wpscan 3.8.28 → 4.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0a16ee5b06248c761525128f4b8f863aab9033aadf4c0889bd5d86e83ecc5800
-  data.tar.gz: 901bb851ff149164f979ece4584a3ba6123f28368fc9e0ec33de1a662e5e3a24
+  metadata.gz: 4a35937f16511c0e2d5fe332f45489703704f91e2d38d48b46d4f42fb5fe153f
+  data.tar.gz: 2ced1bd5e24ce8d891d298d383c9a79b03d6d05fd614de60da7cf46808138a62
 SHA512:
-  metadata.gz: 408795d09c4ab77f9d080f89d2fa952a1c27e65b54f707f81efed9a7c37c02387144ed88205688d44b224c3e69101c86a70b83bfcd2af42119957f07443148c6
-  data.tar.gz: b4290ac6cb2825dbe35291472f7e410a511394b495589a33f59b1ab54a8b275d3adb2a2da08372510b7914c14297f1a4e48638da0c16c9248ce9c48e35f47f0c
+  metadata.gz: 2ebbec3ada4d857b9be598636dbeaa65d524f3be1733204920f8fe23d03bf8ef6e3a9e446a3dbbfabda70d6da41562c7bb28115d5133497b002ad69ec6464731
+  data.tar.gz: d909b0d2ee28f28fb698c07301a4d42c6118cc6e4d7245b05e0ba329bc90a8a52f2af189c10dc437a7973db5ff4afd46604e5ce0e3889bdb6efdaaeccc879ed3

data/README.md

@@ -1,6 +1,6 @@
 <p align="center">
   <a href="https://wpscan.com/">
-    <img src="https://raw.githubusercontent.com/wpscanteam/wpscan/gh-pages/images/wpscan_logo.png" alt="WPScan logo">
+    <img src="https://raw.githubusercontent.com/wpscanteam/wpscan/5af15af5e7d67ee7c6e5e4ebcf75c1dfabfa123b/images/wpscan_logo.png" alt="WPScan logo">
   </a>
 </p>
 
@@ -17,19 +17,20 @@
   <a href="https://badge.fury.io/rb/wpscan" target="_blank"><img src="https://badge.fury.io/rb/wpscan.svg"></a>
   <a href="https://hub.docker.com/r/wpscanteam/wpscan/" target="_blank"><img src="https://img.shields.io/docker/pulls/wpscanteam/wpscan.svg"></a>
   <a href="https://github.com/wpscanteam/wpscan/actions?query=workflow%3ABuild" target="_blank"><img src="https://github.com/wpscanteam/wpscan/workflows/Build/badge.svg"></a>
-  <a href="https://codeclimate.com/github/wpscanteam/wpscan" target="_blank"><img src="https://codeclimate.com/github/wpscanteam/wpscan/badges/gpa.svg"></a>
+  <a href="https://qlty.sh/gh/wpscanteam/projects/wpscan" target="_blank"><img src="https://qlty.sh/gh/wpscanteam/projects/wpscan/maintainability.svg" alt="Maintainability"></a>
+  <a href="https://coveralls.io/github/wpscanteam/wpscan?branch=master" target="_blank"><img src="https://coveralls.io/repos/github/wpscanteam/wpscan/badge.svg?branch=master" alt="Coverage Status"></a>
 </p>
 
 # INSTALL
 
 ## Prerequisites
 
-- (Optional but highly recommended: [RVM](https://rvm.io/rvm/install))
-- Ruby >= 3.0 - Recommended: latest
-- Curl >= 7.72  - Recommended: latest
+- (Optional but highly recommended: [rbenv](https://github.com/rbenv/rbenv))
+- Ruby >= 3.3 - Recommended: latest stable
+- Curl >= 7.72 - Recommended: latest stable
   - The 7.29 has a segfault
   - The < 7.72 could result in `Stream error in the HTTP/2 framing layer` in some cases
-- RubyGems      - Recommended: latest
+- RubyGems - Recommended: latest stable
 - Nokogiri might require packages to be installed via your package manager depending on your OS, see https://nokogiri.org/tutorials/installing_nokogiri.html
 
