+            _ = handle.await;
+        }
+
+        if self.handles.config.limit_bars > 0 {
+            let scans = self.handles.ferox_scans()?;
+            let num_bars = scans.number_of_bars();
+            ferox_scan.finish(num_bars)?;
+            scans.make_visible();
+        } else {
+            ferox_scan.finish(0)?;
+        }
 
         log::trace!("exit: scan_url");
 

src/scanner/requester.rs

@@ -217,7 +217,7 @@ impl Requester {
 
                     self.ferox_scan
                         .progress_bar()
-                        .set_message(&format!("=> 🚦 {styled_direction} scan speed",));
+                        .set_message(format!("=> 🚦 {styled_direction} scan speed",));
                 }
                 self.policy_data.set_errors(scan_errors);
             } else {
@@ -230,7 +230,7 @@ impl Requester {
 
                 self.ferox_scan
                     .progress_bar()
-                    .set_message(&format!("=> 🚦 {styled_direction} scan speed",));
+                    .set_message(format!("=> 🚦 {styled_direction} scan speed",));
             }
         }
 
@@ -286,7 +286,7 @@ impl Requester {
             self.set_rate_limiter(Some(new_limit)).await?;
             self.ferox_scan
                 .progress_bar()
-                .set_message(&format!("=> 🚦 set rate limit ({new_limit}/s)"));
+                .set_message(format!("=> 🚦 set rate limit ({new_limit}/s)"));
         }
 
         self.adjust_limit(trigger, true).await?;
@@ -313,19 +313,22 @@ impl Requester {
                 .set_status(ScanStatus::Cancelled)
                 .unwrap_or_else(|e| log::warn!("Could not set scan status: {}", e));
 
+            let scans = self.handles.ferox_scans()?;
+            let active_bars = scans.number_of_bars();
+
             // kill the scan
             self.ferox_scan
-                .abort()
+                .abort(active_bars)
                 .await
                 .unwrap_or_else(|e| log::warn!("Could not bail on scan: {}", e));
 
             // figure out how many requests are skipped as a result
             let pb = self.ferox_scan.progress_bar();
-            let num_skipped = pb.length().saturating_sub(pb.position()) as usize;
+            let num_skipped = pb.length().unwrap_or(0).saturating_sub(pb.position()) as usize;
 
             let styled_trigger = style(format!("{trigger:?}")).red();
 
-            pb.set_message(&format!(
+            pb.set_message(format!(
                 "=> 💀 too many {} ({}) 💀 bailing",
                 styled_trigger,
                 self.ferox_scan.num_errors(trigger),
@@ -475,12 +478,13 @@ impl Requester {
 
                 if self.handles.config.collect_words {
                     if let Ok(mut guard) = TF_IDF.write() {
-                        let doc = Document::from_html(ferox_response.text());
-                        guard.add_document(doc);
-                        if guard.num_documents() % 12 == 0
-                            || (guard.num_documents() < 5 && guard.num_documents() % 2 == 0)
-                        {
-                            guard.calculate_tf_idf_scores();
+                        if let Some(doc) = Document::from_html(ferox_response.text()) {
+                            guard.add_document(doc);
+                            if guard.num_documents() % 12 == 0
+                                || (guard.num_documents() < 5 && guard.num_documents() % 2 == 0)
+                            {
+                                guard.calculate_tf_idf_scores();
+                            }
                         }
                     }
                 }
@@ -490,6 +494,7 @@ impl Requester {
                         .target(ExtractionTarget::ResponseBody)
                         .response(&ferox_response)
                         .handles(self.handles.clone())
+                        .url(self.ferox_scan.url())
                         .build()?;
 
                     let new_links: HashSet<_>;
@@ -513,7 +518,11 @@ impl Requester {
                     }
 
                     if !new_links.is_empty() {
-                        extractor.request_links(new_links).await?;
+                        let extraction_task = extractor.request_links(new_links).await?;
+
+                        if let Some(task) = extraction_task {
+                            _ = task.await;
+                        }
                     }
                 }
 
@@ -640,6 +649,8 @@ mod tests {
             1000,
             OutputLevel::Default,
             None,
+            true,
+            handles.clone(),
         );
 
         scan.set_status(ScanStatus::Running).unwrap();
@@ -1138,6 +1149,8 @@ mod tests {
             1000,
             OutputLevel::Default,
             None,
+            true,
+            Arc::new(Handles::for_testing(None, None).0),
         );
         scan.set_status(ScanStatus::Running).unwrap();
         scan.add_429();
@@ -1171,7 +1184,7 @@ mod tests {
             200
         );
 
-        scan.finish().unwrap();
+        scan.finish(0).unwrap();
         assert!(start.elapsed().as_millis() >= 2000);
     }
 }

src/scanner/tests.rs

@@ -15,7 +15,7 @@ use super::*;
 /// try to hit struct field coverage of FileOutHandler
 async fn get_scan_by_url_bails_on_unfound_url() {
     let sem = Semaphore::new(10);
-    let urls = FeroxScans::new(OutputLevel::Default);
+    let urls = FeroxScans::new(OutputLevel::Default, 0);
 
     let scanner = FeroxScanner::new(
         "http://localhost",

src/statistics/container.rs

@@ -132,6 +132,9 @@ pub struct Stats {
 
     /// tracker for whether to use json during serialization or not
     json: bool,
+
+    /// tracker for the initial targets that were passed in to the scan
+    targets: Mutex<Vec<String>>,
 }
 
 /// FeroxSerialize implementation for Stats
@@ -196,6 +199,7 @@ impl Serialize for Stats {
         state.serialize_field("request_errors", &atomic_load!(self.request_errors))?;
         state.serialize_field("directory_scan_times", &self.directory_scan_times)?;
         state.serialize_field("total_runtime", &self.total_runtime)?;
+        state.serialize_field("targets", &self.targets)?;
 
         state.end()
     }
@@ -446,6 +450,17 @@ impl<'a> Deserialize<'a> for Stats {
                         }
                     }
                 }
+                "targets" => {
+                    if let Some(arr) = value.as_array() {
+                        for val in arr {
+                            if let Some(parsed) = val.as_str() {
+                                if let Ok(mut guard) = stats.targets.lock() {
+                                    guard.push(parsed.to_string())
+                                }
+                            }
+                        }
+                    }
+                }
                 _ => {}
             }
         }
@@ -514,6 +529,13 @@ impl Stats {
         }
     }
 
+    /// update targets with the given vector of strings
+    pub fn update_targets(&self, targets: Vec<String>) {
+        if let Ok(mut locked_targets) = self.targets.lock() {
+            *locked_targets = targets;
+        }
+    }
+
     /// save an instance of `Stats` to disk after updating the total runtime for the scan
     pub fn save(&self, seconds: f64, location: &str) -> Result<()> {
         let mut file = open_file(location)?;

src/statistics/tests.rs

@@ -55,7 +55,7 @@ fn save_writes_stats_object_to_disk() {
     stats.add_status_code(StatusCode::OK);
     stats.add_status_code(StatusCode::OK);
     let outfile = NamedTempFile::new().unwrap();
-    if stats.save(174.33, outfile.path().to_str().unwrap()).is_ok() {}
+    assert!(stats.save(174.33, outfile.path().to_str().unwrap()).is_ok());
 
     assert!(stats.as_json().unwrap().contains("statistics"));
     assert!(stats.as_json().unwrap().contains("11")); // requests made

src/url.rs

@@ -1,3 +1,4 @@
+use crate::utils::parse_url_with_raw_path;
 use crate::{event_handlers::Handles, statistics::StatError::UrlFormat, Command::AddError};
 use anyhow::{anyhow, bail, Result};
 use reqwest::Url;
@@ -142,19 +143,19 @@ impl FeroxUrl {
             word = word.trim_start_matches('/').to_string();
         };
 
-        let base_url = Url::parse(&url)?;
-        let joined = base_url.join(&word)?;
+        let base_url = parse_url_with_raw_path(&url)?;
+        let mut joined = base_url.join(&word)?;
 
-        if self.handles.config.queries.is_empty() {
-            // no query params to process
-            log::trace!("exit: format -> {}", joined);
-            Ok(joined)
-        } else {
-            let with_params =
-                Url::parse_with_params(joined.as_str(), &self.handles.config.queries)?;
-            log::trace!("exit: format_url -> {}", with_params);
-            Ok(with_params) // request with params attached
+        if !self.handles.config.queries.is_empty() {
+            // if called, this adds a '?' to the url, whether or not there are queries to be added
+            // so we need to check if there are queries to be added before blindly adding the '?'
+            joined
+                .query_pairs_mut()
+                .extend_pairs(self.handles.config.queries.iter());
         }
+
+        log::trace!("exit: format_url -> {}", joined);
+        Ok(joined)
     }
 
     /// Simple helper to abstract away adding a forward-slash to a url if not present
@@ -189,7 +190,7 @@ impl FeroxUrl {
 
         let target = self.normalize();
 
-        let parsed = Url::parse(&target)?;
+        let parsed = parse_url_with_raw_path(&target)?;
         let parts = parsed
             .path_segments()
             .ok_or_else(|| anyhow!("No path segments found"))?;
@@ -269,7 +270,7 @@ mod tests {
         let pdf = Url::parse("http://localhost/turbo.pdf").unwrap();
         let tar = Url::parse("http://localhost/turbo.tar.gz").unwrap();
 
