Description
Wfuzz is a web application brute forcer that can be used to find hidden resources, fuzz parameters, find injection points, and brute-force authentication. It replaces any reference to the FUZZ keyword with the payload data.
Installation
BASH
pip install wfuzz
Basic Usage
BASH
# Directory fuzzing
wfuzz -w wordlist.txt https://target.com/FUZZ
# Parameter fuzzing
wfuzz -w payloads.txt "https://target.com/?param=FUZZ"
Advanced Usage
BASH
# Hide responses by code
wfuzz -w wordlist.txt --hc 404 https://target.com/FUZZ
# Hide by word count
wfuzz -w wordlist.txt --hw 42 https://target.com/FUZZ
# POST data
wfuzz -w passwords.txt -d "user=admin&pass=FUZZ" https://target.com/login
# With cookies
wfuzz -w wordlist.txt -b "session=abc123" https://target.com/FUZZ
# Multiple payloads: FUZZ takes the first -z payload, FUZ2Z the second
wfuzz -z file,users.txt -z file,pass.txt -d "user=FUZZ&pass=FUZ2Z" https://target.com/login
# Header fuzzing
wfuzz -w wordlist.txt -H "X-Header: FUZZ" https://target.com
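
Detection
Wordlist-driven directory fuzzing like the commands above shows up in server access logs as one client requesting many distinct paths, most of them answered with 404. The following is an added example, not part of the original page or of Wfuzz: a minimal log check over constructed sample lines, where the function name `find_fuzzing_clients` and both thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET /admin HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET /backup HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET /config HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "GET /login HTTP/1.1" 200 2048
203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "GET /old HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "GET /test HTTP/1.1" 404 153
198.51.100.20 - - [10/Mar/2025:10:00:03 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.20 - - [10/Mar/2025:10:00:04 +0000] "GET /login HTTP/1.1" 200 2048
198.51.100.20 - - [10/Mar/2025:10:00:09 +0000] "GET /favicon.ico HTTP/1.1" 404 153
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_fuzzing_clients(log_text, min_requests=5, min_404_ratio=0.8):
    """Flag clients with many distinct paths and a high share of 404 responses."""
    total = defaultdict(int)
    not_found = defaultdict(int)
    paths = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        ip = m["ip"]
        total[ip] += 1
        paths[ip].add(m["path"].split("?", 1)[0])  # compare paths without query
        if m["status"] == "404":
            not_found[ip] += 1
    flagged = {}
    for ip, n in total.items():
        ratio = not_found[ip] / n
        # Thresholds are assumptions; tune them against normal traffic.
        if n >= min_requests and len(paths[ip]) >= min_requests and ratio >= min_404_ratio:
            flagged[ip] = {"requests": n, "distinct_paths": len(paths[ip]),
                           "ratio_404": round(ratio, 2)}
    return flagged

if __name__ == "__main__":
    print(find_fuzzing_clients(SAMPLE_LOG))
```

In production the same counters would be kept per time window, and parameter fuzzing (same path, changing query string) would need a separate check on distinct query values.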