 ### In a Pentesting distribution
@@ -44,11 +45,33 @@ brew install wpscanteam/tap/wpscan
 
 ### From RubyGems
 
+WPScan depends on gems with native extensions (e.g. `yajl-ruby`, `nokogiri`, `ffi`), so a working C toolchain and Ruby development headers must be present before `gem install wpscan`. Without them, the install fails with errors like `Failed to build gem native extension` or `make: x86_64-linux-gnu-gcc: No such file or directory` (see [#1844](https://github.com/wpscanteam/wpscan/issues/1844)).
+
+- **Debian / Ubuntu**:
+  ```shell
+  sudo apt install build-essential ruby-dev
+  ```
+- **Fedora / RHEL / CentOS**:
+  ```shell
+  sudo dnf install @development-tools ruby-devel
+  ```
+- **Arch Linux**:
+  ```shell
+  sudo pacman -S base-devel ruby
+  ```
+- **Alpine**:
+  ```shell
+  sudo apk add build-base ruby-dev
+  ```
+- **macOS**: install the Xcode Command Line Tools (`xcode-select --install`).
+
+Then install the gem:
+
 ```shell
 gem install wpscan
 ```
 
-On MacOSX, if a ```Gem::FilePermissionError``` is raised due to the Apple's System Integrity Protection (SIP), either install RVM and install wpscan again, or run ```sudo gem install -n /usr/local/bin wpscan``` (see [#1286](https://github.com/wpscanteam/wpscan/issues/1286))
+On MacOSX, if a ```Gem::FilePermissionError``` is raised due to Apple's System Integrity Protection (SIP), either install RVM and install wpscan again, or run ```sudo gem install -n /usr/local/bin wpscan``` (see [#1286](https://github.com/wpscanteam/wpscan/issues/1286))
 
 # Updating
 
@@ -63,55 +86,87 @@ Pull the repo with ```docker pull wpscanteam/wpscan```
 Enumerating usernames
 
 ```shell
-docker run -it --rm wpscanteam/wpscan --url https://target.tld/ --enumerate u
+docker run -it --rm -v wpscan-db:/wpscan/.cache/wpscan/db wpscanteam/wpscan --url https://target.tld/ --enumerate u
 ```
 
 Enumerating a range of usernames
 
 ```shell
-docker run -it --rm wpscanteam/wpscan --url https://target.tld/ --enumerate u1-100
+docker run -it --rm -v wpscan-db:/wpscan/.cache/wpscan/db wpscanteam/wpscan --url https://target.tld/ --enumerate u1-100
 ```
 
 ** replace u1-100 with a range of your choice.
 
+## Persisting the local database
+
+The image ships with a copy of the local database baked in at build time. Because the example commands above use `--rm`, any database update performed during a run is discarded when the container exits, so the next run starts again from the (potentially stale) baked-in copy.
+
+Mounting a named volume at `/wpscan/.cache/wpscan/db` (the `wpscan` user's cache directory inside the container) keeps the database across runs, so `wpscan --update` only re-downloads files whose checksums actually changed and the 5-day staleness prompt behaves as it would for a local install:
+
+```shell
+docker run -it --rm -v wpscan-db:/wpscan/.cache/wpscan/db wpscanteam/wpscan --update
+```
+
+The named volume is created automatically on first use if it doesn't already exist.
+
 # Usage
 
 Full user documentation can be found here; https://github.com/wpscanteam/wpscan/wiki/WPScan-User-Documentation
 
-```wpscan --url blog.tld``` This will scan the blog using default options with a good compromise between speed and accuracy. For example, the plugins will be checked passively but their version with a mixed detection mode (passively + aggressively). Potential config backup files will also be checked, along with other interesting findings.
+```wpscan --url blog.tld``` This will scan the blog using default options with a good compromise between speed and accuracy. It performs version detection, theme detection, and interesting findings discovery. To enumerate plugins, themes, users, backup folders, etc., use the `-e` option (e.g., `-e ap` for all plugins, `-e vp` for vulnerable plugins, `-e bf` for backup folders).
 
