LinuxCommandLibrary

kiterunner-brute

Brute-force API routes and hidden endpoints on web targets

TLDR

Bruteforce a target with an Assetnote wordlist (e.g., first 20,000 API routes)

$ kiterunner brute [https://example.com] [[-A|--assetnote-wordlist]] [apiroutes-210328:20000]

Bruteforce a target with a custom wordlist
$ kiterunner brute [https://example.com] [[-w|--wordlist]] [path/to/wordlist.txt]

Bruteforce using a dirsearch-style wordlist with extension substitution
$ kiterunner brute [https://example.com] [[-w|--wordlist]] [path/to/dirsearch.txt] [[-D|--dirsearch-compat]] [[-e|--extensions]] [json,txt]

Bruteforce with specific file extensions appended and output in JSON format
$ kiterunner brute [https://example.com] [[-w|--wordlist]] [path/to/wordlist.txt] [[-e|--extensions]] [aspx,ashx] [[-o|--output]] [json]

Bruteforce a list of targets from a file with custom concurrency settings for performance
$ kiterunner brute [path/to/targets.txt] [[-w|--wordlist]] [path/to/wordlist.txt] [[-x|--max-connection-per-host]] [5] [[-j|--max-parallel-hosts]] [100]

Bruteforce and ignore specific content length responses
$ kiterunner brute [https://example.com] [[-w|--wordlist]] [path/to/wordlist.txt] --ignore-length [100-105]

Bruteforce with custom HTTP headers
$ kiterunner brute [https://example.com] [[-w|--wordlist]] [path/to/wordlist.txt] [[-H|--header]] "[Authorization: Bearer token]"

Bruteforce a list of targets from a file with fail status code filtering
$ kiterunner brute [path/to/targets.txt] [[-w|--wordlist]] [path/to/wordlist.txt] --fail-status-codes [400,401,404]

SYNOPSIS

kiterunner brute <target-url|targets-file> (-w <wordlist> | -A <assetnote-wordlist>[:N]) [flags]

PARAMETERS

-w, --wordlist <path>
    Custom wordlist file, one candidate path per line (repeatable)

-A, --assetnote-wordlist <name[:N]>
    Fetch and use an Assetnote wordlist by name; an optional :N uses only its first N entries (e.g. apiroutes-210328:20000)

-D, --dirsearch-compat
    Treat the wordlist as dirsearch format, substituting extensions for the %EXT% placeholder

-e, --extensions <list>
    Comma-separated extensions to append to each candidate while scanning

-H, --header <value>
    HTTP header sent with every request, e.g. "Authorization: Bearer token" (repeatable)

-x, --max-connection-per-host <int>
    Maximum concurrent connections to a single host

-j, --max-parallel-hosts <int>
    Maximum number of hosts scanned in parallel

--delay <duration>
    Delay placed between requests to the same host (default 0s)

-t, --timeout <duration>
    Per-request timeout

--ignore-length <values>
    Drop responses whose Content-Length matches a value or range (e.g. 100-105)

--fail-status-codes <list>
    Status codes treated as failures and not reported (e.g. 400,401,404)

-o, --output <format>
    Output format, e.g. json or text

-v, --verbose
    Verbose logging

--version
    Print version and exit

-h, --help
    Show help

DESCRIPTION

kiterunner brute is the wordlist-driven mode of Kiterunner, Assetnote's API and content discovery tool (the binary is normally installed as kr, so the command is usually typed as kr brute). Given a single target URL or a file of targets, plus a wordlist (a custom file via -w, or one of Assetnote's published lists fetched by name via -A), it requests every candidate path on every host and reports the ones that answer, surfacing routes the application does not advertise: unlinked API versions, admin or debug handlers, and leftover files.

Brute mode behaves like a directory buster: each wordlist entry becomes a request for that path (GET by default), optionally with extensions appended via -e or substituted into dirsearch-style %EXT% entries via -D. This is the distinction from kiterunner scan, which uses Kitebuilder API schemas to send each route with the method, headers and parameters it actually expects; brute is the mode to use when all you have is a flat wordlist.

Noise control matters as much as speed. --fail-status-codes hides responses with the listed statuses, --ignore-length hides responses whose Content-Length matches a value or range (a fixed-size soft-404 page is the usual case), and -H adds headers such as a bearer token so that authenticated routes are reachable rather than uniformly 401. Concurrency is tuned per host with -x and across hosts with -j, and --delay spaces requests to one host when a target rate-limits.

Designed for security researchers and pentesters, it accelerates API surface mapping; discovered paths feed directly into tools such as curl or a proxy for manual follow-up.
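As an added example that is not part of the Kiterunner project: a small POSIX-shell preview of what the -e and -D options in the TLDR above do to a wordlist, so the request count per host can be sanity-checked before a scan is launched. It assumes the dirsearch convention that -D replaces the %EXT% placeholder with each extension (entries without the placeholder are kept as-is) and that, without -D, -e appends each extension to every entry while keeping the bare entry; the two sample wordlists are constructed inline and are not from any real scan.

```sh
#!/bin/sh
# Added example (not Kiterunner code): preview how -e / -D expand a wordlist.
# Assumption: -D substitutes each extension for the dirsearch %EXT% placeholder;
# without -D, each extension is appended to every entry and the bare entry stays.

# expand_wordlist <wordlist-file> <comma-separated-extensions> [dirsearch]
# Prints one candidate path per line, in wordlist order.
expand_wordlist() {
    wordlist="$1"
    exts="$2"
    mode="${3:-append}"
    while IFS= read -r line || [ -n "$line" ]; do
        # skip blank lines and comments
        case "$line" in ''|'#'*) continue ;; esac
        if [ "$mode" = dirsearch ]; then
            case "$line" in
                *%EXT%*)
                    # one candidate per extension, substituted into the placeholder
                    printf '%s\n' "$exts" | tr ',' '\n' | while IFS= read -r ext; do
                        printf '%s\n' "$line" | sed "s/%EXT%/$ext/g"
                    done ;;
                *) printf '%s\n' "$line" ;;
            esac
        else
            # bare entry first, then entry.ext for every extension
            printf '%s\n' "$line"
            printf '%s\n' "$exts" | tr ',' '\n' | while IFS= read -r ext; do
                printf '%s.%s\n' "$line" "$ext"
            done
        fi
    done < "$wordlist"
}

# count_candidates: distinct requests per host the expanded list implies
count_candidates() {
    expand_wordlist "$@" | sort -u | wc -l | tr -d ' '
}

# Constructed sample wordlists (not real data).
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'api/v1/users' 'admin.%EXT%' 'config.%EXT%' '# comment' 'health' \
    > "$SAMPLE_DIR/dirsearch.txt"
printf '%s\n' 'login' 'upload' > "$SAMPLE_DIR/plain.txt"

# Equivalent of: -w dirsearch.txt -D -e json,txt
expand_wordlist "$SAMPLE_DIR/dirsearch.txt" json,txt dirsearch
# api/v1/users
# admin.json
# admin.txt
# config.json
# config.txt
# health

# Equivalent of: -w plain.txt -e aspx,ashx
echo "plain.txt with aspx,ashx -> $(count_candidates "$SAMPLE_DIR/plain.txt" aspx,ashx) candidates per host"
# plain.txt with aspx,ashx -> 6 candidates per host
```

Multiply the per-host count by the number of lines in the targets file to estimate the total request volume before choosing -x, -j and --delay.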

CAVEATS

Generates high-volume traffic (wordlist entries, times extensions, times hosts) that can trip WAFs, rate limits or IP bans and will show up in the target's logs. Test only targets you are authorized to assess. A host that answers 200 for every path (a soft-404) will flood the output; establish a baseline with a clearly nonexistent path first and tune --fail-status-codes and --ignore-length accordingly. Wordlists named with -A are fetched from Assetnote at run time, so the scanning host needs outbound access.

EXAMPLE

kiterunner brute https://target.com -w wordlist.txt -x 5 --delay 50ms --fail-status-codes 400,401,404 -o json

Brutes a single host with at most 5 concurrent connections and a 50 ms gap between requests, hides the usual failure statuses, and emits JSON for further processing.

WORDLISTS

List the Assetnote wordlists Kiterunner knows about with kr wordlist list, and pre-download one with kr wordlist save <name>; -A <name> fetches it on demand. Append :N (for example apiroutes-210328:20000) to use only the first N entries of a large list.

HISTORY

Developed and released by Assetnote in 2021 as part of the Kiterunner project (github.com/assetnote/kiterunner), alongside the Kitebuilder API-schema wordlists; the brute subcommand provides a conventional wordlist mode next to the schema-driven scan mode.

SEE ALSO

curl(1), ffuf(1), gobuster(1)
