API Parameter Fuzzing Tools

This project is an automated security testing suite designed to detect and exploit database vulnerabilities. It functions as a command-line utility that streamlines the identification, verification, and exploitation of web application flaws by automating the injection of malicious payloads into input parameters. The tool provides a comprehensive framework for database enumeration, allowing users to extract schema information, user data, and system configurations from identified injection points. What distinguishes this tool is its sophisticated engine for dynamic payload adaptation and heuristic fingerprinting, which adjusts injection techniques in real-time based on server responses. It supports advanced post-exploitation capabilities, including remote command execution on the underlying host operating system and file system access through database-level vulnerabilities. To navigate restricted environments, the software incorporates out-of-band data exfiltration channels and a middleware pipeline for applying user-defined transformations to bypass security filters and web application firewalls. The suite covers a broad range of operational requirements, including stateful session management, anti-CSRF token handling, and extensive request customization. It supports various target specification methods, such as proxy log analysis and remote API management, while offering granular control over scan performance and detection thresholds. The software is distributed as a command-line application, with configuration management supported through external file loading and command-line arguments.

GPT Researcher is an autonomous agent framework designed to automate the process of gathering, synthesizing, and documenting information from diverse web and local sources. It functions as a research-oriented execution environment that orchestrates specialized agents to perform complex, multi-branch research tasks, transforming raw data into structured, factual, and cited reports. The project distinguishes itself through a graph-based orchestration layer that manages state transitions and information flow between specialized agents. It employs recursive tree-search execution to explore complex topics by branching into sub-queries, while a modular tool-calling interface allows for the integration of external search engines, databases, and specialized data retrieval servers. This architecture enables the system to perform deep, concurrent research while maintaining real-time progress tracking through non-blocking callback mechanisms. Beyond its core research capabilities, the framework supports hybrid knowledge synthesis by normalizing web-scraped content and local file formats into a unified context. It provides extensive tooling for report customization, including prompt-driven synthesis and the automatic generation of inline visual illustrations. The system is designed for integration into broader software ecosystems, offering asynchronous endpoints and containerized deployment options to facilitate its use within custom web applications or messaging platforms.

This project is a privacy-focused, self-hosted metasearch engine that aggregates results from a wide array of web, academic, and media sources into a single, unified interface. By acting as a proxy between the user and external search providers, it strips identifying headers and tracking parameters from requests, ensuring that search activity remains anonymous and protected from third-party profiling. The platform distinguishes itself through a modular, plugin-based architecture that allows for extensive customization of search behavior, result filtering, and interface branding. It supports advanced privacy features such as routing traffic through the Tor network and proxying external assets like images and favicons to prevent IP address leakage. Users can manage their own instances, configuring search engines, language preferences, and security policies to suit specific deployment needs. The service includes a comprehensive suite of tools for managing search aggregation, including sliding-window rate limiting to prevent abuse and persistent key-value caching to improve response latency. It supports diverse content types, rendering specialized results for academic papers, media, and structured data, while providing administrative APIs for programmatic control over instance settings and engine availability. The software is designed for flexible deployment, supporting containerized environments and providing automated scripts for installation and maintenance. Detailed documentation and configuration files allow for granular control over the search experience, from defining custom search shortcuts to enforcing strict access controls on specific engines.

This project is a comprehensive, community-sourced knowledge base designed for security professionals and researchers. It functions as a centralized repository of offensive security techniques, providing a structured collection of exploit payloads, attack vectors, and methodologies for conducting vulnerability assessments and penetration testing. The repository distinguishes itself through a cross-platform payload taxonomy that categorizes exploitation methods by vulnerability type and target environment, enabling rapid lookup during security assessments. It maintains high standards of data integrity and collaborative growth by utilizing version-controlled knowledge management and template-driven content generation, ensuring that the research remains current and consistent across a wide range of technical domains. The project covers a broad capability surface, including detailed references for web application security, database injection, insecure deserialization, and AI model security testing. It also aggregates external resources, such as research papers and third-party tools, to provide a holistic view of modern threat analysis and defensive research. The documentation is organized as a hierarchical tree of markdown files, designed for easy navigation and reference during active security engagements.

This project is a comprehensive cybersecurity tool collection designed to support security research, penetration testing, and vulnerability assessment. It functions as a unified penetration testing suite, providing a centralized environment where professionals can access a wide range of offensive security utilities to identify system weaknesses and study attack vectors. The platform distinguishes itself through a modular architecture that aggregates disparate security scripts into a single, hierarchical command-line interface. It simplifies the management of these utilities by integrating external repositories, allowing users to fetch and organize third-party tools directly into a structured local directory. By utilizing a categorized menu system and shell-based process execution, the suite enables efficient navigation and direct invocation of specialized tools for tasks ranging from forensic analysis and reverse engineering to exploit development. The toolkit covers a broad spectrum of security domains, including web and wireless attack vectors, cloud security, payload creation, and social media analysis. It also incorporates automated environment setup to handle the installation of necessary system packages and language runtimes, ensuring compatibility across its diverse collection of utilities.

