Skip to content

Releases: projectdiscovery/katana

v1.1.2

02 Dec 10:30
1bf6eba
Compare
Choose a tag to compare

What's Changed

   -td, -tech-detect  enable technology detection (works with jsonl output)

Issue closed in this release - https://github.com/projectdiscovery/katana/milestone/10?closed=1

New Contributors

Full Changelog: v1.1.1...v1.1.2

v1.1.1

28 Oct 13:38
f8486d4
Compare
Choose a tag to compare

⚠️ Breaking Changes:

The Passive Crawling capability is being removed from katana and released as a separate project urlfinder by @dogancanbakir in #899

PASSIVE:
    -ps, -passive                   enable passive sources to discover target endpoints
    -pss, -passive-source string[]  passive source to use for url discovery (waybackarchive,commoncrawl,alienvault)

What's Changed

🎉 New Features

  • Added no-clobber flag to prevent katana from overwriting existing local files. by @dogancanbakir in #827
-ncb, -no-clobber                 do not overwrite output file
  • Added -store-field-dir flag to make per-host field directory optional by @dogancanbakir in #877
   -sfd, -store-field-dir string     store per-host field to custom directory

🐞 Bug Fixes

  • Fixed improper logging configuration by @dogancanbakir in #825
  • Fixed the issue with setting custom headers/cookie headers by @RamanaReddy0M in #813
  • Fixed header marshalling issue by preserving the header name casing by @dogancanbakir in #924
  • Fixed ignoring form data extraction with -form-extraction when action is "#" by @dogancanbakir in #1052
  • Fixed initial host scope checks to allow continued crawling when -crawl-scope is used by @dogancanbakir in #858
  • Fixed duplicate field output when multiple value is used with -field flag by @dogancanbakir in #1031
  • Fixed Dockerfile build errors by updating Golang by @dualfade in #1034
  • Fixed issue where Ctrl-c could not terminate the process in headless mode with -show-browser option by @zrquan in #972
  • Fixed the issue with setting custom headers/cookie headers in headless mode by @michael2to3 in #868
  • Fixed cookie handling in hybrid mode to include in output by @alban-stourbe-wmx in #936

Other Changes

  • The leakless switch is now enabled by default in headless mode, ensuring the browser is terminated when the Go process ends by @dogancanbakir in #831
  • Updated README for recently introduced flag -e by @zy9ard3 in #826
  • Corrected typos in comments by @eveneast in #851
  • Added directive to ensure compatibility with Windows OS or 386 architecture by @Mzack9999 in #841
  • Added deduplication for stored the fields on scan completion by @dogancanbakir in #885
  • Updated README for installation command by @dwisiswant0 in #1015
  • Added a response parser to extract endpoints from htmx attributes by @zrquan in #994
  • Updated chrome launcher logic to prioritize the specified Chrome path with -scp over default paths by @zrquan in #979
  • Added automatic form filling for select and textarea in forms by @alban-stourbe-wmx in #921
  • Disabled headless auto form filling by @dogancanbakir in #918
  • Added more JavaScript Libraries to improve parsing coverage by @geeknik in #900
  • Corrected path handling with filepath.Join to use OS-specific separators. @ShuBo6 in #883
  • Updated Dockerfile to recent Golang and Alpine images by @o6uoq in #886
  • Improved form extraction logic to use HTML placeholder if input value is missing by @fmuttis in #957

New Contributors

Full Changelog: v1.1.0...v1.1.1

v1.1.0

26 Mar 09:21
01b708d
Compare
Choose a tag to compare

What's Changed

🎉 New Features

   -ps, -passive  enable passive sources to discover target endpoints
   -pss, -passive-source string[]  passive source to use for url discovery (waybackarchive,commoncrawl,alienvault)

Example:

katana -u tesla.com -passive -f qurl
...
https://static-assets-pay.tesla.com/api/payment-schema/creditcard?countrycode=dk
https://static-assets-pay.tesla.com/api/paymenttypes/?clientlibrary=payment-website
https://tradepartnertickets.tesla.com/dist/main.css?029b26e9be3aef4fc82c
https://tradepartnertickets.tesla.com/dist/vendors.vendors.css?029b26e9be3aef4fc82c
https://workforce.tesla.com/auth/callback?code=na_921f11c72db1d416c2fb624ea94ab5e1bad5f803
...
...
...
[INF] Found 208114 endpoints for https://tesla.com in 2m11.65937825s (commoncrawl: 128, alienvault: 1615, waybackarchive: 206371)
   -e, -exclude string[]  exclude host matching specified filter ('cdn', 'private-ips', cidr, ip, regex)

