KiteRunner
Fast API endpoint and content discovery tool that uses JWT patterns, K8s service account tokens, and swagger specs to discover hidden API routes
#api #discovery #fuzzing #go
Installation
1. Install using Go
2. Download API wordlists
3. Verify installation
# Using Go
go install github.com/assetnote/kiterunner@latest
# Verify
kr -V
Basic Usage
Discover API endpoints using built-in wordlists and JWT/K8s patterns
# List all routes from a wordlist
kr list wordlist.txt
# Basic API scan against a target
kr scan https://api.target.com -w wordlist.txt
# Scan with JWT authentication
kr scan https://api.target.com -w wordlist.txt -H "Authorization: Bearer <token>"
# Bruteforce API paths recursively
kr scan https://target.com -w wordlist.txt -k
Command Reference
12 commands
1. kr scan: Scan target URL with wordlist
2. kr list: List and inspect routes from a wordlist
3. -k: Skip TLS certificate verification
4. -w: Path to wordlist file
5. -t: Number of concurrent threads
6. -o: Output results to file
7. -H: Add custom HTTP header
8. -x: Proxy URL for routing traffic
9. -r: Follow redirects
10. -d: Delay between requests in ms
11. -v: Verbose output
12. -s: Silent mode (suppress banner)
When to Use
1. Discovering hidden API endpoints during black-box testing
2. Mapping API attack surface from JWT/K8s token contexts
3. Finding undocumented or deprecated API routes
4. Validating API route permissions and access control
5. Combining with swagger/openapi specs for route enumeration
Notes & Tips
1. Use Assetnote's API-specific wordlists for best results
2. JWT tokens used during scan should have minimal privileges
3. Combining with proxy (-x) enables request inspection in Burp Suite
4. Kiterunner works best against REST and GraphQL APIs
Common Errors & Solutions
No routes discovered
Try a larger wordlist or check if the target requires authentication headers
TLS certificate errors
Use -k to skip TLS verification if testing internal/staging environments
Rate limiting blocks requests
Reduce thread count with -t and add delay with -d between requests