-        let expected = vec![
+        let expected = [
             vec![base.clone(), js.clone()],
             vec![base.clone(), js.clone(), php.clone()],
             vec![base.clone(), js.clone(), php.clone(), pdf.clone()],

src/utils.rs

@@ -68,6 +68,20 @@ pub fn fmt_err(msg: &str) -> String {
     format!("{}: {}", status_colorizer("ERROR"), msg)
 }
 
+/// simple wrapper to get the current system time as
+/// time elapsed from unix epoch
+pub fn timestamp() -> f64 {
+    let since_the_epoch = SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .unwrap_or_else(|_| Duration::from_secs(0));
+
+    let secs = since_the_epoch.as_secs() as f64;
+    let nanos = since_the_epoch.subsec_nanos() as f64;
+
+    // Convert nanoseconds to fractional seconds and add to secs
+    secs + (nanos / 1_000_000_000.0)
+}
+
 /// given a FeroxResponse, send a TryRecursion command
 ///
 /// moved to utils to allow for calls from extractor and scanner
@@ -75,7 +89,12 @@ pub(crate) async fn send_try_recursion_command(
     handles: Arc<Handles>,
     response: FeroxResponse,
 ) -> Result<()> {
-    handles.send_scan_command(Command::TryRecursion(Box::new(response.clone())))?;
+    // make the response mutable so we can drop the body before
+    // sending it over the mpsc
+    let mut response = response;
+    response.drop_text();
+
+    handles.send_scan_command(Command::TryRecursion(Box::new(response)))?;
     let (tx, rx) = oneshot::channel::<bool>();
     handles.send_scan_command(Command::Sync(tx))?;
     rx.await?;
@@ -420,9 +439,14 @@ fn should_deny_absolute(url_to_test: &Url, denier: &Url, handles: Arc<Handles>)
         // current deny-url, now we just need to check to see if this deny-url is a parent
         // to a scanned url that is also a parent of the given url
         for ferox_scan in handles.ferox_scans()?.get_active_scans() {
-            let scanner = Url::parse(ferox_scan.url().trim_end_matches('/'))
+            let scanner = parse_url_with_raw_path(ferox_scan.url().trim_end_matches('/'))
                 .with_context(|| format!("Could not parse {ferox_scan} as a url"))?;
 
+            // by calling the new parse_url_with_raw_path, and reaching this point without an
+            // error, we know we have an authority and therefore a host. leaving the code
+            // below, but we should never hit the else condition. leaving it in so if we find
+            // a case where i'm mistaken, we'll know about it and can address it
+
             if let Some(scan_host) = scanner.host() {
                 // same domain/ip check we perform on the denier above
                 if tested_host != scan_host {
@@ -431,7 +455,7 @@ fn should_deny_absolute(url_to_test: &Url, denier: &Url, handles: Arc<Handles>)
                 }
             } else {
                 // couldn't process .host from scanner
-                continue;
+                unreachable!("should_deny_absolute: scanner.host() returned None, which shouldn't be possible");
             };
 
             let scan_path = scanner.path();
@@ -482,7 +506,7 @@ pub fn should_deny_url(url: &Url, handles: Arc<Handles>) -> Result<bool> {
 
     // normalization for comparison is to remove the trailing / if one exists, this is done for
     // the given url and any url to which it's compared
-    let normed_url = Url::parse(url.to_string().trim_end_matches('/'))?;
+    let normed_url = parse_url_with_raw_path(url.to_string().trim_end_matches('/'))?;
 
     for denier in &handles.config.url_denylist {
         // note to self: it may seem as though we can use regex only for --dont-scan, however, in
@@ -532,6 +556,194 @@ pub fn slugify_filename(url: &str, prefix: &str, suffix: &str) -> String {
     filename
 }
 
+/// This function takes a url string and returns a `url::Url`
+///
+/// It is primarily used to detect url paths that `url::Url::parse` will
+/// silently transform, such as /path/../file.html -> /file.html
+///
+/// # Warning
+///
+/// In the instance of a url with encoded path traversal strings, such as
+/// /path/%2e%2e/file.html, the underlying `url::Url::parse` will
+/// further encode the %-signs and return /path/%252e%252e/file.html
+pub fn parse_url_with_raw_path(url: &str) -> Result<Url> {
+    log::trace!("enter: parse_url_with_raw_path({})", url);
+
+    let parsed = Url::parse(url)?;
+
+    if !parsed.has_authority() {
+        // parsed correctly, but no authority, meaning mailto: or tel: or
+        // some other url that we don't care about
+        bail!("url to parse has no authority and is therefore invalid");
+    }
+
+    // thanks to @devx00: the possibility exists for Url to return true for
+    // has_authority, but not have a host/port, so we'll check for that
+    // and bail if it's the case
+    if parsed.host().is_none() {
+        bail!("url to parse doesn't have a host");
+    }
+
+    // we have a valid url, the next step is to check the path and see if it's
+    // something that url::Url::parse would silently transform
+    //
+    // i.e. if the path is /path/../file.html, url::Url::parse will transform it
+    // to /file.html, which is not what we want
+
+    let farthest_right_authority_part;
+
+    // we want to find the farthest right authority component, which is the
+    // component that is the furthest right in the url that is part of the
+    // authority
+    //
+    // per RFC 3986, the authority is defined as:
+    // - authority = [ userinfo "@" ] host [ ":" port ]
+    //
+    // so the farthest right authority component is either the port or the host
+    //
+    // i.e. in http://example.com:80/path/file.html, the farthest right authority
+    // component is :80
+    //
+    // in http://example.com/path/file.html, the farthest right authority component
+    // is example.com
+    //
+    // the farthest right authority component is used to split the url into two
+    // parts: the part before the authority and the part after the authority
+    if let Some(port) = parsed.port() {
+        // if the url has a port, then the farthest right authority component is
+        // the port
+        farthest_right_authority_part = format!(":{}", port);
+    } else if parsed.has_host() {
+        // if the url has a host, then the farthest right authority component is
+        // the host
+        farthest_right_authority_part = parsed.host_str().unwrap().to_owned();
+    } else {
+        // if the url has neither a port nor a host, then the url is invalid
+        // and we can't do anything with it, but i don't think this is possible
+        unreachable!("url has an authority, but has neither a port nor a host");
+    }
+
+    // split the original url string into two parts: the part before the authority and the part
+    // after the authority (i.e. the path + query + fragment)
+
+    let Some((_, after_authority)) = url.split_once(&farthest_right_authority_part) else {
+        // if we can't split the url string into two parts, then the url doesn't conform to our
+        // expectations, and we can't continue processing it, so we'll return the parsed url
+        return Ok(parsed);
+    };
+
+    // when there is a port, but it matches the default port for the scheme,
+    // url::Url::parse will mark the port as None, giving us a
+    // `after_authority` that looks something like this:
+    // - :80/path/file.html
+    let after_authority = after_authority
+        .replacen(":80", "", 1)
+        .replacen(":443", "", 1);
+
+    // snippets from rfc-3986:
+    //
+    //          foo://example.com:8042/over/there?name=ferret#nose
+    //          \_/   \______________/\_________/ \_________/ \__/
+    //           |           |            |            |        |
+    //        scheme     authority       path        query   fragment
+    //
+    // The path component is terminated
+    //    by the first question mark ("?") or number sign ("#") character, or
+    //    by the end of the URI.
+    //
+    // The query component is indicated by the first question
+    //    mark ("?") character and terminated by a number sign ("#") character
+    //    or by the end of the URI.
+    let (path, _discarded) = after_authority
+        .split_once('?')
+        // if there isn't a '?', try to remove a fragment
+        .unwrap_or_else(|| {
+            // if there isn't a '#', return (original, empty)
+            after_authority
+                .split_once('#')
+                .unwrap_or((&after_authority, ""))
+        });
+
+    // at this point, we have the path, all by itself
+
+    // each of the following is a string that we can expect url::Url::parse to
+    // transform. The variety is to ensure we cover most common path traversal
+    // encodings
+    let transformation_detectors = [
+        // ascii
+        "..",
+        // single url encoded
+        "%2e%2e",
+        // double url encoded
+        "%25%32%65%25%32%65",
+        // utf-8 encoded
+        "%c0%ae%c0%ae",
+        "%e0%40%ae%e0%40%ae",
+        "%c0ae%c0ae",
+        // 16 bit shenanigans
+        "%uff0e%uff0e",
+        "%u002e%u002e",
+    ];
+
+    let parsing_will_transform_path = transformation_detectors
+        .iter()
+        .any(|detector| path.to_lowercase().contains(detector));
+
+    if !parsing_will_transform_path {
+        // there's no string in the path of the url that will trigger a transformation
+        // so, we can return it as-is
+        return Ok(parsed);
+    }
+
+    // if we reach this point, the path contains a string that will trigger a transformation
+    // so we need to manually create a Url that doesn't have the transformation
+    // and return that
+    //
+    // special thanks to github user @lavafroth for this workaround
+
+    let mut hacked_url = if path.ends_with('/') {
+        // from_file_path silently strips trailing slashes, and
+        // from_directory_path adds them, so we'll choose the appropriate
+        // constructor based on the presence of a path's trailing slash
+
+        // according to from_file_path docs:
+        //   from_file_path returns `Err` if the given path is not absolute or,
+        //   on Windows, if the prefix is not a disk prefix (e.g. `C:`) or a UNC prefix (`\\`).
+        //
+        // since we parsed out a valid url path, we know it is absolute, so on non-windows
+        // platforms, we can safely unwrap. On windows, we need to fix up the path
+        #[cfg(target_os = "windows")]
+        {
+            let path = format!("\\/IGNOREME{path}");
+            Url::from_directory_path(path).unwrap()
+        }
+        #[cfg(not(target_os = "windows"))]
+        Url::from_directory_path(path).unwrap()
+    } else {
+        #[cfg(target_os = "windows")]
+        {
+            let path = format!("\\/IGNOREME{path}");
+            Url::from_file_path(path).unwrap()
+        }
+        #[cfg(not(target_os = "windows"))]
+        Url::from_file_path(path).unwrap()
+    };
+
+    // host must be set first, otherwise multiple components may return Err
+    hacked_url.set_host(parsed.host_str())?;
+    // scheme/port/username/password can fail, but in this instance, we know they won't
+    hacked_url.set_scheme(parsed.scheme()).unwrap();
+    hacked_url.set_port(parsed.port()).unwrap();
+    hacked_url.set_username(parsed.username()).unwrap();
+    hacked_url.set_password(parsed.password()).unwrap();
+    // query/fragment can't fail
+    hacked_url.set_query(parsed.query());
+    hacked_url.set_fragment(parsed.fragment());
+
+    log::trace!("exit: parse_url_with_raw_path -> {}", hacked_url);
+    Ok(hacked_url)
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -539,31 +751,171 @@ mod tests {
     use crate::scan_manager::{FeroxScans, ScanOrder};
 