🐞 Bug Fixes

Other Changes

New Contributors

Full Changelog: v1.0.5...v1.1.0

v1.0.5

11 Jan 22:04
Compare
Choose a tag to compare

What's Changed

🎉 New Features

  • Added option to disable redirects with -disable-redirects by @ErikOwen in #630
   -dr, -disable-redirects  disable following redirects (default false)

🐞 Bug Fixes

Full Changelog: v1.0.4...v1.0.5

v1.0.4

14 Sep 17:35
Compare
Choose a tag to compare

What's Changed

🎉 New Features

  • Added support for custom regex on field scope -fs option by @c3l3si4n in #571
katana -fs '(company-staging.io|company.com)' -u company.com
  • Added option to disable redirects by @WigzyDev in #588
   -dr, -disable-redirects  disable following redirects (default false)
   -resume string  resume crawl using resume.cfg

🐞 Bug Fixes

Other Changes

New Contributors

Full Changelog: v1.0.3...v1.0.4

v1.0.3

01 Aug 12:26
Compare
Choose a tag to compare

What's Changed

🎉 New Features

   -mdc, -match-condition string  match response with dsl based condition
   -fdc, -filter-condition string  filter response with dsl based condition
   -tlsi, -tls-impersonate  enable experimental client hello (ja3) tls randomization
   -jsl, -jsluice  enable jsluice parsing in javascript file (memory intensive)
  • Added option to parse and include form, input, textarea & select elements in jsonl output by @aristosMiliaressis in #464
   -fx, -form-extraction  extract form, input, textarea & select elements in jsonl output
   -xhr, -xhr-extraction  extract xhr request url,method in jsonl output
  • Added the stored response path information in json output when -j used with -sr option by @ErikOwen in #532

🐞 Bug Fixes

🔨 Maintenance

  • Fixed release workflow to accommodate tree-sitter bindings by @Mzack9999 in #527

Other Changes

   -ct, -crawl-duration value  maximum duration to crawl the target for (s, m, h, d) (default s)
   -cwu, -chrome-ws-url string  use chrome browser instance launched elsewhere with the debugger listening at this URL

New Contributors

Full Changelog: v1.0.2...v1.0.3

v1.0.2

12 Jun 22:40
Compare
Choose a tag to compare

What's Changed

🎉 Features

katana -H cookie.txt -u https://mail.google.com -headless
  • Added option to exclude raw request/response and body in jsonl output by @maik-s in #460
   -or, -omit-raw                    omit raw requests/responses from jsonl output
   -ob, -omit-body                   omit response body from jsonl output

🐞 Bugs

🔨 Maintenance

Issues closed in this release - https://github.com/projectdiscovery/katana/milestone/6?closed=1

New Contributors

Full Changelog: v1.0.1...v1.0.2

v1.0.1

08 Apr 08:37
846693f
Compare
Choose a tag to compare

What's Changed

  • Added support to ignore crawling same path with different query-param by @RamanaReddy0M in #371
   -iqp, -ignore-query-params  ignore crawling same path with different query-param values
katana -u hackerone.com

Issues closed in this release - https://github.com/projectdiscovery/katana/milestone/5?closed=1

New Contributors

Full Changelog: v1.0.0...v1.0.1

v1.0.0

20 Mar 11:03
Compare
Choose a tag to compare

What's Changed

Warning: breaking changes in json output structure.

