A modern, lightning-fast login page bruteforcer written in Go. Blitz is built for speed and efficiency, leveraging Go's concurrent processing to deliver results 10x faster than traditional Python-based tools.
- Blazing fast concurrent processing - 10x faster than Python equivalents
- Smart form and field detection - Automatically identifies login forms and input fields
- CSRF and Clickjacking scanner - Built-in security analysis
- Cloudflare and WAF detector - Identifies protection mechanisms
- SQL injection bypass detection - Tests for login bypass vulnerabilities
- Multi-threaded worker pool - Configurable 5-20 threads
- Intelligent success detection - Smart analysis of login responses
- Rate limiting protection - Prevents getting blocked during testing
- Cross-platform - Windows, Linux, macOS support
- Browser automation for JavaScript-heavy sites
- Proxy support for distributed testing
- Custom success detection patterns
- Session management
- Report generation
- Go 1.21 or higher
Clone the repository:

```bash
git clone https://github.com/moscovium-mc/blitz
cd blitz
```

Option 1: Using build.bat

```
# Simply double-click build.bat
```

Option 2: Manual build

```bash
go mod tidy
go build -o blitz.exe .
```

Option 1: Using setup.sh

```bash
chmod +x setup.sh
./setup.sh
```

Option 2: Manual build

```bash
go mod tidy
go build -o blitz .
```

Basic scan:

```bash
./blitz -url http://example.com/login
```

With all the options:

```bash
./blitz -url http://example.com/login -threads 10 -usernames users.txt -passwords pass.txt -verbose
```

Options:
| Option | Description |
|---|---|
| `-url` | Target login page URL (required) |
| `-threads` | Number of concurrent threads (default: 5, max: 20) |
| `-rate` | Rate limit in seconds between requests (default: 1) |
| `-usernames` | Custom username wordlist file |
| `-passwords` | Custom password wordlist file |
| `-verbose` | Show detailed output during scan |
Basic scan with default settings:

```bash
./blitz -url http://example.com/login
```

Fast mode (10 threads):

```bash
./blitz -url http://target.com/login -threads 10
```

Stealth mode (slow and careful):

```bash
./blitz -url http://target.com/login -threads 2 -rate 5
```

Custom wordlists:

```bash
./blitz -url http://target.com/login -usernames users.txt -passwords pass.txt
```

Verbose output for detailed analysis:

```bash
./blitz -url http://target.com/login -verbose
```

Maximum speed (use with caution):

```bash
./blitz -url http://target.com/login -threads 20 -rate 0
```

Blitz automatically analyzes the target page to identify:
- Login forms and input fields
- Hidden fields (CSRF tokens, session IDs)
- Form submission methods (POST/GET)
- Required vs optional fields
Built-in security scanner checks for:
- CSRF token implementation
- Clickjacking protection headers
- Cloudflare and WAF presence
- Common SQL injection vulnerabilities
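
For a site owner who wants to verify the first two items on this list against their own login page, the sketch below tests response headers for framing protection and the form for a hidden anti-CSRF field. It is an added example, not Blitz's code; the function names and the field-name heuristic are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Heuristic patterns assumed for this example; token field names are a convention, not a standard.
var (
	hiddenInput = regexp.MustCompile(`(?i)<input\b[^>]*\btype\s*=\s*["']?hidden\b[^>]*>`)
	tokenName   = regexp.MustCompile(`(?i)\bname\s*=\s*["']?[^"'\s>]*(csrf|xsrf|token|authenticity|nonce)`)
	bareStar    = regexp.MustCompile(`(^|\s)\*(\s|$)`)
)

// HasFrameProtection: X-Frame-Options set, or CSP frame-ancestors without a bare "*".
func HasFrameProtection(h http.Header) bool {
	switch strings.ToUpper(strings.TrimSpace(h.Get("X-Frame-Options"))) {
	case "DENY", "SAMEORIGIN":
		return true
	}
	isSep := func(r rune) bool { return r == ';' || r == ',' }
	for _, policy := range h.Values("Content-Security-Policy") {
		for _, d := range strings.FieldsFunc(policy, isSep) {
			f := strings.Fields(strings.ToLower(d))
			if len(f) >= 2 && f[0] == "frame-ancestors" && !bareStar.MatchString(d) {
				return true
			}
		}
	}
	return false
}

// HasHiddenToken reports whether a hidden input has a token-like name.
func HasHiddenToken(page string) bool {
	for _, tag := range hiddenInput.FindAllString(page, -1) {
		if tokenName.MatchString(tag) {
			return true
		}
	}
	return false
}

func main() {
	h := http.Header{"X-Frame-Options": {"DENY"}} // constructed sample, not real traffic
	page := `<form method="post"><input name="user"><input type="password" name="pass"></form>`
	fmt.Println("frame protection:", HasFrameProtection(h), "csrf field:", HasHiddenToken(page))
}
```

A `false` from either function marks a gap to close on the server side: send `X-Frame-Options` or a `frame-ancestors` directive, and issue a per-session token with the login form.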
- Written in Go for maximum performance
- Concurrent request processing
- Efficient memory usage
- Smart rate limiting to avoid detection
Core Features:
- Multi-threaded login bruteforcing
- Smart form and field detection
- CSRF and Clickjacking scanner
- Cloudflare and WAF detection
- SQL injection bypass testing
- Rate limiting protection
- Cross-platform support
Technical:
- Go 1.21+ support
- Configurable worker pool (5-20 threads)
- Intelligent success detection
- Built-in wordlists
Contributions are welcome! Here's how you can help:
If you find a bug, please open an issue with:
- Your operating system and version
- Go version (`go version`)
- Steps to reproduce the bug
- Expected vs actual behavior
- Any error messages
Want to contribute code?
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a pull request
Guidelines:
- Follow Go best practices and conventions
- Add tests for new features
- Update documentation as needed
- Keep commits focused and descriptive
If you find this project useful, consider supporting my work:
Crypto donations:
Warning
FOR AUTHORIZED SECURITY TESTING ONLY
Only use Blitz on systems you have explicit permission to test. This tool is designed for ethical security research, authorized penetration testing, and educational purposes only.
Unauthorized access to computer systems is illegal and may result in criminal prosecution under various laws including:
- Computer Fraud and Abuse Act (CFAA) in the United States
- Computer Misuse Act in the United Kingdom
- Similar legislation in other jurisdictions
You are solely responsible for how you use this tool. The author assumes NO LIABILITY for any misuse, damage, or illegal activity conducted with Blitz.
Ethical Use Required:
- Obtain written authorization before testing
- Respect rate limits and system resources
- Follow responsible disclosure practices
- Comply with all applicable laws and regulations
MIT License - See LICENSE for details.
Star this repo if you find it useful