     #[test]
-    /// set_open_file_limit with a low requested limit succeeds
-    fn utils_set_open_file_limit_with_low_requested_limit() {
-        let (_, hard) = getrlimit(Resource::NOFILE).unwrap();
-        let lower_limit = hard - 1;
-        assert!(set_open_file_limit(lower_limit));
+    /// parse_url_with_raw_path with javascript:// should not throw an unimplemented! error
+    fn utils_parse_url_with_raw_path_javascript() {
+        let url = "javascript://";
+        let parsed = parse_url_with_raw_path(url);
+        assert!(parsed.is_err());
+        assert!(parsed
+            .unwrap_err()
+            .to_string()
+            .contains("url to parse doesn't have a host"));
     }
 
     #[test]
-    /// set_open_file_limit with a high requested limit succeeds
-    fn utils_set_open_file_limit_with_high_requested_limit() {
-        let (_, hard) = getrlimit(Resource::NOFILE).unwrap();
-        let higher_limit = hard + 1;
-        // calculate a new soft to ensure soft != hard and hit that logic branch
-        let new_soft = hard - 1;
-        setrlimit(Resource::NOFILE, new_soft, hard).unwrap();
-        assert!(set_open_file_limit(higher_limit));
+    /// multiple tests for parse_url_with_raw_path
+    fn utils_parse_url_with_raw_path() {
+        // ../.. is preserved
+        let url = "https://www.google.com/../../stuff";
+        let parsed = parse_url_with_raw_path(url).unwrap();
+        assert_eq!(parsed.as_str(), url);
+
+        // ../.. is preserved as well as the trailing slash
+        let url = "https://www.google.com/../../stuff/";
+        let parsed = parse_url_with_raw_path(url).unwrap();
+        assert_eq!(parsed.as_str(), url);
+
+        // no trailing slash is preserved
+        let url = "https://www.google.com/stuff";
+        let parsed = parse_url_with_raw_path(url).unwrap();
+        assert_eq!(parsed.as_str(), url);
+
+        // trailing slash is preserved
+        let url = "https://www.google.com/stuff/";
+        let parsed: Url = parse_url_with_raw_path(url).unwrap();
+        assert_eq!(parsed.as_str(), url);
+
+        // mailto is an error
+        let url = "mailto:user@example.com";
+        let parsed = parse_url_with_raw_path(url);
+        assert!(parsed.is_err());
+
+        // relative url is an error
+        let url = "../../stuff";
+        let parsed = parse_url_with_raw_path(url);
+        assert!(parsed.is_err());
+
+        // absolute without host is an error
+        let url = "/../../stuff";
+        let parsed = parse_url_with_raw_path(url);
+        assert!(parsed.is_err());
+
+        // default ports are parsed correctly
+        for url in [
+            "http://example.com:80/path/file.html",
+            "https://example.com:443/path/file.html",
+        ] {
+            let parsed = parse_url_with_raw_path(url).unwrap();
+            assert!(parsed.port().is_none());
+            assert_eq!(parsed.host().unwrap().to_string().as_str(), "example.com");
+        }
+
+        // non-default ports are parsed correctly
+        for url in [
+            "http://example.com:8080/path/file.html",
+            "https://example.com:4433/path/file.html",
+        ] {
+            let parsed = parse_url_with_raw_path(url).unwrap();
+            assert!(parsed.port().is_some());
+            assert_eq!(parsed.as_str(), url);
+        }
+
+        // different encodings are respected if found in doubles
+        //
+        // note that the % sign is encoded as %25...
+        let url = "http://user:pass@example.com/%2e%2e/stuff.php";
+        let parsed = parse_url_with_raw_path(url).unwrap();
+        assert_eq!(
+            parsed.as_str(),
+            "http://user:pass@example.com/%252e%252e/stuff.php"
+        );
+
+        let url = "http://user:pass@example.com/%25%32%65%25%32%65/stuff.php";
+        let parsed = parse_url_with_raw_path(url).unwrap();
+        assert_eq!(parsed.username(), "user");
+        assert_eq!(parsed.password().unwrap(), "pass");
+        assert_eq!(
+            parsed.as_str(),
+            "http://user:pass@example.com/%2525%2532%2565%2525%2532%2565/stuff.php"
+        );
+
+        let url = "http://user:pass@example.com/%c0%ae%c0%ae/stuff.php";
+        let parsed = parse_url_with_raw_path(url).unwrap();
+        assert_eq!(parsed.username(), "user");
+        assert_eq!(parsed.password().unwrap(), "pass");
+        assert_eq!(
+            parsed.as_str(),
+            "http://user:pass@example.com/%25c0%25ae%25c0%25ae/stuff.php"
+        );
+
+        let url = "http://user:pass@example.com/%e0%40%ae%e0%40%ae/stuff.php";
+        let parsed = parse_url_with_raw_path(url).unwrap();
+        assert_eq!(parsed.username(), "user");
+        assert_eq!(parsed.password().unwrap(), "pass");
+        assert_eq!(
+            parsed.as_str(),
+            "http://user:pass@example.com/%25e0%2540%25ae%25e0%2540%25ae/stuff.php"
+        );
+
+        let url = "http://user:pass@example.com/%c0ae%c0ae/stuff.php";
+        let parsed = parse_url_with_raw_path(url).unwrap();
+        assert_eq!(parsed.username(), "user");
+        assert_eq!(parsed.password().unwrap(), "pass");
+        assert_eq!(
+            parsed.as_str(),
+            "http://user:pass@example.com/%25c0ae%25c0ae/stuff.php"
+        );
+
+        let url = "http://user:pass@example.com/%uff0e%uff0e/stuff.php";
+        let parsed = parse_url_with_raw_path(url).unwrap();
+        assert_eq!(parsed.username(), "user");
+        assert_eq!(parsed.password().unwrap(), "pass");
+        assert_eq!(
+            parsed.as_str(),
+            "http://user:pass@example.com/%25uff0e%25uff0e/stuff.php"
+        );
+
+        let url = "http://user:pass@example.com/%u002e%u002e/stuff.php";
+        let parsed = parse_url_with_raw_path(url).unwrap();
+        assert_eq!(parsed.username(), "user");
+        assert_eq!(parsed.password().unwrap(), "pass");
+        assert_eq!(
+            parsed.as_str(),
+            "http://user:pass@example.com/%25u002e%25u002e/stuff.php"
+        );
     }
 
-    #[test]
-    /// set_open_file_limit should fail when hard == soft
-    fn utils_set_open_file_limit_with_fails_when_both_limits_are_equal() {
-        let (_, hard) = getrlimit(Resource::NOFILE).unwrap();
-        // calculate a new soft to ensure soft == hard and hit the failure logic branch
-        setrlimit(Resource::NOFILE, hard, hard).unwrap();
-        assert!(!set_open_file_limit(hard)); // returns false
+    #[cfg(not(target_os = "windows"))]
+    mod nix_only_tests {
+        use super::*;
+
+        #[test]
+        /// set_open_file_limit with a low requested limit succeeds
+        fn utils_set_open_file_limit_with_low_requested_limit() {
+            let (_, hard) = getrlimit(Resource::NOFILE).unwrap();
+            let lower_limit = hard - 1;
+            assert!(set_open_file_limit(lower_limit));
+        }
+
+        #[test]
+        /// set_open_file_limit with a high requested limit succeeds
+        fn utils_set_open_file_limit_with_high_requested_limit() {
+            let (_, hard) = getrlimit(Resource::NOFILE).unwrap();
+            let higher_limit = hard + 1;
+            // calculate a new soft to ensure soft != hard and hit that logic branch
+            let new_soft = hard - 1;
+            setrlimit(Resource::NOFILE, new_soft, hard).unwrap();
+            assert!(set_open_file_limit(higher_limit));
+        }
+
+        #[test]
+        /// set_open_file_limit should fail when hard == soft
+        fn utils_set_open_file_limit_with_fails_when_both_limits_are_equal() {
+            let (_, hard) = getrlimit(Resource::NOFILE).unwrap();
+            // calculate a new soft to ensure soft == hard and hit the failure logic branch
+            setrlimit(Resource::NOFILE, hard, hard).unwrap();
+            assert!(!set_open_file_limit(hard)); // returns false
+        }
     }
 
