spray
Spray is a high-performance HTTP directory fuzzing and reconnaissance tool written in Go, designed for security testing and red team operations. It offers dictionary generation (mask-based and rule-based), intelligent filtering, fingerprinting, and batch scanning capabilities, with claimed 50%+ performance advantage over similar tools like ffuf and feroxbuster in local benchmarks.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | chainreactors/spray |
| Owner | chainreactors |
| Primary language | Go |
| License | GPL-3.0 — OSI-approved |
| Stars | 1k |
| Forks | 71 |
| Open issues | 15 |
| Latest release | v0.3.2 (2026-06-29) |
| Last updated | 2026-07-05 |
| Source | https://github.com/chainreactors/spray |
What spray is
A Go-based HTTP fuzzer featuring concurrent request fuzzing, dynamic response filtering via custom logic, integrated fingerprint matching (gogo, FingerprintHub, Wappalyzer), checkpoint/resume functionality, HTTP/2 support, and crawling/backup discovery modes. Supports proxy routing (HTTP/SOCKS) and integrates with external wordlist generation rules similar to hashcat syntax.
Get the spray source
Clone the repository and explore it locally.
git clone https://github.com/chainreactors/spray.gitcd spray# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires Go >= 1.13+ and git (with recursive submodules) to build from source; no pre-compiled binaries documented beyond release artifacts.
- Performance claims (50%+ vs. ffuf/feroxbuster) are based on local microbenchmarks; actual gains depend heavily on network latency, target responsiveness, and filter complexity.
- Custom filtering logic uses script-like syntax (similar to httpx); operators must understand rule syntax and test filters thoroughly before large-scale scanning.
- WAF/ban detection and auto-evasion are claimed but not detailed; effectiveness depends on target-specific protection mechanisms and may require tuning.
- Integrates third-party fingerprint databases (FingerprintHub, Wappalyzer, gogo); ensure those licenses and data freshness align with your use case.
When to avoid it — and what to weigh
- Requires commercial support or SLA — GPL-3.0 license and community-maintained project offer no formal commercial support, vendor backing, or service-level agreements. Requires review for production/enterprise deployment expectations.
- Need for closed-source or proprietary integration — GPL-3.0 copyleft license requires any derivative work or integration to also be open-sourced under GPL-3.0. Cannot be bundled into proprietary products without license compliance burden.
- Require off-the-shelf Windows GUI or cloud-hosted SaaS — Spray is CLI-only, *nix-oriented, and requires local compilation. No official Windows binary, managed cloud service, or graphical interface is documented.
- Zero-configuration or minimal security training required — Fuzzing tools carry inherent risk of generating unwanted traffic or triggering security controls. Users must understand HTTP fuzzing ethics, rate-limiting, WAF evasion, and authorized scope.
License & commercial use
GPL-3.0 (GNU General Public License v3.0). Copyleft license requiring any modifications or derived works to remain open-source under the same license. Requires review before integrating into closed-source or proprietary products.
GPL-3.0 is not a permissive license. While the software can be used for commercial purposes (e.g., authorized penetration testing services), any modifications must be shared under GPL-3.0, and distribution as part of a proprietary product is prohibited without source code release. Requires legal review for compliance with your commercial model.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
Spray is a fuzzing and reconnaissance tool; its security profile depends on operator discipline. Key considerations: (1) Fuzzing generates large volumes of HTTP traffic that may trigger IDS/WAF or violate terms of service if used on unauthorized targets; (2) No details provided on input validation, injection prevention, or secure credential handling; (3) GPL-3.0 source is available for code review but no independent security audit is documented; (4) Integrates external fingerprint databases (FingerprintHub, Wappalyzer)—verify data freshness and integrity; (5) Proxy/SOCKS support adds network complexity; operator must ensure secure proxy configuration and credential handling.
Alternatives to consider
ffuf
Established, high-performance HTTP fuzzer with simpler CLI and broader adoption. No GPL copyleft restrictions; permissive license. Spray claims 50%+ performance advantage but ffuf has deeper community validation and plugin ecosystem.
feroxbuster
Rust-based directory brute-force tool with excellent batch scanning and recursion handling. Active development, strong documentation, and MIT license (permissive). Trade-off: Rust compilation vs. Go; less built-in fingerprinting.
httpx (ProjectDiscovery)
Lightweight HTTP probing and information gathering; more focused on banner/fingerprint collection than fuzzing. Part of the ProjectDiscovery ecosystem (nuclei, nmap integration). Permissive license; lighter footprint but less fuzzing-specific functionality.
Build on spray with DEV.co software developers
Spray is a powerful open-source fuzzing tool suitable for red teams and penetration testers. Before adoption, verify GPL-3.0 license compliance with your deployment model, test performance on your infrastructure, and ensure your team is trained in responsible fuzzing practices.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
spray FAQ
Can I use Spray in a commercial penetration testing service?
How does Spray's performance compare to ffuf in real-world scenarios?
What platforms does Spray run on?
Does Spray include built-in WAF/IDS evasion?
Software developers & web developers for hire
From first prototype to production, DEV.co delivers software development services around tools like spray. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source security and beyond.
Evaluate Spray for Your Security Testing Pipeline
Spray is a powerful open-source fuzzing tool suitable for red teams and penetration testers. Before adoption, verify GPL-3.0 license compliance with your deployment model, test performance on your infrastructure, and ensure your team is trained in responsible fuzzing practices.