Web Fuzzing

ffuf: A fast web fuzzer written in Go.

ffuf -w /path/to/wordlist -u https://target/FUZZ

Arjun: This tool can find query parameters for URL enpoints. If you don't get what that means, it's okay, read along.

arjun -u https://api.example.com/endpoint

vaf: very advanced (web) fuzzer.

parameth: This tool can be used to brute discover GET and POST parameters.

ParamSpider: Mining parameters from dark corners of Web Archives.

smuggler: An HTTP Request Smuggling / Desync testing tool written in Python 3.

python3 smuggler.py -u <URL>

Reference: https://raw.githubusercontent.com/gwen001/pentest-tools/master/smuggler.py

DirDar: DirDar is a tool that searches for (403-Forbidden) directories to break it and get dir listing on it.


HackBar: HackBar plugin for Burpsuite.

x8-Burp: Discovering hidden parameters with burp.

jsql-injection: jSQL Injection is a Java application for automatic SQL database injection.