RESTler
RESTler RESTler is Microsoft's stateful REST API fuzzer that generates test cases from OpenAPI specs, mutating fields with random values to uncover crashes or logic flaws in backend endpoints. Clone the repo, generate grammar from your spec, and run fuzz sessions via CLI for prioritized reports on failures. Open-source from Microsoft, it's the spec-driven sledgehammer for API pentesters blasting fields systematically.
Explore →Schemathesis
Schemathesis Schemathesis is the property-based fuzzer for OpenAPI/GraphQL schemas, injecting edge-case values into fields to test validation, auth, and error handling with coverage metrics. Install via pip, point at your spec URL, and run sessions with custom seeds for targeted mutations. Open-source from Karta, it's the schema shredder for devs fuzzing API fields against spec compliance.
Explore →ffuf
ffuf ffuf adapts wordlist fuzzing to API fields by placing payloads in JSON/XML bodies or query params, detecting anomalies with response filters for injection or bypass hunting. Configure via CLI with -X POST and -d for body fuzzing, chaining outputs for multi-stage tests. Open-source Go tool, it's the flexible field flinger for web API explorers wordlisting inputs dynamically.
Explore →wfuzz
wfuzz wfuzz extends param fuzzing to API fields in POST/PUT bodies, using placeholders for JSON keys or XML tags to probe for deserialization flaws or overflow errors. Set up with -d for data payloads and --hc for filtering, recursing on responses for chained discoveries. Open-source Python classic, it's the body brawler for pentesters templating field attacks across HTTP methods.
Explore →Dalfox
Dalfox Dalfox is the XSS-focused API fuzzer that targets fields in forms and APIs with reflected payload mutations, chaining with grep for blind detection in JSON responses. Run on URLs with --po for POST fuzzing, customizing wordlists for field-specific injections. Open-source from hahwul, it's the XSS specialist for web pentesters fuzzing API params for client-side leaks.
Explore →api-fuzzer
api-fuzzer api-fuzzer is the Go-based tool for fuzzing REST fields with random or dict-based inputs, testing for crashes, leaks, or deserialization via response monitoring. Define endpoints in YAML, run sessions with custom corpora, and log anomalies for review. Open-source from kenshohamano, it's the endpoint experimenter for API devs fuzzing fields against edge cases.
Explore →fuzzapi
fuzzapi fuzzapi is the Burp-integrated fuzzer for API fields, loading OpenAPI specs to mutate params with payloads for injection or format errors in automated campaigns. Install as extension, select scopes, and run with dicts for coverage reports. Open-source from assetnote, it's the spec slammer for pentesters targeting field vulns in structured APIs.
Explore →restler-fuzzer
restler-fuzzer restler-fuzzer builds on RESTler for advanced field mutation with stateful sequences, generating complex inputs from schemas to hit backend logic flaws. Extend its grammar files for custom tests, running via dotnet for detailed crash repros. Open-source from Microsoft, it's the sequence synthesizer for API fuzzers chaining field tests into exploits.
Explore →param-miner
param-miner param-miner is the Burp extension that fuzzes API fields for hidden params using differential responses, building wordlists from schemas for targeted discovery. Load in Burp, scan scopes, and export miners for offline runs. Open-source from PortSwigger, it's the param pioneer for web pentesters uncovering fields in API dark corners.
Explore →graphql-path-enum