LinuxCommandLibrary

kiterunner-wordlist

Generate wordlists for web content discovery

TLDR

List all cached and available Assetnote wordlists

$ kiterunner wordlist list

List wordlists with JSON output
$ kiterunner wordlist list [[-o|--output]] [json]

List wordlists with verbose debug output
$ kiterunner wordlist list [[-v|--verbose]] [debug]

Save a specific Assetnote wordlist by alias
$ kiterunner wordlist save [apiroutes-210328]

Save a specific Assetnote wordlist by full filename
$ kiterunner wordlist save [path/to/httparchive_apiroutes_2024_05_28.txt]

Save multiple wordlists by alias
$ kiterunner wordlist save [apiroutes-210328,aspx-210328]

Save a wordlist with quiet mode to suppress output
$ kiterunner wordlist save [apiroutes-210328] [[-q|--quiet]]

SYNOPSIS

kiterunner-wordlist [-d DICTIONARY] [-i INPUT] [-o OUTPUT] [-m METHOD] [-r] [--recurse-depth N] [--charset-filter TYPE] [-t THREADS] [--csv] [--quiet]

PARAMETERS

-d, --dictionary DICT
    Required. Path to dictionary file with words to combine into payloads.

-i, --input INPUT
    Required. Input template string or file (e.g., 'GET:/api/{endpoint}').

-o, --output OUTPUT
    Output wordlist file. Default: wordlist.json.

-m, --method METHOD
    HTTP method (e.g., POST, GET). Default: GET.

-r, --recursive
    Enable recursive wordlist generation.

--recurse-depth N
    Maximum recursion depth. Default: 1.

--min-ratio FLOAT
    Minimum word length ratio filter. Default: 0.1.

--max-ratio FLOAT
    Maximum word length ratio filter. Default: 10.0.

--charset-filter TYPE
    Filter charset: letters, numbers, symbols, etc. Default: letters.

--case CASE
    Case: lower, upper, mixed. Default: mixed.

--numbers
    Include numbers in generation.

--symbols
    Include symbols in generation.

-t, --threads N
    Number of threads. Default: CPU cores.

--csv
    Output as CSV instead of JSON.

--quiet
    Suppress progress output.

DESCRIPTION

kiterunner-wordlist is a utility from the KiteRunner toolkit for creating tailored wordlists used in API brute-force and fuzzing attacks. It combines words from a dictionary with input templates (e.g., URL paths, query parameters) to produce payloads for endpoints like REST APIs or GraphQL queries.

The tool excels at recursive expansion, where words are nested to depths specified by the user, generating millions of variations efficiently via multi-threading. Options control HTTP methods, character sets, case transformations, word length filters, and output formats (JSON or CSV).

Typical workflow: provide a dictionary of API keywords (e.g., 'user', 'query', 'admin'), an input like 'POST:/api/graphql?query={placeholder}', and generate a wordlist for use with kiterunner scan or kiterunner brute. Filters like min/max ratios prevent explosion in size while maintaining coverage.

Ideal for pentesters discovering hidden routes without relying on generic web directory brute-forcers, focusing instead on semantic API structures. Outputs are sorted by word ratio for prioritized scanning.

CAVEATS

Recursive options can generate gigabytes of data; always set depth and filter limits, and test with small inputs first. High thread counts may strain system resources.

INPUT EXAMPLE

File with lines like:
POST:/v1/graphql?query={word}
GET:/admin/{word}.json

USAGE WITH SCANNER

Pipe or use output: kiterunner scan --wordlist output.json https://target.com

HISTORY

Introduced in KiteRunner v1.0 (2021) by Corben Leo (tiltedtree). Enhanced in v2+ for faster recursion, charset support, and integration with API scanners. Widely adopted in Kali Linux for pentesting.