 If a more stealthy approach is required, then ```wpscan --stealthy --url blog.tld``` can be used.
 As a result, when using the ```--enumerate``` option, don't forget to set the ```--plugins-detection``` accordingly, as its default is 'passive'.
 
 For more options, open a terminal and type ```wpscan --help``` (if you built wpscan from the source, you should type the command outside of the git repo)
 
-The DB is located at ~/.wpscan/db
+## Database Location
+
+The database location follows the [XDG Base Directory Specification](https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html):
+
+- **New installations**: `~/.cache/wpscan/db` (or `$XDG_CACHE_HOME/wpscan/db` if set)
+- **Existing installations**: `~/.wpscan/db` (legacy path, maintained for backward compatibility)
+
+Runtime files such as the default HTTP cache and cookie jar are stored under `$TMPDIR/wpscan` when
+`$TMPDIR` is set. Otherwise they use the same per-user XDG cache directory, for example
+`~/.cache/wpscan/cache` and `~/.cache/wpscan/cookie_jar.txt`. These defaults can be overridden
+with `--cache-dir` and `--cookie-jar`.
+
+To migrate an existing installation to the XDG path:
+
+```shell
+mv ~/.wpscan ~/.cache/wpscan
+```
 
 ## Optional: WordPress Vulnerability Database API
 
-The WPScan CLI tool uses the [WordPress Vulnerability Database API](https://wpscan.com/api) to retrieve WordPress vulnerability data in real time. For WPScan to retrieve the vulnerability data an API token must be supplied via the `--api-token` option, or via a configuration file, as discussed below. An API token can be obtained by registering an account on [WPScan.com](https://wpscan.com/register).
+The WPScan CLI tool uses the [WordPress Vulnerability Database API](https://wpscan.com/api) to retrieve WordPress vulnerability data in real-time. For WPScan to retrieve the vulnerability data an API token must be supplied via the `--api-token` option, or via a configuration file, as discussed below. An API token can be obtained by registering an account on [WPScan.com](https://wpscan.com/register).
 
 Up to **25** API requests per day are given free of charge, that should be suitable to scan most WordPress websites at least once per day. When the daily 25 API requests are exhausted, WPScan will continue to work as normal but without any vulnerability data.
 
 ### How many API requests do you need?
 
-- Our WordPress scanner makes one API request for the WordPress version, one request per installed plugin and one request per installed theme.
+- Our WordPress scanner makes one API request for the WordPress version, one request per installed plugin, and one request per the installed theme.
 - On average, a WordPress website has 22 installed plugins.
 
 ## Load CLI options from file/s
 
-WPScan can load all options (including the --url) from configuration files, the following locations are checked (order: first to last):
+WPScan can load all options (including the `--url`) from configuration files, the following locations are checked (order: first to last):
 
-- ~/.wpscan/scan.json
-- ~/.wpscan/scan.yml
-- pwd/.wpscan/scan.json
-- pwd/.wpscan/scan.yml
+- `$XDG_CONFIG_HOME/wpscan/scan.json` (if `XDG_CONFIG_HOME` is set)
+- `$XDG_CONFIG_HOME/wpscan/scan.yml` (if `XDG_CONFIG_HOME` is set)
+- `~/.config/wpscan/scan.json` (if `XDG_CONFIG_HOME` is not set)
+- `~/.config/wpscan/scan.yml` (if `XDG_CONFIG_HOME` is not set)
+- `~/.wpscan/scan.json`
+- `~/.wpscan/scan.yml`
+- `pwd/.wpscan/scan.json`
+- `pwd/.wpscan/scan.yml`
 
 If those files exist, options from the `cli_options` key will be loaded and overridden if found twice.
 
 e.g:
 
