Releases: epi052/feroxbuster
v2.2.4
v2.2.3
- fixed [de]serialization of atomics on arm hosts
- added official builds of armv7 and aarch64
Thanks to @tienna-0051 for reporting the build failure!
v2.2.2
- bumped serde_json to version 1.0.64
- bumped rlimit to version 0.5.4
- bumped ctrlc to version 3.1.8
- added command completion script install to .deb build
- wordlist order is now preserved after being stored (#233 & #226)
- previous implementation used a hashset for auto-dedup, with the side effect of having an unordered wordlist. Now using a Vec to store the wordlist, which preserves insertion order
thanks to @secure-77 and @Kiblyn11 for bringing wordlist ordering to my attention 🙏
v2.2.1
v2.2.0
- added --parallel option
- bumped tokio to version 1.2.0
- bumped serde_json to version 1.0.62
special thanks to Nicolas Krassas (@Dinosn) for the suggestion 🎉
Version 2.2.0 introduces the --parallel option. If you're one of those people who use feroxbuster to scan 100s of hosts at a time, this is the option for you! --parallel spawns a child process per target passed in over stdin (recursive directories are still async within each child). The number of parallel scans is limited to whatever you pass to --parallel. When one child finishes its scan, the next child will be spawned.
Unfortunately, using --parallel limits terminal output such that only discovered URLs are shown. No amount of -v's will help you here. I imagine this isn't too big of a deal, as folks that need --parallel probably aren't sitting there watching the output... 🙃
Example Command:
cat large-target-list | ./feroxbuster --stdin --parallel 10 --extract-links --auto-bail
Resulting Process List (illustrative):
\_ target/debug/feroxbuster --stdin --parallel 10
\_ target/debug/feroxbuster --silent --extract-links --auto-bail -u https://target-one
\_ target/debug/feroxbuster --silent --extract-links --auto-bail -u https://target-two
\_ target/debug/feroxbuster --silent --extract-links --auto-bail -u https://target-three
\_ ...
\_ target/debug/feroxbuster --silent --extract-links --auto-bail -u https://target-ten
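The scheduling described above (one child per stdin target, never more than N alive, the next one spawned as soon as one exits) is simple enough to show in full. The block below is an added example written for this page, not feroxbuster's own code: `run_bounded`, `RunSummary` and the stand-in `sh -c` child in `main` are this example's names and choices, and it uses only the Rust standard library. The demo child echoes and sleeps so it runs anywhere; for real use the command would be `feroxbuster --silent -u <target>` plus whatever flags you want passed through, as in the process list above.

```rust
use std::io::{self, BufRead};
use std::process::{Child, Command, Stdio};
use std::thread;
use std::time::Duration;

/// Outcome of one bounded-parallel run. Field names are this example's own,
/// not feroxbuster's.
#[derive(Debug)]
pub struct RunSummary {
    /// (target, child exited successfully), in the order children finished
    pub results: Vec<(String, bool)>,
    /// the most children that were alive at the same time
    pub peak_inflight: usize,
}

/// Spawn `make_cmd(target)` for every target, keeping at most `limit`
/// children alive. As soon as one child exits, the next target is spawned.
pub fn run_bounded<F>(targets: &[String], limit: usize, make_cmd: F) -> RunSummary
where
    F: Fn(&str) -> Command,
{
    let limit = limit.max(1); // a limit of 0 would otherwise never start anything
    let mut inflight: Vec<(String, Child)> = Vec::new();
    let mut results = Vec::new();
    let mut peak = 0;
    let mut next = 0;

    while next < targets.len() || !inflight.is_empty() {
        // Top up to the limit; a spawn failure (binary missing, etc.) is recorded
        // as a failed target instead of aborting the whole run.
        while next < targets.len() && inflight.len() < limit {
            let target = targets[next].clone();
            match make_cmd(&target).spawn() {
                Ok(child) => inflight.push((target, child)),
                Err(_) => results.push((target, false)),
            }
            next += 1;
        }
        peak = peak.max(inflight.len());

        // Reap whichever children have exited without blocking on any one of them.
        let mut reaped = false;
        let mut i = 0;
        while i < inflight.len() {
            match inflight[i].1.try_wait() {
                Ok(None) => i += 1, // still running
                Ok(Some(status)) => {
                    let (target, _) = inflight.swap_remove(i);
                    results.push((target, status.success()));
                    reaped = true;
                }
                Err(_) => {
                    let (target, _) = inflight.swap_remove(i);
                    results.push((target, false));
                    reaped = true;
                }
            }
        }
        if !reaped && !inflight.is_empty() {
            thread::sleep(Duration::from_millis(20));
        }
    }
    RunSummary { results, peak_inflight: peak }
}

/// Stand-alone demo: targets on stdin, limit from argv[1] (default 10).
/// The child is a stand-in shell command, not feroxbuster, so the demo runs
/// anywhere; swap in `feroxbuster --silent -u <target>` for real scans.
fn main() {
    let limit = std::env::args().nth(1).and_then(|s| s.parse().ok()).unwrap_or(10);
    let targets: Vec<String> = io::stdin()
        .lock()
        .lines()
        .filter_map(Result::ok)
        .filter(|l| !l.trim().is_empty())
        .collect();
    let summary = run_bounded(&targets, limit, |target| {
        let mut cmd = Command::new("sh");
        cmd.arg("-c").arg("echo scanning \"$0\"; sleep 0.2").arg(target);
        cmd.stdout(Stdio::inherit());
        cmd
    });
    println!("peak concurrent children: {}", summary.peak_inflight);
    for (target, ok) in &summary.results {
        println!("{} -> {}", target, if *ok { "ok" } else { "failed" });
    }
}
```

Run it as `printf 'https://target-one\nhttps://target-two\n' | ./demo 10`. Note that every child is a separate process, so per-process settings such as --threads or --rate-limit apply to each child independently rather than to the run as a whole.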
v2.1.0
- added --auto-tune
- added --auto-bail
- bumped env_logger to version 0.8.3
Thanks to @mzpqnxow and @N0ur5 for their requests/suggestions! 🥳
Version 2.1.0 introduces the --auto-tune and --auto-bail flags. You can think of these flags as Policies. Both actions (tuning and bailing) are triggered by the same criteria (below). Policies are only enforced after at least 50 requests have been made (or # of threads, if that's > 50).
Policy Enforcement Criteria:
- number of general errors (timeouts, etc) is higher than half the number of threads (or at least 25 if threads are lower) (per directory scanned)
- 90% of responses are 403|Forbidden (per directory scanned)
- 30% of requests are 429|Too Many Requests (per directory scanned)
both demo gifs below use --timeout to overload a single-threaded python web server and elicit timeouts
--auto-tune:
The AutoTune policy enforces a rate limit on individual directory scans when one of the criteria above is met. The rate limit self-adjusts every (timeout / 2) seconds. If the number of errors has increased during that time, the allowed rate of requests is lowered. On the other hand, if the number of errors hasn't moved, the allowed rate of requests is increased. If no additional errors are found after a certain number of checks, the rate limit will be removed completely.
--auto-bail:
The AutoBail policy aborts individual directory scans when one of the criteria above is met. They just stop getting scanned, no muss, no fuss.
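To make the policy thresholds and the tuning loop concrete, here is an added example that models them over constructed per-directory counters. It is written for this page and is not feroxbuster's implementation: `DirStats`, `Trigger`, `policy_trigger`, `should_bail` and `AutoTune` are this example's names, the enforcement floor and the three criteria follow the numbers stated above, and where the page does not give a number (how much the rate is lowered or raised, how many quiet checks lift the limit) the example picks one and says so in a comment.

```rust
/// Per-directory counters as a scan would accumulate them. The struct and
/// field names are this example's own, not feroxbuster's.
#[derive(Debug, Clone, Copy, Default)]
pub struct DirStats {
    pub requests: usize,  // requests sent for this directory
    pub errors: usize,    // general errors: timeouts, connection failures, ...
    pub forbidden: usize, // 403 responses
    pub too_many: usize,  // 429 responses
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Trigger {
    Errors,
    Forbidden,
    TooManyRequests,
}

/// Policies are only considered after 50 requests, or the thread count if larger.
pub fn enforcement_floor(threads: usize) -> usize {
    threads.max(50)
}

/// Error criterion: more errors than half the thread count, with a floor of 25.
pub fn error_threshold(threads: usize) -> usize {
    (threads / 2).max(25)
}

/// Evaluate the three criteria for one directory. Percentages use integer
/// arithmetic over requests sent; this example treats every request as having
/// produced either a response or an error.
pub fn policy_trigger(stats: DirStats, threads: usize) -> Option<Trigger> {
    if stats.requests < enforcement_floor(threads) {
        return None;
    }
    if stats.errors > error_threshold(threads) {
        return Some(Trigger::Errors);
    }
    if stats.forbidden * 100 >= stats.requests * 90 {
        return Some(Trigger::Forbidden);
    }
    if stats.too_many * 100 >= stats.requests * 30 {
        return Some(Trigger::TooManyRequests);
    }
    None
}

/// AutoBail: a triggered directory is simply abandoned.
pub fn should_bail(stats: DirStats, threads: usize) -> bool {
    policy_trigger(stats, threads).is_some()
}

/// Consecutive error-free checks before the limit is lifted. The page only says
/// "a certain number of checks"; 3 is this example's assumption.
const QUIET_CHECKS_TO_LIFT: usize = 3;

/// AutoTune state for one directory. Halving on new errors and raising by a
/// quarter when quiet are this example's assumptions; the page only says the
/// rate is lowered or raised.
#[derive(Debug)]
pub struct AutoTune {
    pub limit: Option<u64>, // requests per second; None means no limit in force
    last_errors: usize,
    quiet_checks: usize,
}

impl AutoTune {
    pub fn new(initial_limit: u64, errors_at_trigger: usize) -> Self {
        AutoTune { limit: Some(initial_limit.max(1)), last_errors: errors_at_trigger, quiet_checks: 0 }
    }

    /// The limiter re-evaluates every (timeout / 2) seconds.
    pub fn check_interval_secs(timeout_secs: u64) -> u64 {
        (timeout_secs / 2).max(1)
    }

    /// One re-evaluation with the directory's current error count; returns the
    /// limit now in force.
    pub fn check(&mut self, errors_now: usize) -> Option<u64> {
        let current = match self.limit {
            Some(l) => l,
            None => return None, // limit already lifted
        };
        if errors_now > self.last_errors {
            self.limit = Some((current / 2).max(1));
            self.quiet_checks = 0;
        } else {
            self.quiet_checks += 1;
            if self.quiet_checks >= QUIET_CHECKS_TO_LIFT {
                self.limit = None;
            } else {
                self.limit = Some(current + (current / 4).max(1));
            }
        }
        self.last_errors = errors_now;
        self.limit
    }
}

fn main() {
    // constructed counters for one directory scanned with 40 threads
    let stats = DirStats { requests: 120, errors: 31, forbidden: 4, too_many: 2 };
    println!("trigger with 40 threads: {:?}", policy_trigger(stats, 40));
    println!("check every {}s for a 7s timeout", AutoTune::check_interval_secs(7));
    let mut tune = AutoTune::new(200, stats.errors);
    for &errors in &[40usize, 40, 40, 40] {
        println!("errors={} -> limit {:?}", errors, tune.check(errors));
    }
}
```

With 40 threads the error threshold is max(20, 25) = 25, so 31 errors trip the Errors criterion; the first check then sees errors rise from 31 to 40 and halves the limit, and three quiet checks in a row lift it.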
v2.0.2
- added clarity to error messages resulting from attempting to connect to HTTPS servers w/o a valid certificate
🎉 thanks to @bpsizemore for the issue and PR!
v2.0.1
v2.0.0
Version 2.0.0 was a large undertaking with the overall goal to address the Focus Areas below.
Focus Areas:
- long-term project maintainability
- improve code quality
- improve error handling
- reduce memory consumption
Changes incorporated not specifically related to Focus Areas:
- Wildcards now properly filter 0-length responses (thanks to @BitThr3at for the bug report)
- non-fatal errors have mostly been turned into warnings
  - a -v is needed to see non-fatal errors that are handled internally
  - the overall status bar will show errors incrementing
  - the user will need to increase verbosity to see what's going on
  - prevents spammy error messages during timeouts etc
- added rate limiting (--rate-limit) - #123 (thanks to @mzpqnxow for the suggestion)
- added --silent and modified the behavior of --quiet (thanks to @islanddog and @LaiKash for the report and their help fleshing this out)
  - --quiet - Hide progress bars and banner (good for tmux windows w/ notifications)
  - --silent - Only print URLs + turn off logging (good for piping a list of urls to other commands)
  - closes #119
- bump tokio-util from 0.6.2 to 0.6.3
- bump predicates from 1.0.6 to 1.0.7
- bumps assert_cmd from 1.0.2 to 1.0.3
v1.12.4
- non-utf8 lines in wordlists are now skipped instead of causing an error
In the event that a single line within the given wordlist isn't UTF-8, that line will be skipped. Prior behavior was to exit if ANY line wasn't UTF-8.
Thanks to @sh0reline for the report that sparked this change!
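The two wordlist changes on this page, skipping non-UTF-8 lines instead of exiting (v1.12.4) and deduplicating while preserving insertion order with a Vec rather than a HashSet (v2.2.2), fit in one loader. The block below is an added example written for this page, not feroxbuster's own code: `load_wordlist` and its return shape are this example's choices, the sample bytes in the test are constructed, and skipping blank lines is this example's decision rather than something the page states.

```rust
use std::collections::HashSet;
use std::fs::File;
use std::io::{self, BufRead, BufReader, Read};

/// Load a wordlist from any byte source, one entry per line.
/// - Lines that are not valid UTF-8 are skipped and counted instead of aborting
///   the load. BufReader::lines() returns an error on such a line, which is the
///   "exit if ANY line wasn't UTF-8" behavior described above, so this reads
///   raw bytes with read_until and validates each line on its own.
/// - Duplicates are dropped but first-seen order is kept: a Vec holds the
///   words, and a HashSet is used only for the membership check.
/// - Blank lines are skipped; that is this example's choice.
pub fn load_wordlist<R: Read>(source: R) -> io::Result<(Vec<String>, usize)> {
    let mut reader = BufReader::new(source);
    let mut seen: HashSet<String> = HashSet::new();
    let mut words: Vec<String> = Vec::new();
    let mut skipped = 0usize;
    let mut line: Vec<u8> = Vec::new();

    loop {
        line.clear();
        // read_until is byte-oriented, so one bad line cannot poison the whole read
        if reader.read_until(b'\n', &mut line)? == 0 {
            break; // EOF
        }
        while matches!(line.last(), Some(b'\n') | Some(b'\r')) {
            line.pop();
        }
        match std::str::from_utf8(&line) {
            Ok(word) => {
                if word.is_empty() {
                    continue;
                }
                if seen.insert(word.to_owned()) {
                    words.push(word.to_owned());
                }
            }
            Err(_) => skipped += 1,
        }
    }
    Ok((words, skipped))
}

/// Stand-alone demo: `prog wordlist.txt`, or pipe a wordlist on stdin.
fn main() -> io::Result<()> {
    let (words, skipped) = match std::env::args().nth(1) {
        Some(path) => load_wordlist(File::open(path)?)?,
        None => load_wordlist(io::stdin().lock())?,
    };
    println!("{} unique words loaded, {} non-UTF-8 lines skipped", words.len(), skipped);
    for word in words.iter().take(5) {
        println!("{}", word);
    }
    Ok(())
}
```

The skipped count is worth surfacing in a warning: a wordlist with many non-UTF-8 lines is usually the wrong encoding rather than a few stray bytes, and silently dropping most of it would make a scan look clean while it tested almost nothing.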