ENNAENNA

Kiterunner

AGPL-3.0

๐Ÿ•ธ Web Scanning ยท Go

Kiterunner performs content discovery specifically designed for modern APIs. Unlike traditional directory brute-forcers that only test GET requests against paths, Kiterunner understands API structure and tests multiple HTTP methods, parameter combinations, and route patterns derived from thousands of real-world API schemas. It ships with curated wordlists built from Swagger/OpenAPI definitions collected from public sources. This approach discovers endpoints that traditional tools miss entirely, making it essential for API penetration testing.

3.2kstars
333forks
51issues
Updated 1y ago
+I use this
View on GitHubOfficial Website

Installation

$ go install github.com/assetnote/kiterunner/cmd/kr@latest

Use Cases

  • Discovering hidden API endpoints and routes
  • Testing multiple HTTP methods against discovered paths
  • Finding undocumented REST API functionality
  • Supplementing traditional directory brute-forcing with API-aware scanning

Tags

api-discoverycontent-discoverybrute-forceapi-securityroute-fuzzing

Details

Category
๐Ÿ•ธ Web Scanning
Language
Go
License
AGPL-3.0
Platforms
๐Ÿงlinux๐ŸŽmacos๐ŸชŸwindows

Links

GitHub Repository

github.com/assetnote/kiterunner

Official Website

www.assetnote.io

Releases

github.com/assetnote/kiterunner/releases

Issues

github.com/assetnote/kiterunner/issues

Sponsored

Your ad here

Reach security professionals and developers - ads@en-na.com

Community Reviews

Alternatives & Comparisons

Gobuster

Go

Directory/file, DNS, and vhost busting tool. Brute-forces URIs, DNS subdomains, virtual host names, and S3 buckets.

Compare Kiterunner vs Gobuster

Feroxbuster

Rust

Fast, recursive content discovery tool written in Rust. Like gobuster on steroids with auto-recursion.

Compare Kiterunner vs Feroxbuster

ffuf

Go

Fast web fuzzer written in Go. Fuzz anything - URLs, headers, POST data - with blazing speed.

Compare Kiterunner vs ffuf

dirsearch

Python

Mature web path discovery tool with recursive scanning, wordlist-based bruteforcing, and extensive extension support.

Compare Kiterunner vs dirsearch

More in Web Scanning

httpx

Go

Fast multi-purpose HTTP toolkit. Probes for running HTTP servers with retries and fallbacks.

http-probetech-detectionprojectdiscovery

Nikto

Perl

Classic web server scanner. Tests for dangerous files, outdated server software, and version-specific problems.

web-serverclassiccgi-scan

Gobuster

Go

Directory/file, DNS, and vhost busting tool. Brute-forces URIs, DNS subdomains, virtual host names, and S3 buckets.

directory-brutedns-brutevhost

Feroxbuster

Rust

Fast, recursive content discovery tool written in Rust. Like gobuster on steroids with auto-recursion.

directory-bruterecursiverust

Burp Suite Community

Java

Web vulnerability scanner and proxy. Intercept, modify, and replay HTTP/S traffic for web app testing.

proxyweb-appinterceptor

ffuf

Go

Fast web fuzzer written in Go. Fuzz anything - URLs, headers, POST data - with blazing speed.

fuzzingdirectory-brutefast