-~/.wpscan/scan.yml:
+`~/.config/wpscan/scan.yml`:
 
 ```yml
 cli_options:
@@ -119,7 +174,7 @@ cli_options:
   verbose: true
 ```
 
-pwd/.wpscan/scan.yml:
+`pwd/.wpscan/scan.yml`:
 
 ```yml
 cli_options:
@@ -127,11 +182,19 @@ cli_options:
   url: 'http://target.tld'
 ```
 
-Running ```wpscan``` in the current directory (pwd), is the same as ```wpscan -v --proxy socks5://127.0.0.1:9090 --url http://target.tld```
+Running ```wpscan``` in the current directory (pwd) is the same as ```wpscan -v --proxy socks5://127.0.0.1:9090 --url http://target.tld```
+
+Other command line options can be added by using snake case convention. e.g:
+```yml
+cli_options:
+  user_agent: "Testing UA"
+  max_threads: 1
+  headers: "Custom-Header: aaaa; Another Header: bbb"
+```
 
 ## Save API Token in a file
 
-The feature mentioned above is useful to keep the API Token in a config file and not have to supply it via the CLI each time. To do so, create the ~/.wpscan/scan.yml file containing the below:
+The feature mentioned above is useful to keep the API Token in a config file and not have to supply it via the CLI each time. To do so, create the ~/.config/wpscan/scan.yml file containing the below:
 
 ```yml
 cli_options:
@@ -142,6 +205,9 @@ cli_options:
 
 The API Token will be automatically loaded from the ENV variable `WPSCAN_API_TOKEN` if present. If the `--api-token` CLI option is also provided, the value from the CLI will be used.
 
+## API Service Status
+
+If you experience connection issues with the WPScan API, you can check the service status at https://status.wpscan.com/. When API connection errors occur, WPScan will include a link to the status page in the error message.
 
 ## Enumerating usernames
 
@@ -157,13 +223,21 @@ wpscan --url https://target.tld/ --enumerate u1-100
 
 ** replace u1-100 with a range of your choice.
 
+## Enumerating backup folders
+
+```shell
+wpscan --url https://target.tld/ --enumerate bf
+```
+
+This will check for backup folders created by popular WordPress backup plugins. These folders may contain sensitive data like database dumps, configuration files, or full site backups.
+
 # LICENSE
 
 ## WPScan Public Source License
 
 The WPScan software (henceforth referred to simply as "WPScan") is dual-licensed - Copyright 2011-2019 WPScan Team.
 
-Cases that include commercialization of WPScan require a commercial, non-free license. Otherwise, WPScan can be used without charge under the terms set out below.
+Cases that include the commercialization of WPScan require a commercial, non-free license. Otherwise, WPScan can be used without charge under the terms set out below.
 
 ### 1. Definitions
 
@@ -175,15 +249,15 @@ Cases that include commercialization of WPScan require a commercial, non-free li
 
 ### 2. Commercialization
 
-A commercial use is one intended for commercial advantage or monetary compensation.
+Commercial use is one intended for commercial advantage or monetary compensation.
 
 Example cases of commercialization are:
 
 - Using WPScan to provide commercial managed/Software-as-a-Service services.
 - Distributing WPScan as a commercial product or as part of one.
-- Using WPScan as a value added service/product.
+- Using WPScan as a value-added service/product.
 
-Example cases which do not require a commercial license, and thus fall under the terms set out below, include (but are not limited to):
+Example cases that do not require a commercial license, and thus fall under the terms set out below, include (but are not limited to):
 
 - Penetration testers (or penetration testing organizations) using WPScan as part of their assessment toolkit.
 - Penetration Testing Linux Distributions including but not limited to Kali Linux, SamuraiWTF, BackBox Linux.
@@ -214,9 +288,9 @@ Modification is permitted so long as it does not conflict with the Redistributio
 
 Any Contributions assume the Contributor grants the WPScan Team the unlimited, non-exclusive right to reuse, modify and relicense the Contributor's content.
 
-### 7. Support
+### 7. Support, updates, and maintenance 
 
-WPScan is provided under an AS-IS basis and without any support, updates or maintenance. Support, updates and maintenance may be given according to the sole discretion of the WPScan Team.
