{"id":51172288,"url":"https://github.com/jsmonhq/apiffuf","last_synced_at":"2026-06-27T01:30:26.274Z","repository":{"id":359853706,"uuid":"1247758656","full_name":"jsmonhq/apiffuf","owner":"jsmonhq","description":"API URL fuzzer that cross-joins hosts and paths into normalized URLs, probes them over HTTP, and reports responding endpoints.","archived":false,"fork":false,"pushed_at":"2026-05-23T18:38:25.000Z","size":26,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-23T20:22:21.002Z","etag":null,"topics":["api-hacking","bugbounty","bugbounty-tools","cybersecurity","ethicalhacking","fuzzer","jsmon"],"latest_commit_sha":null,"homepage":"https://jsmon.sh","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jsmonhq.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-23T18:35:07.000Z","updated_at":"2026-05-23T18:38:28.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/jsmonhq/apiffuf","commit_stats":null,"previous_names":["jsmonhq/apiffuf"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/jsmonhq/apiffuf","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jsmonhq%2Fapiffuf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jsmonhq%2Fapiffuf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jsmonhq%2Fapiffuf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jsmonhq%2Fapiffuf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jsmonhq","download_url":"https://codeload.github.com/jsmonhq/apiffuf/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jsmonhq%2Fapiffuf/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34839004,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-26T02:00:06.560Z","response_time":106,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["api-hacking","bugbounty","bugbounty-tools","cybersecurity","ethicalhacking","fuzzer","jsmon"],"created_at":"2026-06-27T01:30:25.677Z","updated_at":"2026-06-27T01:30:26.269Z","avatar_url":"https://github.com/jsmonhq.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# apiffuf\n\nAPI URL fuzzer that cross-joins hosts and paths into normalized URLs, probes them over HTTP, and reports responding endpoints.\n\n\u003ca href=\"https://www.producthunt.com/products/apiffuf-by-jsmon?embed=true\u0026amp;utm_source=badge-featured\u0026amp;utm_medium=badge\u0026amp;utm_campaign=badge-apiffuf-by-jsmon\" target=\"_blank\" rel=\"noopener noreferrer\"\u003e\u003cimg alt=\"Apiffuf by Jsmon - API URL fuzzer for API hackers | Product Hunt\" width=\"250\" height=\"54\" src=\"https://api.producthunt.com/widgets/embed-image/v1/featured.svg?post_id=1154673\u0026amp;theme=light\u0026amp;t=1779692501333\"\u003e\u003c/a\u003e\n\n## Installation\n\n### Direct install\n\n```bash\ngo install github.com/jsmonhq/apiffuf@latest\n```\n\n### Clone and build\n\n```bash\ngit clone https://github.com/jsmonhq/apiffuf.git\ncd apiffuf\ngo build -ldflags=\"-s -w\" -o apiffuf .\n```\n\n## Usage\n\n```text\napiffuf -hosts \u003chost|file\u003e -paths \u003cfile\u003e [options]\n```\n\n### Flags\n\n| Flag | Alias | Default | Description |\n|------|-------|---------|-------------|\n| `-hosts` | `-u` | — | Host or file containing hosts (required) |\n| `-paths` | `-w` | — | File containing API paths (required) |\n| `-method` | `-X` | `GET` | HTTP method (supports custom methods) |\n| `-headers` | `-H` | — | Request header (`Name: value`, repeatable) |\n| `-threads` | `-t` | `20` | Parallel goroutines |\n| `-rate` | — | `0` | Requests per second (`0` = unlimited) |\n| `-o` | — | — | Save default text output to file |\n| `-oJ` | — | — | Save JSON output to file |\n| `-oC` | — | — | Save CSV output to file |\n| `-timeout` | — | `10s` | Per-request timeout |\n| `-user-agent` | — | `apiffuf/1.0` | User-Agent header |\n| `-no-color` | — | `false` | Disable colored terminal output |\n\n### Examples\n\nSingle host and paths file:\n\n```bash\napiffuf -hosts api.jsmon.sh -paths paths.txt\n```\n\nHosts file and custom method:\n\n```bash\napiffuf -u hosts.txt -w paths.txt -X POST\n```\n\nWith headers, concurrency, and rate limit:\n\n```bash\napiffuf -hosts https://api.example.com -paths paths.txt -H \"Authorization: Bearer token\" -t 50 -rate 10\n```\n\nSave results:\n\n```bash\napiffuf -hosts api.jsmon.sh -paths paths.txt -o results.txt -oJ results.json -oC results.csv\n```\n\n## URL normalization\n\n`apiffuf` normalizes host/path combinations before probing:\n\n| Host | Path | Output |\n|------|------|--------|\n| `http://sub.target.com` | `/api/v2/users` | `http://sub.target.com/api/v2/users` |\n| `http://sub.target.com/` | `/api/v2/users` | `http://sub.target.com/api/v2/users` |\n| `http://sub.target.com` | `api/v2/users` | `http://sub.target.com/api/v2/users` |\n| `sub.target.com` | `/api/v2/users` | `https://sub.target.com/api/v2/users` |\n\nIf no protocol is supplied in the host input, `https` is used by default.\n\n## Output\n\nDefault terminal output (colored when stdout is a TTY):\n\n```text\nhttps://api.jsmon.sh/api/v2/users [200] [application/json] [12234] [Jsmon API]\n```\n\nEach line includes:\n\n1. URL\n2. Status code\n3. Content-Type\n4. Content-Length\n5. Page title (when available)\n\nOnly URLs that receive an HTTP response are shown. Connection errors, timeouts, and DNS failures are excluded.\n\nJSON output (`-oJ`) and CSV output (`-oC`) are also supported.\n\n## Safety notice\n\nWhen using `PUT`, `PATCH`, or `DELETE`, apiffuf prints a caution warning because these methods can modify or delete data. Only use against targets you are authorized to test.\n\n### Built by team [Jsmon](https://jsmon.sh).\n\n## License\n\nAGPLv3\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjsmonhq%2Fapiffuf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjsmonhq%2Fapiffuf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjsmonhq%2Fapiffuf/lists"}