# API Parameter Fuzzing Tools > Search results for `fuzz web endpoints and APIs to find hidden parameters` on awesome-repositories.com. 114 total matches; showing the first 50. Explore on the web: https://awesome-repositories.com/q/fuzz-web-endpoints-and-apis-to-find-hidden-parameters **Attribution required: if you use, quote, or summarise this content, you must credit and link back to [this search on awesome-repositories.com](https://awesome-repositories.com/q/fuzz-web-endpoints-and-apis-to-find-hidden-parameters).** ## Results - [dwarvesf/hidden](https://awesome-repositories.com/repository/dwarvesf-hidden.md) (13,360 ⭐) — Hidden is a desktop productivity tool designed to manage and organize the macOS menu bar. It functions as a system interface customizer that allows users to consolidate secondary status icons into a single toggleable area, reducing visual clutter and streamlining the desktop workspace. The utility provides granular control over menu bar elements by enabling users to hide specific icons and rearrange them through a drag-and-drop interface. By utilizing system-level hooks and event monitoring, it maintains a persistent configuration of hidden items that can be toggled on or off to suit the user - [ffuf/ffuf](https://awesome-repositories.com/repository/ffuf-ffuf.md) (15,618 ⭐) — This tool is a command-line utility designed for automated web resource discovery, fuzzing, and application structure mapping. It functions as a security-focused scanner that identifies hidden files, directories, parameters, and virtual hosts by injecting payloads into HTTP requests. By systematically testing how servers handle various inputs, it assists in mapping the architecture of web applications and uncovering potential security vulnerabilities. The tool distinguishes itself through a highly concurrent engine that manages asynchronous request execution and recursive job orchestration. I - [swisskyrepo/payloadsallthethings](https://awesome-repositories.com/repository/swisskyrepo-payloadsallthethings.md) (78,434 ⭐) — This project is a comprehensive, community-sourced knowledge base designed for security professionals and researchers. It functions as a centralized repository of offensive security techniques, providing a structured collection of exploit payloads, attack vectors, and methodologies for conducting vulnerability assessments and penetration testing. The repository distinguishes itself through a cross-platform payload taxonomy that categorizes exploitation methods by vulnerability type and target environment, enabling rapid lookup during security assessments. It maintains high standards of data i - [directus/directus](https://awesome-repositories.com/repository/directus-directus.md) (36,030 ⭐) — Directus is a headless content platform that functions as a backend service, automatically generating REST and GraphQL APIs by performing introspection on existing SQL database schemas. It serves as a unified data orchestration layer, decoupling content management from frontend delivery while providing a secure, stateless gateway for database transactions. The platform distinguishes itself through a granular role-based access control engine that enforces security policies at the field level across all API endpoints. It includes a visual, low-code administrative dashboard that allows non-techn - [gwen001/github-endpoints](https://awesome-repositories.com/repository/gwen001-github-endpoints.md) (219 ⭐) — Find endpoints on GitHub. - [hahwul/dalfox](https://awesome-repositories.com/repository/hahwul-dalfox.md) (4,846 ⭐) — Dalfox is an automated web application security tool specifically designed for discovering and verifying cross-site scripting vulnerabilities. It functions as an XSS vulnerability scanner that analyzes HTTP parameters and DOM structures to identify reflected, stored, and blind injection points. The project distinguishes itself by providing a Model Context Protocol server and a REST API, allowing artificial intelligence agents and remote interfaces to trigger and manage security scans programmatically. It utilizes a payload mutation engine and fingerprinting strategies to execute WAF evasion t - [anggrayudi/android-hidden-api](https://awesome-repositories.com/repository/anggrayudi-android-hidden-api.md) (3,663 ⭐) — This project is an Android hidden API wrapper and system API bridge that provides access to internal Android system classes and resources. It enables compilation and execution of code against non-public Android framework methods and internal classes by replacing the standard platform jar. The tooling facilitates the retrieval of system-level strings, dimensions, and colors through an internal resource accessor, removing the need for manual Java reflection. The project covers low-level architectural mechanisms for custom bootclasspath injection and stub-based class loading to bypass compile-t - [avelino/awesome-go](https://awesome-repositories.com/repository/avelino-awesome-go.md) (175,576 ⭐) — This project serves as a comprehensive language ecosystem index, functioning as a centralized, community-curated directory for the Go programming language. It organizes a vast landscape of software components, libraries, and development tools into a structured, navigable hierarchy, enabling developers to efficiently discover resources tailored to specific functional domains. The repository distinguishes itself through a decentralized contribution model, where community-driven updates ensure the index remains current with the rapidly evolving software