+WPScan is provided under an AS-IS basis and without any support, updates, or maintenance. Support, updates and maintenance may be given according to the sole discretion of the WPScan Team.
 
 ### 8. Disclaimer of Warranty
 
@@ -224,11 +298,11 @@ WPScan is provided under this License on an “as is” basis, without warranty
 
 ### 9. Limitation of Liability
 
-To the extent permitted under Law, WPScan is provided under an AS-IS basis. The WPScan Team shall never, and without any limit, be liable for any damage, cost, expense or any other payment incurred as a result of WPScan's actions, failure, bugs and/or any other interaction between WPScan and end-equipment, computers, other software or any 3rd party, end-equipment, computer or services.
+To the extent permitted under Law, WPScan is provided under an AS-IS basis. The WPScan Team shall never, and without any limit, be liable for any damage, cost, expense or any other payment incurred as a result of WPScan's actions, failure, bugs, and/or any other interaction between WPScan and end-equipment, computers, other software or any 3rd party, end-equipment, computer or services.
 
 ### 10. Disclaimer
 
-Running WPScan against websites without prior mutual consent may be illegal in your country. The WPScan Team accept no liability and are not responsible for any misuse or damage caused by WPScan.
+Running WPScan against websites without prior mutual consent may be illegal in your country. The WPScan Team accepts no liability and is not responsible for any misuse or damage caused by WPScan.
 
 ### 11. Trademark
 

data/app/app.rb

@@ -1,5 +1,31 @@
 # frozen_string_literal: true
 
+# Formatters
+require_relative 'formatters/cli'
+require_relative 'formatters/cli_no_colour'
+require_relative 'formatters/cli_no_color'
+require_relative 'formatters/json'
+require_relative 'formatters/jsonl'
+require_relative 'formatters/sarif'
+
+# Base controllers
+require_relative 'controllers/core'
+require_relative 'controllers/interesting_findings'
+
+# Base models
+require_relative 'models/interesting_finding'
+require_relative 'models/robots_txt'
+require_relative 'models/fantastico_fileslist'
+require_relative 'models/search_replace_db_2'
+require_relative 'models/headers'
+require_relative 'models/xml_rpc'
+require_relative 'models/version'
+require_relative 'models/user'
+
+# Base finders
+require_relative 'finders/interesting_findings'
+
+# WordPress-specific extensions
 require_relative 'models'
 require_relative 'finders'
 require_relative 'controllers'

data/app/controllers/aliases.rb

@@ -3,11 +3,11 @@
 module WPScan
   module Controller
     # Controller to add the aliases in the CLI
-    class Aliases < CMSScanner::Controller::Base
+    class Aliases < WPScan::Controller::Base
       def cli_options
         [
           OptAlias.new(['--stealthy'],
-                       alias_for: '--random-user-agent --detection-mode passive --plugins-version-detection passive')
+                       alias_for: '--random-user-agent --detection-mode passive')
         ]
       end
     end

data/app/controllers/authenticated_inventory.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Controller
+    # Fetches an authoritative inventory of installed plugins and themes from the
+    # WordPress REST API using admin credentials (--wp-auth). Pre-populates the
+    # target's @plugins / @themes / @main_theme so the regular enumeration
+    # controllers skip detection for those items.
+    class AuthenticatedInventory < WPScan::Controller::Base
+      def run
+        return unless ParsedCli.wp_auth
+
+        output('@info', msg: 'Fetching authoritative inventory via WP REST API (/wp-json/wp/v2/)') if user_interaction?
+
+        plugins = plugins_finder.aggressive(userpwd: userpwd)
+        themes  = themes_finder.aggressive(userpwd: userpwd)
+
+        target.instance_variable_set(:@plugins, plugins)
+        target.instance_variable_set(:@themes, themes)
+
+        active = themes.find { |t| t.instance_variable_get(:@wp_json_active) }
+        target.instance_variable_set(:@main_theme, active) if active
+
+        formatter.output('plugins', { plugins: plugins, verbose: ParsedCli.verbose }, 'enumeration')
+        formatter.output('themes',  { themes: themes, verbose: ParsedCli.verbose }, 'enumeration')
+      end
+
+      private
+
+      def plugins_finder
+        @plugins_finder ||= Finders::Plugins::WpJsonApi.new(target)
