the -js pipeline already pulls every <script> into a buffer but only mined supabase jwts from it. reuse that buffer to run a credential regex bank (aws/github/slack/stripe/google keys, pem blocks, plus entropy-gated generic apikey/secret/token assignments) and a linkfinder-style endpoint extractor that resolves relatives to absolute urls. both dedupe across scripts and surface through the existing js logger and result struct, no new flag.
usage
complete guide to sif command line options.
target options
-u, --urls
specify target urls (comma-separated):
./sif -u https://example.com
./sif -u https://site1.com,https://site2.com
-f, --file
read targets from a file (one url per line):
./sif -f targets.txt
scan options
directory fuzzing
-dirlist <size> - fuzz for directories and files
sizes: small, medium, large
./sif -u https://example.com -dirlist medium
subdomain enumeration
-dnslist <size> - enumerate subdomains
sizes: small, medium, large
./sif -u https://example.com -dnslist small
port scanning
-ports <scope> - scan for open ports
scopes: common (top ports), full (all ports)
./sif -u https://example.com -ports common
google dorking
-dork - automated google dorking
./sif -u https://example.com -dork
git repository detection
-git - check for exposed git repositories
./sif -u https://example.com -git
nuclei scanning
-nuclei - run nuclei vulnerability templates
./sif -u https://example.com -nuclei
javascript analysis
-js - analyze javascript files + secret and endpoint extraction
./sif -u https://example.com -js
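a sketch of the technique behind that extraction (entropy-gated secret matching, relative endpoints resolved against the page url, dedupe across scripts), useful for auditing your own bundles before release. this is an added example, not sif's code: the two regexes, the 3.5-bit threshold, the names `Scan`, `entropy`, `secretRE`, `endpoint`, `pageURL` and `sample`, and the sample scripts are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"math"
	"net/url"
	"regexp"
)

// Illustrative patterns and constructed sample input (assumptions, not sif's own).
var (
	secretRE = regexp.MustCompile(`\b(AKIA[0-9A-Z]{16})\b|(?i:api_?key|secret|token)["']?\s*[:=]\s*["']([\w\-+/=]{16,})["']`)
	endpoint = regexp.MustCompile(`["'](https?://[^"'\s]+|\.{0,2}/[\w\-./]+(?:\?[^"'\s]*)?)["']`)
	pageURL  = &url.URL{Scheme: "https", Host: "example.com", Path: "/app/index.html"}
	sample   = []string{
		`cfg = {apiKey: "changeme-changeme-changeme", token: "q7Zp2LxV9bTfR4mK8sWd"}; fetch("/api/v1/users?id=1")`,
		`k = "AKIAIOSFODNN7EXAMPLE"; fetch("../internal/health"); fetch("/api/v1/users?id=1")`,
	}
)
// entropy returns the Shannon entropy of s in bits per byte.
func entropy(s string) (h float64) {
	counts := map[byte]float64{}
	for _, c := range []byte(s) {
		counts[c]++
	}
	for _, n := range counts {
		h -= n / float64(len(s)) * math.Log2(n/float64(len(s)))
	}
	return h
}
// Scan collects secrets and absolute endpoint URLs; the sets dedupe across scripts.
func Scan(base *url.URL, scripts []string, minEntropy float64) (secrets, endpoints map[string]bool) {
	secrets, endpoints = map[string]bool{}, map[string]bool{}
	for _, js := range scripts {
		for _, m := range secretRE.FindAllStringSubmatch(js, -1) {
			if m[1] != "" || entropy(m[2]) >= minEntropy { // group 1: provider format; group 2: entropy-gated
				secrets[m[1]+m[2]] = true
			}
		}
		for _, m := range endpoint.FindAllStringSubmatch(js, -1) {
			if u, err := base.Parse(m[1]); err == nil { // resolve relative to the page url
				endpoints[u.String()] = true
			}
		}
	}
	return secrets, endpoints
}
func main() {
	fmt.Println(Scan(pageURL, sample, 3.5))
}
```

the placeholder value `changeme-changeme-changeme` scores about 2.9 bits per byte and is dropped by the gate, while the fixed-format key and the random-looking token are reported.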
cms detection
-cms - detect content management systems
./sif -u https://example.com -cms
http headers
-headers - dump the target's response headers
./sif -u https://example.com -headers
security headers
-sh - flag missing/weak security headers (hsts, csp, x-frame-options, ...) and headers that leak server internals
./sif -u https://example.com -sh
cloud storage
-c3 - check for cloud storage misconfigurations
./sif -u https://example.com -c3
subdomain takeover
-st - check for subdomain takeover vulnerabilities
requires -dnslist to be enabled
./sif -u https://example.com -dnslist small -st
shodan lookup
-shodan - query shodan for host intelligence
requires SHODAN_API_KEY environment variable
export SHODAN_API_KEY=your-api-key
./sif -u https://example.com -shodan
sql reconnaissance
-sql - detect sql admin panels and error disclosure
./sif -u https://example.com -sql
lfi scanning
-lfi - local file inclusion vulnerability checks
./sif -u https://example.com -lfi
framework detection
-framework - detect web frameworks with version and cve lookup
./sif -u https://example.com -framework
whois lookup
-whois - perform whois lookups
./sif -u https://example.com -whois
skip base scan
-noscan - skip the base url scan (robots.txt, etc)
./sif -u https://example.com -noscan -dirlist medium
module options
-lm, --list-modules
list all available modules:
./sif -lm
-m, --modules
run specific modules by id (comma-separated):
./sif -u https://example.com -m sqli-error-based,xss-reflected
-mt, --module-tags
run modules matching tags:
./sif -u https://example.com -mt owasp-top10
./sif -u https://example.com -mt injection
-am, --all-modules
run all available modules:
./sif -u https://example.com -am
runtime options
-t, --timeout
http request timeout (default: 10s):
./sif -u https://example.com -t 30s
--threads
number of concurrent threads (default: 10). values below 1 are clamped to 1:
./sif -u https://example.com --threads 20
-l, --log
directory to save log files:
./sif -u https://example.com -l ./logs
-d, --debug
enable debug logging:
./sif -u https://example.com -d
http options
these apply to every outbound request across all scanners (proxy, custom headers, cookie and rate limiting share one client). a scanner that sets a header explicitly still wins over the global default.
-proxy
route all traffic through a proxy. supports http, https and socks5 urls:
./sif -u https://example.com -proxy socks5://127.0.0.1:1080
-H, --header
add a custom header to every request. repeatable or comma-separated, "Key: Value":
./sif -u https://example.com -H "Authorization: Bearer tok" -H "X-Env: staging"
-cookie
cookie header to send with every request:
./sif -u https://example.com -cookie "session=abc; theme=dark"
-rate-limit
cap outbound requests per second (0 = unlimited, default 0):
./sif -u https://example.com -rate-limit 20
api options
-api
enable api mode for json output:
./sif -u https://example.com -api
output is a json object with scan results.
commands
these run without scanning a target.
version
print the sif version. release builds are stamped via ldflags, local make builds derive it from git describe, and go installed builds read it from the module build info:
./sif version
patchnote
show the latest release's notes, fetched from github (also -pn):
./sif patchnote
the first time you run a new release sif also prints that release's notes once. set SIF_NO_PATCHNOTES=1 to disable that.
examples
quick recon
./sif -u https://example.com -framework -headers -git
full scan
./sif -u https://example.com \
-dirlist large \
-dnslist medium \
-ports full \
-framework \
-js \
-headers \
-cms \
-git \
-sql \
-lfi \
-am
ci/cd pipeline
./sif -u https://staging.example.com -api -am > results.json
batch scanning
echo "https://site1.com
https://site2.com
https://site3.com" > targets.txt
./sif -f targets.txt -am -l ./logs