A lightweight Python-based API endpoint fuzzing tool that discovers valid API endpoints and displays their response content directly in the terminal.
While using tools like ffuf for endpoint enumeration, I noticed that although they efficiently identify valid endpoints, I still had to manually visit each endpoint in a browser or use additional tools to inspect the response.
To streamline this process, I created APIFuzz.
APIFuzz not only identifies valid endpoints but also displays:
- Endpoint path
- HTTP status code
- Response content
All directly inside the terminal.

Features:
- Endpoint enumeration using custom wordlists
- Displays valid endpoints
- Shows HTTP status codes
- Prints API response content
- Colorized terminal output
- Simple and lightweight

Requirements:
- Python 3.x
- requests
- termcolor
Install dependencies:
```bash
pip install requests termcolor
```

Usage:
```bash
python3 apifuzz.py <API_URL> <WORDLIST>
```

Example:
```bash
python3 apifuzz.py http://target-api.com/ wordlist.txt
```

Sample output:
```
[*] checking for endpoints...
[+] Endpoint: /users Status Code: 200
{'id': 1, 'name': 'admin'}
[+] Endpoint: /products Status Code: 200
{'items': ['item1', 'item2']}
```

How it works:
- Accepts a target API URL.
- Reads endpoints from a wordlist.
- Sends GET requests to each endpoint.
- Ignores 404 responses.
- Prints valid endpoints and their response content.
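
Seen from the API's side, the steps above show up as one client sending GET requests to many distinct paths, most of them answered with 404. The following is an added example, not part of APIFuzz, that flags that pattern in access-log lines; the Common Log Format input, the thresholds, the function names and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed input: Common Log Format lines; adapt the pattern to your server.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def find_enumeration(lines, min_paths=5, min_404_ratio=0.6):
    """Flag clients whose GETs hit many distinct paths that mostly return 404.

    Thresholds are illustrative assumptions; tune them against real traffic.
    """
    seen = defaultdict(set)    # client -> distinct paths requested
    missed = defaultdict(set)  # client -> distinct paths answered with 404
    found = defaultdict(set)   # client -> distinct paths answered with anything else
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "GET":
            continue  # unparsable line, or not the GET-only pattern described
        ip, path = m["ip"], m["path"].split("?", 1)[0]
        seen[ip].add(path)
        (missed if m["status"] == "404" else found)[ip].add(path)
    flagged = {}
    for ip, paths in seen.items():
        ratio = len(missed[ip]) / len(paths)
        if len(paths) >= min_paths and ratio >= min_404_ratio:
            # Non-404 paths are what the client would have seen content for
            # (401/403/500 included), so they are the ones to review first.
            flagged[ip] = {"distinct_paths": len(paths),
                           "ratio_404": round(ratio, 2),
                           "found": sorted(found[ip])}
    return flagged

def _line(ip, path, status):
    # Builds one constructed log line (fixed timestamp and size).
    return f'{ip} - - [01/Jan/2025:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 123'

# Constructed sample: one enumerating client, one ordinary client.
SAMPLE = [_line("203.0.113.7", p, s) for p, s in [
    ("/users", 200), ("/products", 200), ("/admin", 403), ("/login", 404),
    ("/backup", 404), ("/config", 404), ("/debug", 404), ("/test", 404),
    ("/v1", 404), ("/internal", 404)]] + [
    _line("198.51.100.20", p, s) for p, s in [
    ("/users", 200), ("/users?page=2", 200), ("/products", 200), ("/favicon.ico", 404)]]

if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE).items():
        print(ip, info)
```

The `found` list matters because only 404 responses are ignored by the loop described above, so paths answering 401, 403 or 500 are reported alongside the 200s.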

Project structure:
```
APIFuzz/
│
├── apifuzz.py
├── wordlist.txt
└── README.md
```

Future improvements:
- Multithreading support
- Custom headers
- Authentication support
- Rate limiting
- JSON/CSV output
- POST request support
- Response filtering

Author: Aniruddh Kumar Yadav
GitHub: https://github.com/annithehunter
LinkedIn: https://linkedin.com/in/annithehunter
This tool is intended for educational purposes and authorized security testing only. Always obtain proper permission before testing any target.