Description
qsfuzz (Query String Fuzz) fuzzes query string parameters to find vulnerabilities. You define custom rules that test each parameter for specific vulnerability classes like XSS, SQLi, SSRF, open redirect, and more. Highly customizable and fast.
Installation
```bash
go install github.com/ameenmaali/qsfuzz@latest
```
Basic Usage
```bash
# Fuzz URLs from stdin with default rules
cat urls.txt | qsfuzz -w rules.yaml

# Single URL
echo "https://target.com/search?q=test&page=1" | qsfuzz -w rules.yaml
```
Advanced Usage
```bash
# Custom concurrency
cat urls.txt | qsfuzz -w rules.yaml -c 30

# Timeout per request
cat urls.txt | qsfuzz -w rules.yaml -t 10

# Custom headers
cat urls.txt | qsfuzz -w rules.yaml -H "Cookie: session=abc"

# Output matches to file
cat urls.txt | qsfuzz -w rules.yaml -o findings.txt
```
Rule Example
```yaml
# rules.yaml
# Each rule lists the injection strings placed into every query parameter and
# the body substrings that, if present in the response, mark the request as a hit.
rules:
  - description: "Reflected XSS"
    injections:
      - "<script>alert(1)</script>"
      - "'\"><img src=x onerror=alert(1)>"
    detect:
      - type: "body"
        content: "<script>alert(1)</script>"
  - description: "SQL Error"
    injections:
      - "' OR 1=1--"
      - "\" OR \"\"=\""
    detect:
      - type: "body"
        content: "SQL syntax"
      - type: "body"
        content: "mysql_fetch"
```
Common Workflows
```bash
# Collect URLs → fuzz query strings
gau target.com | grep "=" | qsfuzz -w rules.yaml -c 20

# Wayback + GAU → filter parameterized → fuzz
(gau target.com; waybackurls target.com) | sort -u | grep "?" | qsfuzz -w rules.yaml
```
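The following Python script is an added example, not qsfuzz's own code, that models what the rule file and the workflow above do end to end: keep only URLs that carry a query string (the `grep "?"` step), place each injection into one parameter at a time while leaving the others untouched, and match the response body against each rule's `detect` entries as a literal substring check. The rules are embedded as a dict in the same shape as `rules.yaml` so the script runs without a YAML library, and `mock_fetch` is a constructed stand-in for the HTTP request (it reflects `q` unescaped, answers a quote in `id` with a database error, and HTML-escapes everything else); the hostname `target.example` is a placeholder.

```python
"""Model of qsfuzz-style query-string fuzzing: parameter-by-parameter
injection plus body-substring detection. Added example, not qsfuzz's code."""
import html
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed rule set mirroring the rules.yaml shown on this page.
RULES = [
    {"description": "Reflected XSS",
     "injections": ["<script>alert(1)</script>",
                    "'\"><img src=x onerror=alert(1)>"],
     "detect": [{"type": "body", "content": "<script>alert(1)</script>"}]},
    {"description": "SQL Error",
     "injections": ["' OR 1=1--", "\" OR \"\"=\""],
     "detect": [{"type": "body", "content": "SQL syntax"},
                {"type": "body", "content": "mysql_fetch"}]},
]

# Constructed input, as a URL collector would emit it (placeholder host).
URLS = [
    "https://target.example/search?q=test&page=1",
    "https://target.example/item?id=5",
    "https://target.example/about",
]


def parameterized(urls):
    """Keep only URLs with a query string; the rest have nothing to fuzz."""
    return [u for u in urls if urlsplit(u).query]


def fuzz_variants(url, injection):
    """Yield (param, fuzzed_url): the injection replaces one parameter's value
    per variant, other parameters keep their original values."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    for i, (name, _) in enumerate(params):
        mutated = list(params)
        mutated[i] = (name, injection)
        yield name, urlunsplit(parts._replace(query=urlencode(mutated)))


def matches(body, detect):
    """A rule fires when any body detection is a literal substring of the
    response; an HTML-encoded reflection therefore does not match."""
    return any(d["type"] == "body" and d["content"] in body for d in detect)


def mock_fetch(url):
    """Constructed stand-in for the HTTP request (no network traffic)."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    ident = params.get("id", "")
    if "'" in ident or '"' in ident:
        return "You have an error in your SQL syntax near ''' at line 1"
    lines = ["<p>Results for %s</p>" % params.get("q", "")]  # unescaped
    for k, v in params.items():
        if k != "q":
            lines.append("<p>%s=%s</p>" % (html.escape(k), html.escape(v)))
    return "\n".join(lines)


def run(urls, rules, fetch=mock_fetch):
    """Return findings as (rule description, parameter, fuzzed URL)."""
    findings = []
    for url in parameterized(urls):
        for rule in rules:
            for injection in rule["injections"]:
                for param, fuzzed in fuzz_variants(url, injection):
                    if matches(fetch(fuzzed), rule["detect"]):
                        findings.append((rule["description"], param, fuzzed))
    return findings


if __name__ == "__main__":
    for description, param, fuzzed in run(URLS, RULES):
        print("%-14s param=%-5s %s" % (description, param, fuzzed))
```

Running it reports one Reflected XSS hit on `q` and two SQL Error hits on `id` (one per injection string), while `page`, which is escaped by the mock, and `/about`, which has no query string, produce nothing. The same literal-substring behaviour applies to a real rule file: the `content` value has to match what the application actually echoes, so a payload that comes back entity-encoded is correctly left unreported.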