landscape. Beyond simple resource listing, - [ultimatehackers/xsstrike](https://awesome-repositories.com/repository/ultimatehackers-xsstrike.md) (15,027 ⭐) — XSStrike is a security tool designed to detect cross-site scripting vulnerabilities through parameter fuzzing and web response analysis. It functions as a web application fuzzer and vulnerability scanner that identifies injection points and security flaws. The project includes a specialized utility for detecting blind XSS, where payloads execute asynchronously or on separate pages. It also features a JavaScript library auditor to identify outdated libraries with known vulnerabilities and a dedicated tool for identifying and bypassing web application firewalls using various evasion techniques. - [aflplusplus/aflplusplus](https://awesome-repositories.com/repository/aflplusplus-aflplusplus.md) (6,605 ⭐) — AFL++ is a coverage-guided fuzzing framework that discovers crashes and hangs in software by mutating inputs while tracking which code paths are exercised. It functions as both a fuzzing engine and a campaign manager, supporting targets with or without source code through compile-time instrumentation, dynamic binary instrumentation, and emulation. The framework includes tools for crash triage and analysis, test case minimization, and campaign deployment across local or distributed environments. The framework distinguishes itself through its breadth of instrumentation backends, allowing users - [google/fuzzing](https://awesome-repositories.com/repository/google-fuzzing.md) (3,772 ⭐) — Tutorials, examples, discussions, research proposals, and other resources related to fuzzing - [asyncfuncai/deepwiki-open](https://awesome-repositories.com/repository/asyncfuncai-deepwiki-open.md) (14,362 ⭐) — This platform is an automated documentation and codebase analysis system designed to generate structured wikis, technical guides, and interactive diagrams from source code repositories. It functions as a retrieval-augmented generation framework that connects codebases to language models, enabling context-aware answers, deep research, and automated documentation updates through semantic vector search. The system distinguishes itself through a self-hosted, containerized architecture that supports both cloud-based and local AI model execution. It provides sophisticated model orchestration, allow - [jaykali/maskphish](https://awesome-repositories.com/repository/jaykali-maskphish.md) (3,020 ⭐) — Maskphish is a comprehensive security toolkit that integrates capabilities for digital forensics, network vulnerability scanning, open-source intelligence, penetration testing, and social engineering. It functions as a multi-purpose framework for automating reconnaissance and executing security audits across diverse network environments. The project features a specialized phishing and social engineering toolkit used for cloning websites, masking URLs, and deploying deceptive pages to capture user credentials. It also includes a remote access Trojan builder for generating platform-specific exe - [fuzzing/mffa](https://awesome-repositories.com/repository/fuzzing-mffa.md) (334 ⭐) — Media Fuzzing Framework for Android - [fuzzdb-project/fuzzdb](https://awesome-repositories.com/repository/fuzzdb-project-fuzzdb.md) (8,819 ⭐) — fuzzdb is a collection of datasets designed for web application penetration testing and dynamic fuzzing. It provides a fuzzing payload dictionary, a resource discovery wordlist, and a fault injection dataset containing corrupted Unicode, null bytes, and escape codes to trigger application crashes and logic errors. The project includes a security filter bypass list featuring polyglots and encoded strings to evade web application firewalls and input validation filters. It also provides a comprehensive web application penetration testing dataset specifically for identifying flaws such as cross-s - [golang/go](https://awesome-repositories.com/repository/golang-go.md) (134,756 ⭐) — Go is a statically typed, compiled programming language designed for building scalable, concurrent software. It provides a memory-safe execution environment that combines a high-performance runtime with a self-hosting compiler toolchain, enabling the creation of statically linked machine code binaries without external dependencies. The language is built around a structural type system that uses interfaces for polymorphism and a concurrency model based on lightweight, stack-based coroutines that communicate through channels. The language distinguishes itself through a runtime that features a c - [s0md3v/xsstrike](https://awesome-repositories.com/repository/s0md3v-xsstrike.md) (14,752 ⭐) — XSStrike is an automated security scanning engine designed for web application discovery, input - [googlechrome/lighthouse](https://awesome-repositories.com/repository/googlechrome-lighthouse.md) (30,355 ⭐) — Lighthouse is an automated diagnostic tool that evaluates web pages against industry standards for performance, accessibility, and search engine optimization. It functions as a programmatic analysis engine and a command-line utility, allowing developers to integrate comprehensive web quality checks directly into continuous integration pipelines and local development workflows. The project distinguishes itself through a modular architecture that utilizes artifact-based data collection to ensure consistent analysis across different environments. It supports a headless execution mode for automat - [gh0stkey/web-fuzzing-box](https://awesome-repositories.com/repository/gh0stkey-web-fuzzing-box.md) (2,444 ⭐) - [cpuu/awesome-fuzzing](https://awesome-repositories.com/repository/cpuu-awesome-fuzzing.md) (972 ⭐) — A curated list of awesome Fuzzing(or Fuzz Testing) for software security - [gitroomhq/postiz-app](https://awesome-repositories.com/repository/gitroomhq-postiz-app.md) (32,271 ⭐) — Postiz is an open-source social media management platform designed to centralize the scheduling, publishing, and analysis of content across diverse social networks, community forums, and blogging platforms. It functions as a unified hub where users can coordinate, review, and distribute content through a shared team workspace, while leveraging integrated artificial intelligence to assist in drafting text and generating multimedia assets. The platform distinguishes itself through a modular architecture that utilizes a provider-specific adapter pattern to ensure consistent content distribution - [daffainfo/allaboutbugbounty](https://awesome-repositories.com/repository/daffainfo-allaboutbugbounty.md) (6,644 ⭐) — AllAboutBugBounty is a curated collection of bug bounty techniques and payloads for web application security testing. It serves as a reference resource covering common web vulnerabilities and exploitation methods for security researchers, providing a structured approach to identifying and exploiting web application security flaws in bug bounty programs. The repository covers a wide range of attack categories including authentication bypass, cross-site scripting injection, server-side request forgery, web cache poisoning, and business logic abuse. It includes techniques for bypassing access co - [node-modules/parameter](https://awesome-repositories.com/repository/node-modules-parameter.md) (726 ⭐) — parameter - [bottlerocket-os/bottlerocket](https://awesome-repositories.com/repository/bottlerocket-os-bottlerocket.md) (9,624 ⭐) — Bottlerocket is a container-optimized operating system and minimal Linux distribution designed specifically for hosting container workloads. It functions as an immutable infrastructure OS, utilizing a read-only root filesystem and atomic partition swapping to ensure consistent and reversible system updates. The system is distinguished by an API-driven host manager that replaces traditional shell-based configuration with a local REST API for administrative tasks. To maintain security and stability, it employs a dual-runtime isolation model that separates workload runtimes from system operation - [sensepost/gowitness](https://awesome-repositories.com/repository/sensepost-gowitness.md) (4,174 ⭐) — Gowitness is a system for rendering web interfaces at scale to capture visual snapshots, HTTP metadata, and network scan results. It functions as a headless browser screenshot tool and a web surface mapper used to identify and visually document the attack surface of network ranges and URL lists. The tool includes a screenshot gallery server that provides a web-based interface for browsing, filtering, and managing a database of captures. It specifically serves as an Nmap target visualizer, parsing network scan results to automatically capture screenshots of discovered web services. Capabiliti - [autoscrape-labs/pydoll](https://awesome-repositories.com/repository/autoscrape-labs-pydoll.md) (6,919 ⭐) — pydoll is a Chrome DevTools Protocol automation library and headless browser controller used for web data extraction and parallel browser automation. It controls Chromium-based browsers via direct WebSocket connections, allowing it to manage isolated browser contexts and tabs while bypassing the overhead and detection associated with WebDriver. The project features an anti-bot evasion framework that mimics natural human behavior, including mouse movements generated via Bezier curves and variable typing patterns. It provides specialized stealth capabilities to bypass behavioral analysis and au - [six2dez/reconftw](https://awesome-repositories.com/repository/six2dez-reconftw.md) (7,226 ⭐) — reconftw is an attack surface management framework and reconnaissance workflow orchestrator designed to automate the discovery, mapping, and monitoring of external digital assets. It operates as a modular tool-chain pipeline that coordinates a sequence of security tools to perform intelligence gathering and vulnerability scanning. The project distinguishes itself through a cloud-native deployment model that parallelizes scanning workloads across a fleet of remote VPS instances to bypass local resource constraints. It utilizes container-based environment isolation to ensure consistent executio - [strongcourage/fuzzing-corpus](https://awesome-repositories.com/repository/strongcourage-fuzzing-corpus.md) (320 ⭐) — My fuzzing corpus - [filamentphp/filament](https://awesome-repositories.com/repository/filamentphp-filament.md) (31,215 ⭐) — Filament is a full-stack framework for building administrative panels and management interfaces within the Laravel ecosystem. It provides a declarative, component-based architecture that allows developers to construct complex, data-driven applications using server-side configuration objects rather than manual HTML. By inspecting database model structures and relationships, the framework automates the generation of CRUD interfaces, forms, and data tables, significantly reducing boilerplate code. The project distinguishes itself through a highly modular and extensible design that supports custo - [sqlmapproject/sqlmap](https://awesome-repositories.com/repository/sqlmapproject-sqlmap.md) (37,676 ⭐) — This project is an automated