Unicode Fuzzing List Generator

A powerful CLI tool to generate comprehensive Unicode fuzzing lists with multiple representation formats. Built with Typer and Rich for an excellent command-line experience.

Features

• Generate fuzzing lists for different character types (letters, numbers, special characters)
• Support for 15+ Unicode representation formats
• Beautiful terminal output with Rich
• Export to files for use in security testing
• Custom range scanning
• Dangerous character detection for security testing

Installation

From Source

# Clone the repository
cd uni_fuzz

# Install with pip (editable mode for development)
pip install -e .

# Or install with development dependencies
pip install -e ".[dev]"

Using pipx (Recommended for CLI tools)

pipx install uni-fuzz

Development Setup

# Install with development dependencies
pip install -e ".[dev]"

# Setup pre-commit hooks
pre-commit install

Unicode Formats Supported

The tool supports the following Unicode representation formats:

Format	Example	Description
char	A	Direct character
python	\u0041	Python escape sequence
python-long	\U00000041	Python long escape
uplus	U+0041	U+ notation
html-dec	A	HTML decimal entity
html-hex	A	HTML hexadecimal entity
url	%41	URL encoded
css	\0041	CSS escape
xml	A	XML entity
json	\u0041	JSON escape
java	\u0041	Java escape
csharp	\u0041	C# escape
perl	\x{0041}	Perl escape
ruby	\u{0041}	Ruby escape
literal	0x0041	Hexadecimal literal

Usage

Basic Commands

1. Generate Letter Fuzzing List

# Generate A-Z, a-z in character format
uni-fuzz letters

# Custom range with multiple formats
uni-fuzz letters --start 0x0041 --end 0x0046 -f char -f python -f uplus

# Save to file
uni-fuzz letters -f python -o letters_fuzz.txt

Example Output:

╭────────────────────────────────╮
│ Generating Letter Fuzzing List │
│ Range: U+0041 to U+0046        │
╰────────────────────────────────╯

Total characters: 6

Output:
A | \u0041 | U+0041
B | \u0042 | U+0042
C | \u0043 | U+0043
D | \u0044 | U+0044
E | \u0045 | U+0045
F | \u0046 | U+0046

2. Generate Number Fuzzing List

# Generate 0-9 with variants (superscripts, subscripts, circled numbers)
uni-fuzz numbers

# Just basic digits in multiple formats
uni-fuzz numbers --no-variants -f char -f html-dec

# Save to file
uni-fuzz numbers -o numbers_fuzz.txt

Example Output:

╭────────────────────────────────╮
│ Generating Number Fuzzing List │
╰────────────────────────────────╯

Total characters: 10

Output:
0 | 0
1 | 1
2 | 2
3 | 3
4 | 4
5 | 5
6 | 6
7 | 7
8 | 8
9 | 9

3. Generate Special Characters

# Generate punctuation marks
uni-fuzz special

# Generate symbols and separators
uni-fuzz special -c S -c Z --start 0x0020 --end 0x00FF

# Multiple formats
uni-fuzz special -f char -f python -f url -o special_fuzz.txt

4. Generate Dangerous Characters (Security Testing)

# Generate list of potentially dangerous Unicode characters
uni-fuzz dangerous

# Multiple formats for comprehensive testing
uni-fuzz dangerous -f char -f python -f uplus -f url -o dangerous.txt

This includes:

• Null and control characters
• Zero-width characters
• Bidirectional text overrides
• Homoglyphs and confusables
• Line/paragraph separators

5. Generate All Character Types (Comprehensive)

# Generate ALL character types in one command
# Includes: letters, numbers, special chars, and dangerous chars
uni-fuzz all-types -f char -f python -f url -o complete_fuzz.txt

# Without number variants (faster)
uni-fuzz all-types --no-variants -f char -f python -o complete_basic.txt

# Multiple formats for comprehensive testing
uni-fuzz all-types -f char -f python -f url -f html-hex -f uplus -o comprehensive.txt

6. Custom Range Scan

# Scan specific Unicode range
uni-fuzz range-scan 0x0041 0x007A

# Emoji range
uni-fuzz range-scan 0x1F600 0x1F64F -o emoji_fuzz.txt

# CJK characters
uni-fuzz range-scan 0x4E00 0x9FFF -f char -f python

7. Show All Formats

# Show a character in all available formats
uni-fuzz all-formats "A"

# Multiple characters
uni-fuzz all-formats "Hello"

# Save to file
uni-fuzz all-formats "🔥" -o fire_emoji_formats.txt

Example Output:

╭────────────────────────────╮
│ All Format Representations │
│ Input: A                   │
╰────────────────────────────╯
         Format Representations
╭─────────────┬────────────────────────╮
│ Format      │ Representation         │
├─────────────┼────────────────────────┤
│ Character   │ A                      │
│ Name        │ LATIN CAPITAL LETTER A │
│ Codepoint   │ U+0041 (decimal: 65)   │
│ Category    │ Lu                     │
│ char        │ A                      │
│ python      │ \u0041                 │
│ python-long │ \U00000041             │
│ uplus       │ U+0041                 │
│ html-dec    │ A                  │
│ html-hex    │ A                 │
│ url         │ %41                    │
│ css         │ \0041                  │
│ xml         │ A                 │
│ json        │ \u0041                 │
│ java        │ \u0041                 │
│ csharp      │ \u0041                 │
│ perl        │ \x{0041}               │
│ ruby        │ \u{0041}               │
│ literal     │ 0x0041                 │
╰─────────────┴────────────────────────╯

