Lostfuzzer
A Bash script for automated nuclei DAST scanning using passively collected URLs
Automated URL Recon & DAST Scanning
Overview
This script automates extracting, filtering, and testing passively collected URLs using the gau tool. It checks which URLs are live and then performs DAST (Dynamic Application Security Testing) on them with nuclei.
🚀 Why This Tool?
ParamSpider can emit imbalanced URLs like:
http://testphp.vulnweb.com/listproducts.php?artist=FUZZ&cat=FUZZ
This breaks nuclei DAST scans, because every query parameter needs a valid value for nuclei to inject into. A URL whose values have all been replaced by FUZZ placeholders is not a valid query structure, so nuclei cannot properly process and test each parameter. I also did not use an active crawler, because crawling takes a long time to produce live URLs from a target.
That is why I built this tool: it extracts only valid URLs with complete query parameters, so they are correctly formatted for security testing.
🛠️ What This Tool Does:
✅ Extracts valid URLs with real query parameters
✅ Removes imbalanced/fuzzed queries
✅ Checks live URLs before scanning
✅ Runs Nuclei DAST properly for accurate results
This makes bug hunting faster, cleaner, and more effective! 🚀
Prerequisites
Ensure the following tools are installed and on your PATH before running the script:
- gau (passive URL collection)
- httpx-toolkit (live URL probing)
- nuclei (DAST scanning)
Installation
Clone the repository and navigate into it:
git clone https://github.com/coffinxp/lostfuzzer.git
cd lostfuzzer
Make the script executable:
chmod +x lostfuzzer.sh
Usage
Run the script and follow the prompts:
./lostfuzzer.sh
You'll be asked to provide:
- A target domain or a file containing a list of subdomains
The script will:
- Fetch passive URLs with gau, in parallel when a list of subdomains is supplied
- Filter URLs containing query parameters
- Check which URLs are live using httpx-toolkit
- Run nuclei for DAST scanning
- Save results for manual testing
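The core of that procedure is the filtering step: keeping only URLs that carry a real, balanced query string and dropping the FUZZ-placeholder URLs described above. The script below is an added example and is not lostfuzzer's own code. It implements that filter as a shell function, runs it over a small constructed list of URLs, and shows the full gau -> filter -> httpx-toolkit -> nuclei chain in `run_pipeline`. The tool flags in `run_pipeline` (`gau --subs`, `httpx-toolkit -l -silent -mc 200`, `nuclei -l -dast -o`) are assumptions based on current releases of those tools; the parallel fetching for multiple subdomains is left out, and the sample URL list and output file names are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example, not the lostfuzzer script itself.
set -u

# filter_param_urls: reads URLs on stdin and keeps only the ones nuclei can use.
#   - the URL must contain '?' followed by at least one key=value pair whose value
#     is non-empty (so "page.php?id=" is dropped, "page.php?id=1" is kept)
#   - any URL containing the FUZZ placeholder (ParamSpider-style output) is dropped
#   - the result is de-duplicated so the same URL is not scanned twice
filter_param_urls() {
  grep -E '^https?://[^ ]+\?[^ ]*[^=&?]=[^&=]+' \
    | grep -v -F 'FUZZ' \
    | sort -u
}

# Constructed sample input (not real recon output) covering the cases above:
# a fuzzed URL, a duplicate, an empty value, no query string, and a good URL.
SAMPLE_URLS='http://testphp.vulnweb.com/listproducts.php?artist=FUZZ&cat=FUZZ
http://testphp.vulnweb.com/listproducts.php?cat=1
http://testphp.vulnweb.com/listproducts.php?cat=1
http://testphp.vulnweb.com/artists.php?artist=
http://testphp.vulnweb.com/index.php
https://testphp.vulnweb.com/search.php?test=query'

# filter_sample: applies the filter to the constructed list (used for the demo).
filter_sample() {
  printf '%s\n' "$SAMPLE_URLS" | filter_param_urls
}

# run_pipeline: the chain lostfuzzer automates, for a domain or a file of
# subdomains. Tool flags are assumptions; check them against each tool's --help.
run_pipeline() {
  local target="$1"
  local input
  if [ -f "$target" ]; then input="$(cat "$target")"; else input="$target"; fi

  # 1. Passive URLs from gau (one domain per line on stdin).
  printf '%s\n' "$input" | gau --subs > raw_urls.txt
  # 2. Keep only balanced URLs with real query parameters.
  filter_param_urls < raw_urls.txt > filtered_urls.txt
  # 3. Probe for live URLs (assumption: HTTP 200 means live enough to scan).
  httpx-toolkit -l filtered_urls.txt -silent -mc 200 > live_urls.txt
  # 4. DAST scan with nuclei's DAST templates.
  nuclei -l live_urls.txt -dast -o nuclei_results.txt
}

# Demo: print the two URLs that survive the filter.
filter_sample
```

Running the file prints the two surviving URLs (`listproducts.php?cat=1` once, and `search.php?test=query`); the fuzzed, empty-value, and query-less URLs are dropped. Call `run_pipeline example.com` or `run_pipeline subdomains.txt` on a system where gau, httpx-toolkit and nuclei are installed.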
Output Files
- filtered_urls.txt: filtered URLs with query parameters, for further manual testing
- nuclei_results.txt: results of the DAST scan
Example Output
Disclaimer
This tool is intended for educational and legal security testing purposes only. The author is not responsible for any misuse of this script.