     #[test]
@@ -623,7 +975,11 @@ mod tests {
         let tested_url = Url::parse("https://testdomain.com/denied/").unwrap();
 
         let scans = Arc::new(FeroxScans::default());
-        scans.add_directory_scan(scan_url, ScanOrder::Initial);
+        scans.add_directory_scan(
+            scan_url,
+            ScanOrder::Initial,
+            Arc::new(Handles::for_testing(None, None).0),
+        );
 
         let mut config = Configuration::new().unwrap();
         config.url_denylist = vec![Url::parse(deny_url).unwrap()];
@@ -642,7 +998,11 @@ mod tests {
         let tested_url = Url::parse("https://testdomain.com/denied/").unwrap();
 
         let scans = Arc::new(FeroxScans::default());
-        scans.add_directory_scan(scan_url, ScanOrder::Initial);
+        scans.add_directory_scan(
+            scan_url,
+            ScanOrder::Initial,
+            Arc::new(Handles::for_testing(None, None).0),
+        );
 
         let mut config = Configuration::new().unwrap();
         config.url_denylist = vec![Url::parse(deny_url).unwrap()];
@@ -661,7 +1021,11 @@ mod tests {
         let tested_url = Url::parse("https://testdomain.com/denied/").unwrap();
 
         let scans = Arc::new(FeroxScans::default());
-        scans.add_directory_scan(scan_url, ScanOrder::Initial);
+        scans.add_directory_scan(
+            scan_url,
+            ScanOrder::Initial,
+            Arc::new(Handles::for_testing(None, None).0),
+        );
 
         let mut config = Configuration::new().unwrap();
         config.url_denylist = vec![Url::parse(deny_url).unwrap()];
@@ -682,7 +1046,11 @@ mod tests {
         let tested_url = Url::parse("https://testdomain.com/denied/").unwrap();
 
         let scans = Arc::new(FeroxScans::default());
-        scans.add_directory_scan(scan_url, ScanOrder::Initial);
+        scans.add_directory_scan(
+            scan_url,
+            ScanOrder::Initial,
+            Arc::new(Handles::for_testing(None, None).0),
+        );
 
         let mut config = Configuration::new().unwrap();
         config.url_denylist = vec![Url::parse(deny_url).unwrap()];
@@ -697,21 +1065,31 @@ mod tests {
     /// provide a denier from which we can't check a host, which results in no comparison, expect false
     /// because the denier is a parent to the tested, even tho the scanned doesn't compare, it
     /// still returns true
+    ///
+    /// note: adding parse_url_with_raw_path changed the behavior of this test, it used to return
+    /// true, now it returns false. see my note in should_deny_absolute and the unreachable!
+    /// call block to see why
+    ///
+    /// leaving this test here to document the behavior change and to catch regressions in the
+    /// new expected behavior
     fn should_deny_url_doesnt_compare_non_domains_in_scanned() {
         let deny_url = "https://testdomain.com/";
         let scan_url = "unix:/run/foo.socket";
         let tested_url = Url::parse("https://testdomain.com/denied/").unwrap();
 
         let scans = Arc::new(FeroxScans::default());
-        scans.add_directory_scan(scan_url, ScanOrder::Initial);
+        scans.add_directory_scan(
+            scan_url,
+            ScanOrder::Initial,
+            Arc::new(Handles::for_testing(None, None).0),
+        );
 
         let mut config = Configuration::new().unwrap();
         config.url_denylist = vec![Url::parse(deny_url).unwrap()];
         let config = Arc::new(config);
 
         let handles = Arc::new(Handles::for_testing(Some(scans), Some(config)).0);
-
-        assert!(should_deny_url(&tested_url, handles).unwrap());
+        assert!(!should_deny_url(&tested_url, handles).unwrap());
     }
 
     #[test]
@@ -722,7 +1100,11 @@ mod tests {
         let tested_url = Url::parse("https://testdomain.com/api/denied/").unwrap();
 
         let scans = Arc::new(FeroxScans::default());
-        scans.add_directory_scan(scan_url, ScanOrder::Initial);
+        scans.add_directory_scan(
+            scan_url,
+            ScanOrder::Initial,
+            Arc::new(Handles::for_testing(None, None).0),
+        );
 
         let mut config = Configuration::new().unwrap();
         config.url_denylist = vec![Url::parse(deny_url).unwrap()];
@@ -741,7 +1123,11 @@ mod tests {
         let tested_url = Url::parse("https://testdomain.com/not-denied/").unwrap();
 
         let scans = Arc::new(FeroxScans::default());
-        scans.add_directory_scan(scan_url, ScanOrder::Initial);
+        scans.add_directory_scan(
+            scan_url,
+            ScanOrder::Initial,
+            Arc::new(Handles::for_testing(None, None).0),
+        );
 
         let mut config = Configuration::new().unwrap();
         config.url_denylist = vec![Url::parse(deny_url).unwrap()];
@@ -760,7 +1146,11 @@ mod tests {
         let tested_url = Url::parse("https://testdomain.com/stuff/").unwrap();
 
         let scans = Arc::new(FeroxScans::default());
-        scans.add_directory_scan(scan_url, ScanOrder::Initial);
+        scans.add_directory_scan(
+            scan_url,
+            ScanOrder::Initial,
+            Arc::new(Handles::for_testing(None, None).0),
+        );
 
         let mut config = Configuration::new().unwrap();
         config.url_denylist = vec![Url::parse(deny_url).unwrap()];
@@ -779,7 +1169,11 @@ mod tests {
         let tested_url = Url::parse("https://testdomain.com/api/not-denied/").unwrap();
 
         let scans = Arc::new(FeroxScans::default());
-        scans.add_directory_scan(scan_url, ScanOrder::Initial);
+        scans.add_directory_scan(
+            scan_url,
+            ScanOrder::Initial,
+            Arc::new(Handles::for_testing(None, None).0),
+        );
 
         let mut config = Configuration::new().unwrap();
         config.url_denylist = vec![Url::parse(deny_url).unwrap()];
@@ -799,7 +1193,11 @@ mod tests {
         let tested_url = Url::parse("https://testdomain.com/denied/").unwrap();
 
         let scans = Arc::new(FeroxScans::default());
-        scans.add_directory_scan(scan_url, ScanOrder::Initial);
+        scans.add_directory_scan(
+            scan_url,
+            ScanOrder::Initial,
+            Arc::new(Handles::for_testing(None, None).0),
+        );
 
         let mut config = Configuration::new().unwrap();
         config.regex_denylist = vec![Regex::new(deny_pattern).unwrap()];
@@ -820,7 +1218,11 @@ mod tests {
         let tested_https_url = Url::parse("https://testdomain.com/denied/").unwrap();
 
         let scans = Arc::new(FeroxScans::default());
-        scans.add_directory_scan(scan_url, ScanOrder::Initial);
+        scans.add_directory_scan(
+            scan_url,
+            ScanOrder::Initial,
+            Arc::new(Handles::for_testing(None, None).0),
+        );
 
         let mut config = Configuration::new().unwrap();
         config.regex_denylist = vec![Regex::new(deny_pattern).unwrap()];

tests/mutual-auth/Caddyfile

@@ -0,0 +1,17 @@
+(mTLS) {
+	tls {
+		client_auth {
+			mode require_and_verify
+			trusted_ca_cert_file certs/server/ca.crt
+		}
+	}
+}
+
+https://localhost:8001 {
+	import mTLS
+	log
+
+	handle / {
+		file_server browse
+	}
+}

tests/mutual-auth/README.md

@@ -0,0 +1,6 @@
+# Testing mTLS
+
+- run `gen-certs.sh`
+- run `sudo /path/to/caddy run`
+- expect listener on port 8001
+- run `feroxbuster -u https://localhost:8001 --client-key certs/client/client.key --client-cert certs/client/client.crt`

tests/mutual-auth/certs/client/client.crt

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICqzCCAZMCFE22XDzrLwkJIkb3EdP333d4HoXQMA0GCSqGSIb3DQEBCwUAMBMx
+ETAPBgNVBAMMCFNlcnZlckNBMB4XDTIzMDUwNjExMDYyM1oXDTI0MDUwNTExMDYy
+M1owETEPMA0GA1UEAwwGQ2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAz3EPWMsh+dfPdbHtpNhizZZs+r0djzdHHgkbnNQ1PodWDnv0Rf1YgNEa
+umQuUvIgjMtorRqbz9HLG4+H2aR5KHgPwBNHyKS4PEiQvWDV88aJxdMbgL/IfzAt
+di85UcBUkyqUe1r6vIS0smJo1wVwxLEmD6kdt1BEI3LaK1j99JeG8TAS8f+/xf4s
+ouE4lA+y3bJQP18wUGuyudntFQBKgjY2Tx+RWbBcx0zW68M7IMQ5bDz0oK9MYw8G
+q2vwcRyMLuoyNpbDT5mI2wsQu/r2O0CCNbtkg5JxasdYR7Llw9YTl74st3dshM9e
+4V5uuVotcWXW6U518nWHOQy9qiBSOQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQB4
+xOVvWrRZ4SBqzaen32COXpjddX28Q7YmNB/UKl3ZT7R1dIjUMfJz2le0mj2UpSAr
+rDT7PCsXnDP0KswGiJC3IVTa/hnkUk798jwUvp221jvebyy8/NMWfWPoIKfhELdb
+3uJfrGyQuB8Zf9Q1hc9jYDX27EbGaDSpOrpE9Ej2riVnbgBKZsS5jcfY8JDrkv+F
+4cP2pTu6mVRuU1Bzx3SB0Vg2uGi1QTJuuA905Y3zpoRfTtybKlRRkMQk+46xrdyV
+x64wq9zcL6Kq4D/UE3EjLnjbRw6H6g8jbnBjT5KRfP2tmbF9RTZs44Dl0hYvXber
+HrvWtxHG8OJ8BLQg1rQd
+-----END CERTIFICATE-----

