xnlinkfinder

--depthThe level of depth to search. For example, if a value of 2 is passed, then all links initially found will then be searched for more links (default: 1). This option is ignored for Burp files because they can be huge and consume lots of memory. It is also advisable to use the -sp (--scope-prefix) argument to ensure a request to links found without a domain can be attempted.

Input a URL or domain.

--configPath to the YML config file. If not passed, a default 'config.yml' is used which has some excludes some words/extensions and defines some stopwords.

--originWhether you want the origin of the link to be in the output. Displayed as LINK-URL [ORIGIN-URL] in the output (default: false)

--cookiesAdd cookies to pass with HTTP requests. Pass in the format 'name1=value1; name2=value2;'

--excludeLink exclusions in a comma separated list, e.g. careers,forum

--headersAdd custom headers to pass with HTTP requests. Pass in the format 'Header1: value1; Header2: value2;'

--includeInclude input links in the output (default: false)

--timeoutHow many seconds to wait for the server to send data before giving up (default: 10 seconds)

--verboseVerbose output

-insecureWhether TLS certificate checks should be made disabled making requests (default: false)

--no-bannerHides the tool banner.

--processesBasic multithreading is done when getting requests for a URL, or file of URLs (not a Burp file). This argument determines the number of processes (threads) used (default: 25)

-ascii-onlyWhether links and parameters will only be added if they only contain ASCII characters (default: False). This can be useful when you know the target is likely to use ASCII characters and you also get a number of false positives from binary files for some reason.

--user-agentWhat User Agents to get links for, e.g. 'desktop mobile'

--regex-afterRegEx for filtering purposes against found endpoints before output (e.g. /api/v[0-9].[0-9]* ). If it matches, the link is output.

-s403Stop when > 95 percent of responses return 403 Forbidden (default: false)

-s429Stop when > 95 percent of responses return 429 Too Many Requests (default: false)

-replay-proxyFor active link finding with URL (or file of URLs), replay the requests through this proxy.

--scope-filterWill filter output links to only include it if the domain of the link is in the scope specified.

--scope-prefixAny links found starting with / will be prefixed with scope domain in the output instead of the original link.

--vverboseIncreased verbose output

--max-file-sizeThe maximum file size (in bytes) of a file to be checked if -i is a directory. If the file size os over, it will be ignored (default: 500 MB). Setting to 0 means no files will be ignored, regardless of size.

--max-time-limitThe maximum time limit (in minutes) to run before stopping (default: 0). If 0 is passed, there is no limit.

--stopwords-fileA file of additional Stop Words (in addition to stopWords in the YML Config file) used to exclude words from the target specific wordlist. Stop Words are used in Natural Language Processing and different lists can be found in different libraries. You may want to add words in different languages, depending on your target.

-sTOStop when > 95 percent of requests time out (default: false)

--wordlist-maxlenThe maximum length of words to add to the target specific wordlist (excluding plurals).

--memory-thresholdThe memory threshold percentage. If the machines memory goes above the threshold, the program will be stopped and ended gracefully before running out of memory (default: 95)

--scope-filterWill filter output links to only include them if the domain of the link is in the scope specified.

--scope-prefixAny links found starting with / will be prefixed with scope domains in the output instead of the original link.

--no-wordlist-digitsExclude any words from the target specific wordlist with numerical digits in.

--no-wordlist-imgaltBy default, any image 'alt' attributes will be processed for the target specific wordlist. If this argument is used, they will not be processed.

--no-wordlist-pluralsWhen words are found for a target specific wordlist, by default new words are added if there is a singular word from a plural, and vice versa. If this argument is used, this process is not done.

--no-wordlist-commentsBy default, any comments in pages will be processed for the target specific wordlist. If this argument is used, they will not be processed.

--no-wordlist-pathwordsBy default, any path words found in the links will be processed for the target specific wordlist. If this argument is used, they will not be processed.

--scope-prefix-originalIf a scope-prefix is passed, then this determines whether the original link starting with / is also included in the output (default: false).

--no-wordlist-parametersBy default, any parameters found in the links will be processed for the target specific wordlist. If this argument is used, they will not be processed.

-sCEStop when > 95 percent of requests have connection errors (default: false)