+      end
+
+      def themes_finder
+        @themes_finder ||= Finders::Themes::WpJsonApi.new(target)
+      end
+
+      def userpwd
+        "#{ParsedCli.wp_auth[:username]}:#{ParsedCli.wp_auth[:password]}"
+      end
+    end
+  end
+end

data/app/controllers/core/cli_options.rb

@@ -0,0 +1,151 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Controller
+    # CLI Options for the Core Controller
+    class Core < Base
+      def base_cli_options
+        formats = WPScan::Formatter.availables
+
+        [
+          OptURL.new(['-u', '--url URL', 'The URL to scan'],
+                     required_unless: %i[help hh version],
+                     default_protocol: 'http'),
+          OptBoolean.new(['--force', 'Do not check if target returns a 403'])
+        ] + mixed_cli_options + [
+          OptFilePath.new(['-o', '--output FILE', 'Output to FILE'], writable: true, exists: false),
+          OptChoice.new(['-f', '--format FORMAT',
+                         'Output results in the format supplied'], choices: formats),
+          OptBoolean.new(['--[no-]stream',
+                          'Emit enumeration findings (plugins/themes/users) as they are discovered, ' \
+                          'instead of waiting until each enumeration step completes. ' \
+                          'Has no effect on the json or sarif output formats, which always batch.'],
+                         default: true),
+          OptChoice.new(['--detection-mode MODE'],
+                        choices: %w[mixed passive aggressive],
+                        normalize: :to_sym,
+                        default: :mixed),
+          OptArray.new(['--scope DOMAINS',
+                        'Comma separated (sub-)domains to consider in scope. ',
+                        'Wildcard(s) allowed in the trd of valid domains, e.g: *.target.tld'], advanced: true),
+          OptArray.new(['--exclude-vulns UUIDs',
+                        'Comma separated list of vulnerability UUIDs to exclude. ',
+                        'Format: UUID (e.g: c099c1da-3750-4e63-8af9-929e773bbe57)'], advanced: true)
+        ] + cli_browser_options
+      end
+
+      def mixed_cli_options
+        [
+          OptBoolean.new(['-h', '--help', 'Display the simple help and exit']),
+          OptBoolean.new(['--hh', 'Display the full help and exit']),
+          OptBoolean.new(['--version', 'Display the version and exit']),
+          OptBoolean.new(['--ignore-main-redirect',
+                          'Ignore the main redirect (if any) and scan the target url. ' \
+                          'Has no effect if --follow-redirect is set.'],
+                         advanced: true),
+          OptBoolean.new(['--follow-redirect', 'Automatically update the URL to the destination of the redirect'],
+                         advanced: true),
+          OptBoolean.new(['-v', '--verbose', 'Verbose mode']),
+          OptBoolean.new(['--[no-]banner', 'Whether or not to display the banner'], default: true),
+          OptPositiveInteger.new(['--max-scan-duration SECONDS',
+                                  'Abort the scan if it exceeds the time provided in seconds'],
+                                 advanced: true),
+          OptPositiveInteger.new(['--max-log-file-size MiB',
+                                  'Skip inspection of PHP log files (debug.log, error_log, ...) ' \
+                                  'when their advertised or transferred size exceeds this value, in MiB. ' \
+                                  'Guards against memory exhaustion on sites serving huge log files.'],
+                                 default: 20, advanced: true)
+        ]
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_browser_options
+        cli_browser_headers_options + [
+          OptBoolean.new(['--random-user-agent', '--rua',
+                          'Use a random user-agent for each scan']),
+          OptFilePath.new(['--user-agents-list FILE-PATH',
+                           'List of agents to use with --random-user-agent'],
+                          exists: true,
+                          advanced: true,
+                          default: APP_DIR.join('user_agents.txt')),
+          OptCredentials.new(['--http-auth login:password',
+                              'Basic HTTP authentication, beware that the $ character must be properly escaped.']),