tests/mutual-auth/certs/client/client.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDPcQ9YyyH51891
+se2k2GLNlmz6vR2PN0ceCRuc1DU+h1YOe/RF/ViA0Rq6ZC5S8iCMy2itGpvP0csb
+j4fZpHkoeA/AE0fIpLg8SJC9YNXzxonF0xuAv8h/MC12LzlRwFSTKpR7Wvq8hLSy
+YmjXBXDEsSYPqR23UEQjctorWP30l4bxMBLx/7/F/iyi4TiUD7LdslA/XzBQa7K5
+2e0VAEqCNjZPH5FZsFzHTNbrwzsgxDlsPPSgr0xjDwara/BxHIwu6jI2lsNPmYjb
+CxC7+vY7QII1u2SDknFqx1hHsuXD1hOXviy3d2yEz17hXm65Wi1xZdbpTnXydYc5
+DL2qIFI5AgMBAAECggEAC8XVeoM1w4uITDxLucMnkVYgC3dj5/K5zCY1bVg8SNcO
+rt4BSh8TkKT9ZLZmjCHOb9sj7s4PqXLVOXRTAAq17xJoR2z4shYKGC7AmyTVo6MB
+AuuFGDCaMQCzlc1ejgmRqzP7jwgl6oDIDgcofsqB4MHSgIlHJNYO9emQ4OypJgJA
+xd8KT5S/hThJG1VqJ6P0oiB/WBlzcJ5wX4GSVE25RlpRX8ogqCyI9V+SRq2CrG7U
+Jqv3Kbag7derTfqmsKyjv/kckOgfKH/rm61HMrYshcPfgxL2fZe2Q8wCTexvhZwZ
+8vD8bvR++SxOxbigCIB7ReYgmoj4bocjqDX4vUhe8QKBgQD35oDdOa2uiOs7NWVf
+IV1ZwPWxxwnYFIEA8paQwsYGIxHrYNdGSsGBzwvLDPpTeOO0VdoC+sP5zytTv547
+djeOzGf9Hj6swa5tPdzkYjZV/85mnmGKaEmmCN4AvpYol5l2BTetFtX0v6QEaqvU
+uZbV5X2UcuClExA0frNUJDVHkQKBgQDWOCZq1r9X3iEkcFSBhironVNj80jFqIum
+rMbGUUcOI05U2hkmMDluSW1NNL2k+SNJXq7fmkjIQEXffqcbsXUSIQB0MU6yddt5
+7+c19ioZChx91Kl049rKQ21kPTh7D0TCUvDQLapt2xbUNg6rGCLSrkkVlWwxLnDU
+pNk/c4QcKQKBgEreedLWhabtwSV7pecKO5hM16dedpGk96UinuiPeqEF3HabI8kd
+8L1Um7oybDPjkdm4CATYWXHL6Mj9WTuaI4NkJo/in4krYZOqmFj9dG2auWpysQDN
+KFkV2n6dENqnlnh3cO48tFebvVx8HvM7Ldvh2ICKBWC1ljJUhbKG0PSRAoGBAJVy
+fNLCWKEbVbHPMBVgnaTExT2Qp29F4493MAGBCHpDhU1LDoqG0DoxvbBEIB3stYJl
+LMjQIQCbXmPKPxjh15O7NE7ba1SzRleuV3Zc8wee9zuN1l6265d6LOHml/W6NDUB
+mgESKrkTRLztrZQNdZXXgyMsqFszVAH1s55Bn6PpAoGBAN13Ev7Ynysdvkc3aHO6
+qM0hH6mAlEOAyCTk5r/0cyz9rGyYWXiVXen0ftSaBcISdzhrVkRDs3rLrHwEXdu1
+Y2Z1HhZkILw/C4t+Eaa6FOWfwwPAdOpaxYpxKxCEeCBKmkd1z0Dx0vDEDrt+AaHa
+UYIQ9wAbZpuKGfFQceyr1lBO
+-----END PRIVATE KEY-----

tests/mutual-auth/certs/server/ca.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDBzCCAe+gAwIBAgIUG3vb4pIbvaI/+LzOpu6Z4b6s4iIwDQYJKoZIhvcNAQEL
+BQAwEzERMA8GA1UEAwwIU2VydmVyQ0EwHhcNMjMwNTA2MTEwNjIzWhcNMzMwNTAz
+MTEwNjIzWjATMREwDwYDVQQDDAhTZXJ2ZXJDQTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAKazNKPaH8LDzcaZRvBLrDNJkL1pukmB36mbczj07hZVbPmS
+/hyBvAdBFom0ZTw5dIpsUtRSZbDPrsCVpdY9O1jxwhrDi6mfvyJtKLEbTW4PvARq
+WwDhpa2SYwBMI+0ilXWTAzwJuWT1NhuUsAcB6SGwkNm3iKqZUDxn3V2L2AHRcKEJ
+9Zn9ePP4BsvtAS8ZBLxTnoo7R2SHiWwjDwuTtS4fQ5bWzGkmdmeuJ7JJt4ZzQV+m
+MBqrK3XVi+MXayvt5affGvHj/KuhlVBXHnUgSvEgFpuhK9elsds2iRho8mp1d0iH
+EIMp9LHVftsIpUxbKt/Pa/JL7oG9LBIvPj/SIjsCAwEAAaNTMFEwHQYDVR0OBBYE
+FLlRKsDb/ducVIBirME0VJZ3TwfkMB8GA1UdIwQYMBaAFLlRKsDb/ducVIBirME0
+VJZ3TwfkMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAD7lqNzU
+wxuyO60Gn2q6DUBb1Kseq6bSndNHeagdfMfKManKl1YObnB0ciTO3bnmNXiXktSu
+BsQzlmr3O+H6X39Vpdyqq4SoOcOt0I+bvBykk1UZqEoc7jGXdZVmnk9Q0uoKtWxJ
+rV9CHEhyPNnEh4W07y05UUn9S6EiKy5232yi4USdmk44GXhFblS5inhTTxca2vEq
+9h+FH+QZ7ehaAaWR+EaQjXNwm2mN7gWxM3Q6RfK9N67MHD9ggmfdyZmnyt5gCidC
+ys4W4stEh6d6fXZT77dcGaHKdXW3GwP3ZcAlRFYPqpAvWzndC9kDCgIULeSP1ALy
+cILcb0HQvNS0t60=
+-----END CERTIFICATE-----

tests/mutual-auth/certs/server/server.crt

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICrzCCAZcCFGMKRtmMLuut+sxC+TbWQfum7oXZMA0GCSqGSIb3DQEBCwUAMBQx
+EjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0yMzA1MDYxMTA2MjNaFw0zMzA1MDMxMTA2
+MjNaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAKazNKPaH8LDzcaZRvBLrDNJkL1pukmB36mbczj07hZVbPmS/hyB
+vAdBFom0ZTw5dIpsUtRSZbDPrsCVpdY9O1jxwhrDi6mfvyJtKLEbTW4PvARqWwDh
+pa2SYwBMI+0ilXWTAzwJuWT1NhuUsAcB6SGwkNm3iKqZUDxn3V2L2AHRcKEJ9Zn9
+ePP4BsvtAS8ZBLxTnoo7R2SHiWwjDwuTtS4fQ5bWzGkmdmeuJ7JJt4ZzQV+mMBqr
+K3XVi+MXayvt5affGvHj/KuhlVBXHnUgSvEgFpuhK9elsds2iRho8mp1d0iHEIMp
+9LHVftsIpUxbKt/Pa/JL7oG9LBIvPj/SIjsCAwEAATANBgkqhkiG9w0BAQsFAAOC
+AQEAjPAtZs1by2h/1fr/ypojw16llzbReT8J+T8YHSTf6YwjoE83I0QDOLEo1ax+
+e/8qyQLs0EnlfdomNyA4Z/ECbY5c1nY0Dp//u6WH7AwLUx5HiwUw4Fmxu9Q/oB1o
+3vhIPl5Vd/VpdxDzuO8q8WvagwjVaxsZP3PVaBDRzZZPldPgTakfk+w5XnjNfgJi
+RDRutTRe6KBOxt7PAzAVV71FtOIq0b4xCNJGNurYBhRgZ5iQ7yMw+I5Vte1TakWr
+9gfE/yoKbU1W+y0QxSDTsnTCO4i3mXmBTuceTVWELwqZcr34W7n3vD8UtZQfanML
+cHCZaLPSMDuDtS74FSamP3i+oQ==
+-----END CERTIFICATE-----