Gowitness is a system for rendering web interfaces at scale to capture visual snapshots, HTTP metadata, and network scan results. It functions as a headless browser screenshot tool and a web surface mapper used to identify and visually document the attack surface of network ranges and URL lists. The tool includes a screenshot gallery server that provides a web-based interface for browsing, filtering, and managing a database of captures. It specifically serves as an Nmap target visualizer, parsing network scan results to automatically capture screenshots of discovered web services. Capabilities include network discovery through CIDR block scanning and the collection of technical metadata such as DOM elements, TLS information, request headers, cookies, and console logs. The system supports bulk visual captures and allows exporting results into structured formats including SQLite, JSONLines, and CSV. Programmatic interaction is available via an API for managing captures, retrieving metadata, and submitting target URLs.

This project is a standardized repository of malicious and malformed character sequences designed to stress-test data parsing and sanitization routines. It serves as a security testing corpus and a language-neutral reference for auditing software robustness against injection flaws and unexpected data handling errors across diverse platforms. The dataset functions as a benchmark for input validation, providing a curated collection of edge-case strings that allow developers to identify potential crashes and security vulnerabilities. By decoupling these test vectors from application logic, the repository enables modular security auditing and automated quality assurance without requiring modifications to the underlying system. The collection covers a broad range of testing requirements, including database query hardening, software input fuzzing, and general input validation testing. The data is provided in multiple standard formats to ensure compatibility with various programming languages and automated testing pipelines.

Wfuzz is a web application fuzzing framework that automates the injection of payloads into HTTP requests to discover hidden resources, parameters, and vulnerabilities. It functions as a content discovery scanner, a brute-force tool for credential guessing, and a plugin-based vulnerability scanner, all within a single modular system. The tool distinguishes itself through its plugin-based extensibility, allowing custom Python modules to add new payload sources, output printers, or scanning logic without modifying core code. It supports concurrent request dispatch using thread-based parallelism to improve throughput on large payload sets, while also providing result filtering and comparison to highlight anomalies. Wfuzz replays captured HTTP requests and responses from prior sessions, preserving state for manual inspection and resending during testing. The framework covers hidden endpoint and resource discovery, HTTP parameter fuzzing across query strings, POST bodies, headers, and cookies, and brute-force authentication against login forms and HTTP authentication mechanisms. It uses a keyword-based payload injection system where a placeholder token in any HTTP request field is replaced with values from wordlists, generators, or iterators.

The framework is a comprehensive penetration testing platform designed for the development, testing, and execution of security exploits. It serves as a research toolkit and automated assessment environment, enabling security professionals to identify and validate vulnerabilities within networked systems and infrastructure through repeatable, standardized procedures. The platform distinguishes itself through a modular architecture that supports reflective payload injection, allowing for the execution of code directly in memory without writing to disk. It utilizes an asynchronous event loop to manage high-performance, concurrent network connections and features a transport-agnostic communication layer that abstracts protocols to maintain persistent command and control. Users can extend the core functionality through a plugin system and define complex exploit logic using a domain-specific language. The framework provides robust capabilities for remote payload management, including the configuration of network settings like sleep intervals and timeout thresholds. It maintains state persistence across long-running sessions by storing discovered host information and vulnerability data in a relational database. The software is designed for cross-platform deployment, with installation support available for Linux, macOS, and Windows environments.

reconftw is an attack surface management framework and reconnaissance workflow orchestrator designed to automate the discovery, mapping, and monitoring of external digital assets. It operates as a modular tool-chain pipeline that coordinates a sequence of security tools to perform intelligence gathering and vulnerability scanning. The project distinguishes itself through a cloud-native deployment model that parallelizes scanning workloads across a fleet of remote VPS instances to bypass local resource constraints. It utilizes container-based environment isolation to ensure consistent execution across different cloud providers and features a checkpoint system to resume interrupted workflows from the last point of failure. The toolkit covers a broad range of capabilities, including passive and active subdomain enumeration, open-source intelligence gathering, and network infrastructure analysis. It also incorporates automated vulnerability scanning for common web flaws and CVEs, differential asset tracking to identify new targets, and the generation of security reports using artificial intelligence. The environment can be deployed via container orchestration and integrated into CI/CD pipelines for recurring security checks.

