[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-81775":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":16,"stars7d":16,"stars30d":16,"stars90d":15,"forks30d":15,"starsTrendScore":17,"compositeScore":18,"rankGlobal":10,"rankLanguage":10,"license":19,"archived":20,"fork":20,"defaultBranch":21,"hasWiki":22,"hasPages":20,"topics":23,"createdAt":10,"pushedAt":10,"updatedAt":31,"readmeContent":32,"aiSummary":33,"trendingCount":15,"starSnapshotCount":15,"syncStatus":34,"lastSyncTime":35,"discoverSource":36},81775,"apiffuf","jsmonhq\u002Fapiffuf","jsmonhq","API URL fuzzer that cross-joins hosts and paths into normalized URLs, probes them over HTTP, and reports responding endpoints.","https:\u002F\u002Fjsmon.sh",null,"Go",26,4,21,0,5,15,55.1,"GNU Affero General Public License v3.0",false,"main",true,[24,25,26,27,28,29,30],"api-hacking","bugbounty","bugbounty-tools","cybersecurity","ethicalhacking","fuzzer","jsmon","2026-06-12 04:01:35","# apiffuf\n\nAPI URL fuzzer that cross-joins hosts and paths into normalized URLs, probes them over HTTP, and reports responding endpoints.\n\n\u003Ca href=\"https:\u002F\u002Fwww.producthunt.com\u002Fproducts\u002Fapiffuf-by-jsmon?embed=true&utm_source=badge-featured&utm_medium=badge&utm_campaign=badge-apiffuf-by-jsmon\" target=\"_blank\" rel=\"noopener noreferrer\">\u003Cimg alt=\"Apiffuf by Jsmon - API URL fuzzer for API hackers | Product Hunt\" width=\"250\" height=\"54\" src=\"https:\u002F\u002Fapi.producthunt.com\u002Fwidgets\u002Fembed-image\u002Fv1\u002Ffeatured.svg?post_id=1154673&theme=light&t=1779692501333\">\u003C\u002Fa>\n\n## Installation\n\n### Direct install\n\n```bash\ngo install github.com\u002Fjsmonhq\u002Fapiffuf@latest\n```\n\n### Clone and build\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Fjsmonhq\u002Fapiffuf.git\ncd apiffuf\ngo build -ldflags=\"-s -w\" -o apiffuf .\n```\n\n## Usage\n\n```text\napiffuf -hosts \u003Chost|file> -paths \u003Cfile> [options]\n```\n\n### Flags\n\n| Flag | Alias | Default | Description |\n|------|-------|---------|-------------|\n| `-hosts` | `-u` | — | Host or file containing hosts (required) |\n| `-paths` | `-w` | — | File containing API paths (required) |\n| `-method` | `-X` | `GET` | HTTP method (supports custom methods) |\n| `-headers` | `-H` | — | Request header (`Name: value`, repeatable) |\n| `-threads` | `-t` | `20` | Parallel goroutines |\n| `-rate` | — | `0` | Requests per second (`0` = unlimited) |\n| `-o` | — | — | Save default text output to file |\n| `-oJ` | — | — | Save JSON output to file |\n| `-oC` | — | — | Save CSV output to file |\n| `-timeout` | — | `10s` | Per-request timeout |\n| `-user-agent` | — | `apiffuf\u002F1.0` | User-Agent header |\n| `-no-color` | — | `false` | Disable colored terminal output |\n\n### Examples\n\nSingle host and paths file:\n\n```bash\napiffuf -hosts api.jsmon.sh -paths paths.txt\n```\n\nHosts file and custom method:\n\n```bash\napiffuf -u hosts.txt -w paths.txt -X POST\n```\n\nWith headers, concurrency, and rate limit:\n\n```bash\napiffuf -hosts https:\u002F\u002Fapi.example.com -paths paths.txt -H \"Authorization: Bearer token\" -t 50 -rate 10\n```\n\nSave results:\n\n```bash\napiffuf -hosts api.jsmon.sh -paths paths.txt -o results.txt -oJ results.json -oC results.csv\n```\n\n## URL normalization\n\n`apiffuf` normalizes host\u002Fpath combinations before probing:\n\n| Host | Path | Output |\n|------|------|--------|\n| `http:\u002F\u002Fsub.target.com` | `\u002Fapi\u002Fv2\u002Fusers` | `http:\u002F\u002Fsub.target.com\u002Fapi\u002Fv2\u002Fusers` |\n| `http:\u002F\u002Fsub.target.com\u002F` | `\u002Fapi\u002Fv2\u002Fusers` | `http:\u002F\u002Fsub.target.com\u002Fapi\u002Fv2\u002Fusers` |\n| `http:\u002F\u002Fsub.target.com` | `api\u002Fv2\u002Fusers` | `http:\u002F\u002Fsub.target.com\u002Fapi\u002Fv2\u002Fusers` |\n| `sub.target.com` | `\u002Fapi\u002Fv2\u002Fusers` | `https:\u002F\u002Fsub.target.com\u002Fapi\u002Fv2\u002Fusers` |\n\nIf no protocol is supplied in the host input, `https` is used by default.\n\n## Output\n\nDefault terminal output (colored when stdout is a TTY):\n\n```text\nhttps:\u002F\u002Fapi.jsmon.sh\u002Fapi\u002Fv2\u002Fusers [200] [application\u002Fjson] [12234] [Jsmon API]\n```\n\nEach line includes:\n\n1. URL\n2. Status code\n3. Content-Type\n4. Content-Length\n5. Page title (when available)\n\nOnly URLs that receive an HTTP response are shown. Connection errors, timeouts, and DNS failures are excluded.\n\nJSON output (`-oJ`) and CSV output (`-oC`) are also supported.\n\n## Safety notice\n\nWhen using `PUT`, `PATCH`, or `DELETE`, apiffuf prints a caution warning because these methods can modify or delete data. Only use against targets you are authorized to test.\n\n### Built by team [Jsmon](https:\u002F\u002Fjsmon.sh).\n\n## License\n\nAGPLv3\n","apiffuf 是一个用于API URL模糊测试的工具，它能够将主机和路径交叉组合成标准化的URL，通过HTTP协议进行探测，并报告响应的端点。该工具使用Go语言编写，支持自定义HTTP方法、请求头、并发数及请求速率限制等高级功能，同时具备URL标准化处理能力，确保在各种输入情况下都能生成正确的URL格式。适用于网络安全测试、漏洞挖掘以及API安全评估等场景，帮助开发者或安全研究人员发现潜在的未授权访问或其他安全问题。",2,"2026-06-11 04:06:40","CREATED_QUERY"]