GoobFuzz is a powerful, flexible web fuzzer designed for security testing, endpoint discovery, and API exploration. Built for penetration testers and security researchers, it supports customizable HTTP requests, wordlist transformations, multi-threaded fuzzing, and advanced response filtering. Whether you're testing a web application or brute-forcing API endpoints, GoobFuzz offers a robust set of features to streamline your workflow.
GoobFuzz includes 28 features to support a wide range of fuzzing scenarios. Each feature is described below with an example command to demonstrate its use.
- Replace the GOOB placeholder in a URL with words from a wordlist to discover endpoints.
  python3 GoobFuzz.py -u http://127.0.0.1/GOOB -w wordlist.lst

- Specify a wordlist file for fuzzing (required).
  python3 GoobFuzz.py -u http://127.0.0.1/GOOB -w wordlist.lst

- Set the number of concurrent threads for faster fuzzing (default: 10).
  python3 GoobFuzz.py -u http://127.0.0.1/GOOB -w wordlist.lst -t 20

- Choose the HTTP method (e.g., GET, POST) for requests (ignored with --request-file).
  python3 GoobFuzz.py -u http://127.0.0.1/GOOB -w wordlist.lst -m POST

- Exclude responses with specified status codes (comma-separated).
  python3 GoobFuzz.py -u http://127.0.0.1/GOOB -w wordlist.lst -fc 404

- Exclude responses with a specific content length (in bytes).
  python3 GoobFuzz.py -u http://127.0.0.1/GOOB -w wordlist.lst -fs 5

- Save results to a file.
  python3 GoobFuzz.py -u http://127.0.0.1/GOOB -w wordlist.lst -o results.txt

- Disable colored console output for compatibility.
  python3 GoobFuzz.py -u http://127.0.0.1/GOOB -w wordlist.lst --no-color

- Add custom HTTP headers (repeatable).
  python3 GoobFuzz.py -u http://127.0.0.1/GOOB -w wordlist.lst -H "Authorization: Bearer token123"

- Add custom cookies (semicolon-separated).
  python3 GoobFuzz.py -u http://127.0.0.1/GOOB -w wordlist.lst -c "session=abc123;user=admin"

- Follow HTTP redirects in responses.
  python3 GoobFuzz.py -u http://127.0.0.1/GOOB -w wordlist.lst --follow-redirects

- Route requests through a proxy (e.g., Burp Suite).
  python3 GoobFuzz.py -u http://127.0.0.1/GOOB -w wordlist.lst -p http://127.0.0.1:8080

- Base64-encode each word before fuzzing.
  python3 GoobFuzz.py -u http://127.0.0.1/GOOB -w wordlist.lst --base64

- Set a custom User-Agent (default: GoobFuzz v1.0).
  python3 GoobFuzz.py -u http://127.0.0.1/GOOB -w wordlist.lst --user-agent "Mozilla/5.0"

- Use a raw HTTP request file with GOOB placeholders instead of -u/-m.
  python3 GoobFuzz.py --request-file login.req -w wordlist.lst

- Limit requests per second to avoid overwhelming servers.
  python3 GoobFuzz.py -u http://127.0.0.1/GOOB -w wordlist.lst --rps 5

- Specify wordlist file encoding (default: utf-8, falls back to latin-1).
  python3 GoobFuzz.py -u http://127.0.0.1/GOOB -w wordlist.lst --encoding latin-1

- Append extensions (comma-separated) to each word.
  python3 GoobFuzz.py -u http://127.0.0.1/GOOB -w wordlist.lst -x php,html

- Show all responses, including 404s (default: hide 404s).
  python3 GoobFuzz.py -u http://127.0.0.1/GOOB -w wordlist.lst -v

- Filter responses where the body matches a regex pattern.
  python3 GoobFuzz.py -u http://127.0.0.1/GOOB -w wordlist.lst -x php --match-regex "Hello"

- Set a custom request timeout in seconds (default: 5.0).
  python3 GoobFuzz.py -u http://127.0.0.1/GOOB -w wordlist.lst --timeout 2.0

- Apply transformations (e.g., upper, lower, cap, append_) to each word.
  python3 GoobFuzz.py -u http://127.0.0.1/GOOB -w wordlist.lst --transform upper,append_123

- Shuffle the wordlist to randomize request order.
  python3 GoobFuzz.py -u http://127.0.0.1/GOOB -w wordlist.lst -v --randomize

- Handle multiple GOOB placeholders (same: same word, combo: all combinations).
  python3 GoobFuzz.py --request-file login.req -w wordlist.lst --multi-goob same

- Filter responses by HTTP header key-value pairs (repeatable).
  python3 GoobFuzz.py -u http://127.0.0.1/GOOB -w wordlist.lst -x php --match-header "Content-Type:text/html"

- Suppress non-result output (progress, warnings, ASCII art) for scripting.
  python3 GoobFuzz.py -u http://127.0.0.1/GOOB -w wordlist.lst -x php --silent

- Ignore SSL certificate verification (default) or enforce it.
  python3 GoobFuzz.py -u https://127.0.0.1/GOOB -w wordlist.lst --no-ignore-ssl

NOTE: If you're using Kali Linux you may have to install it in a Python virtual environment. It's probably a good idea to do that anyway, but it's optional.

python3 -m venv /path/to/venv (ex: python3 -m venv /home/glask1d/myvenv)
source /path/to/venv/bin/activate

(If you don't need a virtual environment you can skip the above steps.)

pip3 install -r requirements.txt

You should now be able to run the script.
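The following is an added illustration of how the wordlist options above combine (--transform, -x, --base64 and --multi-goob); it is not GoobFuzz's own code, and the function names and the sample request are assumptions. Working through it shows how quickly the request count grows with "combo" mode, which is worth knowing before picking -t and --rps against a production host.

```python
# Added illustration of GoobFuzz's wordlist options, not the tool's own code;
# function names and the sample request below are assumptions/constructed.
import base64
import itertools
import re

PLACEHOLDER = "GOOB"
# Constructed stand-in for a --request-file with two GOOB placeholders.
LOGIN_REQ = ("POST /login HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"
             "user=GOOB&pass=GOOB")

def transform_word(word, transforms):
    """Apply --transform steps in order: upper, lower, cap, append_<suffix>."""
    for t in transforms:
        if t == "upper":
            word = word.upper()
        elif t == "lower":
            word = word.lower()
        elif t == "cap":
            word = word.capitalize()
        elif t.startswith("append_"):
            word += t[len("append_"):]
        else:
            raise ValueError(f"unknown transform: {t}")
    return word

def expand_wordlist(words, transforms=(), extensions=(), b64=False):
    """Transform each word, append -x extensions, then --base64 each candidate."""
    out = []
    for w in words:
        w = transform_word(w, transforms)
        for cand in [w] + [f"{w}.{ext}" for ext in extensions]:
            out.append(base64.b64encode(cand.encode()).decode() if b64 else cand)
    return out

def fill_placeholders(template, words, mode="same"):
    """--multi-goob: 'same' puts one word in every GOOB; 'combo' tries every
    combination, so the request count grows as len(words) ** placeholders."""
    n = template.count(PLACEHOLDER)
    if mode == "same":
        combos = [(w,) * n for w in words]
    elif mode == "combo":
        combos = itertools.product(words, repeat=n)
    else:
        raise ValueError(f"unknown --multi-goob mode: {mode}")
    requests = []
    for combo in combos:
        it = iter(combo)  # each GOOB, left to right, takes the next word
        requests.append(re.sub(PLACEHOLDER, lambda _m: next(it), template))
    return requests
```

With a 1,000-word list and two placeholders, "combo" mode yields one million requests versus 1,000 for "same", so the --rps cap matters far more in the former.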
- Run into issues installing or running the tool?
- Found a bug?
- Have an idea for an additional feature?
Feel free to send me a DM on X (Twitter) or just tag me in a post: https://x.com/GLAsk1d
Disclaimer: For Educational Purposes Only

GoobFuzz is a web fuzzing tool developed for educational purposes and ethical security research. It is intended to assist security professionals and researchers in testing and improving the security of systems and applications with explicit permission from the system owner. Unauthorized use of GoobFuzz to access, scan, or test systems without consent is strictly prohibited and may violate applicable laws. The developers and contributors of GoobFuzz assume no liability for any misuse or damage caused by the tool. By using GoobFuzz, you agree to use it responsibly, ethically, and in compliance with all relevant local, national, and international laws.
