loading
loading
Discovery
Lightning-fast content discovery that also brute-forces routes and endpoints in modern applications.
overview
kiterunner does content discovery at high speed, but its strength is API routes. It reads kitebuilder schemas built from real API definitions, so it sends requests with the methods, headers, and paths a modern endpoint expects instead of blind GETs against a directory wordlist.
Scan mode replays those schema-aware requests; brute mode enumerates paths from a plain wordlist; and either can pull curated route lists straight from the Assetnote research wordlists. Preflight checks, wildcard quarantine, content-length filtering, and per-host concurrency limits keep large runs accurate without drowning a target.
In a Trickest workflow it takes a file of target hosts and writes a file and a folder of discovered routes. Chain it after a prober that confirms live hosts, then feed the routes it surfaces into a parameter or vulnerability stage.
use cases
Scan hosts with kitebuilder schemas so requests carry the right methods and headers, surfacing API endpoints a plain directory brute-force never finds.
Use brute mode with a wordlist and extensions to enumerate paths at speed across a list of target hosts.
Pull a named Assetnote API-routes wordlist directly so the scan draws on curated, research-backed route lists without hosting them yourself.
Tune the ignore-length filter and wildcard quarantine threshold so wildcard responses and noise do not flood the results on a large scan.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| hosts | FILE | · | File of target hosts to scan. |
| scan-mode | BOOLEAN | scan | Scan mode: replay kitebuilder route schemas against the hosts. |
| brute-mode | BOOLEAN | brute | Bruteforce mode: enumerate paths from a plain wordlist. |
| wordlist | FILE | -w | Normal or ogl wordlist to use for scanning. |
| assetnote-wordlist | STRING | --assetnote-wordlist | Pull a named Assetnote wordlist, e.g. apiroutes-210228. |
| kitebuilder-list | FILE | --kitebuilder-list | Ogl (kitebuilder) wordlist to use for scanning. |
| output | STRING | --output | Output format: json, text, or pretty (default pretty). |
| max-parallel-hosts | STRING | --max-parallel-hosts | Max number of concurrent hosts to scan at once (default 50). |
Showing key inputs. kiterunner exposes 42 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| delay | STRING | --delay | Delay to place in between requests to a single host. |
| hosts | FILE | · | Target hosts to scan (positional input). |
| quiet | BOOLEAN | --quiet | Quiet mode; mute unnecessary pretty text. |
| header | STRING | --header | Headers to add to requests (default x-forwarded-for: 127.0.0.1). |
| output | STRING | --output | Output format: json, text, or pretty (default pretty). |
| kb-mode | BOOLEAN | kb | kb mode; manipulate the kitebuilder schema. |
| timeout | STRING | --timeout | Timeout to use on all requests (default 3s). |
| verbose | STRING | --verbose | Logging verbosity: error, info, debug, or trace (default info). |
| wordlist | FILE | -w | Normal or ogl wordlist to use for scanning. |
| scan-mode | BOOLEAN | scan | Scan mode; run route schemas against the target hosts. |
| brute-mode | BOOLEAN | brute | Bruteforce mode; enumerate paths from a plain wordlist. |
| filter-api | STRING | --filter-api | Only scan APIs matching this ksuid. |
| user-agent | STRING | --user-agent | User agent to use for requests (defaults to a Chrome UA). |
| config-file | FILE | --config | Specify the config file. |
| force-method | STRING | --force-method | Ignore the methods in the ogl file and force this method. |
| profile-name | STRING | --profile-name | Name for the profile output file. |
| ignore-length | STRING | --ignore-length | Content-length byte ranges to ignore, e.g. 100-105 or 123,34-53 (inclusive). |
| kb-mode-debug | BOOLEAN | -d | Debug mode; convert the schema with error handling. |
| kb-mode-parse | FILE | parse | Parse a kitebuilder schema and print the prettified data. |
| max-redirects | STRING | --max-redirects | Maximum number of redirects to follow (default 3). |
| wordlist-mode | BOOLEAN | wordlist | Wordlist mode; inspect cached and remote wordlists. |
| kb-mode-replay | STRING | replay | Replay a kitebuilder request based on the input. |
