{"id":37063068,"url":"https://github.com/offensive-tooling/fuzzmap","last_synced_at":"2026-01-14T07:02:11.533Z","repository":{"id":283840606,"uuid":"886095434","full_name":"offensive-tooling/FUZZmap","owner":"offensive-tooling","description":"Web Application Offensive Fuzzing Module","archived":false,"fork":false,"pushed_at":"2025-04-20T09:19:49.000Z","size":737,"stargazers_count":6,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-11-27T18:19:28.964Z","etag":null,"topics":["fuzzing","fuzzmap","offensive","offensive-tooling","pentest","pentesting","scanner","vulnerability-scanners","webfuzzer","webscanner"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/offensive-tooling.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-11-10T07:14:21.000Z","updated_at":"2025-04-22T13:34:10.000Z","dependencies_parsed_at":null,"dependency_job_id":"026fc3dd-62e6-4c9d-942d-2b51dead2f13","html_url":"https://github.com/offensive-tooling/FUZZmap","commit_stats":null,"previous_names":["offensive-tooling/fuzzmap"],"tags_count":23,"template":false,"template_full_name":null,"purl":"pkg:github/offensive-tooling/FUZZmap","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/offensive-tooling%2FFUZZmap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/offensive-tooling%2FFUZZmap/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/offensive-tooling%2FFUZZmap/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/offensive-tooling%2FFUZZmap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/offensive-tooling","download_url":"https://codeload.github.com/offensive-tooling/FUZZmap/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/offensive-tooling%2FFUZZmap/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28412486,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T05:26:33.345Z","status":"ssl_error","status_checked_at":"2026-01-14T05:21:57.251Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["fuzzing","fuzzmap","offensive","offensive-tooling","pentest","pentesting","scanner","vulnerability-scanners","webfuzzer","webscanner"],"created_at":"2026-01-14T07:02:10.829Z","updated_at":"2026-01-14T07:02:11.516Z","avatar_url":"https://github.com/offensive-tooling.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# FUZZmap \n\n\u003cdiv align=\"center\"\u003e\n  \n[![Python 3.13.0](https://img.shields.io/badge/python-3.13.0-yellow.svg)](https://www.python.org/)\n[![License](https://img.shields.io/badge/license-MIT-red.svg)](LICENSE)\n\n**Web Application Vulnerability Fuzzing Tool**\n\n*Current version: 0.2 (SQL Injection, XSS)*\n\n\u003c/div\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/%F0%9F%94%8D-Fuzzing-blueviolet\" alt=\"Fuzzing\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/%F0%9F%93%8A-Parameter%20Collection-green\" alt=\"Parameter Reconnaissance\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/%F0%9F%9B%A1%EF%B8%8F-Vulnerability%20Detection-orange\" alt=\"Vulnerability Detection\"\u003e\n\u003c/p\u003e\n\nFUZZmap is a web application vulnerability fuzzing tool designed to detect security flaws. It identifies web application vulnerabilities through automated parameter Reconnaissance and advanced payload testing.\n![alt text](image.png)\n\n\n## 💻 FUZZmap Developers\n- [arrester](https://github.com/arrester)\n- [jhanks](https://github.com/jeongahn)\n- [mathe](https://github.com/ma4the)\n- [arecia](https://github.com/areciah)\n- [hansowon](https://github.com/hansowon)\n\n## ✨ Features\n\n- **Parameter Reconnaissance**\n- **Common Payload Testing**\n- **Advanced Payload Testing**\n  - **SQL Injection Detection** - Advanced analysis including error-based, time-based, and boolean-based techniques (v0.1)\n  - **XSS Detection** - Advanced analysis including advanced xss in v0.2\n  - **SSTI Detection** - *(Advanced analysis coming in v0.3)*\n- **Asynchronous Architecture** - Utilizes `asyncio` and semaphores for optimized concurrent testing\n- **Expandable Framework** - Designed for easy addition of new vulnerability types in future versions\n\n## 📋 Installation\n\n### Using pip\n```bash\n# Installation\npip install fuzzmap\n```\n\n### From GitHub\n```bash\n# Git clone\ngit clone https://github.com/offensive-tooling/FUZZmap.git\ncd fuzzmap\n\n# Installation\npip install -e .