DirDigger

About project

DirDigger is a directory digging and busting tool with a feature set that goes beyond that of comparable tools. It serves two audiences: CTF players, and people scanning web application directories and API URLs as part of bug bounty programs.

Originally conceived as a portfolio project to build a Burp extension similar to gobuster/dirbuster, DirDigger grew as new ideas and features were added, turning it into a fully fledged directory digging tool.


Features

DirDigger's current features:

  • Works as a Burp Suite extension and as a desktop Java application
  • Tree representation of existing URLs
  • Recursive scanning (directory depth and thread count can be set)
  • Proxy support
  • Filtered response codes
  • Follow redirects
  • See URLs grouped by redirect target in a Redirect Tree (if redirects were followed)
  • File extensions
  • Loading multiple files as keyword lists
  • Rate limiter detection (if detected, scanning is slowed down)
  • Ignoring volatile parameters
  • Stopping and continuing execution
  • Saving progress to a file, with the option to load a file to continue execution or view results (useful when working in a team)
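To make the two tree views and the volatile-parameter handling concrete, here is an added illustration in Java. It is not DirDigger's own code: it builds a directory tree from a constructed list of scan results and groups the results by the target they redirected to, after stripping a hypothetical set of volatile query parameters so that otherwise identical URLs collapse into one entry. The class, record and parameter names are assumptions made for this example.

```java
import java.net.URI;
import java.util.*;

/**
 * Added illustration (not DirDigger's own code): builds a Regular Tree and a
 * Redirect Tree from constructed scan results, ignoring volatile parameters.
 */
public class ResultTrees {

    /** One constructed scan result: requested path, status, redirect target (null if none). */
    record Result(String path, int status, String redirectTo) {}

    /** Query parameters treated as volatile (assumed names for this example). */
    static final Set<String> VOLATILE_PARAMS = Set.of("_", "ts", "nonce", "sessionid");

    /** A node in the directory tree; children are kept sorted by name. */
    static final class Node {
        final TreeMap<String, Node> children = new TreeMap<>();
        Integer status; // null for directories that were never requested directly
    }

    /** Strip volatile query parameters so /a?ts=1 and /a?ts=2 become the same entry. */
    static String normalize(String url) {
        URI u = URI.create(url);
        String query = u.getRawQuery();
        if (query == null) return u.getRawPath();
        StringJoiner kept = new StringJoiner("&");
        for (String pair : query.split("&")) {
            String key = pair.split("=", 2)[0];
            if (!VOLATILE_PARAMS.contains(key)) kept.add(pair);
        }
        return kept.length() == 0 ? u.getRawPath() : u.getRawPath() + "?" + kept;
    }

    /** Regular Tree: one node per path segment, status recorded on the leaf that was requested. */
    static Node buildTree(List<Result> results) {
        Node root = new Node();
        for (Result r : results) {
            Node cur = root;
            for (String part : normalize(r.path()).split("/")) {
                if (part.isEmpty()) continue;
                cur = cur.children.computeIfAbsent(part, k -> new Node());
            }
            cur.status = r.status();
        }
        return root;
    }

    /** Redirect Tree: normalized redirect target -> list of normalized source paths. */
    static Map<String, List<String>> redirectGroups(List<Result> results) {
        Map<String, List<String>> groups = new TreeMap<>();
        for (Result r : results) {
            if (r.redirectTo() == null) continue;
            groups.computeIfAbsent(normalize(r.redirectTo()), k -> new ArrayList<>())
                  .add(normalize(r.path()));
        }
        return groups;
    }

    /** Render the tree with two-space indentation per level. */
    static void render(Node node, String indent, StringBuilder out) {
        for (Map.Entry<String, Node> e : node.children.entrySet()) {
            out.append(indent).append(e.getKey());
            if (e.getValue().status != null) out.append("  [").append(e.getValue().status).append(']');
            out.append('\n');
            render(e.getValue(), indent + "  ", out);
        }
    }

    public static void main(String[] args) {
        // Constructed sample results; no real target was scanned.
        List<Result> results = List.of(
            new Result("/", 200, null),
            new Result("/api/", 200, null),
            new Result("/api/v1/users", 200, null),
            new Result("/api/v1/users?ts=1700000000", 200, null),   // collapses into the line above
            new Result("/admin", 302, "/login"),
            new Result("/admin/", 302, "/login?sessionid=abc"),      // same target once normalized
            new Result("/backup.zip", 403, null)
        );

        StringBuilder out = new StringBuilder("Regular Tree:\n");
        render(buildTree(results), "  ", out);
        out.append("Redirect Tree:\n");
        redirectGroups(results).forEach((target, sources) ->
            out.append("  ").append(target).append(" <- ").append(sources).append('\n'));
        System.out.print(out);
    }
}
```

Running it prints a Regular Tree in which `api/v1/users` appears once despite the two differently parameterized requests, and a Redirect Tree with a single `/login` group holding both `/admin` and `/admin/`. Declaring a parameter volatile is a judgement call: a parameter that changes the response (for example a page number) should stay in the key, or distinct resources will be hidden behind one node.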

Screenshots

Regular Tree: representation of the target's existing URL directories

Redirect Tree: URLs grouped by redirect target


Project future

To-do list for future enhancements:

  • Contexts (if a domain has subdomains and you want to scan them at the same time, switching context shows the progress and trees for a particular hostname)
    • Some cross-context communication could exist here (e.g. when one hostname redirects to another)
  • Pass selected URLs, or all 200 URLs, to the site map (one-way sync)
    • A two-way sync could also exist: initialize the tree in the DirDigger extension from the site map and start working from that
  • Add an option to create contexts based on targets (Burp targets)
  • Create a CLI version and modularize the project
  • Save threads and application state in a PostgreSQL database (useful for teams performing application security testing)

Github project link: https://github.com/realbugdigger/DirDigger