security testing suite designed to detect and exploit database vulnerabilities. It functions as a command-line utility that streamlines the identification, verification, and exploitation of web application flaws by automating the injection of malicious payloads into input parameters. The tool provides a comprehensive framework for database enumeration, allowing users to extract schema information, user data, and system configurations from identified injection points. What distinguishes this tool is its sophisticated engine for dynamic payload adaptation and heuris - [introlab/find-object](https://awesome-repositories.com/repository/introlab-find-object.md) (477 ⭐) — Find-Object project - [google/oss-fuzz](https://awesome-repositories.com/repository/google-oss-fuzz.md) (12,353 ⭐) — OSS-Fuzz is a distributed, containerized platform for continuous fuzzing and memory safety analysis. It functions as a bug hunting infrastructure that identifies security vulnerabilities and stability bugs through automated, coverage-guided fuzz testing across a scalable cluster of containers. The system provides a continuous security testing pipeline that manages the entire lifecycle of vulnerability discovery, from bootstrapping project templates and compiling targets to executing long-running batch tests. It specifically focuses on memory safety, utilizing sanitizers to detect buffer overf - [htr-tech/zphisher](https://awesome-repositories.com/repository/htr-tech-zphisher.md) (15,416 ⭐) — Zphisher is a security testing framework designed for conducting authorized social engineering assessments and penetration testing. It functions as a credential harvesting simulator that enables security professionals to evaluate organizational defenses and user awareness by deploying deceptive login interfaces. The platform automates the creation of realistic web pages through dynamic template rendering and provides tools to mask destination addresses. It integrates reverse proxy tunneling to expose local testing services to the public internet, allowing for remote access during security aud - [elysiajs/elysia](https://awesome-repositories.com/repository/elysiajs-elysia.md) (18,531 ⭐) — Elysia is a high-performance TypeScript web framework designed for building type-safe backend services. It provides a modular, plugin-based architecture that allows developers to compose server logic, middleware, and validation schemas into scalable application instances. By leveraging native web standards, the framework ensures portability across diverse JavaScript runtimes, including Node.js, Deno, and various edge computing environments. The framework distinguishes itself through its focus on end-to-end type safety, automatically synchronizing request and response definitions between the s - [web-padawan/api-viewer-element](https://awesome-repositories.com/repository/web-padawan-api-viewer-element.md) (283 ⭐) — API documentation and live playground for Web Components. Based on Custom Elements Manifest format - [facebook/rocksdb](https://awesome-repositories.com/repository/facebook-rocksdb.md) (31,767 ⭐) — RocksDB is a high-performance, embeddable persistent key-value library and storage engine based on Log-Structured Merge-trees. It is designed to provide durable storage for large-scale datasets, integrating directly into applications to manage data on flash and RAM-based hardware. The engine is distinguished by its focus on minimizing read and write amplification through multi-threaded compaction and custom memory allocators. It features specialized optimizations for flash storage, including support for zoned block devices, and provides the ability to extend store behavior via external plugin - [mishakorzik/allhackingtools](https://awesome-repositories.com/repository/mishakorzik-allhackingtools.md) (5,186 ⭐) — AllHackingTools is a security tool orchestrator and suite designed to install, update, and manage a wide array of third-party hacking and security utilities from a single command interface. It functions as a centralized hub for network analysis, open source intelligence, penetration testing, and social engineering tools. The project provides specialized frameworks for gathering open source intelligence and searching for user profiles across social platforms. It includes toolkits for network reconnaissance, vulnerability scanning, and the execution of security exploits, as well as a social eng - [bytebytegohq/system-design-101](https://awesome-repositories.com/repository/bytebytegohq-system-design-101.md) (83,491 ⭐) — This project is a centralized engineering knowledge repository that provides a structured curriculum for mastering system design, architectural patterns, and fundamental software development workflows. It serves as a professional development resource for engineers, offering foundational knowledge and real-world case studies to support the design of scalable, secure, and efficient distributed systems. The repository distinguishes itself through a visual-first approach to knowledge synthesis, distilling complex technical concepts into high-density graphical diagrams and succinct illustrations. - [aurelg/ephemeral-hidden-service](https://awesome-repositories.com/repository/aurelg-ephemeral-hidden-service.md) (9 ⭐) — Create ephemeral Tor hidden services from the command line - [k8gege/k8tools](https://awesome-repositories.com/repository/k8gege-k8tools.md) (6,167 ⭐) — K8tools is a multi-stage attack framework that combines memory-only payload execution, credential testing, port forwarding, privilege