\n```\n\n## 🚀 Usage\n\n### Command Line Usage\n\n```bash\n# Test specific parameter\nfuzzmap -t \u003ctarget_url\u003e -m get -p \u003ctarget_parameter\u003e\n\n# Test multiple parameters\nfuzzmap -t \u003ctarget_url\u003e -m get -p \u003ctarget_parameter 1\u003e,\u003ctarget_parameter 2\u003e\n\n# Use POST method\nfuzzmap -t \u003ctarget_url\u003e -m post -p \u003ctarget_parameter\u003e\n\n# Test with Parameter Reconnaissance \nfuzzmap -t \u003ctarget_url\u003e -rp\n```\n\n### Python Module Usage\n\n```python\nimport asyncio\nfrom fuzzmap.core.controller.controller import Controller\n\nasync def main():\n    # Test with specific parameters\n    fm = Controller(target=\"http://target.com\", method=\"GET\", param=[\"target_parameter\"])\n    results = await fm.async_run()\n    \n    # Test with Parameter Reconnaissance\n    fm = Controller(target=\"http://target.com\", recon_param=True)\n    results = await fm.async_run()\n\nasyncio.run(main())\n```\n\n## 🛠️ How It Works\n\nFuzzMap operates in four main phases:\n\n1. **Parameter Reconnaissance**: Automatically identifies parameters through:\n   - URL query extraction\n   - Form field analysis (inputs, selects, textareas)\n   - Form action paths and methods\n   - *(JavaScript hidden parameters - release later)*\n   - *(Dynamic parameter collection module - release later)*\n\n2. **Common Payload Testing**: Tests various vulnerabilities with common payloads:\n   - SQL Injection\n   - XSS (Cross Site Scripting)\n   - SSTI (Server Side Template Injection)\n   - *(More types to be continuously added)*\n\n3. **Advanced Payload Testing** (Currently for SQL Injection only):\n   - SQL Injection (error-based, time-based, boolean-based)\n   - *(XSS payloads and features coming in v0.2)*\n   - *(SSTI payloads and features coming in v0.3)*\n\n4. **Result Classification**: Categorize findings as follows:\n   - Vulnerability type and subtype\n   - Detection confidence scoring (0-100%)\n   - Detection details and evidence\n\n## 📊 Example Output\n\n```\nhandler: common, advanced\n🎯 url: http://target.com/\nparameters: ['test', 'searchFor']\nmethod: GET\nType: xss\n💰 Detected: True\nCommon_payload: '\"\u003e\u003ciframe onload=alert('{{1234**3}}');\u003e\nCommon_Confidence: 50\n🔍 Detail_Vuln: Error-Based SQL Injection\nAdvanced_payload: ' UNION SELECT NULL-- -\nAdvanced_Confidence: 100\nContext: ECT NULL-- -\u003c/h2\u003eError: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\n\n------------------------------------------------------------------\nhandler: common, advanced\n🎯 url: http://target.com/\nparameters: ['test', 'searchFor']\nmethod: GET\nType: sql_injection\n💰 Detected: True\nCommon_payload: ' || BEGIN DBMS_SESSION.SLEEP(5); END; -- \nCommon_Confidence: 70\n🔍 Detail_Vuln: Error-Based SQL Injection\nAdvanced_payload: ' UNION SELECT NULL-- -\nAdvanced_Confidence: 100\nContext: ECT NULL-- -\u003c/h2\u003eError: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\n```\n\n## ⚙️ Command Line Options\n\n```\n-t, --target      🎯 Target URL to scan\n-m, --method      📡 HTTP method (GET/POST)\n-p, --param       🔍 Parameters to test (comma separated)\n-rp, --recon_param 🔎 Enable parameter reconnaissance\n-a, --advanced    🔬 Enable advanced payload scan\n-ua, --user_agent 🌐 Custom User-Agent string\n-c, --cookies     🍪 Cookies to include (format: name1=value1;name2=value2)\n-v, --verbose     📝 Enable verbose output\n-h, --help        ℹ️  Show this help message\n```\n\n## 📝 Translations\n\n- [English (Original)](README.md)\n- [Korean](fuzzmap/doc/translations/README-KR.md)\n\n## 🔔 Disclaimer\n\nFUZZmap is designed for legitimate security testing with proper authorization. Always ensure you have permission before testing any website or application.\n\n---\n\n\u003cdiv align=\"center\"\u003e\n  \u003cb\u003eFUZZmap - Slogan (Coming Soon)\u003c/b\u003e\n\u003c/div\u003e","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foffensive-tooling%2Ffuzzmap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foffensive-tooling%2Ffuzzmap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foffensive-tooling%2Ffuzzmap/lists"}