jsmonhq

jsmonhq / apiffuf

Public

API URL fuzzer that cross-joins hosts and paths into normalized URLs, probes them over HTTP, and reports responding endpoints.

jsmon.sh api-hacking bugbounty bugbounty-tools cybersecurity ethicalhacking
13
0
69% credibility
Found May 26, 2026 at 13 stars -- GitGems finds repos before they trend. Get early access to the next one.
Sign Up Free
AI Analysis
Go
AI Summary

apiffuf is an API testing tool that helps you discover and verify all the endpoints on your API. You give it a list of your API addresses and a list of path names, and it automatically combines them together to test every possible combination. The tool sends requests to all these URLs, waits for responses, and shows you which endpoints are working. It can test quickly or slowly, supports different request types, lets you add custom headers like authentication tokens, and displays results in colorful terminal output or saves them to files. The tool is designed for security researchers and developers who want to audit their own APIs, and it includes warnings to only use it on systems you have permission to test.

How It Works

1
🔍 You need to test your API

You want to find all the endpoints on your API to make sure everything is working correctly and nothing unexpected is exposed.

2
📝 You prepare two lists

You create a simple list of your API addresses and another list of common path names like /users or /products.

3
🚀 You run the scanner

The tool automatically combines every address with every path, sending requests to all combinations at once.

4
You choose how fast to go
🐢
Gentle mode

You set a slower pace to avoid overwhelming your server during testing.

🐇
Fast mode

You test all endpoints as quickly as possible for rapid results.

5
🔗 You add authentication if needed

If your API requires a login token, you can include it so the scanner can access protected endpoints.

6
📊 You see live results

As endpoints respond, you watch colorful results appear showing which URLs are working and what they return.

You get a complete map of your API

The tool shows you every endpoint that responded, with details like status codes and page titles, so you know exactly what's exposed.

Sign up to see the full architecture

5 more

Sign Up Free

Star Growth

See how this repo grew from 13 to 13 stars Sign Up Free
Repurpose This Repo

Repurpose is a Pro feature

Generate ready-to-use prompts for X threads, LinkedIn posts, blog posts, YouTube scripts, and more -- with full repo context baked in.

Unlock Repurpose
AI-Generated Review

What is apiffuf?

Apiffuf is a command-line tool written in Go that fuzzes API endpoints by combining lists of hosts with lists of paths, then reporting which combinations respond to HTTP requests. You feed it a target host (or file of hosts) and a file of API paths, and it generates all possible URL combinations, probes them concurrently, and shows you the hits. It handles URL normalization automatically, defaulting to HTTPS when no protocol is specified and collapsing duplicate slashes. The tool supports custom HTTP methods, request headers, concurrency limits, and rate limiting. Results can be streamed to the terminal in color or saved as plain text, JSON, or CSV for further analysis.

Why is it gaining traction?

Developers tired of writing one-off scripts to enumerate API endpoints find apiffuf's cross-join approach refreshingly straightforward. The built-in rate limiter and configurable thread count make it safe to run against production-like environments without overwhelming targets. Having JSON and CSV export built-in means you can pipe findings directly into other tooling without post-processing. The URL normalization logic handles messy inputs gracefully, so you don't have to scrub your host and path lists before running.

Who should use this?

API developers doing discovery and inventory work will appreciate the quick feedback loop. Security researchers and penetration testers who need to map out endpoint surfaces will find the concurrent probing and export options useful. DevOps engineers validating that infrastructure matches documented APIs can automate path enumeration against staging environments. If you're already using specialized API tools with built-in fuzzing, this fills a simpler niche.

Verdict

Apiffuf solves a narrow, well-defined problem cleanly and would be valuable as a permanent addition to any API testing toolkit. However, with only 13 stars and a credibility score of 0.699999988079071%, it's early-stage software with limited community validation. The AGPLv3 license restricts commercial use, so evaluate that before integrating it into your workflow. Worth trying on your next API audit, but treat it as a single-purpose utility rather than a platform.

Sign up to read the full AI review Sign Up Free

Similar repos coming soon.