DEV Community

Cover image for Building 404fuzz: A Multi-Core Fuzzer That Never Gets Tired
Nimesh Thakur
Nimesh Thakur

Posted on

Building 404fuzz: A Multi-Core Fuzzer That Never Gets Tired

#bugbounty #opensource #node #infosec

Most people think fuzzers are just “tools that send fast requests.”

That’s true.

But building a fuzzer that is fast, memory-safe, multi-core, stream-based, and developer-friendly is a completely different challenge.

This is the story of how 404fuzz was born — not from copying ffuf — but from real hacking pain, real performance problems, and real engineering trade-offs.

🧠 The Problem That Started Everything

As a bug bounty hunter, I faced the same issue again and again:

  • 📂 Huge wordlists (millions of lines)
  • 🐌 Tools eating RAM
  • 💥 Crashes on large scans
  • 🧠 Too many duplicate responses
  • ⚠️ Rate-limit (429) killing scans

  • 🧱 Tools that were either:

    • too dumb
    • or too heavy like a scanner

I didn’t want:

  • Another Burp
  • Another Nuclei
  • Another slow Python fuzzer

I wanted:

✅ A dumb but insanely fast fuzzer, with just enough intelligence to save my time.

That’s how 404fuzz started.

🐜 Philosophy of 404fuzz

“Like an ant, 404fuzz never gets tired.”

404fuzz follows only three core rules:

  1. Speed is non-negotiable
  2. 🧩 Memory safety comes first
  3. 🎯 Hunter decides what’s interesting — not the tool

This means:

  • ❌ No heavy “AI logic”
  • ❌ No scanning rules
  • ❌ No auto-vulnerability detection
  • ✅ Just pure high-performance fuzzing

⚙️ How 404fuzz Actually Works (Internals)

✅ 1. Streaming Wordlist (No Memory Bombs)

Instead of loading the entire wordlist into memory:

export async function* streamWordlist(path, workerId, totalWorkers) {
  for await (const line of rl) {
    if (index % totalWorkers === workerId) {
      yield payload;
    }
  }
}
Enter fullscreen mode Exit fullscreen mode

This means:

  • You can fuzz with million-line wordlists
  • RAM stays stable
  • Each worker gets its own shard

✅ 2. Concurrency Without Promise.all Memory Leaks

Instead of doing this ❌:

await Promise.all(requests)
Enter fullscreen mode Exit fullscreen mode

404fuzz uses a real queue-based concurrency model:

class FuzzQueue {
  constructor(concurrency = 500) {
    this.running = 0;
    this.queue = [];
  }

  async add(task) {
    if (this.running >= this.concurrency) {
      await new Promise(resolve => this.queue.push(resolve));
    }
    this.running++;
    try {
      return await task();
    } finally {
      this.running--;
      if (this.queue.length) this.queue.shift()();
    }
  }
}
Enter fullscreen mode Exit fullscreen mode

This gives:

  • ✅ Stable memory
  • ✅ Controlled throughput
  • ✅ No unhandled promise explosions

✅ 3. Multi-Core Parallelism with Cluster

404fuzz doesn’t fake performance with async only.

It uses:

  • Node.js cluster
  • One worker per CPU core
  • Automatic wordlist sharding
  • Real RPS aggregation

This is why 404fuzz scales like ffuf.

✅ 4. Live Dashboard (Like htop, but for Fuzzing)

Real-time:

  • RPS
  • Progress
  • ETA
  • Error rates
  • Worker stats

No log spam.
No blind fuzzing.

🎯 What 404fuzz Is (And Is Not)

✅ IS:

  • A fast fuzzer
  • A research tool
  • A behavioral explorer
  • A payload testing engine

❌ IS NOT:

  • A vulnerability scanner
  • A Burp replacement
  • A rule-based exploitation engine

404fuzz will always stay a fuzzer first.

🧠 The Real Pain: 70% Duplicate Responses

Every hunter knows this pain:

You fuzz 100,000 payloads…

And you get:

  • Same 404 page again and again
  • Same JSON error template
  • Same WAF response
  • Same backend validation message

📉 70–90% results are noise

Filtering such results manually is painful and slow.

✅ The Next Smart Step (Not “AI Brain”)

I deliberately decided NOT to make 404fuzz a scanner.

Instead, the near-future focus is only on:

🧠 1. Smart Response Deduplication

  • Merge identical backend behaviors
  • Group payloads by same response signature

  • Show:

    • ✅ unique behaviors
    • 📊 how many payloads hit the same logic

This reduces:

  • Noise
  • Output size
  • Mental fatigue

🛑 2. Simple 429 (Rate-Limit) Handling

No AI.
No guessing.

Just:

  • Detect 429
  • Respect Retry-After
  • Delay intelligently
  • Continue scan safely

🧑‍🤝‍🧑 Why I’m Writing This: Open Source Collaboration

404fuzz is fully open source:

👉 https://github.com/toklas495/404fuzz

This project is for:

  • Bug bounty hunters
  • Security engineers
  • Node.js devs
  • Tool builders
  • Performance nerds

You can contribute in many ways:

  • ✅ Core engine improvements
  • ✅ New output modes
  • ✅ Deduplication logic
  • ✅ Rate-limit handling
  • ✅ Dashboard features
  • ✅ Docs & testing
  • ✅ Bug fixes
  • ✅ Performance benchmarks

This is not a “solo ego tool.”
I want this to become a community-powered fuzzer.

🐜 Final Words

404fuzz exists because:

  • We needed speed without stupidity
  • We needed simplicity without weakness

  • We needed a tool that respects:

    • developers
    • hunters
    • and system performance

If you believe:

  • Fuzzing should stay fast
  • Tools should stay hackable
  • Open source should stay collaborative

Then I invite you to build this with me.

⭐ Star
🐛 Report issues
💡 Propose features
🔧 Send PRs

👉 https://github.com/toklas495/404fuzz

Top comments (0)