Kiterunner Logo

Kiterunner

0
Free
Visit Website

For the longest of times, content discovery has been focused on finding files and folders. While this approach is effective for legacy web servers that host static files or respond with 3xx’s upon a partial path, it is no longer effective for modern web applications, specifically APIs. Kiterunner is a tool that is capable of not only performing traditional content discovery at lightning fast speeds, but also bruteforcing routes/endpoints in modern applications. Modern application frameworks such as Flask, Rails, Express, Django and others follow the paradigm of explicitly defining routes which expect certain HTTP methods, headers, parameters and values. When using traditional content discovery tooling, such routes are often missed and cannot easily be discovered. By collating a dataset of Swagger specifications and condensing it into our own schema, Kiterunner can use this dataset to bruteforce API endpoints by sending the correct HTTP method, headers, path, parameters.

FEATURES

ALTERNATIVES

An AI-powered application security platform that provides automated discovery, testing, and continuous monitoring of applications and APIs with minimal operational impact.

A Burp Suite content discovery plugin that adds smart functionality to the Buster plugin.

A PHP/MySQL web application designed to aid security professionals in testing their skills and tools in a legal environment.

Search engine for open-source Git repositories with advanced features like case sensitivity and regular expressions.

DVTA is a Vulnerable Thick Client Application with various security vulnerabilities.

ffufai is an AI-enhanced wrapper for ffuf that automatically suggests file extensions for web fuzzing based on the target URL and headers.

A fast and minimal JS endpoint extractor

A brute-force protection middleware for express routes that rate-limits incoming requests.