GitHub - jsmonhq/apiffuf: API URL fuzzer that cross-joins hosts and paths into normalized URLs, probes them over HTTP, and reports responding endpoints. · GitHub
apiffuf
API URL fuzzer that cross-joins hosts and paths into normalized URLs, probes them over HTTP, and reports responding endpoints.
Installation
Direct install
go install github.com/jsmonhq/apiffuf@latest
Clone and build
git clone https://github.com/jsmonhq/apiffuf.git
cd apiffuf
go build -ldflags="-s -w" -o apiffuf .
Usage
apiffuf -hosts <host-or-hosts-file> -paths <paths-file> [options]
Flags
| Flag | Alias | Default | Description |
| --- | --- | --- | --- |
| -hosts | -u | | Host or file containing hosts (required) |
| -paths | -w | | File containing API paths (required) |
| -method | -X | GET | HTTP method (supports custom methods) |
| -headers | -H | | Request header (Name: value, repeatable) |
| -threads | -t | 20 | Parallel goroutines |
| -rate | | | Requests per second (0 = unlimited) |
| -o | | | Save default text output to file |
| -oJ | | | Save JSON output to file |
| -oC | | | Save CSV output to file |
| -timeout | | 10s | Per-request timeout |
| -user-agent | | apiffuf/1.0 | User-Agent header |
| -no-color | | false | Disable colored terminal output |
Examples
Single host and paths file:
apiffuf -hosts api.jsmon.sh -paths paths.txt
Hosts file and custom method:
apiffuf -u hosts.txt -w paths.txt -X POST
With headers, concurrency, and rate limit:
apiffuf -hosts https://api.example.com -paths paths.txt -H "Authorization: Bearer token" -t 50 -rate 10
Save results:
apiffuf -hosts api.jsmon.sh -paths paths.txt -o results.txt -oJ results.json -oC results.csv
URL normalization
apiffuf normalizes host/path combinations before probing:
| Host | Path | Output |
| --- | --- | --- |
| http://sub.target.com | /api/v2/users | http://sub.target.com/api/v2/users |
| http://sub.target.com/ | /api/v2/users | http://sub.target.com/api/v2/users |
| http://sub.target.com | api/v2/users | http://sub.target.com/api/v2/users |
| sub.target.com | /api/v2/users | https://sub.target.com/api/v2/users |
If no protocol is supplied in the host input, https is used by default.
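The rules in the table above, written out as an added Go example (not apiffuf's own code): it builds the host and path cross-join without sending any requests, so the exact URL list can be reviewed against an authorized scope before a run. The function names, the de-duplication, and the skipping of blank entries are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// normalize joins one host entry and one path into a single URL, following
// the README table: default to https when the host has no scheme, and leave
// exactly one slash between host and path.
func normalize(host, path string) string {
	host = strings.TrimSpace(host)
	path = strings.TrimSpace(path)
	if !strings.Contains(host, "://") {
		host = "https://" + host
	}
	return strings.TrimRight(host, "/") + "/" + strings.TrimLeft(path, "/")
}

// crossJoin returns every host/path combination, normalized, in first-seen
// order. Assumptions of this example (not confirmed tool behaviour): blank
// entries are skipped and duplicate URLs are emitted once.
func crossJoin(hosts, paths []string) []string {
	seen := make(map[string]bool)
	var urls []string
	for _, h := range hosts {
		for _, p := range paths {
			if strings.TrimSpace(h) == "" || strings.TrimSpace(p) == "" {
				continue
			}
			u := normalize(h, p)
			if !seen[u] {
				seen[u] = true
				urls = append(urls, u)
			}
		}
	}
	return urls
}

func main() {
	// Constructed sample input mirroring the rows of the table.
	hosts := []string{"http://sub.target.com", "http://sub.target.com/", "sub.target.com"}
	paths := []string{"/api/v2/users", "api/v2/users"}
	for _, u := range crossJoin(hosts, paths) {
		fmt.Println(u)
	}
}
```

The six input combinations collapse to two URLs here, one per scheme, which shows that a scheme-less host entry is a different target from its explicit http:// counterpart.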
Output
Default terminal output (colored when stdout is a TTY):
https://api.jsmon.sh/api/v2/users [200] [application/json] [12234] [Jsmon API]
Each line includes:
URL
Status code
Content-Type
Content-Length
Page title (when available)
Only URLs that receive an HTTP response are shown. Connection errors, timeouts, and DNS failures are excluded.
JSON output (-oJ) and CSV output (-oC) are also supported.
Safety notice
When using PUT, PATCH, or DELETE, apiffuf prints a caution warning because these methods can modify or delete data. Only use against targets you are authorized to test.
Built by team Jsmon.
License
AGPLv3