Skip to content

jsmonhq/apiffuf

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
internal
internal
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

apiffuf

API URL fuzzer that cross-joins hosts and paths into normalized URLs, probes them over HTTP, and reports responding endpoints.

Apiffuf by Jsmon - API URL fuzzer for API hackers | Product Hunt

Installation

Direct install

go install github.com/jsmonhq/apiffuf@latest

Clone and build

git clone https://github.com/jsmonhq/apiffuf.git
cd apiffuf
go build -ldflags="-s -w" -o apiffuf .

Usage

apiffuf -hosts <host|file> -paths <file> [options]

Flags

Flag Alias Default Description
-hosts -u Host or file containing hosts (required)
-paths -w File containing API paths (required)
-method -X GET HTTP method (supports custom methods)
-headers -H Request header (Name: value, repeatable)
-threads -t 20 Parallel goroutines
-rate 0 Requests per second (0 = unlimited)
-o Save default text output to file
-oJ Save JSON output to file
-oC Save CSV output to file
-timeout 10s Per-request timeout
-user-agent apiffuf/1.0 User-Agent header
-no-color false Disable colored terminal output

Examples

Single host and paths file:

apiffuf -hosts api.jsmon.sh -paths paths.txt

Hosts file and custom method:

apiffuf -u hosts.txt -w paths.txt -X POST

With headers, concurrency, and rate limit:

apiffuf -hosts https://api.example.com -paths paths.txt -H "Authorization: Bearer token" -t 50 -rate 10

Save results:

apiffuf -hosts api.jsmon.sh -paths paths.txt -o results.txt -oJ results.json -oC results.csv

URL normalization

apiffuf normalizes host/path combinations before probing:

Host Path Output
http://sub.target.com /api/v2/users http://sub.target.com/api/v2/users
http://sub.target.com/ /api/v2/users http://sub.target.com/api/v2/users
http://sub.target.com api/v2/users http://sub.target.com/api/v2/users
sub.target.com /api/v2/users https://sub.target.com/api/v2/users

If no protocol is supplied in the host input, https is used by default.

Output

Default terminal output (colored when stdout is a TTY):

https://api.jsmon.sh/api/v2/users [200] [application/json] [12234] [Jsmon API]

Each line includes:

  1. URL
  2. Status code
  3. Content-Type
  4. Content-Length
  5. Page title (when available)

Only URLs that receive an HTTP response are shown. Connection errors, timeouts, and DNS failures are excluded.

JSON output (-oJ) and CSV output (-oC) are also supported.

Safety notice

When using PUT, PATCH, or DELETE, apiffuf prints a caution warning because these methods can modify or delete data. Only use against targets you are authorized to test.

Built by team Jsmon.

License

AGPLv3

About

API URL fuzzer that cross-joins hosts and paths into normalized URLs, probes them over HTTP, and reports responding endpoints.

jsmon.sh

Topics

cybersecurity bugbounty fuzzer ethicalhacking jsmon bugbounty-tools api-hacking

Resources

Readme

License

AGPL-3.0 license
Activity
Custom properties

Stars

26 stars

Watchers

0 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages