Wordlist usage / definition error behavior #572
Description
Issue
I understand that when a keyword is used but not defined an error occurs:
ffuf -u 'http://ffuf.me/cd/param/CUSTOM'
...
Encountered error(s): 1 errors occured.
* Either -w or --input-cmd flag is required
I don't see how it could be useful to trigger an error when a keyword is defined but not used. A warning could be triggered instead so warn the user he may be missing something he is expecting.
ffuf -u 'http://ffuf.me/cd/param/CUSTOM' -w /usr/share/seclists/Discovery/Web-Content/common.txt:CUSTOM -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:PARAM
...
Encountered error(s): 1 errors occured.
* Keyword PARAM defined, but not found in headers, method, URL or POST data.
This last behavior becomes especially annoying when you want specify tons of named wordlists as shortcuts in the .ffufrc config file.
[input]
wordlists = [
"/usr/share/seclists/Discovery/Web-Content/common.txt:COMMON",
"/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:PARAM",
"/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:SUBDOMAINS",
"/usr/share/seclists/Discovery/Web-Content/quickhits.txt:QUICKHITS",
"/usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt:MEDIUMFILES",
"/usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt:MEDIUMDIR",
"/usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt:MEDIUMWORDS"
]ffuf -u 'http://ffuf.me/cd/param/COMMON?PARAM=1' -config ~/test.ffurc.toml
...
Encountered error(s): 5 errors occured.
* Keyword SUBDOMAINS defined, but not found in headers, method, URL or POST data.
* Keyword QUICKHITS defined, but not found in headers, method, URL or POST data.
* Keyword MEDIUMFILES defined, but not found in headers, method, URL or POST data.
* Keyword MEDIUMDIR defined, but not found in headers, method, URL or POST data.
* Keyword MEDIUMWORDS defined, but not found in headers, method, URL or POST data.
I would expect that unused wordlists defined in the config file are ignored, this would allow to have aliases / shortcuts for wordlists.
Currently you have to comment unused wordlists to avoid errors:
[input]
wordlists = [
"/usr/share/seclists/Discovery/Web-Content/common.txt:COMMON",
"/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:PARAM",
#"/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:SUBDOMAINS",
#"/usr/share/seclists/Discovery/Web-Content/quickhits.txt:QUICKHITS",
#"/usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt:MEDIUMFILES",
#"/usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt:MEDIUMDIR",
#"/usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt:MEDIUMWORDS"
]Related code
ffuf/pkg/ffuf/optionsparser.go
Lines 505 to 519 in 5c489ae