This project is a terminal-based HTTP client designed for interacting with web services, debugging APIs, and automating network requests. It provides a specialized command-line interface that simplifies the construction of complex HTTP exchanges, allowing users to test and inspect web services directly from the shell. The tool distinguishes itself through a declarative syntax engine that translates shorthand command-line tokens into fully formed HTTP requests, including headers, parameters, and body payloads. It features a modular, plugin-based architecture that enables users to extend core functionality with custom authentication schemes, transport protocols, and data formatting logic. Furthermore, it supports persistent session management, allowing for the maintenance of cookies and authentication states across multiple related requests to simulate browser-like interactions. Beyond its core request capabilities, the tool provides a comprehensive suite of features for handling network traffic, including automated shell scripting with error handling, remote file downloading with progress tracking, and robust proxy support. It also offers advanced configuration options for HTTPS security, response streaming for large payloads, and terminal-aware output formatting that provides syntax-highlighted, human-readable displays.

Zphisher is a security testing framework designed for conducting authorized social engineering assessments and penetration testing. It functions as a credential harvesting simulator that enables security professionals to evaluate organizational defenses and user awareness by deploying deceptive login interfaces. The platform automates the creation of realistic web pages through dynamic template rendering and provides tools to mask destination addresses. It integrates reverse proxy tunneling to expose local testing services to the public internet, allowing for remote access during security audits without requiring modifications to network firewall configurations. The tool supports the simulation of credential harvesting attacks to measure vulnerability within authentication workflows. It is packaged to ensure consistent execution across different host environments, facilitating the deployment of controlled testing infrastructure for security awareness training.

Firecrawl is a web data extraction platform designed to convert unstructured web content into clean, LLM-ready formats like markdown or JSON. It functions as an autonomous web crawler and scraper, capable of mapping entire domains, performing recursive navigation, and executing complex data gathering tasks. By leveraging headless browser orchestration, the system handles dynamic, JavaScript-heavy pages to ensure comprehensive data capture. The platform distinguishes itself through its focus on agentic workflows, providing a programmatic interface that allows autonomous agents to perform live web research, interact with pages, and execute multi-step navigation tasks. It supports distributed crawling infrastructure, enabling users to scale data collection across multiple nodes while managing concurrency and long-running jobs through asynchronous queueing. The system also integrates with agentic frameworks via standardized protocols, allowing for seamless connection to AI-powered clients and automated pipelines. Beyond its core extraction capabilities, the project provides a suite of developer tools for site mapping, batch scraping, and web searching. It includes features for stateful session persistence, webhook-based notifications, and configurable crawl depth, allowing for granular control over how information is retrieved and processed. The project offers comprehensive API documentation and SDKs to facilitate integration into backend services and local development environments. Users can deploy the crawling infrastructure within their own private networks or utilize managed cloud services.

Yakit is a comprehensive cybersecurity all-in-one platform designed for security assessments. It integrates a suite of core tools including an HTTP interception proxy for real-time traffic modification, an out-of-band interaction detector for verifying remote command execution via TCP, DNSLog, and ICMP, and a reverse shell manager for controlling remote server connections. The platform is distinguished by its dedicated security scripting environment, which allows for the development and execution of custom logic and plugins using a specialized high-performance language. It further extends functionality through a plugin framework and a centralized marketplace for integrating third-party tools. The toolset covers a wide range of capability areas, including web application fuzzing with dynamic parameter generation and automated vulnerability scanning using proof-of-concept templates. It also provides advanced network utilities such as multi-protocol port multiplexing and reverse-shell tunneling to bridge internal network services to the public internet. The system supports remote backend management, enabling a local client to execute security tasks across different network environments.

uBlock is a browser-based content blocker that functions as a declarative filtering engine to intercept network requests and modify web page content. It operates by parsing standardized filter lists into optimized data structures, allowing it to block network hosts, enforce security policies, and prevent unauthorized data transmission. The extension provides a comprehensive security layer that monitors outgoing traffic and disables intrusive browser features to enhance user privacy. What distinguishes this project is its granular control over filtering behavior through a dynamic rule orchestrator. Users can manage custom rules, apply site-specific overrides, and toggle filtering settings on a per-domain basis. The engine also employs advanced techniques such as CNAME uncloaking, IP address filtering, and response body modification to identify and neutralize trackers that attempt to bypass standard blocking methods. Furthermore, it supports enterprise-grade deployment, enabling organizations to enforce consistent security and filtering configurations across managed environments. The project covers a broad capability surface including cosmetic page modification, which uses CSS injection and sandboxed scriptlets to remove visual clutter and neutralize anti-blocking scripts. It also provides interactive tools for real-time network traffic inspection and manual element removal, ensuring users can debug and customize their browsing experience. The extension is designed to maintain high performance by synchronizing its initialization at startup, ensuring that all security rules are active before any network requests are processed.