tests/mutual-auth/certs/server/server.crt.1

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICrzCCAZcCFGMKRtmMLuut+sxC+TbWQfum7oXZMA0GCSqGSIb3DQEBCwUAMBQx
+EjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0yMzA1MDYxMTA2MjNaFw0zMzA1MDMxMTA2
+MjNaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAKazNKPaH8LDzcaZRvBLrDNJkL1pukmB36mbczj07hZVbPmS/hyB
+vAdBFom0ZTw5dIpsUtRSZbDPrsCVpdY9O1jxwhrDi6mfvyJtKLEbTW4PvARqWwDh
+pa2SYwBMI+0ilXWTAzwJuWT1NhuUsAcB6SGwkNm3iKqZUDxn3V2L2AHRcKEJ9Zn9
+ePP4BsvtAS8ZBLxTnoo7R2SHiWwjDwuTtS4fQ5bWzGkmdmeuJ7JJt4ZzQV+mMBqr
+K3XVi+MXayvt5affGvHj/KuhlVBXHnUgSvEgFpuhK9elsds2iRho8mp1d0iHEIMp
+9LHVftsIpUxbKt/Pa/JL7oG9LBIvPj/SIjsCAwEAATANBgkqhkiG9w0BAQsFAAOC
+AQEAjPAtZs1by2h/1fr/ypojw16llzbReT8J+T8YHSTf6YwjoE83I0QDOLEo1ax+
+e/8qyQLs0EnlfdomNyA4Z/ECbY5c1nY0Dp//u6WH7AwLUx5HiwUw4Fmxu9Q/oB1o
+3vhIPl5Vd/VpdxDzuO8q8WvagwjVaxsZP3PVaBDRzZZPldPgTakfk+w5XnjNfgJi
+RDRutTRe6KBOxt7PAzAVV71FtOIq0b4xCNJGNurYBhRgZ5iQ7yMw+I5Vte1TakWr
+9gfE/yoKbU1W+y0QxSDTsnTCO4i3mXmBTuceTVWELwqZcr34W7n3vD8UtZQfanML
+cHCZaLPSMDuDtS74FSamP3i+oQ==
+-----END CERTIFICATE-----

tests/mutual-auth/certs/server/server.crt.2

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICrzCCAZcCFGMKRtmMLuut+sxC+TbWQfum7oXZMA0GCSqGSIb3DQEBCwUAMBQx
+EjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0yMzA1MDYxMTA2MjNaFw0zMzA1MDMxMTA2
+MjNaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAKazNKPaH8LDzcaZRvBLrDNJkL1pukmB36mbczj07hZVbPmS/hyB
+vAdBFom0ZTw5dIpsUtRSZbDPrsCVpdY9O1jxwhrDi6mfvyJtKLEbTW4PvARqWwDh
+pa2SYwBMI+0ilXWTAzwJuWT1NhuUsAcB6SGwkNm3iKqZUDxn3V2L2AHRcKEJ9Zn9
+ePP4BsvtAS8ZBLxTnoo7R2SHiWwjDwuTtS4fQ5bWzGkmdmeuJ7JJt4ZzQV+mMBqr
+K3XVi+MXayvt5affGvHj/KuhlVBXHnUgSvEgFpuhK9elsds2iRho8mp1d0iHEIMp
+9LHVftsIpUxbKt/Pa/JL7oG9LBIvPj/SIjsCAwEAATANBgkqhkiG9w0BAQsFAAOC
+AQEAjPAtZs1by2h/1fr/ypojw16llzbReT8J+T8YHSTf6YwjoE83I0QDOLEo1ax+
+e/8qyQLs0EnlfdomNyA4Z/ECbY5c1nY0Dp//u6WH7AwLUx5HiwUw4Fmxu9Q/oB1o
+3vhIPl5Vd/VpdxDzuO8q8WvagwjVaxsZP3PVaBDRzZZPldPgTakfk+w5XnjNfgJi
+RDRutTRe6KBOxt7PAzAVV71FtOIq0b4xCNJGNurYBhRgZ5iQ7yMw+I5Vte1TakWr
+9gfE/yoKbU1W+y0QxSDTsnTCO4i3mXmBTuceTVWELwqZcr34W7n3vD8UtZQfanML
+cHCZaLPSMDuDtS74FSamP3i+oQ==
+-----END CERTIFICATE-----

tests/mutual-auth/certs/server/server.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCmszSj2h/Cw83G
+mUbwS6wzSZC9abpJgd+pm3M49O4WVWz5kv4cgbwHQRaJtGU8OXSKbFLUUmWwz67A
+laXWPTtY8cIaw4upn78ibSixG01uD7wEalsA4aWtkmMATCPtIpV1kwM8Cblk9TYb
+lLAHAekhsJDZt4iqmVA8Z91di9gB0XChCfWZ/Xjz+AbL7QEvGQS8U56KO0dkh4ls
+Iw8Lk7UuH0OW1sxpJnZnrieySbeGc0FfpjAaqyt11YvjF2sr7eWn3xrx4/yroZVQ
+Vx51IErxIBaboSvXpbHbNokYaPJqdXdIhxCDKfSx1X7bCKVMWyrfz2vyS+6BvSwS
+Lz4/0iI7AgMBAAECggEAKvz2u7Rh0WOWGrtnQEt7bkRv13C+8frUd1QXnB4JkefY
+sOmXrzlDiGlgCwXiv2ufopy5pXhUMgr0qUROHlfvCIpbwHQh/Y2tCA83WajNSG81
+ULwumKUYCRFBh4+bCimLemT9hguJ7D+SAv3OgRgciywRxpteWoQr3U/5lYidHSZ/
+gv13lVKbn72zD5opeGA2hS1MlLZV/xueSvhT3lzbv61hqdersACj2Tvi8O2/imVy
+XjEZnPRQhlFPtiAN5J3on6Xo+MqieuhA3yxhBrYoLsMrTCK6ePThdXfcgmpEjQ8l
+6HxNmnPri5KbxCTbGgCjMiSidnRim2IpBMEP32eN8QKBgQDLr2CoMdyliFU6Gm1P
+rxWTMnvzdVbXUp4B8YEdyNyKdWt50cqbB3UvnFX2gpELYdy3uYcXTKm+Nynruam1
+Z/Ya1HXwN+wdgQhjq9n4izLvEfUkXWDNNikQmts8Uxkp+uEK+OOp1/NjZlA6YdS3
+crq5wPxLoAP2JxiaoIJF74QMqwKBgQDRhABgZbWVHwPcLVVqZ5+MJYvQORqIqapf
+kGe/jR/CMC0Tkop2O1tY3f68bMNKkXfj7QEtDlppMswZ9MOqBBr56yGZzrQa+cB3
+lF4+hP06OvyIkdmZlP4NHm/DtF9gt1KjWPF2VcIfD3VfZO8E/XJn2n1KnKCU+4cb
+lyJYi9AgsQKBgQCWkgPy8kE5QSo3tJeAI17gnJ5SoDhdHp7dsukO2pBl7l1QBY0v
+w3iWhIxrmaOddW+ThZve1nZYvjDIKEzTZJHizZKNzNlICj3oaH7OpCA36N9+TWUk
+7le3BbLxykA870/zK4Ao6xHqNhUyw2VbY32zmX0obpbfHZGrpOIIzwGf1wKBgDlM
+U1oJls5QbBrT3w85hZ2rSwBIDaSgWfLGqEjvjGbsC/fVVL6e3w1/sMHRMNt8yv/v
+einbSgiJFt5mXPhrJQGCN28742+ZK/TIA7ovXp2FMjkbQhpJb+0gjMpF0uu9VwFL
+OsX1ECC0dpH/JYsE0TvrueYkzZnQ7BM0kvUKT4IRAoGAOPVed0zkDh3iobQ3A3IG
+JepRygabC68iOHlrD6sVxST0HdyP9pxwMe9gnz5TDAZkWvhJV0UUmaMCpbShsc+n
+ymKSNnXAxt+G6XHH3Mg9aDNi70og4HhhT6dU2579xUOBY2057ZgpWXK3rf+JKls4
+XlkplyHw0UqkEhCw+FMa3Gs=
+-----END PRIVATE KEY-----

tests/mutual-auth/gen-certs.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Create server and client certificate directories
+mkdir -p certs/server
+mkdir -p certs/client
+
+# Generate server key
+openssl genrsa -out certs/server/server.key 2048
+
+# Generate a Certificate Signing Request (CSR) for the server key
+openssl req -new -key certs/server/server.key -out certs/server/server.csr -subj "/CN=localhost"
+
+# Self-sign the server CSR to create the server certificate
+openssl x509 -req -in certs/server/server.csr -signkey certs/server/server.key -out certs/server/server.crt -days 3650
+
+# Generate server-side Certificate Authority (CA) file
+openssl req -x509 -nodes -new -key certs/server/server.key -sha256 -days 3650 -out certs/server/ca.crt -subj "/CN=ServerCA"
+
+# Generate client key
+openssl genrsa -out certs/client/client.key 2048
+
+# Generate a Certificate Signing Request (CSR) for the client key
+openssl req -new -key certs/client/client.key -out certs/client/client.csr -subj "/CN=Client"
+
+# Sign the client CSR with the server CA to create the client certificate
+openssl x509 -req -in certs/client/client.csr -CA certs/server/ca.crt -CAkey certs/server/server.key -CAcreateserial -out certs/client/client.crt -days 365
+
+# Cleanup
+rm -f certs/server/server.csr
+rm -f certs/client/client.csr
+

