What's New in v1.3.0

New Features

• Input List Support (-u): Pass a file containing multiple URLs (one per line) to scan them all in a single run. The -u flag now auto-detects whether the argument is a URL or a file path. (#37)
• Output to File (-o): Save scan results directly to a file for later analysis.
• JSON Output (--json): Output all results in structured JSON format, ideal for piping into other tools or automation pipelines. (#37)
• Unicode Encoding Technique: New unicode bypass technique that generates overlong UTF-8 (%c1%a1), %uXXXX, and multi-byte overlong encoded path variations to evade WAFs and path filters. (#47)
• Custom Payload Positions (-p): Define injection points in the URL using custom markers (e.g., -p '§' -u 'http://target.com/§100§/admin'). Payloads from endpaths and midpaths are injected at each marked position. (#34)

Bug Fixes

• HTTP/2.0 Request File Parsing: Fixed a bug where HTTP/2.0 in Burp Suite request files was incorrectly converted to HTTP/1.1.0 instead of HTTP/1.1.
• Query String Preservation: Fixed query strings being silently dropped in double-encoding, midpaths, and path-case-switching techniques.
• Double-Encoding Byte Index: Fixed incorrect byte slicing for multi-byte runes in the double-encoding technique.
• Overlong UTF-8 Formula: Fixed the 2-byte overlong encoding formula that was producing incorrect byte sequences (e.g., %c0%e1 instead of %c1%a1 for 'a').

Improvements

• Added 4 new bypass-relevant endpaths: ?&, .., /., ;/
• Unicode encoding is now included in the default technique list
• Wider main banners (NOMORE403, AUTO-CALIBRATION) for better visual hierarchy
• Thread-safe JSON result accumulation
• Comprehensive test coverage for all new features and bug fixes (29 tests passing)

Closes

• #37 - Input List/Output
• #47 - Enhancement techniques (Unicode encoding)
• #34 - Custom payload positions

Changelog

• 5629009 Avoid bad messages on terminal
• 037c18c Fix request handling and add tests
• a44e39e Improve reliability, output quality, and fix request-file query string bug
• df9fdda Merge pull request #51 from devploit/devploit/review-project
• a43243f Merge pull request #53 from clarabennettdev/add-version-flag
• f12f2c6 Merge pull request #54 from SecHoussam/main
• 3b8ee5d Merge pull request #55 from SecHoussam/main
• 1d8c47e Update midpaths
• 2e18dbc Update midpaths with additional path entries
• 4e607bd feat: add --version flag

Changelog

• a601fce Fix segfault when invalid URL is parsed
• 8db6b58 Update README.md
• ac98473 Update README.md

Changelog

• 7368970 Reduce complexity of requester() function
• e8b62f3 Set go install feature

Changelog

• 727c578 Update README.md and fix goreleaser version

Minor refactoring

Fix double-encoding function.

Minor changes in escapedURL

Fix trailing slash issues and ensure compatibility with unusual paths using standard net/url

🚀 Major Release Changelog 🚀

We are excited to announce a major release that brings several powerful enhancements, bug fixes, and cutting-edge security techniques. This update takes our project to the next level with improved functionality, performance, and security. Here are the key highlights:

🔧 New Features & Improvements:

• Auto-Calibration Feature Added:
  To streamline the output and eliminate duplicates, we've introduced an auto-calibrate function. This feature simplifies data processing and makes the output more efficient. Users can still opt to see the full output details using the -v flag for debugging or detailed analysis.
  (Special thanks to Diego Jurado for this great idea!)

• Switched HTTP Request Library:
  In this release, we've replaced the default Go http library with go-rawurlparser by @slicingmelon. This change resolves parsing issues with specific payloads, ensuring better handling of edge cases. The updated library improves the stability and accuracy of URL parsing, making the system more robust overall.

• Double URL Encoding Technique:
  Inspired by cutting-edge research, we've incorporated a double URL encoding technique that was introduced in the DEFCON 2024 Bug Bounty Village talk by Justin Rhynorater Gardner. This advanced method helps bypass URL-based filters, enhancing security and offering a sophisticated approach to handling potentially harmful inputs.
  📄 DEFCON 2024 Presentation PDF

• New Filtering Options:
  We've introduced two new command-line flags, --status and --unique, which allow users to filter results more effectively, providing more control over the output.
  (Thanks to @jaikishantulswani for contributing this feature!)

🛠️ Bug Fixes & Minor Updates:

• Rewrite of HTTP Versions technique:
  After detecting incorrect behavior in the HTTP Versions technique, it has been rewritten to function as intended.

• Minor Bug Fixes:
  We've also addressed several small bugs and made improvements to the codebase.
  (Thanks to @nxczje for their valuable PR!)

💡 Looking Ahead:

This release marks a significant step in the evolution of the project, but there's still more to come! We will continue to refine the system, add new features, and address user feedback to make the project even better. Stay tuned for future updates!

🎉 Special Thanks:

We would like to give special recognition to the amazing contributors who have helped shape this release:

• Diego Jurado for suggesting the auto-calibration and double-encoding feature idea.
• @slicingmelon for the go-rawurlparser pkg.
• @jaikishantulswani for adding the new filtering options.
• @nxczje for fixing minor bugs and contributing to the codebase.