Fast and flexible HTTP fuzzer with multiple wordlist support, advanced filtering...
- Directory busting
- Parameter fuzzing
- Custom payloads
- Rate Limiting
Boofuzz is a high-performance HTTP web fuzzer written in Go, designed for directory busting, parameter fuzzing, and vulnerability discovery. It supports multiple wordlists with custom placeholders, advanced filtering options, rate limiting, authentication methods, WAF evasion techniques, and provides detailed response analysis including body and header inspection.
Important
Legal and Ethical Notice: This tool is strictly for educational purposes and authorized security testing. Do not use it against systems or networks you do not own or for which you lack explicit authorization to test.
Tip
Performance: Boofuzz can process thousands of requests per second with concurrent threading, efficient HTTP handling using fasthttp, smart rate limiting to avoid detection, and adaptive backoff strategies.
- Filter responses by status codes, size, lines, words, regex patterns, or file extensions
- Built-in evasion methods with automatic WAF detection to bypass common WAF/IPS systems
- Configurable rate limiting with adaptive backoff strategies (
linear,exponential,random) - Built-in support for various authentication methods (
Basic,Bearer,Form-based,OAuth2) - Multiple encoding options (
Base64,MD5,SHA1,SHA256,URL,HTML,Hex,Unicode,ROT13) - High-performance concurrent request handling with configurable thread counts
- Comprehensive response analysis with status codes, sizes, and timing
- Inspect response bodies and headers with dedicated display options
- Show/hide results based on file extensions (
.php,.html,.js, etc.) - JSON output support and colored terminal output
- Fuzzing Engine
- Rate Limiting & Performance
- Authentication System
- WAF Detection & Evasion
- Payload Encoding & Manipulation
- Response Analysis
- Output Options
- Go 1.21+: Required for building and running the application
- Git: For cloning the repository
# # Clone and build
git clone https://github.com/Yoswell/boofuzz.git
cd boofuzz
go build -o boofuzz# Simple directory busting
./boofuzz -u https://example.com/FUZZ -w wordlist.txt
# Multiple wordlists with custom placeholders
./boofuzz -u https://example.com/FUZZ1/FUZZ2 -w wordlist1.txt:FUZZ1 -w wordlist2.txt:FUZZ2
# POST request fuzzing
./boofuzz -u https://example.com/api -X POST -d "param=FUZZ" -w wordlist.txt
# Show response bodies and headers
./boofuzz -u https://example.com/FUZZ -w wordlist.txt -sb -sh
# Filter responses (show only 200-299 status codes)
./boofuzz -u https://example.com/FUZZ -w wordlist.txt -sc 200-299
# Rate limited fuzzing
./boofuzz -u https://example.com/FUZZ -w wordlist.txt -rate-limit 10 -t 5
# Authentication and WAF evasion
./boofuzz -u https://example.com/admin/FUZZ -w admin.txt \
-auth-type form -auth-user admin -auth-pass password \
-auth-url https://example.com/login -detect-waf -evasion 3-u: Target URL (required)-X: HTTP method (default: GET)-d: POST data-b: Cookie data-H: Custom headers (multiple allowed)-x: Proxy URL
-w: Wordlist file with optional custom placeholder (e.g.,file.txt:FUZZ)
-sb: Show response body-sh: Show response headers-v: Verbose output-c: Colorize output-json: JSON output format-ne: No error messages
-sc: Show status codes (default: 200-299,301,302,307,401,403,405,500)-hc: Hide status codes-sl: Show by line count-hl: Hide by line count-sw: Show by word count-hw: Hide by word count-ss: Show by response size-hs: Hide by response size-sr: Show by regex-hr: Hide by regex-sx: Show only URLs with specific extensions (comma-separated, e.g., .php,.html,.js)-hx: Hide URLs with specific extensions (comma-separated, e.g., .php,.html,.js)-xc-c: Exclude comments (#, ~, /)-xc-d: Exclude dotfiles (.)-xc-n: Exclude numbers (0-9)-xc-upper: Exclude all-uppercase-xc-lower: Exclude all-lowercase-xc-s-upper: Exclude first-letter uppercase-xc-s-lower: Exclude first-letter lowercase
-t: Number of threads (default: 40)-L: Follow redirects-http2: Use HTTP2-raw: Don't encode URI-s: Silent mode-recursion: Recursive scanning-recursion-depth: Maximum recursion depth-ex: Add extensions (comma-separated, e.g., .php,.html,.js)
