Building 404fuzz: A Multi-Core Fuzzer That Never Gets Tired
Source: Dev.to
Most people think fuzzers are just “tools that send fast requests.”
That’s true, but building a fuzzer that is fast, memory‑safe, multi‑core, stream‑based, and developer‑friendly is a completely different challenge.
This is the story of how 404fuzz was born — not from copying ffuf, but from real hacking pain, performance problems, and engineering trade‑offs.
Why 404fuzz was created
- 📂 Huge wordlists (millions of lines)
- 🐌 Tools eating RAM
- 💥 Crashes on large scans
- 🧠 Too many duplicate responses
- ⚠️ Rate‑limit (429) killing scans
- 🧱 Tools that were either too dumb or too heavy like a scanner
I didn’t want another Burp, another Nuclei, or another slow Python fuzzer.
I wanted a dumb but insanely fast fuzzer, with just enough intelligence to save my time.
“Like an ant, 404fuzz never gets tired.”
Core principles
- ⚡ Speed is non‑negotiable
- 🧩 Memory safety comes first
- 🎯 The hunter decides what’s interesting — not the tool
Consequently:
- ❌ No heavy “AI logic”
- ❌ No scanning rules
- ❌ No auto‑vulnerability detection
- ✅ Pure high‑performance fuzzing
How 404fuzz works (Internals)
1. Streaming wordlist (No memory bombs)
Instead of loading the entire wordlist into memory, 404fuzz streams it and shards it across workers:
// streamWordlist.js
export async function* streamWordlist(path, workerId, totalWorkers) {
const rl = require('readline').createInterface({
input: require('fs').createReadStream(path),
crlfDelay: Infinity,
});
let index = 0;
for await (const line of rl) {
if (index % totalWorkers === workerId) {
yield line; // payload
}
index++;
}
}- Result: You can fuzz with million‑line wordlists while RAM stays stable; each worker gets its own shard.
2. Concurrency without Promise.all memory leaks
Instead of await Promise.all(requests), 404fuzz uses a queue‑based concurrency model:
// FuzzQueue.js
class FuzzQueue {
constructor(concurrency = 500) {
this.concurrency = concurrency;
this.running = 0;
this.queue = [];
}
async add(task) {
if (this.running >= this.concurrency) {
await new Promise(resolve => this.queue.push(resolve));
}
this.running++;
try {
return await task();
} finally {
this.running--;
if (this.queue.length) this.queue.shift()();
}
}
}- Result: Stable memory usage, controlled throughput, and no unhandled promise explosions.
3. Scaling and real‑time feedback
- Node.js cluster: One worker per CPU core.
- Automatic wordlist sharding per worker.
- Real RPS aggregation with live display of:
- Requests per second
- Progress / ETA
- Error rates
- Worker statistics
No log spam—just concise, actionable output.
What 404fuzz is (and isn’t)
404fuzz is:
- A fast fuzzer
- A research tool
- A behavioral explorer
- A payload‑testing engine
404fuzz is NOT:
- A vulnerability scanner
- A Burp replacement
- A rule‑based exploitation engine
Reducing noise with deduplication
Scanning 100 k+ payloads often yields repetitive responses (same 404 page, JSON error, WAF block, etc.). 70‑90 % of results can be noise.
404fuzz focuses on:
- Merging identical backend behaviors
- Grouping payloads by response signature
The output shows:
- ✅ Unique behaviors
- 📊 How many payloads triggered the same logic
This reduces noise, output size, and mental fatigue—without any AI.
Additional features:
- Detect 429 responses and respect
Retry-After - Intelligent delay handling to continue scans safely
Open source & contributions
404fuzz is fully open source:
👉
Who should use it
- Bug bounty hunters
- Security engineers
- Node.js developers
- Tool builders
- Performance enthusiasts
How to contribute
- Core engine improvements
- New output modes
- Deduplication logic
- Rate‑limit handling
- Dashboard features
- Documentation & testing
- Bug fixes
- Performance benchmarks
This is a community‑powered fuzzer, not a solo ego project.
Join the project
If you believe fuzzing should stay fast, tools should stay hackable, and open source should stay collaborative, star the repo and help build 404fuzz together.
⭐