Usage
Scan a Placeholder URL
uv run traverser \
--url "https://example.test/download?file=<>" \
--target /etc/passwd \
--wordlist default.wordlist
The --place value defaults to <>.
Multiple Targets
uv run traverser \
--url "https://example.test/download?file=<>" \
--target /etc/passwd \
--target /etc/hosts
Targets may also come from a file:
uv run traverser \
--url "https://example.test/download?file=<>" \
--target-file targets.txt
Payload Profiles
uv run traverser \
--url "https://example.test/download?file=<>" \
--target /etc/passwd \
--profile linux \
--profile encoded \
--min-depth 1 \
--max-depth 6
Available profiles:
linuxwindowsencodeddouble-encodedmixed-separator
Placement Modes
Placeholder replacement is the default and most flexible mode. Traverser also supports helpers:
uv run traverser --url "https://example.test/download" --target /etc/passwd --query-param file
uv run traverser --url "https://example.test/files" --target /etc/passwd --path-segment
uv run traverser --url "https://example.test/download" --target /etc/passwd --header-value X-File
uv run traverser --url "https://example.test/download" --target /etc/passwd --post-body
Network Controls
uv run traverser \
--url "https://example.test/download?file=<>" \
--target /etc/passwd \
--timeout 5 \
--retries 2 \
--no-follow-redirects
Output
Default output is an ASCII report. JSON output is available for automation:
uv run traverser \
--url "https://example.test/download?file=<>" \
--target /etc/passwd \
--json \
--output findings.json