Firefox is a cross-platform web browser engine designed to render web content, execute JavaScript, and manage secure browsing sessions. It utilizes a multi-process isolation architecture that distributes browser tasks across independent operating system processes to ensure stability and prevent site-specific failures from impacting the entire application. The engine incorporates a sandboxed execution environment to restrict web content and untrusted scripts to isolated memory compartments, enforcing security policies that prevent unauthorized access to system resources. The project distinguishes itself through a high-performance rendering pipeline that decouples visual updates from the main thread, enabling fluid scrolling and animation performance. It features a formal cross-language binding layer that connects high-level scripting environments with low-level system logic, facilitating memory-safe performance improvements through the integration of Rust components. Additionally, the browser employs a declarative component framework that uses reactive properties and shadow DOM encapsulation to ensure consistent rendering and modular feature development across the user interface. The browser provides a comprehensive suite of capabilities for web standards implementation, privacy protection, and automated testing. It includes infrastructure for local machine learning, persistent data management, and cross-device synchronization of user profiles and settings. The platform also offers extensive developer tools for inspecting network activity, profiling performance, and debugging scripts, alongside a robust framework for third-party extension development. The codebase is structured to support complex browser operations, including automated testing, build configuration, and system-level integration. It is distributed as a complete application package for major operating systems, with documentation and build tools provided to support cross-platform development and continuous integration workflows.

Django REST Framework is a toolkit for building standards-compliant web services that map complex data models to structured HTTP responses. It provides a modular architecture for handling the request lifecycle, including authentication, permission checks, and content negotiation. The framework is designed to facilitate the development of robust APIs by transforming complex data types into native formats and validating incoming request payloads against defined schemas. The project distinguishes itself through a highly modular, class-based design that allows developers to build complex views and API logic through inheritance and mixin composition. It features a powerful serialization system that automatically generates schemas from database models, alongside a flexible policy-based system for managing access control, rate limiting, and versioning. The framework also includes automated schema generation, which introspects view logic to produce interactive, machine-readable API documentation at runtime. Beyond its core serialization and view architecture, the framework provides a comprehensive suite of tools for managing the entire API lifecycle. This includes extensive support for authentication methods, content negotiation, pagination, and filtering, as well as robust error handling and testing utilities. These components are designed to be highly customizable, allowing developers to override default behaviors or implement custom logic to meet specific application requirements.

Gobuster is a command-line security utility designed for brute-force discovery of hidden infrastructure and content. It operates by systematically testing wordlists against target network services to identify files, directories, subdomains, and cloud storage buckets. The tool utilizes a concurrent worker pool to execute these requests in parallel, ensuring efficient scanning across various network environments. The project distinguishes itself through a modular plugin architecture that supports multiple discovery modes, including HTTP, DNS, and TFTP. This design allows for protocol-agnostic request abstraction, enabling the tool to perform virtual host identification, cloud storage auditing, and custom protocol fuzzing within a unified execution pipeline. Users can further refine these operations by customizing network headers, proxy settings, and security certificates. Beyond basic enumeration, the tool provides robust result management capabilities. It includes response-based filtering logic to discard irrelevant data based on status codes or content patterns, and it supports real-time stream-based processing to save findings directly to local files. These features allow for the systematic mapping of external network footprints and the identification of exposed application endpoints or sensitive configuration data.

Lighthouse is an automated diagnostic tool that evaluates web pages against industry standards for performance, accessibility, and search engine optimization. It functions as a programmatic analysis engine and a command-line utility, allowing developers to integrate comprehensive web quality checks directly into continuous integration pipelines and local development workflows. The project distinguishes itself through a modular architecture that utilizes artifact-based data collection to ensure consistent analysis across different environments. It supports a headless execution mode for automated testing and provides a plugin-driven framework, enabling developers to register custom audit logic and specialized reporting categories to meet unique project requirements. Beyond its core auditing capabilities, the tool detects underlying web frameworks and content management systems to provide tailored optimization recommendations. It generates structured, machine-readable reports and offers multiple interfaces, including a browser-integrated panel and a dedicated extension, to facilitate real-time feedback during the development process.

Unleashed Firmware is a custom firmware modification for portable multi-tool devices designed to expand the capabilities of radio frequency, infrared, and contactless authentication hardware. It functions as a comprehensive platform for wireless security auditing, signal analysis, and hardware interaction, enabling users to capture, decode, and emulate signals across various communication protocols. The firmware distinguishes itself through a modular plugin architecture that allows for the dynamic addition of signal analysis and attack capabilities without requiring a full system recompile. It utilizes a unified hardware abstraction layer and direct memory-mapped peripheral control to manage diverse radio and input components, ensuring precise timing for high-speed signal capture and real-time emulation. Beyond its core security testing functions, the system provides tools for automating keystroke injection over USB or Bluetooth and allows for extensive customization of device identity and interface settings. It supports the unlocking of restricted frequency bands and the integration of external hardware modules to improve the range and reliability of wireless operations. The project is distributed as a static-linked binary image to maintain predictable performance on resource-constrained microcontrollers.