gitpaths is a lightweight tool written in Go that lists the folder structure of a GitHub repo without requiring a clone. It simplifies the process of creating custom wordlists for fuzzing.
- Fetches file paths from a repository using the GitHub API. 🔭
- Allows specifying a branch within the target repository. 🎯
- Minimal dependencies and lightweight. 🪶
- Extremely fast! 🚀
gitpaths requires Go 1.21 or later. To install, simply run:
go install -v github.com/mllamazares/gitpaths@latest
gitpaths -h
This command displays help for the tool. Here are the available parameters:
Usage of gitpaths:
  -u string
        GitHub repository URL
  -b string
        Branch name (optional) (default "master")
  -o string
        Output file (optional)
  -silent
        Suppress output to the terminal
  -h    Display help
- Use a tool like Wappalyzer, httpx, nuclei, or whatweb to identify the tech stack of the target endpoint, such as a CRM, CMS, or WordPress plugin.
- Find the corresponding GitHub repository (and branch, if needed) using Google.
- Generate a custom wordlist:
gitpaths -u https://github.com/example/pluginXYZ -b version2.1.23 -o pluginXYZ_wordlist.txt
- Use your preferred fuzzing tool with that wordlist to test which endpoints are reachable on your target:
ffuf -u https://target.com/plugins/FUZZ -w pluginXYZ_wordlist.txt
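The wordlist step above comes down to listing a repository tree through the GitHub API. The sketch below is an added example, not gitpaths' own code: it assumes the REST `git/trees` endpoint with `recursive=1`, the function names are hypothetical, and the JSON response is constructed sample data so it runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample of a recursive git/trees response; not real repository data.
const sampleTree = `{"sha":"0000","truncated":false,"tree":[{"path":"includes","type":"tree"},
 {"path":"includes/admin.php","type":"blob"},{"path":"readme.txt","type":"blob"}]}`

// treeAPIURL maps a github.com/<owner>/<repo> URL and a branch to the tree listing URL.
func treeAPIURL(repoURL, branch string) (string, error) {
	u, err := url.Parse(repoURL)
	if err != nil {
		return "", err
	}
	parts := strings.Split(strings.Trim(strings.TrimSuffix(u.Path, ".git"), "/"), "/")
	if u.Host != "github.com" || len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", fmt.Errorf("not a github.com/<owner>/<repo> URL: %q", repoURL)
	}
	return fmt.Sprintf("https://api.github.com/repos/%s/%s/git/trees/%s?recursive=1", parts[0], parts[1], url.PathEscape(branch)), nil
}

// pathsFromTree returns every path in the response and whether GitHub cut the listing short.
func pathsFromTree(body []byte) ([]string, bool, error) {
	var r struct {
		Truncated bool `json:"truncated"`
		Tree      []struct {
			Path string `json:"path"`
		} `json:"tree"`
	}
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, false, err
	}
	var paths []string
	for _, e := range r.Tree {
		paths = append(paths, e.Path)
	}
	return paths, r.Truncated, nil // truncated == true means the path list is incomplete
}

func main() {
	api, _ := treeAPIURL("https://github.com/example/pluginXYZ", "version2.1.23")
	paths, truncated, _ := pathsFromTree([]byte(sampleTree))
	fmt.Printf("%s\ntruncated=%v\n%s\n", api, truncated, strings.Join(paths, "\n"))
}
```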
- Auto-detect technology and GitHub repo.
- Accept GitHub tokens to avoid rate limiting for large-scale operations.
- Integrate with ffuf for a complete fuzzing experience.
- Clean and refactor code.
Contributions are welcome! Feel free to submit a PR. 🙌