kiterunner
Discover website attack surface endpoints
TLDR
View documentation for bruteforcing API paths and web endpoints
View documentation for concurrently scanning hosts with kitebuilder wordlists
View documentation for manipulating kitebuilder schemas
View documentation for managing cached and remote wordlists
SYNOPSIS
kr command [-flags] [target URL or input]
Examples:
kr scan https://target.com -w wordlist.krarc
kr brute /api https://target.com -w extensions.krarc
PARAMETERS
-a, --append
Append discovered paths to provided wordlist
-b, --blacklist
Blacklist regex for excluding responses
-c, --config
Path to YAML config file
-d, --delay
Delay between requests (ms)
-e, --extensions
Comma-separated file extensions to append
-f, --filter
Response size/status filter (e.g., 200-299)
-H, --header
Custom header (repeatable, e.g., 'X-Auth: token')
-i, --input
Input file with URLs
-j, --json
Output results in JSON format
-l, --limit
Max results per wordlist section
-m, --matcher
Custom response matcher regex
-o, --output
Output file path
-p, --probe
Probe wordlist for response fingerprinting
-r, --ratelimit
Max requests per second
-s, --status
Comma-separated status codes to include
-t, --threads
Number of concurrent threads (default 50)
-T, --timeout
Request timeout (seconds)
-u, --urls
URLs input (comma or file)
-w, --wordlist
Path to .krarc wordlist file
-x, --exclude
Exclude paths matching regex
-v, --verbose
Verbose output
-z, --gzip
Enable gzip decompression
DESCRIPTION
Kiterunner (kr) is a high-performance command-line tool for discovering hidden web endpoints through brute-force fuzzing and scanning. Developed by PortSwigger's James Kettle, it excels at rapidly testing HTTP(S) paths using optimized, pre-compiled wordlists that support automatic encoding and parameterization.
Key strengths include massive parallelization (up to thousands of requests per second), smart filtering to reduce false positives, support for custom headers/probes, and specialized modes for directory brute-forcing, full scans, and request race conditions. It handles extensions, status code filtering, rate limiting, and outputs in JSON or standard formats for easy integration with tools like Burp Suite.
Ideal for penetration testing, bug bounties, and security assessments, Kiterunner minimizes noise with matchers and blacklists, ensuring efficient discovery of APIs, admin panels, and backups. Users must download or compile wordlists for optimal use, as it ships with none by default.
CAVEATS
High-speed scanning may trigger WAFs or rate limits; use responsibly on authorized targets only. Requires separate wordlist downloads (e.g., kr wordlist pull). Not for production traffic analysis.
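From the defender's side, the rate-limit and WAF caveat above corresponds to a recognisable access-log pattern: one client requesting many distinct paths in a short window, most of them answered with 404. The sketch below is an added example, not part of kiterunner or its documentation; the Combined Log Format input, the thresholds (10 s window, 20 paths, 80% 404) and the sample addresses are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Fields needed from a Combined Log Format line: client, time, path, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # skip malformed lines instead of failing the whole run
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?", 1)[0], int(m["status"])

def find_enumerators(lines, window=timedelta(seconds=10), min_paths=20, min_miss=0.8):
    """Map client IP -> (distinct paths, 404 ratio) for the widest window in which
    the client requested >= min_paths distinct paths and >= min_miss of its
    requests returned 404. Thresholds are assumed values; tune them per site."""
    recent, flagged = defaultdict(deque), {}
    for ip, ts, path, status in filter(None, map(parse, lines)):
        q = recent[ip]
        q.append((ts, path, status))
        while ts - q[0][0] > window:   # drop requests older than the window
            q.popleft()
        paths = {p for _, p, _ in q}
        ratio = sum(s == 404 for _, _, s in q) / len(q)
        if len(paths) >= min_paths and ratio >= min_miss:
            if len(paths) > flagged.get(ip, (0, 0.0))[0]:
                flagged[ip] = (len(paths), ratio)
    return flagged

def sample_log():
    """Constructed input: one wordlist-driven client, one ordinary client."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    row = '{} - - [{}] "GET {} HTTP/1.1" {} 123 "-" "-"'
    stamp = lambda d: d.strftime("%d/%b/%Y:%H:%M:%S %z")
    out = [row.format("203.0.113.7", stamp(t0 + timedelta(milliseconds=100 * i)),
                      f"/api/v1/guess{i}", 200 if i in (7, 19) else 404)
           for i in range(30)]
    out += [row.format("198.51.100.4", stamp(t0 + timedelta(seconds=i)),
                       f"/docs/page{i}", 200) for i in range(5)]
    return out

if __name__ == "__main__":
    for ip, (n, r) in find_enumerators(sample_log()).items():
        print(f"{ip}: {n} distinct paths, {r:.0%} 404 in one window")
```

Lines are assumed to arrive in time order per client, as they do in a single server's access log.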
INSTALLATION
Via Go: go install github.com/PortSwigger/kiterunner/cmd/kr@latest
Or binaries from GitHub releases.
WORDLISTS
Manage with kr wordlist pull <name> (e.g., raft-medium). Ships with none; pull collections like kitrunner's-collection.
SUBCOMMANDS
scan: Full endpoint scan.
brute: Directory/file brute-force.
race: HTTP race condition tests.
wordlist: Manage wordlists.
HISTORY
Released in 2021 by James Kettle (@albinowax) of PortSwigger, Kiterunner evolved from research on efficient fuzzing. GitHub repo under PortSwigger since v1.0; active development focuses on wordlist optimization and new modes like race condition testing.


