ffuf
ffuf is the blazing-fast web fuzzer that slams URL parameters with wordlists, mutations, and filters to uncover hidden endpoints or injection points in seconds. Tune threads and recursion for deep dives, piping outputs to grep for clean hits on 200s or custom patterns. Open-source Go beast, it's the parameter punisher for pentesters blasting through query strings without mercy.
wfuzz
wfuzz is the Python powerhouse for fuzzing URL params with payloads, recursion, and encoding tricks, spotting vulns like IDOR or open redirects via status filters and recursion. Chain wordlists for multi-position attacks, exporting results for post-fuzz analysis in scripts. Open-source classic, it's the wildcard warrior for web hackers templating brute-force campaigns.
Arjun
Arjun is the parameter discovery ninja that brute-forces hidden GET/POST params in URLs, using wordlists to detect unused inputs ripe for injection or bypass tests. Run it on endpoints with --stable or --post flags, getting sorted lists of valid params for targeted fuzzing. Open-source from s0md3v, it's the param prospector for pentesters mining overlooked fields.
ParamSpider
ParamSpider is the JS-savvy crawler that scrapes client-side code and responses for buried URL parameters, compiling unique lists for fuzzing without brute-force noise. Feed it a domain, let it spider sources and APIs, and export clean param sets for wfuzz chains. Open-source from devanshbatham, it's the spider sense for web explorers unearthing dynamic inputs.
kiterunner
kiterunner is the wordlist-agnostic fuzzer that blasts URL paths and params with brute-force efficiency, using trie-based dicts for rapid mutation and hit validation. Compile wordlists into .kr files, run against scopes with rate limits, and filter by status for clean outputs. Open-source from assetnote, it's the kit kat for pentesters templating high-volume param probes.
dirsearch
dirsearch is the directory and param fuzzer that hammers URLs with extensions and wordlists, detecting 403s or 301s to map app structures for deeper input testing. Configure via Python CLI with recursion and exclusions, exporting CSV for follow-ups on promising paths. Open-source from maurosoria, it's the dir detective for recon pros fuzzing params in web mazes.
feroxbuster
feroxbuster is the recursive Rust fuzzer for URL params and dirs, auto-tuning rates and filters to carve out hidden files or endpoints with minimal false positives. Spin it with wordlists and extensions, watching it climb directories for param-rich pages. Open-source from michenriksen, it's the ferret ferreter for pentesters sniffing param trails in recursive hunts.
gobuster
gobuster is the speedy Go fuzzer for vhost, DNS, and URL param brute-forcing, targeting directories or extensions with status/code filters for efficient mapping. Run modes like dir or vhost on scopes, piping hits to tools for chained fuzzing. Open-source from OJ, it's the gobstopper for web warriors popping param bubbles in brute-force barrages.
rustbuster
rustbuster is the high-performance param fuzzer in Rust, slamming endpoints with wordlists and mutations for 4xx/5xx filtering in concurrent blasts. Customize via CLI flags for recursion or delays, outputting structured JSON for post-processing. Open-source fork, it's the rust rocket for speed demons templating param discovery in resource-hungry scans.
parameth