-rate-limit: Requests per second (0 = no limit)-max-retries: Maximum retries for failed requests (default: 3)-backoff: Backoff strategy: linear, exponential, random (default: exponential)
-auth-type: Authentication type: basic, bearer, form, oauth2-auth-user: Username for authentication-auth-pass: Password for authentication-auth-url: Login URL for form authentication
-encode: Encoder chain (e.g., 'base64(md5(input))')- Supported Encoders: base64, md5, sha1, sha256, urlencode, htmlencode, hex, unicode, rot13
-detect-waf: Detect WAF and adjust evasion-random-ua: Randomize User-Agent (default: true)-evasion: Evasion level (0-5, default: 0)
- Level 0: No evasion (default)
- Level 1: Basic URL encoding
- Level 2: Double encoding + header randomization
- Level 3: Partial hex encoding + random delays
- Level 4: Advanced character encoding + Unicode obfuscation
- Level 5: Maximum evasion with all techniques
# Basic authentication
./boofuzz -u https://example.com/admin -w admin-paths.txt \
-auth-type basic -auth-user admin -auth-pass password
# Bearer token authentication
./boofuzz -u https://api.example.com/data -w endpoints.txt \
-auth-type bearer -auth-pass YOUR_JWT_TOKEN
# Form-based with session handling
./boofuzz -u https://example.com/dashboard/FUZZ -w pages.txt \
-auth-type form -auth-user admin -auth-pass password \
-auth-url https://example.com/login# Single encoding
./boofuzz -u "https://example.com/search?q=FUZZ" -w xss-payloads.txt \
-encode "base64(input)"
# Complex encoding chain
./boofuzz -u "https://example.com/search?q=FUZZ" -w payloads.txt \
-encode "base64(md5(sha256(input)))"
# URL encoding with evasion
./boofuzz -u "https://example.com/search?q=FUZZ" -w payloads.txt \
-encode "urlencode(input)" -evasion 2# Detect WAF and enable automatic evasion
./boofuzz -u "https://example.com/FUZZ" -w wordlist.txt \
-detect-waf -evasion 3
# Manual evasion with specific techniques
./boofuzz -u "https://example.com/FUZZ" -w wordlist.txt \
-evasion 4 -random-ua -backoff exponential# Conservative rate limiting
./boofuzz -u https://example.com/FUZZ -w wordlist.txt \
-rate-limit 5 -backoff linear -max-retries 10
# Aggressive with exponential backoff
./boofuzz -u https://example.com/FUZZ -w wordlist.txt \
-rate-limit 50 -backoff exponential -max-retries 3# Show only PHP and HTML files
./boofuzz -u https://example.com/FUZZ -w wordlist.txt -sx ".php,.html"
# Hide common file types
./boofuzz -u https://example.com/FUZZ -w wordlist.txt -hx ".css,.js,.png,.jpg"
# Add extensions to wordlist
./boofuzz -u https://example.com/FUZZ -w wordlist.txt -ex ".php,.html,.asp"# Machine-readable output
./boofuzz -u https://example.com/FUZZ -w wordlist.txt -json | jq '.[] | select(.status == 200)'
# Filter and process results
./boofuzz -u https://example.com/FUZZ -w wordlist.txt -json -sc 200,403 \
| jq -r '.[] | select(.size > 1000) | .url'# Using authenticated proxy
./boofuzz -u https://example.com/FUZZ -w wordlist.txt \
-x http://user:pass@127.0.0.1:8080 -rate-limit 10
# Multiple proxies in rotation (configure via proxy chain)
./boofuzz -u https://example.com/FUZZ -w wordlist.txt \
-x http://127.0.0.1:8080 -evasion 2# Conservative recursive scan
./boofuzz -u https://example.com/FUZZ -w directories.txt \
-recursion -recursion-depth 2 -rate-limit 3
# Deep recursive with evasion
./boofuzz -u https://example.com/FUZZ -w directories.txt \
-recursion -recursion-depth 5 -rate-limit 10 -evasion 3# Automatic WAF detection and bypass
./boofuzz -u https://example.com/search?q=FUZZ -w xss-payloads.txt \
-detect-waf -evasion 4 -random-ua -rate-limit 3
# SQL injection with encoding bypass
./boofuzz -u https://example.com/product.php?id=FUZZ -w sqli-payloads.txt \
-encode "base64(input)" -evasion 3 -backoff exponential
# Header injection with IP spoofing
./boofuzz -u https://example.com/admin -w admin-paths.txt \
-H "X-Forwarded-For: 127.0.0.1" -H "X-Real-IP: 127.0.0.1" \
--evasion 2 --detect-wafThis project is licensed under the terms specified in the LICENSE file, was develop by VIshOk