+          OptCredentials.new(['--wp-auth login:password',
+                              'WordPress admin credentials used to query the REST API for an authoritative ' \
+                              'inventory of installed plugins and themes (/wp-json/wp/v2/plugins and /themes). ' \
+                              'When provided, plugin/theme enumeration via -e is bypassed. ' \
+                              'The password MUST be a WordPress Application Password (WP >= 5.6, ' \
+                              'created at Users -> Profile -> Application Passwords). ' \
+                              'Real account passwords are rejected by WordPress core over Basic Auth.']),
+          OptPositiveInteger.new(['-t', '--max-threads VALUE', 'The max threads to use'],
+                                 default: 5),
+          OptPositiveInteger.new(['--throttle MilliSeconds', 'Milliseconds to wait before doing another web request. ' \
+                                                             'If used, the max threads will be set to 1.']),
+          OptPositiveInteger.new(['--request-timeout SECONDS', 'The request timeout in seconds'],
+                                 default: 60),
+          OptPositiveInteger.new(['--connect-timeout SECONDS', 'The connection timeout in seconds'],
+                                 default: 30),
+          OptBoolean.new(['--disable-tls-checks',
+                          'Disables SSL/TLS certificate verification, and downgrade to TLS1.0+ ' \
+                          '(requires cURL 7.66 for the latter)'])
+        ] + cli_browser_proxy_options + cli_browser_cookies_options + cli_browser_cache_options
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_browser_headers_options
+        [
+          OptString.new(['--user-agent VALUE', '--ua']),
+          OptHeaders.new(['--headers HEADERS', 'Additional headers to append in requests'], advanced: true),
+          OptString.new(['--vhost VALUE', 'The virtual host (Host header) to use in requests'], advanced: true)
+        ]
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_browser_proxy_options
+        [
+          OptProxy.new(['--proxy protocol://IP:port',
+                        'Supported protocols depend on the cURL installed. ' \
+                        'Note: with socks5://, hostnames are resolved locally before being ' \
+                        'sent to the proxy; use socks5h:// to have the proxy resolve them ' \
+                        '(required for .onion addresses when proxying through Tor).']),
+          OptCredentials.new(['--proxy-auth login:password'])
+        ]
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_browser_cookies_options
+        [
+          OptString.new(['--cookie-string COOKIE',
+                         'Cookie string to use in requests, ' \
+                         'format: cookie1=value1[; cookie2=value2]']),
+          OptFilePath.new(['--cookie-jar FILE-PATH', 'File to read and write cookies'],
+                          writable: true,
+                          readable: true,
+                          create: true,
+                          default: tmp_directory.join('cookie_jar.txt')),
+          OptBoolean.new(['--expect-saml',
+                          'Expect SAML authentication to be required. ' \
+                          'When the target redirects to a SAML IdP, an interactive browser ' \
+                          'is launched for login and the resulting session cookies are reused ' \
+                          'for the rest of the scan.'],
+                         advanced: true)
+        ]
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_browser_cache_options
+        [
+          OptInteger.new(['--cache-ttl TIME_TO_LIVE', 'The cache time to live in seconds'],
+                         default: 600, advanced: true),
+          OptBoolean.new(['--clear-cache', 'Clear the cache before the scan'], advanced: true),
+          OptDirectoryPath.new(['--cache-dir PATH'],
+                               readable: true,
+                               writable: true,
+                               create: true,
+                               default: tmp_directory.join('cache'),
+                               advanced: true)
+        ]
+      end
+    end
+  end
+end