Web Fuzzing

ffuf: A fast web fuzzer written in Go.

ffuf -w /path/to/wordlist -u https://target/FUZZ

Arjun: This tool can find query parameters for URL enpoints. If you don't get what that means, it's okay, read along.

arjun -u https://api.example.com/endpoint

vaf: very advanced (web) fuzzer.

parameth: This tool can be used to brute discover GET and POST parameters.

ParamSpider: Mining parameters from dark corners of Web Archives.

smuggler: An HTTP Request Smuggling / Desync testing tool written in Python 3.

Reference: https://raw.githubusercontent.com/gwen001/pentest-tools/master/smuggler.py

DirDar: DirDar is a tool that searches for (403-Forbidden) directories to break it and get dir listing on it.

HackBar: HackBar plugin for Burpsuite.

x8-Burp: Discovering hidden parameters with burp.

GitHub - Impact-I/x8-Burp: Hidden parameters discovery suiteGitHub

jsql-injection: jSQL Injection is a Java application for automatic SQL database injection.

HTTP Request Smuggling Detection Tool

Bonus

GitHub - lutfumertceylan/top25-parameter: For basic researches, top 25 vulnerability parameters that can be used in automation tools or manual recon. 🛡️⚔️🧙GitHub

GitHub - afwu/leaky-paths: A collection of special paths linked to major web CVEs, known misconfigurations, juicy APIs ..etc. It could be used as a part of web content discovery, to scan passively for high-quality endpoints and quick-wins.GitHub