gf

URL pattern matching tool by Tomnomnom for vulnerability filtering

URL FilteringGo

Installation

1go install github.com/tomnomnom/gf@latestInstall via Go

2echo 'xss: <script>alert(1)</script>' >> ~/.gf/patterns/xssAdd custom XSS pattern

3gf -hVerify installation

Basic Usage

Filter URLs vulnerable to XSS

cat all_urls.txt | gf xss > xss.txt

Filter URLs vulnerable to SSRF

cat all_urls.txt | gf ssrf > ssrf.txt

Filter URLs vulnerable to Open Redirect

cat all_urls.txt | gf redirect > redirect.txt

Filter URLs vulnerable to SQL Injection

cat all_urls.txt | gf sql > sql.txt

Filter with multiple vulnerability patterns

cat all_urls.txt | gf sqli,idor > vulns.txt

Key Options

gf <pattern>

Filter URLs by specific pattern

-list

List all saved patterns

-save <name>

Save a new pattern

-rm <name>

Remove a saved pattern

-only

Show only matching results

-no-color

Disable colors in output

Built-in Patterns

xss

Detect input points prone to XSS

ssrf

Detect input points prone to SSRF

sqli

Detect input points prone to SQL Injection

idor

Detect potential IDOR points

redirect

Detect Open Redirect

rce

Detect Remote Code Execution

lfi

Detect Local File Inclusion

ssti

Detect Server-Side Template Injection

When to Use gf?

When you have a large URL file from multiple tools

To quickly filter results by vulnerability type

During post-recon phase

To split URLs by vulnerability type for parallel testing

When working on bug bounty or CTF

Notes & Tips

Created by Tomnomnom (also author of gospider and httpx)

Very fast since it's written in Go

Supports custom patterns via ~/.gf/patterns/

Can be combined with httpx to filter by response status

Supports reading URLs from stdin (piping)

Displays results with different colors per pattern

Can create custom patterns for any vulnerability

Supports JSON output with jq

Common Errors & Solutions

no matching patterns

Add a custom pattern with -save or run gf -list to see available patterns

command not found

Make sure ~/go/bin is in your PATH or reinstall

empty output

There may be no matching URLs — try different patterns

invalid pattern name

Use gf -list to check available pattern names

gf

URL pattern matching tool by Tomnomnom for vulnerability filtering

URL FilteringGo

Installation

1go install github.com/tomnomnom/gf@latestInstall via Go

2echo 'xss: <script>alert(1)</script>' >> ~/.gf/patterns/xssAdd custom XSS pattern

3gf -hVerify installation

Basic Usage

Filter URLs vulnerable to XSS

cat all_urls.txt | gf xss > xss.txt

Filter URLs vulnerable to SSRF

cat all_urls.txt | gf ssrf > ssrf.txt

Filter URLs vulnerable to Open Redirect

cat all_urls.txt | gf redirect > redirect.txt

Filter URLs vulnerable to SQL Injection

cat all_urls.txt | gf sql > sql.txt

Filter with multiple vulnerability patterns

cat all_urls.txt | gf sqli,idor > vulns.txt

Key Options

gf <pattern>

Filter URLs by specific pattern

-list

List all saved patterns

-save <name>

Save a new pattern

-rm <name>

Remove a saved pattern

-only

Show only matching results

-no-color

Disable colors in output

Built-in Patterns

xss

Detect input points prone to XSS

ssrf

Detect input points prone to SSRF

sqli

Detect input points prone to SQL Injection

idor

Detect potential IDOR points

redirect

Detect Open Redirect

rce

Detect Remote Code Execution

lfi

Detect Local File Inclusion

ssti

Detect Server-Side Template Injection

When to Use gf?

When you have a large URL file from multiple tools

To quickly filter results by vulnerability type

During post-recon phase

To split URLs by vulnerability type for parallel testing

When working on bug bounty or CTF

Notes & Tips

Created by Tomnomnom (also author of gospider and httpx)

Very fast since it's written in Go

Supports custom patterns via ~/.gf/patterns/

Can be combined with httpx to filter by response status

Supports reading URLs from stdin (piping)

Displays results with different colors per pattern

Can create custom patterns for any vulnerability

Supports JSON output with jq

Common Errors & Solutions

no matching patterns

Add a custom pattern with -save or run gf -list to see available patterns

command not found

Make sure ~/go/bin is in your PATH or reinstall

empty output

There may be no matching URLs — try different patterns

invalid pattern name

Use gf -list to check available pattern names