Skip to main content

Browser-based web fuzzer with ffuf-like UX, powered by undetected-chromedriver

Project description


██╗   ██╗ ██████╗███████╗██╗   ██╗███████╗███████╗
██║   ██║██╔════╝██╔════╝██║   ██║╚══███╔╝╚══███╔╝
██║   ██║██║     █████╗  ██║   ██║  ███╔╝   ███╔╝ 
██║   ██║██║     ██╔══╝  ██║   ██║ ███╔╝   ███╔╝  
╚██████╔╝╚██████╗██║     ╚██████╔╝███████╗███████╗
 ╚═════╝  ╚═════╝╚═╝      ╚═════╝ ╚══════╝╚══════╝

Browser-based web fuzzer. Bypasses WAFs, solves CAPTCHAs, looks like a real user.


PyPI version Python License PyPI downloads



Why UCFuzz?

Most fuzzers send raw HTTP requests. That works — until the target runs Cloudflare, has browser fingerprinting, requires a login session, or throws a CAPTCHA on suspicious traffic.

UCFuzz runs a real Chrome browser via undetected-chromedriver. Every request has a real TLS fingerprint, real browser headers, real JavaScript execution. To the server, it looks like a human clicking links.

Traditional fuzzer          UCFuzz
─────────────────           ──────────────────────────────
raw HTTP request   vs.      full Chrome browser session
blocked by WAF              bypasses Cloudflare, Akamai
no JS execution             executes JS, handles SPAs
no cookie session           keeps your login session
fails on CAPTCHA            pauses for you to solve it

Install

pip install ucfuzz

Or from source:

git clone https://github.com/raceoverflow/ucfuzz
cd ucfuzz
pip install .

Quick start

ucfuzz -u https://target.com/FUZZ -w wordlist.txt

The browser opens. Log in, solve any CAPTCHA, then press Enter — UCFuzz takes over from there.


Usage

ucfuzz [OPTIONS]

Options:
  -u, --url TEXT              Target URL with FUZZ placeholder  [required]
  -w, --wordlist PATH         Path to wordlist  [required]
  -o, --output PATH           Save results as JSONL
  --delay TEXT                Delay between requests: 100ms, 1s, 2m  [default: 0s]
  --timeout FLOAT             Response timeout in seconds  [default: 10.0]
  --exclude-status INTEGER    Hide this status code (repeatable)  [default: 404]
  --exclude-length INTEGER    Hide this content length (repeatable)
  --extension TEXT            Append extension to every word: php, html, js
  --headless                  Run browser without a window
  --help                      Show this message and exit

Use cases

Directory discovery

Standard directory brute-force on a site protected by Cloudflare. UCFuzz navigates through the challenge automatically.

ucfuzz -u https://target.com/FUZZ -w raft-large-dirs.txt --delay 50ms

📽️ [GIF: directory scan running, hits showing in green/yellow]


File extension fuzzing

Find hidden files with specific extensions. Combine with --exclude-length to filter out identical error pages.

ucfuzz -u https://target.com/FUZZ          \
       -w raft-small-words.txt             \
       --extension php                     \
       --exclude-length 1234               \
       -o results.jsonl

📽️ [GIF: extension scan, filtering noise, clean hits]


Authenticated scanning

UCFuzz keeps the full browser session alive. Log in through the browser window when it opens — cookies, tokens, and session state are all preserved for every subsequent request.

ucfuzz -u https://app.target.com/api/FUZZ \
       -w api-endpoints.txt               \
       --delay 200ms

📽️ [GIF: browser login step, then scan continuing with authenticated session]


Slow, human-like scanning

Avoid rate-limiting and IDS alerts by mimicking realistic browsing speed.

ucfuzz -u https://target.com/FUZZ -w wordlist.txt --delay 2s --timeout 30

Output

Results print live to the terminal, colour-coded by status:

https://target.com/admin          (Status: 200) [Size: 4821]
https://target.com/backup.zip     (Status: 200) [Size: 204800]
https://target.com/config         (Status: 403) [Size: 312]
https://target.com/.env           (Status: 200) [Size: 89]

Save to JSONL with -o results.jsonl for further processing:

cat results.jsonl | jq 'select(.status_code == 200)'

Recommended wordlists

UCFuzz works with any plain-text wordlist.


Roadmap

Things coming next, roughly in priority order:

  • Parallel browser sessions — run N browsers simultaneously for faster scans without looking like a bot
  • Recursive mode — automatically fuzz newly discovered directories with specified recursion depth
  • Custom headers & cookies — inject Authorization, X-API-Key, or any arbitrary header per request
  • POST / PUT fuzzing — fuzz request bodies, not just URLs
  • Report export — generate HTML/Markdown reports from JSONL output
  • Smarter response handling - parse robots.txt, sitemap, ds_store and opendir responses
  • Save the state - save the state of scans in sqlite database
  • Web GUI - modern minimalistic web GUI based on FastAPI
  • More evasion - more evasion with random delay option in specified range
  • CAPTCHA indicator - indicate captcha by inclusion of specific markers to prevent it from wasting wordlist until solved
  • Optimization - add flags for disabling css and media loading
  • Survive network errors - keep going from the same place when stopped due to the network issues
  • AuthFlow support - make possible to record auth flow with seleniumbase recorder extension and use it to automate authentication

Have a feature request? Open an issue.


Legal

UCFuzz is intended for authorized security testing only. Only use it against systems you own or have explicit written permission to test. Unauthorized use is illegal and unethical.


MIT License — © 2026 raceoverflow

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ucfuzz-0.1.0.tar.gz (19.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ucfuzz-0.1.0-py3-none-any.whl (19.3 kB view details)

Uploaded Python 3

File details

Details for the file ucfuzz-0.1.0.tar.gz.

File metadata

  • Download URL: ucfuzz-0.1.0.tar.gz
  • Upload date:
  • Size: 19.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.5

File hashes

Hashes for ucfuzz-0.1.0.tar.gz
Algorithm Hash digest
SHA256 9d65017d812e23a851bf0b03727dd2121f38f6103c65d819da570dbe9bd3a7a7
MD5 c551c5d3973e455a9adc0a56a7459632
BLAKE2b-256 d6980588b1a36fd456a4cd4c8855a9ba04a932b19d8c151bb693763168b4ac53

See more details on using hashes here.

File details

Details for the file ucfuzz-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: ucfuzz-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 19.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.5

File hashes

Hashes for ucfuzz-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 edc18e4d13146454cce0b7769a1d3115f55b49194581557f37584f78de3026e4
MD5 6ff49892cc7e00870183018579d8fbc6
BLAKE2b-256 e4d54dff71a881708ea22537ceabd8cf26e307b9fcb861ba6c020a0339ef076b

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page