3.8.3

.github/workflows/auto-merge-dependabot.yml

@@ -19,7 +19,7 @@ jobs:
     steps:
       - name: Dependabot metadata
         id: metadata
-        uses: dependabot/fetch-metadata@v2.4.0
+        uses: dependabot/fetch-metadata@v3.0.0
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
 

.github/workflows/docker.yml

@@ -17,23 +17,23 @@ jobs:
 
     steps:
       - name: checkout sources
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           push: true
           platforms: linux/amd64,linux/arm/v7,linux/arm64/v8,linux/386,linux/ppc64le

.github/workflows/go.yml

@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up Go
         uses: actions/setup-go@v6

.github/workflows/golangci-lint.yml

@@ -8,14 +8,14 @@ jobs:
     timeout-minutes: 30
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - uses: actions/setup-go@v6
         with:
           go-version: "stable"
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@v9
         with:
           version: latest
           args: --timeout=5m

.github/workflows/hadolint.yml

@@ -12,8 +12,8 @@ jobs:
     name: hadolint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
-      - uses: hadolint/hadolint-action@v3.2.0
+      - uses: actions/checkout@v6
+      - uses: hadolint/hadolint-action@v3.3.0
         with:
           dockerfile: Dockerfile
           # DL3007: Using latest is prone to errors if the image will ever update. Pin the version explicitly to a release tag

.github/workflows/release.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -26,7 +26,7 @@ jobs:
           go-version: "stable"
 
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v6.4.0
+        uses: goreleaser/goreleaser-action@v7.0.0
         with:
           distribution: goreleaser
           version: latest

.github/workflows/update.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           ref: dev
 
@@ -28,7 +28,7 @@ jobs:
           go mod tidy
 
       - name: Commit and push changes
-        uses: stefanzweifel/git-auto-commit-action@v5
+        uses: stefanzweifel/git-auto-commit-action@v7
         with:
           commit_message: "chore: update dependencies [automated]"
           branch: dev

.github/workflows/vhs.yml

@@ -3,6 +3,10 @@ on:
   push:
     paths:
       - vhs/**.tape
+  schedule:
+    # every week
+    - cron: "0 0 * * 0"
+  workflow_dispatch:
 
 permissions:
   contents: write
@@ -11,7 +15,7 @@ jobs:
   vhs:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Set up Go
         uses: actions/setup-go@v6
@@ -29,19 +33,23 @@ jobs:
       - name: Build linux
         run: task linux
 
-      - name: Install deps
+      - name: Install vhs deps
         run: |
           sudo apt update
           sudo apt install -y ffmpeg ttyd
 
-      - uses: charmbracelet/vhs-action@v2
-        with:
-          path: "vhs/gobuster_dir.tape"
+      - name: Install vhs
+        run: |
+          go install github.com/charmbracelet/vhs@latest
+
+      - name: Generate vhs gif
+        run: |
+          vhs vhs/gobuster_dir.tape -o vhs/gobuster_dir.gif
 
       - name: commit and push changes
         run: |
           git config user.name "Github"
           git config user.email "<>"
           git add vhs/*.gif
           git commit -m "update vhs gifs" || echo "no changes to commit"
-          git push origin master
+          git push

.github/workflows/yamllint.yml

@@ -13,7 +13,7 @@ jobs:
     name: yamllint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: karancode/yamllint-github-action@master
         with:
           # fail on warnings and errors

