three active web-vuln probes wired into the per-target loop:

- cors: crafts attacker origins (evil sentinel, null, prefix/suffix bypass, http downgrade) and flags responses that reflect them in access-control-allow-origin, ranking reflection+credentials high.
- redirect: injects a controlled sentinel host plus bypass variants (//, https:/, backslash, null-byte, userinfo @) into redirect-prone params and catches 30x location, meta-refresh and js redirects that resolve off-site.
- xss: injects a unique canary wrapped in breaking chars, classifies the reflection context (html/attribute/script) and reports only the chars that survive unescaped where they matter, so escaped reflections don't false-positive.

all route through httpx.Client so proxy/-H/-cookie/-rate-limit apply. hermetic httptest coverage plus integration testbed entries.
usage
complete guide to sif command line options.
target options
-u, --urls
specify target urls (comma-separated):
./sif -u https://example.com
./sif -u https://site1.com,https://site2.com
-f, --file
read targets from a file (one url per line):
./sif -f targets.txt
scan options
directory fuzzing
-dirlist <size> - fuzz for directories and files
sizes: small, medium, large
./sif -u https://example.com -dirlist medium
subdomain enumeration
-dnslist <size> - enumerate subdomains
sizes: small, medium, large
./sif -u https://example.com -dnslist small
port scanning
-ports <scope> - scan for open ports
scopes: common (top ports), full (all ports)
./sif -u https://example.com -ports common
google dorking
-dork - automated google dorking
./sif -u https://example.com -dork
git repository detection
-git - check for exposed git repositories
./sif -u https://example.com -git
nuclei scanning
-nuclei - run nuclei vulnerability templates
./sif -u https://example.com -nuclei
javascript analysis
-js - analyze javascript files + secret and endpoint extraction
./sif -u https://example.com -js
cms detection
-cms - detect content management systems
./sif -u https://example.com -cms
http headers
-headers - dump the target's response headers
./sif -u https://example.com -headers
security headers
-sh - flag missing/weak security headers (hsts, csp, x-frame-options, ...) and headers that leak server internals
./sif -u https://example.com -sh
cloud storage
-c3 - check for cloud storage misconfigurations
./sif -u https://example.com -c3
subdomain takeover
-st - check for subdomain takeover vulnerabilities
requires -dnslist to be enabled
./sif -u https://example.com -dnslist small -st
shodan lookup
-shodan - query shodan for host intelligence
requires SHODAN_API_KEY environment variable
export SHODAN_API_KEY=your-api-key
./sif -u https://example.com -shodan
sql reconnaissance
-sql - detect sql admin panels and error disclosure
./sif -u https://example.com -sql
lfi scanning
-lfi - local file inclusion vulnerability checks
./sif -u https://example.com -lfi
cors probe
-cors - probe for cors misconfigurations (reflected/permissive origins)
./sif -u https://example.com -cors
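what a reflected origin looks like from the checking side, as an added example in go (not sif's own code): it replays the origin classes named in the change description against a handler and ranks reflection with credentials as high. the host app.example, the sentinel evil.example and the weak and strict handlers are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

func origins(host string) []string {
	return []string{
		"https://evil.example",              // unrelated sentinel (constructed)
		"null",                              // sandboxed or file origin
		"https://" + host + ".evil.example", // trusted host as prefix
		"https://evil" + host,               // trusted host as suffix
		"http://" + host,                    // scheme downgrade
	}
}

// scan replays each origin against h; reflected origins map to a severity.
func scan(h http.Handler, host string) map[string]string {
	out := map[string]string{}
	for _, o := range origins(host) {
		req := httptest.NewRequest(http.MethodGet, "https://"+host+"/", nil)
		req.Header.Set("Origin", o)
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		if hdr := rec.Header(); hdr.Get("Access-Control-Allow-Origin") == o {
			out[o] = "medium"
			if hdr.Get("Access-Control-Allow-Credentials") == "true" {
				out[o] = "high" // origin can read authenticated responses
			}
		}
	}
	return out
}

// allow reflects Origin, with credentials, when ok(origin) holds (constructed).
func allow(ok func(string) bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if o := r.Header.Get("Origin"); ok(o) {
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
	})
}

var weak = allow(func(o string) bool { return strings.HasSuffix(o, "app.example") })
var strict = allow(func(o string) bool { return o == "https://app.example" })
func main() { fmt.Println(scan(weak, "app.example"), scan(strict, "app.example")) }
```

the suffix-matching policy reflects the suffix and downgrade origins, while the exact-match policy reflects none of the probes.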
open redirect probe
-redirect - probe redirect-prone params for open redirects
./sif -u 'https://example.com/login?next=home' -redirect
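how a location value can be judged as off-site, as an added example in go (not sif's own code): it resolves each bypass form named in the change description against the page url and compares hosts. app.example, sentinel.example and the sample values are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// offSite reports whether a redirect target leaves the host of base.
// Values that do not parse are reported too, so they get a manual look.
func offSite(base, location string) bool {
	b, err := url.Parse(base)
	if err != nil {
		return true
	}
	// Browsers read "\" as "/" in http(s) URLs; normalise before parsing.
	loc := strings.ReplaceAll(strings.TrimSpace(location), `\`, "/")
	ref, err := url.Parse(loc)
	if err != nil {
		return true // control characters such as a null byte land here
	}
	// ResolveReference handles "//host" and relative paths; Hostname()
	// ignores any "user@" prefix, so trusted@other resolves to "other".
	dst := b.ResolveReference(ref)
	return !strings.EqualFold(dst.Hostname(), b.Hostname())
}

// variants are constructed Location values; sentinel.example stands in for
// the controlled host the probe injects.
var variants = []string{
	"/account",                    // same-site path
	"https://app.example/account", // same-site absolute url
	"//sentinel.example/",         // scheme-relative
	"https:/sentinel.example",     // resolves with no host: flagged
	`\\sentinel.example`,          // backslashes read as "//"
	`/\sentinel.example`,          // mixed slash and backslash
	"https://app.example@sentinel.example/", // trusted name as userinfo
	"/account\x00.sentinel.example",         // null byte: parse error
}

func main() {
	for _, v := range variants {
		fmt.Printf("%-42q off-site=%v\n", v, offSite("https://app.example/login", v))
	}
}
```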
reflected xss probe
-xss - inject a canary into params and report unescaped reflections
./sif -u 'https://example.com/search?q=test' -xss
framework detection
-framework - detect web frameworks with version and cve lookup
./sif -u https://example.com -framework
whois lookup
-whois - perform whois lookups
./sif -u https://example.com -whois
skip base scan
-noscan - skip the base url scan (robots.txt, etc)
./sif -u https://example.com -noscan -dirlist medium
module options
-lm, --list-modules
list all available modules:
./sif -lm
-m, --modules
run specific modules by id (comma-separated):
./sif -u https://example.com -m sqli-error-based,xss-reflected
-mt, --module-tags
run modules matching tags:
./sif -u https://example.com -mt owasp-top10
./sif -u https://example.com -mt injection
-am, --all-modules
run all available modules:
./sif -u https://example.com -am
runtime options
-t, --timeout
http request timeout (default: 10s):
./sif -u https://example.com -t 30s
--threads
number of concurrent threads (default: 10). values below 1 are clamped to 1:
./sif -u https://example.com --threads 20
-l, --log
directory to save log files:
./sif -u https://example.com -l ./logs
-d, --debug
enable debug logging:
./sif -u https://example.com -d
http options
these apply to every outbound request across all scanners (proxy, custom headers, cookie and rate limiting share one client). a scanner that sets a header explicitly still wins over the global default.
-proxy
route all traffic through a proxy. supports http, https and socks5 urls:
./sif -u https://example.com -proxy socks5://127.0.0.1:1080
-H, --header
add a custom header to every request. repeatable or comma-separated, "Key: Value":
./sif -u https://example.com -H "Authorization: Bearer tok" -H "X-Env: staging"
-cookie
cookie header to send with every request:
./sif -u https://example.com -cookie "session=abc; theme=dark"
-rate-limit
cap outbound requests per second (0 = unlimited, default 0):
./sif -u https://example.com -rate-limit 20
api options
-api
enable api mode for json output:
./sif -u https://example.com -api
output is a json object with scan results.
commands
these run without scanning a target.
version
print the sif version. release builds are stamped via ldflags, local make builds derive it from git describe, and builds installed with go install read it from the module build info:
./sif version
patchnote
show the latest release's notes, fetched from github (also -pn):
./sif patchnote
the first time you run a new release, sif also prints that release's notes once. set SIF_NO_PATCHNOTES=1 to disable that.
examples
quick recon
./sif -u https://example.com -framework -headers -git
full scan
./sif -u https://example.com \
-dirlist large \
-dnslist medium \
-ports full \
-framework \
-js \
-headers \
-cms \
-git \
-sql \
-lfi \
-cors \
-redirect \
-xss \
-am
ci/cd pipeline
./sif -u https://staging.example.com -api -am > results.json
batch scanning
echo "https://site1.com
https://site2.com
https://site3.com" > targets.txt
./sif -f targets.txt -am -l ./logs