Skip to main content

Browser-based web fuzzer with ffuf-like UX, powered by undetected-chromedriver

Project description


██╗   ██╗ ██████╗███████╗██╗   ██╗███████╗███████╗
██║   ██║██╔════╝██╔════╝██║   ██║╚══███╔╝╚══███╔╝
██║   ██║██║     █████╗  ██║   ██║  ███╔╝   ███╔╝ 
██║   ██║██║     ██╔══╝  ██║   ██║ ███╔╝   ███╔╝  
╚██████╔╝╚██████╗██║     ╚██████╔╝███████╗███████╗
 ╚═════╝  ╚═════╝╚═╝      ╚═════╝ ╚══════╝╚══════╝

Browser-based web fuzzer. Bypasses WAFs, solves CAPTCHAs, looks like a real user.


PyPI version Python License PyPI downloads



🚀 Why UCFuzz?

Most fuzzers send raw HTTP requests. That works — until the target runs Cloudflare, has browser fingerprinting, requires a login session, or throws a CAPTCHA on suspicious traffic.

UCFuzz runs a real Chrome browser via undetected-chromedriver. Every request has a real TLS fingerprint, real browser headers, and real JavaScript execution. To the server, it looks like a human clicking links.

Feature Traditional Fuzzer UCFuzz
Engine Raw HTTP (requests/aiohttp) 🌐 Full Chrome Browser
WAF Evasion Blocked by Cloudflare / Akamai Naturally Bypasses
JS Support None (Static only) Full JS & SPA Handling

📦 Installation

Choose the method that fits your needs:

🐍 Via PyPI

Install the stable version instantly:

pip install ucfuzz

🛠️ Or from source:

git clone https://github.com/raceoverflow/ucfuzz
cd ucfuzz
pip install .

Quick start

ucfuzz -u https://target.com/FUZZ -w wordlist.txt

The browser opens. Log in, solve any CAPTCHA, then press Enter — UCFuzz takes over from there.


Usage

ucfuzz [OPTIONS]

Options:
  -u, --url TEXT              Target URL with FUZZ placeholder  [required]
  -w, --wordlist PATH         Path to wordlist  [required]
  -o, --output PATH           Save results as JSONL
  --delay TEXT                Delay between requests: 100ms, 1s, 2m  [default: 0s]
  --timeout FLOAT             Response timeout in seconds  [default: 10.0]
  --exclude-status INTEGER    Hide this status code (repeatable)  [default: 404]
  --exclude-length INTEGER    Hide this content length (repeatable)
  --extension TEXT            Append extension to every word: php, html, js
  --headless                  Run browser without a window
  --start                     Specify index of word in wordlist to start scan from
  --captcha-flag              Specify word whic appears on the page when captcha is triggered to solve it automatically
  --headers                   Specify custom headers
  --cookies                   Specify custom cookies
  --help                      Show this message and exit

Use cases

Discovery

Standard brute-force on a site protected by Cloudflare. UCFuzz navigates through the challenge automatically.

ucfuzz -u https://target.com/FUZZ -w raft-large-dirs.txt --delay 50ms

Slow, human-like scanning

Avoid rate-limiting and IDS alerts by mimicking realistic browsing speed.

ucfuzz -u https://target.com/FUZZ -w wordlist.txt --delay 2s --timeout 30

Output

Results print live to the terminal, colour-coded by status:

https://target.com/admin          (Status: 200) [Size: 4821]
https://target.com/backup.zip     (Status: 200) [Size: 204800]
https://target.com/config         (Status: 403) [Size: 312]
https://target.com/.env           (Status: 200) [Size: 89]

Save to JSONL with -o results.jsonl for further processing:

cat results.jsonl | jq 'select(.status_code == 200)'

Roadmap

Things coming next, roughly in priority order:

  • Parallel browser sessions — run N browsers simultaneously for faster scans without looking like a bot
  • Recursive mode — automatically fuzz newly discovered directories with specified recursion depth
  • Custom headers & cookies — inject Authorization, X-API-Key, or any arbitrary header per request
  • POST / PUT fuzzing — fuzz request bodies, not just URLs
  • Report export — generate HTML/Markdown reports from JSONL output
  • Smarter response handling - parse robots.txt, sitemap, ds_store and opendir responses
  • Save the state - save the state of scans in sqlite database
  • Web GUI - modern minimalistic web GUI based on FastAPI
  • Random delay - random delay to prevent waf from detecting us in some cases
  • CAPTCHA flag - indicate captcha by inclusion of specific markers to prevent it from wasting wordlist until solved
  • Survive network errors - keep going from the same place when stopped due to the network issues
  • Proxy mode - proxify http requests of any app over the browser

Have a feature request? Open an issue.


Legal

UCFuzz is intended for authorized security testing only. Only use it against systems you own or have explicit written permission to test. Unauthorized use is illegal and unethical.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ucfuzz-0.5.5.tar.gz (20.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ucfuzz-0.5.5-py3-none-any.whl (20.4 kB view details)

Uploaded Python 3

File details

Details for the file ucfuzz-0.5.5.tar.gz.

File metadata

  • Download URL: ucfuzz-0.5.5.tar.gz
  • Upload date:
  • Size: 20.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.5

File hashes

Hashes for ucfuzz-0.5.5.tar.gz
Algorithm Hash digest
SHA256 d226f4c6f3b4a8e0202cd638763074b69f311b00f9ccd5f3fea69e2b117f7280
MD5 ffe424e2c3473d5eb3acf01f68d3130a
BLAKE2b-256 b0c01a844242dea0ddd62abf96cca628e5e412e10b0be9aa5d0860b50957d5b4

See more details on using hashes here.

File details

Details for the file ucfuzz-0.5.5-py3-none-any.whl.

File metadata

  • Download URL: ucfuzz-0.5.5-py3-none-any.whl
  • Upload date:
  • Size: 20.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.5

File hashes

Hashes for ucfuzz-0.5.5-py3-none-any.whl
Algorithm Hash digest
SHA256 d592d30f852555088c92fd416f1506861db9c7dd1a75b1ae5d698a8395527508
MD5 737e6effb6195c006a1cebb32d46d0fe
BLAKE2b-256 37849b125068ab0fa32450e50fa9b20d33f8dd146ca480fbe14d10cf25b4ac18

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page