API Parameter Fuzzing Tools

Alamofire is an HTTP networking library that provides a foundation for managing network requests and responses through a chainable, type-safe interface. It serves as an asynchronous request manager, coordinating concurrent network operations and data streams while maintaining application responsiveness. The library distinguishes itself through a protocol-oriented request adaptation system, which utilizes interceptors to modify or authenticate requests before dispatch. It employs a middleware-driven pipeline to process traffic, handling encoding, authentication, and error recovery in a modular sequence. By wrapping the native networking stack, it offers a unified interface for managing the lifecycle of HTTP tasks. The project includes a generic response serialization system that automatically transforms raw network data into strongly typed objects. It also features a declarative validation layer that verifies server responses against expected status codes and content types to ensure data integrity. These capabilities facilitate the consumption of RESTful services and the orchestration of complex communication between mobile applications and cloud infrastructure.

Dalfox is an automated web application security tool specifically designed for discovering and verifying cross-site scripting vulnerabilities. It functions as an XSS vulnerability scanner that analyzes HTTP parameters and DOM structures to identify reflected, stored, and blind injection points. The project distinguishes itself by providing a Model Context Protocol server and a REST API, allowing artificial intelligence agents and remote interfaces to trigger and manage security scans programmatically. It utilizes a payload mutation engine and fingerprinting strategies to execute WAF evasion testing, while employing AST-based DOM analysis to trace data flow from sources to execution sinks. Its broader capabilities include multi-stage parameter profiling, out-of-band callback verification for blind vulnerabilities, and the generation of SARIF-compatible result exports. The tool supports authenticated scanning through custom headers and cookies, as well as the integration of curated external payload lists. The tool can be integrated into automation pipelines using machine-readable outputs and specific exit codes for CI signaling.

Rocket is a type-safe web framework designed for building server-side applications. It provides a high-performance asynchronous routing engine that maps incoming network traffic to concurrent handler functions, while managing the full lifecycle of web requests. The framework emphasizes compile-time verification, ensuring that request parameters, response types, and routing logic remain consistent throughout the development process. The framework distinguishes itself through its use of request guards, which act as a validation layer to intercept and transform incoming data into structured types before it reaches core business logic. It also features an integrated testing suite that allows developers to dispatch internal requests and verify application behavior without requiring an active network connection. Additionally, the framework supports thread-safe state management, enabling the sharing of global resources across the application while maintaining safe, concurrent access within individual handlers. Beyond its core routing and validation capabilities, the framework includes tools for automated configuration management, which merges settings from multiple sources into structured objects. It also provides extensive support for response handling, including asynchronous streaming, dynamic template rendering, and the ability to derive custom response logic for specific data types. These features are complemented by lifecycle hooks that allow for the execution of custom logic during application startup, shutdown, or request processing phases.

fuzzDicts is a repository of curated wordlists and dictionaries designed for web application fuzzing. It provides collections of strings and payloads used to discover hidden files, subdomains, and security vulnerabilities. The project includes specialized libraries for different security testing vectors, such as dictionaries for common request and cookie parameters, lists of common subdomain prefixes, and collections of passwords and default vendor credentials for brute-force testing. It also maintains a security payload library containing character sequences used to identify flaws like SQL injection and cross-site scripting. The available datasets cover several capability areas, including hidden asset discovery, subdomain enumeration, and security vulnerability scanning.

MediaCrawler is an automated web scraping framework designed to extract public posts, comments, and creator metadata from various social media platforms. It functions as a headless browser automator, utilizing real browser instances to render dynamic content and execute the client-side scripts necessary for interacting with modern web interfaces. The system distinguishes itself through a focus on session persistence and network flexibility. It supports remote debugging to reuse active browser sessions and cookies, which helps minimize the risk of triggering platform security challenges. To maintain stable data collection at scale, the tool integrates proxy-based request routing, allowing users to distribute traffic across external IP services to bypass rate limits and geographic restrictions. The architecture is built for extensibility and modularity, employing a provider pattern that allows developers to integrate new platforms or custom storage backends through standardized interfaces. Users can manage complex scraping workflows via command-line configuration, enabling the definition of specific targets and storage formats—such as JSON, CSV, or various database systems—without modifying the core logic. The project also includes utilities for data visualization, such as generating word clouds from collected comments. Installation requires setting up the necessary runtime environments, including a JavaScript engine for handling complex client-side rendering and the appropriate browser automation drivers.