escalation, and physical USB-based keystroke injection for comprehensive system compromise. At its core, the Ladon PowerShell module loads a multi-function scanner directly into memory, enabling command execution without writing files to disk, while supporting memory-only payload delivery that downloads and runs obfuscated shellcode or PowerShell commands to evade antivirus detection. The framework distinguishes itself through its breadth of integrated capabili - [clickhouse/clickhouse](https://awesome-repositories.com/repository/clickhouse-clickhouse.md) (48,229 ⭐) — ClickHouse is a high-performance, columnar analytical database designed for real-time query execution and large-scale data aggregation. It functions as a distributed data warehouse capable of processing petabytes of information, while also providing an embedded engine that integrates directly into applications for native query capabilities without external dependencies. The system is built to handle high-throughput ingestion and complex analytical workloads, delivering millisecond-level latency for interactive dashboards and operational monitoring. The platform distinguishes itself through ad - [yelp/fuzz-lightyear](https://awesome-repositories.com/repository/yelp-fuzz-lightyear.md) (226 ⭐) — A pytest-inspired, DAST framework, capable of identifying vulnerabilities in a distributed, micro-service ecosystem through chaos engineering testing and stateful, Swagger fuzzing. - [thekingofduck/fuzzdicts](https://awesome-repositories.com/repository/thekingofduck-fuzzdicts.md) (8,355 ⭐) — fuzzDicts is a repository of curated wordlists and dictionaries designed for web application fuzzing. It provides collections of strings and payloads used to discover hidden files, subdomains, and security vulnerabilities. The project includes specialized libraries for different security testing vectors, such as dictionaries for common request and cookie parameters, lists of common subdomain prefixes, and collections of passwords and default vendor credentials for brute-force testing. It also maintains a security payload library containing character sequences used to identify flaws like SQL i - [voorivex/pentest-guide](https://awesome-repositories.com/repository/voorivex-pentest-guide.md) (2,761 ⭐) — This project is a comprehensive web application penetration testing guide and vulnerability research framework. It provides a structured methodology for identifying and exploiting security flaws through a phased approach involving reconnaissance, analysis, and exploitation. The resource is distinguished by its use of a curated methodology framework that links theoretical vulnerability patterns to real-world bug bounty reports and historical exploit examples. It includes a payload-based testing library and a reference system that maps specific vulnerability categories to recommended third-part - [fastapi/typer](https://awesome-repositories.com/repository/fastapi-typer.md) (19,632 ⭐) — This project is a Python framework for building command-line interfaces by converting standard functions into executable programs. It uses type hints to automatically infer and generate argument parsers, validation logic, and help documentation, allowing developers to define complex terminal applications through simple function signatures. The framework distinguishes itself through a decorator-driven registration system that enables the construction of hierarchical command trees. It supports dependency injection to manage shared state and runtime configuration across subcommands, and it utili - [quarkslab/android-fuzzing](https://awesome-repositories.com/repository/quarkslab-android-fuzzing.md) (138 ⭐) — This repository contains the material associated with the blogpost Android greybox fuzzing with AFL++ Frida mode. - [zaproxy/zaproxy](https://awesome-repositories.com/repository/zaproxy-zaproxy.md) (15,293 ⭐) — OWASP ZAP is a dynamic application security testing tool and intercepting HTTP proxy used to find vulnerabilities in web applications. It functions as a penetration testing framework that enables both automated security scanning and manual security testing of running web services. The tool provides a suite of capabilities for analyzing web applications from the outside in, including the ability to capture and modify traffic between a browser and a target application. It is designed to integrate into DevSecOps pipelines to provide consistent security checks across different environments. - [bryanyzhu/hidden-two-stream](https://awesome-repositories.com/repository/bryanyzhu-hidden-two-stream.md) (191 ⭐) — Caffe implementation for "Hidden Two-Stream Convolutional Networks for Action Recognition" - [appsmithorg/appsmith](https://awesome-repositories.com/repository/appsmithorg-appsmith.md) (40,051 ⭐) — Appsmith is a low-code platform designed for building internal business tools, such as operational dashboards and administrative panels. It enables developers to construct dynamic user interfaces by dragging and dropping modular widgets onto a canvas and binding them directly to backend data sources. The platform utilizes a reactive framework that automatically updates interface elements and triggers functions whenever underlying data or widget properties change, eliminating the need for manual event handling. The platform distinguishes itself through a server-side proxy architecture that exe - [sindresorhus/find-up](https://awesome-repositories.com/repository/sindresorhus-find-up.md) (640 ⭐) — Find a file or directory by walking up parent directories