Context-Aware Content Discovery with Chameleon

Posted on

While there's already a handful of great directory bruteforce tools, the key to uncovering hidden files / endpoints will always be a good wordlist. A common approach I noticed being used by bug bounty hunters is using the same, huge, wordlist everytime. Its clear that this approach will either miss a lot of stuff or take too long due to wordlist size. Chameleon tries to fix this by automatically detecting the technology running on the target server and using a calibrated wordlist. This blog post will document most of chameleon's features and show how to customize it.

Classic Directory Bruteforce

By default, Chameleon does not attempt to detect technologies and runs just like any other directory bruteforce tool. If no wordlist is is supplied, Chameleon will use the default wordlist. ( ~/.content/chameleon/wordlists/raft-medium-words.txt )

Detect Technologies Automatically

If the -a flag is supplied, Chameleon will load the url in a headless chrome tab and extract the technologies detected wappalyzer. By default, Chameleon will scan the url from -u, however you can change the url used for the technology detection using the -T flag. In order for this feature to work, headless chrome should be installed.

When Chameleon detects a technology it will try do the folllowing:

1. Check if there is any wordlist associated with the technology. If it is, it will add it to the main wordlist.

2. Check if there are any extensions associated with the technology. If there are, it will use the extension to generate a wordlist like so:

3. If the technology detected is Microsoft ASP.NET, it will lowercase all lines from the wordlist.

Custom Wordlists

Most custom wordlists are taken from SecLists or Assetnote, however the Flask, Golang, Spring, Laravel wordlists are generated using Google BigQuery. Credits to Shubs for the idea.

Supply Technologies

It's also possible to supply your own technologies, which will be used even if Wappalyzer does not detect them.

Config file

Chameleon uses the config file located in ~/.config/chameleon/config.yaml.

Changing the default wordlists:

If no wordlist is provided, chameleon will use the wordlist specified in main_wordlist from the config file. ( Default: ~/.config/chameleon/wordlists/raft-medium-words.txt )

When detecting technologies with characteristic extensions, chameleon will generate a wordlist by like so ( FUZZ.%ext ). Chameleon will use the wordlist specified in small_wordlist from the config file. ( Default: ~/.config/chameleon/wordlists/raft-medium-words.txt )

Changing technology wordlists

Example config.yaml with technology specific wordlists:

Adding new technology wordlists

Chameleon uses fingerprints from You can add new technology wordlists by taking the name of a technology from apps.json and adding it to the config file like so:

Adding new extension fingerprints.

Chameleon generates wordlists using characteristic extensions matching the detected technology. You can add / modify the extensions in the config file like so:

Filtering & Matching

Currently, Chameleon supports filtering based on the response's content length or status code.

-S = Filter HTTP response size. Comma separated list of sizes
-C = Filter HTTP status codes from response - Comma separated list [default: 404]
-s = Match HTTP response size. Comma separated list of sizes
-c = Match HTTP status codes from response - Comma separated list

It's also possible to use the -A flag to automatically calibrate filtering options.


Using Chameleon for directory bruteforcing eliminates the process of manually detecting the technologies used on a host and identifying the correct wordlist to use. As such, not only does it saves time, but it can also lead to the discovery of files/endpoints which would otherwise be missed with a common wordlist. Since Chameleon is still at an early stage, I'm welcome to any suggestions for improving it.