| kb-mode-convert | FILE | convert | Convert an input file format into the specified output format. |
| preflight-depth | STRING | --preflight-depth | Directory depth to check during preflight; 0 checks only the docroot (default 1). |
| blacklist-domain | STRING | --blacklist-domain | Domains blacklisted for redirects; redirects to these are not followed. |
| disable-precheck | BOOLEAN | --disable-precheck | Skip host discovery. |
| kitebuilder-list | FILE | --kitebuilder-list | Ogl wordlist to use for scanning. |
| fail-status-codes | STRING | --fail-status-codes | Status codes to treat as failure; overrides success-status-codes when set. |
| assetnote-wordlist | STRING | --assetnote-wordlist | Use a wordlist from wordlist.assetnote.io by type/name, e.g. apiroutes-210228; append ;N to cap it to the first N lines. |
| max-parallel-hosts | STRING | --max-parallel-hosts | Max number of concurrent hosts to scan at once (default 50). |
| wildcard-detection | STRING | --wildcard-detection | Set to false to disable wildcard redirect detection (default true). |
| wordlist-mode-list | BOOLEAN | list | List the wordlists cached and available. |
| wordlist-mode-save | STRING | save | Save the wordlists specified (full filename or alias). |
| quarantine-threshold | STRING | --quarantine-threshold | Quarantine a host as wildcard after N consecutive hits; 0 disables (default 10). |
| success-status-codes | STRING | --success-status-codes | Status codes to treat as success; this is the default mode. |
| brute-mode-extensions | STRING | --extensions | Extensions to append while scanning. |
| kitebuilder-full-scan | BOOLEAN | --kitebuilder-full-scan | Perform a full scan without first running a phase scan. |
| max-connection-per-host | STRING | --max-connection-per-host | Max connections to a single host (default 3). |
| kb-mode-compile-wordlist | FILE | compile | Compile a kitebuilder schema and write the data to the specified file. |
| brute-mode-dirsearch-compat | BOOLEAN | --dirsearch-compat | Replace %EXT% with the provided extensions for dirsearch compatibility. |
| kb-mode-compile-output-file | STRING | · | Output file for the compiled kitebuilder schema (kb compile). |
| kb-mode-convert-output-file-format | STRING | · | kb convert mode output file format. |
example
# kiterunner (kr): scan hosts with an Assetnote API-routes wordlist, JSON outputkr scan hosts.txt --assetnote-wordlist apiroutes-210228 --output json --ignore-length 34GET 200 [ 1876, 402, 58] https://example.com/api/v1/users apiroutes-210228 90a3c1f7POST 405 [ 167, 9, 2] https://example.com/api/v1/auth/login apiroutes-210228 5e2b8d04GET 403 [ 284, 14, 5] https://example.com/api/v2/admin/config apiroutes-210228 c47af9b1PUT 401 [ 122, 7, 1] https://example.com/api/v1/orders/{id} apiroutes-210228 1fd6e880GET 200 [ 9210, 1204, 173] https://example.com/api/v1/products apiroutes-210228 7ac0b3e2DELETE 204 [ 0, 0, 0] https://example.com/api/v2/sessions/{token} apiroutes-210228 b93c1a55GET 500 [ 841, 52, 11] https://example.com/api/internal/debug apiroutes-210228 e0d47f26GET 200 [ 3480, 410, 62] https://example.com/api/v3/docs apiroutes-210228 4b1e9f37guidance
Use kiterunner when the target exposes an API and you want route discovery that sends real, schema-aware requests. It discovers routes, it does not test them for flaws, so feed live hosts in and pass found routes out. For path and file brute-forcing of classic apps, ffuf or feroxbuster fit better.
General FUZZ engine for paths, params, and vhosts. kiterunner is API-route-aware with kitebuilder schemas.
Recursive content discovery with smart defaults. kiterunner targets modern API endpoints specifically.
Classic directory and file brute-forcer. kiterunner adds method-aware API route discovery.
faq
related
Check whether a URL redirects to a masked 404 page.
Append lines to a file only if they are not already there.
Extract URLs and endpoints from Android APK files.
Visual inspection of websites across a large number of hosts.
Find suspicious files across a large set of AWS S3 buckets.
An automated tool that checks for backup artifacts that may disclose a web application's source code.
A host list and a wordlist feed kiterunner, which brute-forces API routes and writes the discovered endpoints as a queryable output.
Facts on this page come from the live Trickest tool library.