tests/test_banner.rs

@@ -661,6 +661,70 @@ fn banner_prints_recursion_depth() {
         );
 }
 
+#[test]
+/// test allows non-existent wordlist to trigger the banner printing to stderr
+/// expect to see all mandatory prints + server certs
+fn banner_prints_server_certs() {
+    Command::cargo_bin("feroxbuster")
+        .unwrap()
+        .arg("--url")
+        .arg("http://localhost")
+        .arg("--server-certs")
+        .arg("tests/mutual-auth/certs/server/server.crt.1")
+        .arg("tests/mutual-auth/certs/server/server.crt.2")
+        .arg("--wordlist")
+        .arg("/definitely/doesnt/exist/0cd7fed0-47f4-4b18-a1b0-ac39708c1676")
+        .assert()
+        .success()
+        .stderr(
+            predicate::str::contains("─┬─")
+                .and(predicate::str::contains("Target Url"))
+                .and(predicate::str::contains("http://localhost"))
+                .and(predicate::str::contains("Threads"))
+                .and(predicate::str::contains("Wordlist"))
+                .and(predicate::str::contains("Status Codes"))
+                .and(predicate::str::contains("Timeout (secs)"))
+                .and(predicate::str::contains("User-Agent"))
+                .and(predicate::str::contains("Server Certificates"))
+                .and(predicate::str::contains("server.crt.1"))
+                .and(predicate::str::contains("server.crt.2"))
+                .and(predicate::str::contains("─┴─")),
+        );
+}
+
+#[test]
+/// test allows non-existent wordlist to trigger the banner printing to stderr
+/// expect to see all mandatory prints + server certs
+fn banner_prints_client_cert_and_key() {
+    Command::cargo_bin("feroxbuster")
+        .unwrap()
+        .arg("--url")
+        .arg("http://localhost")
+        .arg("--client-cert")
+        .arg("tests/mutual-auth/certs/client/client.crt")
+        .arg("--client-key")
+        .arg("tests/mutual-auth/certs/client/client.key")
+        .arg("--wordlist")
+        .arg("/definitely/doesnt/exist/0cd7fed0-47f4-4b18-a1b0-ac39708c1676")
+        .assert()
+        .success()
+        .stderr(
+            predicate::str::contains("─┬─")
+                .and(predicate::str::contains("Target Url"))
+                .and(predicate::str::contains("http://localhost"))
+                .and(predicate::str::contains("Threads"))
+                .and(predicate::str::contains("Wordlist"))
+                .and(predicate::str::contains("Status Codes"))
+                .and(predicate::str::contains("Timeout (secs)"))
+                .and(predicate::str::contains("User-Agent"))
+                .and(predicate::str::contains("Client Certificate"))
+                .and(predicate::str::contains("Client Key"))
+                .and(predicate::str::contains("certs/client/client.crt"))
+                .and(predicate::str::contains("certs/client/client.key"))
+                .and(predicate::str::contains("─┴─")),
+        );
+}
+
 #[test]
 /// test allows non-existent wordlist to trigger the banner printing to stderr
 /// expect to see all mandatory prints + no recursion
@@ -1082,6 +1146,7 @@ fn banner_prints_parallel() {
     Command::cargo_bin("feroxbuster")
         .unwrap()
         .arg("--stdin")
+        .arg("--quiet")
         .arg("--parallel")
         .arg("4316")
         .arg("--wordlist")
@@ -1366,6 +1431,7 @@ fn banner_prints_all_composite_settings_burp() {
                 .and(predicate::str::contains("─┴─")),
         );
 }
+
 #[test]
 /// test allows non-existent wordlist to trigger the banner printing to stderr
 /// expect to see all mandatory prints + collect words
@@ -1421,6 +1487,89 @@ fn banner_prints_force_recursion() {
         );
 }
 
+#[test]
+/// test allows non-existent wordlist to trigger the banner printing to stderr
+/// expect to see all mandatory prints + scan-dir-listings
+fn banner_prints_scan_dir_listings() {
+    Command::cargo_bin("feroxbuster")
+        .unwrap()
+        .arg("--url")
+        .arg("http://localhost")
+        .arg("--scan-dir-listings")
+        .arg("--wordlist")
+        .arg("/definitely/doesnt/exist/0cd7fed0-47f4-4b18-a1b0-ac39708c1676")
+        .assert()
+        .success()
+        .stderr(
+            predicate::str::contains("─┬─")
+                .and(predicate::str::contains("Target Url"))
+                .and(predicate::str::contains("http://localhost"))
+                .and(predicate::str::contains("Threads"))
+                .and(predicate::str::contains("Wordlist"))
+                .and(predicate::str::contains("Status Codes"))
+                .and(predicate::str::contains("Timeout (secs)"))
+                .and(predicate::str::contains("User-Agent"))
+                .and(predicate::str::contains("Scan Dir Listings"))
+                .and(predicate::str::contains("─┴─")),
+        );
+}
+
+#[test]
+/// test allows non-existent wordlist to trigger the banner printing to stderr
+/// expect to see all mandatory prints + protocol
+fn banner_prints_protocol() {
+    Command::cargo_bin("feroxbuster")
+        .unwrap()
+        .arg("--url")
+        .arg("localhost")
+        .arg("--protocol")
+        .arg("http")
+        .arg("--wordlist")
+        .arg("/definitely/doesnt/exist/0cd7fed0-47f4-4b18-a1b0-ac39708c1676")
+        .assert()
+        .success()
+        .stderr(
+            predicate::str::contains("─┬─")
+                .and(predicate::str::contains("Target Url"))
+                .and(predicate::str::contains("http://localhost"))
+                .and(predicate::str::contains("Threads"))
+                .and(predicate::str::contains("Wordlist"))
+                .and(predicate::str::contains("Status Codes"))
+                .and(predicate::str::contains("Timeout (secs)"))
+                .and(predicate::str::contains("User-Agent"))
+                .and(predicate::str::contains("Default Protocol"))
+                .and(predicate::str::contains("─┴─")),
+        );
+}
+
+#[test]
+/// test allows non-existent wordlist to trigger the banner printing to stderr
+/// expect to see all mandatory prints + protocol
+fn banner_prints_limit_dirs() {
+    Command::cargo_bin("feroxbuster")
+        .unwrap()
+        .arg("--url")
+        .arg("localhost")
+        .arg("--limit-bars")
+        .arg("3")
+        .arg("--wordlist")
+        .arg("/definitely/doesnt/exist/0cd7fed0-47f4-4b18-a1b0-ac39708c1676")
+        .assert()
+        .success()
+        .stderr(
+            predicate::str::contains("─┬─")
+                .and(predicate::str::contains("Target Url"))
+                .and(predicate::str::contains("http://localhost"))
+                .and(predicate::str::contains("Threads"))
+                .and(predicate::str::contains("Wordlist"))
+                .and(predicate::str::contains("Status Codes"))
+                .and(predicate::str::contains("Timeout (secs)"))
+                .and(predicate::str::contains("User-Agent"))
+                .and(predicate::str::contains("Limit Dir Scan Bars"))
+                .and(predicate::str::contains("─┴─")),
+        );
+}
+
 #[test]
 /// test allows non-existent wordlist to trigger the banner printing to stderr
 /// expect to see all mandatory prints + force recursion

tests/test_config.rs

@@ -1,5 +1,6 @@
 mod utils;
 use assert_cmd::prelude::*;
+use httpmock::MockServer;
 use predicates::prelude::*;
 use std::process::Command;
 use utils::{setup_tmp_directory, teardown_tmp_directory};
@@ -7,13 +8,15 @@ use utils::{setup_tmp_directory, teardown_tmp_directory};
 #[test]
 /// send a single valid request, expect a 200 response
 fn read_in_config_file_for_settings() -> Result<(), Box<dyn std::error::Error>> {
+    let srv = MockServer::start();
+
     let (tmp_dir, file) = setup_tmp_directory(&["threads = 37".to_string()], "ferox-config.toml")?;
 
