Fast web fuzzer in Go for directory and endpoint discovery. Single binary, common fuzzer-style CLI (FUZZ, -w, -mc, -x), with built-in response modules, recursion strategies, and optional AI-driven wordlist selection.
Needless to mention, please use this tool very very carefully. The authors won't be responsible for any consequences.
Requirements: Go 1.21+
go build -o psfuzz .
# or: make build
./psfuzz -u https://example.com/FUZZ -w default -o scan
# → scan.txt; use -of json for scan.json
With modules and recursion:
./psfuzz -u https://target/FUZZ -w wordlist.txt -c 20 -D 2 -modules fingerprint,cors,links -enqueue-module-urls links -of json -o scan
Full flag reference: ./psfuzz -h. Copy-paste examples: CHEATSHEET.md.
FUZZ placeholder, wordlists, filters (-mc, -fc, -ms, -fr), proxy (-x), replay proxy, raw request file-enqueue-module-urls links), depth limit-w/-e-recursion-strategy default|greedy, 403/401 bypass variants, WAF-adaptive slowdown, per-host wildcard-maxtime / -maxtime-job, resume, stop on status/matches/errors, HTTP/2, VHost, audit log (NDJSON)| Module | Description |
|---|---|
fingerprint |
Tech detection (nginx, PHP, WordPress, etc.) |
cors |
CORS header evaluation |
headers |
Security headers (CSP, HSTS, X-Frame-Options, Set-Cookie) |
secrets |
Secret patterns in body/headers (AWS, JWT, etc.) |
auth |
Login form, 401, redirect-to-login, session cookies |
ai |
AI verdict (openai | ollama | gemini); -ai-prompt, -ai-provider |
urlextract |
URLs from body + Location |
links |
HTML links → absolute URLs; use with -enqueue-module-urls links |
Details: MODULES.md.
-cf config.json. Load order: config → preset → CLI. Example: config.example.json. Options: auditLog, enqueueModuleUrls, extractedUrlsFile, etc.
file:// or internal IPs). -safe=false for local use.-timeout 0 → 30s. -max-size 0 → 10 MiB body cap.-insecure / -k to skip certificate verification.-allow-hosts host1,host2. Login: -login-url, -login-user, -login-pass or -login-body.| Doc | Description |
|---|---|
| CHEATSHEET.md | Commands and examples |
| MODULES.md | Response modules |
| RECURSION.md | Recursion and strategy |
| DOCKER.md | Docker build and run |
| TESTING.md | Tests and param script |
| CONTRIBUTING.md | Contributing |
| ROADMAP.md | Planned features |
| IDEAS.md | Future ideas |
| CHANGELOG.md | Release history |
CI: go build, go test, go vet on push/PR (.github/workflows/ci.yml).
main.go # CLI
internal/config # Flags, config file, validation
internal/encoder # Payload encoders (urlencode, base64, etc.)
internal/httpx # HTTP client, safe-mode, redirect checks
internal/engine # Task queue, workers, recursion, report
internal/filter # Status/length/regex/dedupe
internal/llm # LLM client (OpenAI, Ollama, Gemini) for AI/Explore
internal/output # TXT, JSON, HTML, CSV, NDJSON, compat JSON
internal/modules # Response analyzers
Use only on systems you are authorized to test.
$ claude mcp add PSFuzz \
-- python -m otcore.mcp_server <graph>