gf
Filter URLs by vulnerability type for efficient triaging
Recon & OSINT6 commands
#filter#urls#triage#patterns#go#recon
Installation
1Install using Go
2Add custom patterns
3Verify installation
# Using Go
go install github.com/tomnomnom/gf@latest
# Add custom XSS pattern
echo 'xss: <script>alert(1)</script>' >> ~/.gf/patterns/xss
# Verify
gf -listBasic Usage
Filter URL lists by vulnerability patterns for efficient testing
# Filter XSS URLs
cat all_urls.txt | gf xss > xss.txt
# Filter SSRF URLs
cat all_urls.txt | gf ssrf > ssrf.txt
# Filter Open Redirect
cat all_urls.txt | gf redirect > redirect.txt
# Filter SQL Injection
cat all_urls.txt | gf sql > sql.txt
# Multiple patterns
cat all_urls.txt | gf sqli,idor > vulns.txtCommand Reference
6 commands
1Filter URLs by specified pattern
gf <pattern>2List all saved patterns
-list3Save a new pattern
-save <name>4Remove a saved pattern
-rm <name>5Only show matching URLs
-only6Disable colored output
-no-colorWhen to Use
1
After collecting large URL lists from multiple tools2
Quick triaging of URLs by vulnerability type3
Post-reconnaissance URL filtering4
Preparing URLs for specific vulnerability scanners5
In Bug Bounty workflows for efficient targetingNotes & Tips
1
Created by Tomnomnom (author of gospider, httpx)2
Extremely fast due to Go implementation3
Supports custom patterns in ~/.gf/patterns/4
Can be piped with other tools like httpx5
Reads URLs from stdin (piping)6
Color-codes output by pattern type7
Built-in patterns for common vulnerabilities8
Can create custom patterns for any vulnerabilityCommon Errors & Solutions
no matching patterns
Add custom pattern with -save or check available patterns with -list
command not found
Ensure ~/go/bin is in PATH or reinstall
empty output
No URLs matched the pattern, try different patterns
invalid pattern name
Use -list to see available pattern names