FuzzSwarm is a powerful multi-threaded fuzzing tool designed for brute-forcing HTTP endpoints and identifying vulnerabilities in web applications and APIs. It supports GET and POST requests, custom headers, and can load headers from a file. Users can perform precise fuzzing with numeric ranges, wordlists, and filter responses by size. FuzzSwarm also offers rate limit and timeout controls, as well as proxy and SSL support for secure testing environments, making it ideal for pentesters and security professionals seeking to uncover web security flaws.
First, download and install Go. Version 1.23 or higher is required.
Clone the FuzzSwarm repository:

```sh
git clone https://github.com/0xBl4nk/FuzzSwarm2
```

Build the project or use the precompiled binary:

```sh
# Build project:
cd FuzzSwarm2
make build
# Usage:
./FuzzSwarm --help
```
The best way to explore all the features of Fuzz Swarm 2 is to read the project Wiki.
Yes, the most frequently asked questions (FAQ) are also there.
Cheat sheet for some uses of Fuzz Swarm 2:

```sh
./FuzzSwarm -X POST -u http://127.0.0.1/api/2fa \
  -R 1-10000,1 -d '{"number": FUZZ}' \
  -H "Content-Type: application/json" \
  -f 34 -v
```
| Option | Description | Type | Default | Required? |
|---|---|---|---|---|
| `-X` | Select HTTP method | string | GET | No |
| `-R` | Use a number range instead of a word list | string | | Yes, if you don't use a word list |
| `-d` | Set POST data | string | | No |
| `-H` | Set custom headers | string | | No |
| `-f` | Skip responses whose length equals this value | int | | No |
| `-v` | Show response body | bool | False | No |
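The cheat sheet above brute-forces a numeric 2FA code and uses `-f 34` to hide the identically sized rejection responses. From the defending side, that same run leaves a very recognisable trace in a web server access log: one client, one path, a burst of requests and a single repeated response size. The following detector is an added example (it is not part of FuzzSwarm and not the project's code) that parses constructed combined-format log lines, finds (client, path) pairs that exceed a request threshold within a sliding time window, and reports how many distinct response sizes were seen. The log lines, IPs and thresholds are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (combined format, not real traffic):
# 30 POSTs to /api/2fa from one client within 30 seconds, all answered with a
# 34-byte 401 body, plus two ordinary requests from another client.
SAMPLE_LOG = "\n".join(
    [f'10.0.0.5 - - [10/Oct/2024:13:55:{s:02d} +0000] "POST /api/2fa HTTP/1.1" 401 34 "-" "Go-http-client/1.1"'
     for s in range(0, 30)]
    + [
        '10.0.0.7 - - [10/Oct/2024:13:55:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        '10.0.0.7 - - [10/Oct/2024:13:55:12 +0000] "POST /api/2fa HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    ]
)

# Matches the fields of a combined-format line: client, timestamp, request line,
# status and response size. The referer and user agent at the end are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "size": size,
    }


def find_bursts(log_text, threshold=20, window_seconds=60):
    """Return one alert per (client, path) whose request count inside any sliding
    window of `window_seconds` exceeds `threshold`.

    Each alert also carries the number of distinct response sizes: a fuzzer that is
    still guessing wrong produces one repeated size (the size a `-f` filter hides),
    whereas legitimate traffic to the same path normally varies.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events[(ev["ip"], ev["path"])].append(ev)

    alerts = []
    for (ip, path), evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        peak = 0
        # Two-pointer sliding window over the time-sorted events.
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            sizes = {e["size"] for e in evs}
            alerts.append({
                "ip": ip,
                "path": path,
                "peak_requests": peak,
                "distinct_sizes": len(sizes),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_LOG):
        print(f"{alert['ip']} -> {alert['path']}: {alert['peak_requests']} requests "
              f"in window, {alert['distinct_sizes']} distinct response size(s)")
```

Running it on the sample log flags `10.0.0.5 -> /api/2fa` with 30 requests and a single response size, and nothing for the browser client. The threshold and window are deliberately parameters: a 2FA endpoint that legitimately receives a handful of attempts per user per minute tolerates a far lower threshold than a search endpoint, and the natural mitigation on the server side is a per-account attempt limit rather than a network rate limit alone.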
You can use scripts in FuzzSwarm to automate specific attack types, such as SSTI fuzzing, with predefined payloads for more targeted vulnerability testing.
```sh
./FuzzSwarm --script ssti -u 'http://127.0.0.1/vulnerable?input=FUZZ' -v
```
| Option | Description | Type | Default | Required? |
|---|---|---|---|---|
| `--script` | Select the script to use | string | | No |