Arjun is an HTTP parameter discovery tool that identifies valid parameters on web endpoints by testing large dictionaries of parameter names against target URLs. It systematically probes endpoints using GET, POST, JSON, and XML request formats to find which parameters the server accepts, and can detect parameters whose values appear reflected in the response body. The tool distinguishes itself through its multi-method scanning approach, passive parameter collection from public archives like OTX and CommonCrawl, and its ability to detect value-sensitive parameters that only trigger a response when a specific value is supplied. It also extracts form field names from HTML responses and can inject parameters into structured JSON or XML payloads for deeper probing. Arjun supports batch scanning of multiple targets from a file, concurrent processing, and imports targets from Burp Suite logs or raw HTTP request files. It handles rate limiting by slowing requests and automatically retrying, and exports discovered parameters in JSON, plain text, or Burp Suite compatible formats.

Bilibili-Evolved is a browser-based environment that functions as a web content modification engine. It operates as a user interface customization suite, allowing users to personalize their browsing experience by injecting custom logic and interface modifications directly into the Bilibili platform. The project distinguishes itself through a modular component architecture that organizes independent features into isolated units, which can be toggled or configured individually. It utilizes a user-script injection mechanism and a document mutation observer pattern to dynamically alter site assets, intercept data streams, and apply custom style sheets at runtime. By routing network requests through a secondary layer, it bypasses browser security restrictions to fetch external assets and augment site functionality without requiring server-side access. The suite covers a broad range of client-side feature augmentation, enabling the modification of layout, visual presentation, and interactive tools across video, live, and social sections. Comprehensive documentation is provided to assist users in managing these modular tools and contributing to the development of the script.

This tool is a command-line utility designed for automated web resource discovery, fuzzing, and application structure mapping. It functions as a security-focused scanner that identifies hidden files, directories, parameters, and virtual hosts by injecting payloads into HTTP requests. By systematically testing how servers handle various inputs, it assists in mapping the architecture of web applications and uncovering potential security vulnerabilities. The tool distinguishes itself through a highly concurrent engine that manages asynchronous request execution and recursive job orchestration. It allows for granular control over the fuzzing process, including pipeline-based payload mutation, dynamic input encoding, and the ability to integrate external tools for custom payload generation. Users can manage scan intensity through precise traffic rate controls and interactive execution adjustments, ensuring stability while navigating target defenses. Beyond core discovery, the software provides extensive observability and reporting capabilities. It supports logic-based response filtering to isolate relevant findings from noise, audit logging for verifiable testing trails, and structured data export in formats like JSON and CSV. The tool also accommodates secure testing environments through support for client-side certificate authentication and persistent configuration management for standardized testing workflows.

This project serves as an agentic browser controller, providing a programmatic bridge that enables autonomous software agents to navigate web pages and interact with document elements. It functions as a browser automation protocol, facilitating headless browser operations and automated web interactions to perform repetitive tasks and end-to-end testing without manual human input. The system distinguishes itself by utilizing the Chrome DevTools Protocol to establish a bidirectional communication channel with the browser engine. This allows for protocol-based remote control, where external applications can execute complex commands, capture visual snapshots, and inspect document structures. To maintain stability and security, the controller manages session-isolated browser instances, ensuring that concurrent tasks remain independent through unique data directories. Beyond core automation, the project provides a middleware layer for remote browser debugging and programmatic web inspection. It supports asynchronous command execution to handle multi-step interactions without blocking the host application, and it offers tools to connect local or remote development environments to active browser sessions for consistent testing across various interfaces.

Gitleaks is a security scanning engine designed to identify hardcoded credentials, API keys, and other sensitive information within version control systems and local file structures. It functions as a static analysis tool that automates the detection of secrets, helping to prevent the accidental exposure of sensitive data during the development lifecycle. The tool distinguishes itself through its ability to perform deep forensic analysis of git history, allowing users to audit entire project timelines or enforce security gates within continuous integration pipelines. It supports complex detection logic through composite rules and provides mechanisms for baseline management, which enables teams to ignore existing findings and focus exclusively on new security risks. By offering pre-commit hook integration and exit-code-based orchestration, it allows for the enforcement of security policies directly within developer workflows and automated build environments. Beyond core scanning, the project provides a broad set of utilities for managing security findings, including support for decoding obfuscated strings, inspecting compressed archives, and filtering results through allowlisting or path exclusions. It facilitates compliance and reporting by exporting structured data, which can be integrated into external dashboards or tracking systems. The tool is built to handle various input sources, including direct file system traversal and standard input streams, ensuring compatibility with diverse development and deployment environments.