previous format
{
  "timestamp": "2022-11-05T22:33:27.745815+05:30",
  "endpoint": "https://www.iana.org/domains/example",
  "source": "https://example.com",
  "tag": "a",
  "attribute": "href"
}
new format
{
  "timestamp": "2023-03-20T16:23:58.027559+05:30",
  "request": {
    "method": "GET",
    "endpoint": "https://example.com",
    "tag": "a",
    "attribute": "href",
    "source": "http://www.iana.org/domains/reserved",
    "raw": "GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36\r\nAccept-Encoding: gzip\r\n\r\n"
  },
  "response": {
    "status_code": 200,
    "headers": {
      "accept_ranges": "bytes",
      "expires": "Mon, 27 Mar 2023 10:53:58 GMT",
      "last_modified": "Thu, 17 Oct 2019 07:18:26 GMT",
      "content_type": "text/html; charset=UTF-8",
      "server": "ECS (dcb/7EA3)",
      "vary": "Accept-Encoding",
      "etag": "\"3147526947\"",
      "cache_control": "max-age=604800",
      "x_cache": "HIT",
      "date": "Mon, 20 Mar 2023 10:53:58 GMT",
      "age": "331239"
    },
    "body": "<!doctype html>\n<html>\n<head>\n    <title>Example Domain</title>\n\n    <meta charset=\"utf-8\" />\n    <meta http-equiv=\"Content-type\" content=\"text/html; charset=utf-8\" />\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" />\n    <style type=\"text/css\">\n    body {\n        background-color: #f0f0f2;\n        margin: 0;\n        padding: 0;\n        font-family: -apple-system, system-ui, BlinkMacSystemFont, \"Segoe UI\", \"Open Sans\", \"Helvetica Neue\", Helvetica, Arial, sans-serif;\n        \n    }\n    div {\n        width: 600px;\n        margin: 5em auto;\n        padding: 2em;\n        background-color: #fdfdff;\n        border-radius: 0.5em;\n        box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02);\n    }\n    a:link, a:visited {\n        color: #38488f;\n        text-decoration: none;\n    }\n    @media (max-width: 700px) {\n        div {\n            margin: 0 auto;\n            width: auto;\n        }\n    }\n    </style>    \n</head>\n\n<body>\n<div>\n    <h1>Example Domain</h1>\n    <p>This domain is for use in illustrative examples in documents. You may use this\n    domain in literature without prior coordination or asking for permission.</p>\n    <p><a href=\"https://www.iana.org/domains/example\">More information...</a></p>\n</div>\n</body>\n</html>\n",
    "technologies": [
      "Azure",
      "Amazon ECS",
      "Amazon Web Services",
      "Docker",
      "Azure CDN"
    ],
    "raw": "HTTP/1.1 200 OK\r\nContent-Length: 1256\r\nAccept-Ranges: bytes\r\nAge: 331239\r\nCache-Control: max-age=604800\r\nContent-Type: text/html; charset=UTF-8\r\nDate: Mon, 20 Mar 2023 10:53:58 GMT\r\nEtag: \"3147526947\"\r\nExpires: Mon, 27 Mar 2023 10:53:58 GMT\r\nLast-Modified: Thu, 17 Oct 2019 07:18:26 GMT\r\nServer: ECS (dcb/7EA3)\r\nVary: Accept-Encoding\r\nX-Cache: HIT\r\n\r\n<!doctype html>\n<html>\n<head>\n    <title>Example Domain</title>\n\n    <meta charset=\"utf-8\" />\n    <meta http-equiv=\"Content-type\" content=\"text/html; charset=utf-8\" />\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" />\n    <style type=\"text/css\">\n    body {\n        background-color: #f0f0f2;\n        margin: 0;\n        padding: 0;\n        font-family: -apple-system, system-ui, BlinkMacSystemFont, \"Segoe UI\", \"Open Sans\", \"Helvetica Neue\", Helvetica, Arial, sans-serif;\n        \n    }\n    div {\n        width: 600px;\n        margin: 5em auto;\n        padding: 2em;\n        background-color: #fdfdff;\n        border-radius: 0.5em;\n        box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02);\n    }\n    a:link, a:visited {\n        color: #38488f;\n        text-decoration: none;\n    }\n    @media (max-width: 700px) {\n        div {\n            margin: 0 auto;\n            width: auto;\n        }\n    }\n    </style>    \n</head>\n\n<body>\n<div>\n    <h1>Example Domain</h1>\n    <p>This domain is for use in illustrative examples in documents. You may use this\n    domain in literature without prior coordination or asking for permission.</p>\n    <p><a href=\"https://www.iana.org/domains/example\">More information...</a></p>\n</div>\n</body>\n</html>\n"
  }
}
  • Refactored katana core by @Mzack9999 in #312
    • for synchronous correlation between http request/response
    • added request/response data into json output
    • added status code information in json output
    • updated json output structure
  • Added technology detection of crawled endpoints in json output using wappalyzer by @Mzack9999 in #294
...
    "technologies": [
      "Azure",
      "Amazon ECS",
      "Amazon Web Services",
      "Docker",
      "Azure CDN"
    ],
...
   -mr, -match-regex string[]  regex or list of regex to match on output url (cli, file)
   -fr, -filter-regex string[]  regex or list of regex to filter on output url (cli, file)
   -r, -resolvers string[]  list of custom resolver (file or comma separated)
   -up, -update  update katana to latest version
katana -f ufile -u https://www.tesla.com

Issues closed in release - https://github.com/projectdiscovery/katana/milestone/4

New Contributors

Full Changelog: v0.0.3...v1.0.0

v0.0.3

13 Jan 13:29
8e34ee6
Compare
Choose a tag to compare

What's Changed

Issues closed in release - https://github.com/projectdiscovery/katana/milestone/3?closed=1

New Contributors

Full Changelog: v0.0.2...v0.0.3