Examples

Example 1: Create SQL Injection Fuzzing List

uni-fuzz special -c P --start 0x0020 --end 0x007E \
  -f char -f python -f url -o sql_fuzz.txt

Example 2: Create XSS Testing List with Special Characters

uni-fuzz special -c P -c S \
  -f char -f html-hex -f url -f json \
  -o xss_fuzz.txt

Example 3: Unicode Homoglyph Testing

# Get dangerous characters including Cyrillic lookalikes
uni-fuzz dangerous -f char -f uplus -o homoglyphs.txt

# Full Cyrillic range
uni-fuzz range-scan 0x0400 0x04FF -f char -f python -o cyrillic.txt

Example 4: Generate All Number Variants

uni-fuzz numbers --variants \
  -f char -f python -f html-dec \
  -o numbers_all_variants.txt

Example 5: Dangerous Characters for Security Testing

# Generate all dangerous characters with multiple encoding formats
uni-fuzz dangerous -f char -f python -f url -f html-hex -o dangerous_chars.txt

# Focus on control characters and null bytes
uni-fuzz dangerous -f python -f url -o control_chars.txt

# Test with Unicode confusables and homoglyphs
uni-fuzz dangerous -f char -f uplus -o confusables.txt

What's included:

• Null bytes and control characters (U+0000-U+001F)
• Zero-width characters (ZWJ, ZWNJ, ZWSP)
• Bidirectional text overrides (RLO, LRO, PDF)
• Line and paragraph separators
• Homoglyphs (Cyrillic 'а' that looks like Latin 'a')

Example 6: Special Characters for Input Validation Testing

# Generate common punctuation for injection testing
uni-fuzz special -c P --start 0x0020 --end 0x007E -f char -f url -o punctuation.txt

# Generate mathematical and currency symbols
uni-fuzz special -c S --start 0x0020 --end 0x00FF -f char -f html-hex -o symbols.txt

# Generate all special characters with comprehensive encodings
uni-fuzz special -c P -c S -c Z -f char -f python -f url -f html-dec -o special_comprehensive.txt

Character categories:

• P: Punctuation (quotes, parentheses, brackets, etc.)
• S: Symbols (math operators, currency symbols, etc.)
• Z: Separators (spaces, non-breaking spaces, etc.)

Example 7: Create Comprehensive Fuzzing Payload (Single Command!)

# Generate everything in one command!
uni-fuzz all-types -f char -f python -f url -o complete_fuzz.txt

Command Options

Global Options

• -f, --format: Output format(s) - can specify multiple times. When multiple formats are used, each encoding is printed on a separate line.
• -o, --output: Output file path
• --table/--no-table: Show/hide results table (default: show)
• --silent: Silent mode - show only output, no UI elements (panels, tables, progress bars). Each format appears on its own line.
• --help: Show help message

Command-Specific Options

letters:

• -s, --start: Start codepoint (default: 0x0041 = 'A')
• -e, --end: End codepoint (default: 0x007A = 'z')

numbers:

• --variants/--no-variants: Include Unicode number variants

special:

• -c, --category: Unicode categories (P=Punctuation, S=Symbols, Z=Separator)
• -s, --start: Start codepoint
• -e, --end: End codepoint

all-types:

• --variants/--no-variants: Include Unicode number variants
• Note: Table display is disabled by default due to large output

range-scan:

• start: Start codepoint (required)
• end: End codepoint (required)

Use Cases

Security Testing

• SQL injection payloads
• XSS attack vectors
• Path traversal testing
• Unicode normalization attacks
• Homoglyph phishing detection

Web Development

• Input validation testing
• Character encoding testing
• Internationalization (i18n) testing
• Form validation fuzzing

Application Testing

• File name testing
• Username/password validation
• API endpoint fuzzing
• Data sanitization testing

Tips

1. Quick comprehensive list: Use all-types for everything at once:

   uni-fuzz all-types -f char -f python -f url -o complete.txt

2. Multiple formats: Use multiple -f flags to generate the same list in different formats:

   uni-fuzz letters -f char -f python -f url -f html-hex

3. Hex notation: You can use hex (0x41) or decimal (65) for codepoints:

   uni-fuzz range-scan 0x41 0x5A  # Same as 65 90

4. Combine outputs: Generate different lists and combine them manually:

   uni-fuzz letters -o a.txt
   uni-fuzz numbers -o b.txt
   cat a.txt b.txt > combined.txt

5. Silent mode for piping: Use --silent to suppress all UI and get only raw output:

   # Single format - one line per character
   uni-fuzz letters --start 0x41 --end 0x43 -f python --silent
   # Output:
   # \u0041
   # \u0042
   # \u0043
   
   # Multiple formats - each encoding on separate line
   uni-fuzz letters --start 0x41 --end 0x43 -f python -f url --silent
   # Output:
   # \u0041
   # %41
   # \u0042
   # %42
   # \u0043
   # %43
   
   # Perfect for piping to other tools
   uni-fuzz dangerous -f url --silent | your-fuzzer
   uni-fuzz special -c P --silent | grep -v "space"

6. Use with other tools: Pipe output to other fuzzing tools:

   uni-fuzz dangerous -f url --silent | ffuf -w - -u https://example.com/FUZZ

Warning

This tool is designed for legitimate security testing and development purposes only. Always ensure you have proper authorization before testing any systems.