.gitignore

@@ -30,3 +30,4 @@ config.json
 gobuster
 *.txt
 dist/
+wordlist

README.md

@@ -129,6 +129,13 @@ gobuster dir -u https://example.com -w wordlist.txt -l
 
 # Filter by status codes
 gobuster dir -u https://example.com -w wordlist.txt -s 200,301,302
+
+# Filter using a regex against the response body
+# This can be handy for websites that return status code 200 for everything, but the html contains an error message
+gobuster dir -u https://example.com -w wordlist.txt -re "error\shello"
+
+# Filter using a regex but inverted against the response body
+gobuster dir -u https://example.com -w wordlist.txt -rei "(?i)\berror\b"
 ```
 
 #### 🔍 DNS Mode (`dns`)
@@ -344,6 +351,18 @@ _Remember: Always test responsibly and with proper authorization._
 
 <details>
 
+<summary>3.8.3</summary>
+
+## 3.8.3
+
+- Add option to filter body by regex
+- Add option to save response bodies
+- Allow comma in Header values passed via the CLI
+
+</details>
+
+<details>
+
 <summary>3.8.2</summary>
 
 ## 3.8.2

cli/dir/dir.go

@@ -3,6 +3,7 @@ package dir
 import (
 	"errors"
 	"fmt"
+	"regexp"
 
 	internalcli "github.com/OJ/gobuster/v3/cli"
 	"github.com/OJ/gobuster/v3/gobusterdir"
@@ -36,11 +37,19 @@ func getFlags() []cli.Flag {
 		&cli.BoolFlag{Name: "discover-backup", Aliases: []string{"db"}, Value: false, Usage: "Upon finding a file search for backup files by appending multiple backup extensions"},
 		&cli.StringFlag{Name: "exclude-length", Aliases: []string{"xl"}, Usage: "exclude the following content lengths (completely ignores the status). You can separate multiple lengths by comma and it also supports ranges like 203-206"},
 		&cli.BoolFlag{Name: "force", Value: false, Usage: "Continue even if the prechecks fail. Please only use this if you know what you are doing, it can lead to unexpected results."},
+		&cli.StringFlag{Name: "regex", Aliases: []string{"re"}, Usage: "Use regex to filter the results, by inspecting the content of the response body. When using this option be sure to set the status-codes and status-codes-blacklist options accordingly. The regex check is done after the status code checks. Only responses matching the regex will be displayed."},
+		&cli.StringFlag{Name: "regex-invert", Aliases: []string{"rei"}, Usage: "Use regex to filter the results, but inverted, by inspecting the content of the response body. When using this option be sure to set the status-codes and status-codes-blacklist options accordingly. The regex check is done after the status code checks. Only responses NOT matching the regex will be displayed."},
 	}...)
 	return flags
 }
 
 func run(c *cli.Context) error {
+	globalOpts, err := internalcli.ParseGlobalOptions(c)
+	if err != nil {
+		return err
+	}
+	log := libgobuster.NewLogger(globalOpts.Debug)
+
 	pluginOpts := gobusterdir.NewOptions()
 
 	httpOptions, err := internalcli.ParseCommonHTTPOptions(c)
@@ -101,12 +110,26 @@ func run(c *cli.Context) error {
 	}
 	pluginOpts.ExcludeLengthParsed = ret4
 
-	globalOpts, err := internalcli.ParseGlobalOptions(c)
-	if err != nil {
-		return err
+	if c.IsSet("regex") && c.IsSet("regex-invert") {
+		return errors.New("regex and regex-invert are mutually exclusive, please set only one")
 	}
 
-	log := libgobuster.NewLogger(globalOpts.Debug)
+	if c.IsSet("regex") && c.String("regex") != "" {
+		regex, err := regexp.Compile(c.String("regex"))
+		if err != nil {
+			return fmt.Errorf("invalid value for regex: %w", err)
+		}
+		pluginOpts.Regex = regex
+	}
+
+	if c.IsSet("regex-invert") && c.String("regex-invert") != "" {
+		regex, err := regexp.Compile(c.String("regex-invert"))
+		if err != nil {
+			return fmt.Errorf("invalid value for regex-invert: %w", err)
+		}
+		pluginOpts.Regex = regex
+		pluginOpts.RegexInvert = true
+	}
 
 	plugin, err := gobusterdir.New(&globalOpts, pluginOpts, log)
 	if err != nil {

cli/options.go

@@ -129,7 +129,8 @@ func CommonHTTPOptions() []cli.Flag {
 		&cli.BoolFlag{Name: "follow-redirect", Aliases: []string{"r"}, Value: false, Usage: "Follow redirects"},
 		&cli.StringSliceFlag{Name: "headers", Aliases: []string{"H"}, Usage: "Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2'"},
 		&cli.BoolFlag{Name: "no-canonicalize-headers", Aliases: []string{"nch"}, Value: false, Usage: "Do not canonicalize HTTP header names. If set header names are sent as is"},
-		&cli.StringFlag{Name: "method", Aliases: []string{"m"}, Value: "GET", Usage: "the password to the p12 file"},
+		&cli.StringFlag{Name: "method", Aliases: []string{"m"}, Value: "GET", Usage: "Specify HTTP method"},
+		&cli.StringFlag{Name: "body-output-dir", Usage: "Directory to store response bodies"},
 	}...)
 	flags = append(flags, BasicHTTPOptions()...)
 	return flags
@@ -209,6 +210,14 @@ func ParseCommonHTTPOptions(c *cli.Context) (libgobuster.HTTPOptions, error) {
 		opts.Headers = append(opts.Headers, header)
 	}
 
+	if c.IsSet("body-output-dir") {
+		opts.BodyOutputDir = c.String("body-output-dir")
+		err = os.MkdirAll(opts.BodyOutputDir, 0o755)
+		if err != nil {
+			return opts, fmt.Errorf("could not create body output dir %q: %w", opts.BodyOutputDir, err)
+		}
+	}
+
 	return opts, nil
 }
 

go.mod

@@ -1,15 +1,15 @@
 module github.com/OJ/gobuster/v3
 
-go 1.25
+go 1.25.0
 
 require (
-	github.com/fatih/color v1.18.0
+	github.com/fatih/color v1.19.0
 	github.com/google/uuid v1.6.0
-	github.com/pin/tftp/v3 v3.1.0
+	github.com/pin/tftp/v3 v3.2.0
 	github.com/urfave/cli/v2 v2.27.7
 	go.uber.org/automaxprocs v1.6.0
-	golang.org/x/term v0.37.0
-	software.sslmate.com/src/go-pkcs12 v0.6.0
+	golang.org/x/term v0.41.0
+	software.sslmate.com/src/go-pkcs12 v0.7.0
 )
 
 require (
@@ -19,13 +19,13 @@ require (
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/xrash/smetrics v0.0.0-20250705151800-55b8f293f342 // indirect
-	golang.org/x/crypto v0.45.0 // indirect
-	golang.org/x/mod v0.27.0 // indirect
-	golang.org/x/net v0.47.0 // indirect
-	golang.org/x/sync v0.16.0 // indirect
-	golang.org/x/sys v0.38.0 // indirect
-	golang.org/x/tools v0.36.0 // indirect
-	mvdan.cc/gofumpt v0.9.0 // indirect
+	golang.org/x/crypto v0.49.0 // indirect
+	golang.org/x/mod v0.33.0 // indirect
+	golang.org/x/net v0.52.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
+	golang.org/x/tools v0.42.0 // indirect
+	mvdan.cc/gofumpt v0.9.2 // indirect
 )
 
 tool mvdan.cc/gofumpt