     Command::cargo_bin("feroxbuster")
         .unwrap()
         .current_dir(&tmp_dir)
         .arg("--url")
-        .arg("http://localhost")
+        .arg(srv.url("/"))
         .arg("--wordlist")
         .arg(file.as_os_str())
         .arg("-vvvv")

tests/test_extractor.rs

@@ -640,3 +640,73 @@ fn extractor_recurses_into_403_directories() -> Result<(), Box<dyn std::error::E
     teardown_tmp_directory(tmp_dir);
     Ok(())
 }
+
+#[test]
+/// robots.txt requests shouldn't fire when --dont-extract-links is used
+fn robots_text_extraction_doesnt_run_with_dont_extract_links() {
+    let srv = MockServer::start();
+    let (tmp_dir, file) = setup_tmp_directory(&["LICENSE".to_string()], "wordlist").unwrap();
+
+    let mock = srv.mock(|when, then| {
+        when.method(GET).path("/LICENSE");
+        then.status(200).body("im a little teapot"); // 18
+    });
+
+    let mock_two = srv.mock(|when, then| {
+        when.method(GET).path("/robots.txt");
+        then.status(200).body(
+            r#"
+            User-agent: *
+            Crawl-delay: 10
+            # CSS, JS, Images
+            Allow: /misc/*.css$
+            Disallow: /misc/stupidfile.php
+               Disallow: /disallowed-subdir/
+            "#,
+        );
+    });
+
+    let mock_file = srv.mock(|when, then| {
+        when.method(GET).path("/misc/stupidfile.php");
+        then.status(200).body("im a little teapot too"); // 22
+    });
+
+    let mock_scanned_file = srv.mock(|when, then| {
+        when.method(GET).path("/misc/LICENSE");
+        then.status(200).body("i too, am a container for tea"); // 29
+    });
+
+    let mock_dir = srv.mock(|when, _| {
+        when.method(GET).path("/misc/");
+    });
+
+    let mock_disallowed = srv.mock(|when, then| {
+        when.method(GET).path("/disallowed-subdir");
+        then.status(404);
+    });
+
+    let cmd = Command::cargo_bin("feroxbuster")
+        .unwrap()
+        .arg("--url")
+        .arg(srv.url("/"))
+        .arg("--wordlist")
+        .arg(file.as_os_str())
+        .arg("--dont-extract-links")
+        .arg("--no-recursion")
+        .unwrap();
+
+    cmd.assert().success().stdout(
+        predicate::str::contains("/LICENSE")
+            .and(predicate::str::contains("18c"))
+            .and(predicate::str::contains("/misc/stupidfile.php"))
+            .not(),
+    );
+
+    assert_eq!(mock.hits(), 1);
+    assert_eq!(mock_dir.hits(), 0);
+    assert_eq!(mock_two.hits(), 0);
+    assert_eq!(mock_file.hits(), 0);
+    assert_eq!(mock_disallowed.hits(), 0);
+    assert_eq!(mock_scanned_file.hits(), 0);
+    teardown_tmp_directory(tmp_dir);
+}

tests/test_filters.rs

@@ -247,3 +247,95 @@ fn filters_similar_should_filter_response() {
     assert_eq!(not_similar.hits(), 1);
     teardown_tmp_directory(tmp_dir);
 }
+
+#[test]
+/// when using --collect-backups, should only see results in output
+/// when the response shouldn't be otherwise filtered
+fn collect_backups_should_be_filtered() {
+    let srv = MockServer::start();
+    let (tmp_dir, file) = setup_tmp_directory(&["LICENSE".to_string()], "wordlist").unwrap();
+
+    let mock = srv.mock(|when: httpmock::When, then| {
+        when.method(GET).path("/LICENSE");
+        then.status(200).body("this is a test");
+    });
+
+    let mock_two = srv.mock(|when, then| {
+        when.method(GET).path("/LICENSE.bak");
+        then.status(201)
+            .body("im a backup file, but filtered out because im not 200");
+    });
+
+    let cmd = Command::cargo_bin("feroxbuster")
+        .unwrap()
+        .arg("--url")
+        .arg(srv.url("/"))
+        .arg("--wordlist")
+        .arg(file.as_os_str())
+        .arg("--status-codes")
+        .arg("200")
+        .arg("--collect-backups")
+        .unwrap();
+
+    cmd.assert().success().stdout(
+        predicate::str::contains("/LICENSE")
+            .and(predicate::str::contains("200"))
+            .and(predicate::str::contains("/LICENSE.bak"))
+            .not()
+            .and(predicate::str::contains("201"))
+            .not(),
+    );
+
+    assert_eq!(mock.hits(), 1);
+    assert_eq!(mock_two.hits(), 1);
+    teardown_tmp_directory(tmp_dir);
+}
+
+#[test]
+/// create a FeroxResponse that should elicit a true from
+/// RegexFilter::should_filter_response
+fn filters_regex_should_filter_response_based_on_headers() {
+    let srv = MockServer::start();
+    let (tmp_dir, file) = setup_tmp_directory(
+        &["not-matching".to_string(), "matching".to_string()],
+        "wordlist",
+    )
+    .unwrap();
+
+    let mock = srv.mock(|when, then| {
+        when.method(GET).path("/not-matching");
+        then.status(200)
+            .header("content-type", "text/html")
+            .body("this is a test");
+    });
+
+    let mock_two = srv.mock(|when, then| {
+        when.method(GET).path("/matching");
+        then.status(200)
+            .header("content-type", "application/json")
+            .body("this is also a test");
+    });
+
+    let cmd = Command::cargo_bin("feroxbuster")
+        .unwrap()
+        .arg("--url")
+        .arg(srv.url("/"))
+        .arg("--wordlist")
+        .arg(file.as_os_str())
+        .arg("--filter-regex")
+        .arg("content-type:application/json")
+        .unwrap();
+
+    cmd.assert().success().stdout(
+        predicate::str::contains("/not-matching")
+            .and(predicate::str::contains("200"))
+            .and(predicate::str::contains("/matching"))
+            .not()
+            .and(predicate::str::contains("200"))
+            .not(),
+    );
+
+    assert_eq!(mock.hits(), 1);
+    assert_eq!(mock_two.hits(), 1);
+    teardown_tmp_directory(tmp_dir);
+}

tests/test_heuristics.rs

@@ -104,9 +104,9 @@ fn test_single_target_cannot_connect_due_to_ssl_errors() -> Result<(), Box<dyn s
         .arg(file.as_os_str())
         .assert()
         .success()
-        .stdout(
-            predicate::str::contains("Could not connect to https://expired.badssl.com due to SSL errors (run with -k to ignore), skipping...", )
-        );
+        .stdout(predicate::str::contains(
+            "Could not connect to https://expired.badssl.com",
+        ));
 
     teardown_tmp_directory(tmp_dir);
     Ok(())

tests/test_main.rs

@@ -108,10 +108,11 @@ fn main_parallel_spawns_children() -> Result<(), Box<dyn std::error::Error>> {
 
     Command::cargo_bin("feroxbuster")
         .unwrap()
+        .env("RUST_LOG", "trace")
         .arg("--stdin")
         .arg("--parallel")
         .arg("2")
-        .arg("-vvvv")
+        .arg("--quiet")
         .arg("--debug-log")
         .arg(outfile.as_os_str())
         .arg("--wordlist")
@@ -172,6 +173,7 @@ fn main_parallel_creates_output_directory() -> Result<(), Box<dyn std::error::Er
     Command::cargo_bin("feroxbuster")
         .unwrap()
         .arg("--stdin")
+        .arg("--quiet")
         .arg("--parallel")
         .arg("2")
         .arg("--output")

tests/test_policies.rs

@@ -22,6 +22,7 @@ use utils::{setup_tmp_directory, teardown_tmp_directory};
 // these words will be used along with pattern matching to trigger different policies
 
 #[test]
+#[ignore]
 /// --auto-bail should cancel a scan with spurious errors  
 fn auto_bail_cancels_scan_with_timeouts() {
     let srv = MockServer::start();
@@ -37,7 +38,7 @@ fn auto_bail_cancels_scan_with_timeouts() {
     let error_mock = srv.mock(|when, then| {
         when.method(GET)
             .path_matches(Regex::new("/[a-zA-Z]{6}error[a-zA-Z]{6}").unwrap());
-        then.delay(Duration::new(3, 0))
+        then.delay(Duration::new(2, 5000))
             .status(200)
             .body("verboten, nerd");
     });
@@ -65,10 +66,10 @@ fn auto_bail_cancels_scan_with_timeouts() {
         .arg("--timeout")
         .arg("2")
         .arg("--threads")
-        .arg("4")
+        .arg("8")
         .arg("--debug-log")
         .arg(logfile.as_os_str())
-        .arg("-vvvv")
+        .arg("-vv")
         .arg("--json")
         .assert()
         .success();
@@ -146,7 +147,7 @@ fn auto_bail_cancels_scan_with_403s() {
         .arg("4")
         .arg("--debug-log")
         .arg(logfile.as_os_str())
-        .arg("-vvvv")
+        .arg("-vv")
         .arg("--json")
         .assert()
         .success();
@@ -228,7 +229,7 @@ fn auto_bail_cancels_scan_with_429s() {
         .arg("4")
         .arg("--debug-log")
         .arg(logfile.as_os_str())
-        .arg("-vvvv")
+        .arg("-vvv")
         .arg("--json")
         .assert()
         .success();

tests/test_scanner.rs

@@ -430,6 +430,7 @@ fn scanner_single_request_scan_with_filtered_result() -> Result<(), Box<dyn std:
 }
 
 #[test]
+#[should_panic] // added in 2.11.0 for panicking trace-level logging
 /// send a single valid request, get a response, and write the logging messages to disk
 fn scanner_single_request_scan_with_debug_logging() {
     let srv = MockServer::start();
@@ -467,6 +468,7 @@ fn scanner_single_request_scan_with_debug_logging() {
 }
 
 #[test]
+#[should_panic] // added in 2.11.0 for panicking trace-level logging
 /// send a single valid request, get a response, and write the logging messages to disk as NDJSON
 fn scanner_single_request_scan_with_debug_logging_as_json() {
     let srv = MockServer::start();
@@ -693,7 +695,7 @@ fn collect_backups_makes_appropriate_requests() {
     let srv = MockServer::start();
     let (tmp_dir, file) = setup_tmp_directory(&["LICENSE.txt".to_string()], "wordlist").unwrap();
 
-    let valid_paths = vec![
+    let valid_paths = [
         "/LICENSE.txt",
         "/LICENSE.txt~",
         "/LICENSE.txt.bak",