{"id":13542007,"url":"https://github.com/d4rckh/vaf","last_synced_at":"2025-04-09T13:04:19.104Z","repository":{"id":41972282,"uuid":"362109703","full_name":"d4rckh/vaf","owner":"d4rckh","description":"Vaf is a cross-platform very advanced and fast web fuzzer written in nim","archived":false,"fork":false,"pushed_at":"2022-05-29T16:39:47.000Z","size":2503,"stargazers_count":320,"open_issues_count":5,"forks_count":43,"subscribers_count":10,"default_branch":"main","last_synced_at":"2025-04-02T12:09:37.822Z","etag":null,"topics":["bruteforce","bug-bounty","bugbounty","burpsuite","fuzzer","fuzzing","hacking","hacking-tools","nim","penetration-testing","pentest-tool","recon","security-tools","vaf","web","xss"],"latest_commit_sha":null,"homepage":"","language":"Nim","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/d4rckh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null},"funding":{"patreon":"d4rckh"}},"created_at":"2021-04-27T12:46:52.000Z","updated_at":"2025-02-26T09:29:30.000Z","dependencies_parsed_at":"2022-08-03T09:45:34.761Z","dependency_job_id":null,"html_url":"https://github.com/d4rckh/vaf","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/d4rckh%2Fvaf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/d4rckh%2Fvaf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/d4rckh%2Fvaf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/d4rckh%2Fvaf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/d4rckh","download_url":"https://codeload.github.com/d4rckh/vaf/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248045230,"owners_count":21038553,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bruteforce","bug-bounty","bugbounty","burpsuite","fuzzer","fuzzing","hacking","hacking-tools","nim","penetration-testing","pentest-tool","recon","security-tools","vaf","web","xss"],"created_at":"2024-08-01T10:01:00.040Z","updated_at":"2025-04-09T13:04:19.082Z","avatar_url":"https://github.com/d4rckh.png","language":"Nim","funding_links":["https://patreon.com/d4rckh"],"categories":["Recon","Nim"],"sub_categories":["Fuzzing"],"readme":"\u003cdiv align=\"center\"\u003e\n\u003ch1\u003evaf\u003c/h1\u003e\n\u003ch3\u003eA fast, simple, and feature rich web fuzzer written in nim\u003c/h3\u003e\n\u003cimg src=\"https://img.shields.io/github/stars/d4rckh/vaf\"\u003e\u003c/img\u003e\n\u003ca href=\"https://github.com/d4rckh/vaf/issues\"\u003e\n  \u003cimg src=\"https://img.shields.io/github/issues/d4rckh/vaf\"\u003e\u003c/img\u003e\n\u003c/a\u003e\n\u003ca href=\"https://github.com/d4rckh/vaf/network\"\u003e\n  \u003cimg src=\"https://img.shields.io/github/forks/d4rckh/vaf\"\u003e\u003c/img\u003e\n\u003c/a\u003e\n\u003ca href=\"https://github.com/d4rckh/vaf/blob/main/LICENSE\"\u003e\n  \u003cimg src=\"https://img.shields.io/github/license/d4rckh/vaf\"\u003e\u003c/img\u003e\n\u003c/a\u003e\n\u003cimg src=\"https://img.shields.io/github/languages/top/d4rckh/vaf\"\u003e\u003c/img\u003e\n\u003cbr\u003e\u003cbr\u003e\n\u003cimg src=\"screenshots/main.png\"\u003e\u003c/img\u003e\n\u003cbr\u003e\u003cbr\u003e\n\u003c/div\u003e\n\nvaf is a cross-platform web fuzzer with a lot of features. Some of its features include:\n- Fast threading\n- HTTP header fuzzing\n- Proxying\n- [your own feature!](https://github.com/d4rckh/vaf/issues/new?assignees=\u0026labels=enhancement\u0026template=feature_request.md\u0026title=%5Bfeature%5D)\n- And more...\n\n\n## Installing\n\nYou can install vaf using this one-liner:\n```\ncurl https://raw.githubusercontent.com/d4rckh/vaf/main/install.sh | sudo bash\n```\n\n## Options\n\n```\nOptions:\n  -h, --help\n  -u, --url=URL              Target URL. Replace fuzz area with FUZZ\n  -w, --wordlist=WORDLIST    The path to the wordlist.\n  -m, --method=METHOD        Request method. Supported: POST, GET (default: GET)\n  -H, --header=HEADER        Specify HTTP headers; can be used multiple times. Example: -H 'header1: val1' -H 'header1: val1'\n  -pf, --prefix=PREFIX       The prefixes to append to the word (default: )\n  -sf, --suffix=SUFFIX       The suffixes to append to the word (default: )\n  -t, --threads=THREADS      Number of threads (default: 5)\n  -sc, --status=STATUS       The status to filter; to 'any' to print on any status (default: 200)\n  -g, --grep=GREP            Only log if the response body contains the string (default: )\n  -ng, --notgrep=NOTGREP     Only log if the response body does no contain a string (default: )\n  -pd, --postdata=POSTDATA   Specify POST data; used only if '-m post' is set (default: {})\n  -x, --proxy=PROXY          Specify a proxy (default: )\n  -ca, --cafile=CAFILE       Specify a CA root certificate; useful if you are using Burp/ZAP proxy (default: )\n  -o, --output=OUTPUT        Output the results in a file (default: )\n  -mr, --maxredirects=MAXREDIRECTS\n                             How many redirects should vaf follow; 0 means none (default: 0)\n  -v, --version              Print version information\n  -pif, --printifreflexive   Print only if the fuzzed word is reflected in the page\n  -i, --ignoressl            Do not verify SSL certificates; useful if you are using Burp/ZAP proxy\n  -ue, --urlencode           URL encode the fuzzed words\n  -pu, --printurl            Print the requested URL\n  -ph, --printheaders        Print response headers\n  -dbg, --debug              Prints debug information\n```\n\n## Examples\n\n### Fuzz URL path, show only responses which returned 200 OK\n```\nvaf -u https://example.org/FUZZ -w path/to/wordlist.txt -sc OK\n```\n\n### Fuzz 'User-Agent' header, show only responses which returned 200 OK\n```\nvaf -u https://example.org/ -w path/to/wordlist.txt -sc OK -H \"User-Agent: FUZZ\"\n```\n\n### Fuzz POST data, show only responses which returned 200 OK\n```\nvaf -u https://example.org/ -w path/to/wordlist.txt -sc OK -m POST -H \"Content-Type: application/json\" -pd '{\"username\": \"FUZZ\"}'\n```\n\n# Contributors \n\nThanks to everyone who contributed to this project!\n- [@daanbreur](https://github.com/daanbreur)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fd4rckh%2Fvaf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fd4rckh%2Fvaf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fd4rckh%2Fvaf/lists"}