Wfuzz is a tool designed for brute-forcing web applications. It can be used to find resources that are not linked (directories, servlets, scripts, etc.), to brute-force GET and POST parameters when checking for different kinds of injection (SQL, XSS, LDAP, etc.), to brute-force form parameters (user/password), for fuzzing, etc.

Some features:

  • Multiple Injection points capability with multiple dictionaries

  • Recursion (When doing directory bruteforce)

  • Post, headers and authentication data brute forcing

  • Output to HTML

  • Colored output

  • Hide results by return code, word numbers, line numbers, regex

  • Cookies fuzzing

  • Multi threading

  • Proxy support

  • SOCKS support

  • Time delays between requests

  • Authentication support (NTLM, Basic)

  • All parameters bruteforcing (POST and GET)

  • Multiple encoders per payload

  • Payload combinations with iterators

  • Baseline request (to filter results against)

  • Brute force HTTP methods

  • Multiple proxy support (each request through a different proxy)

  • HEAD scan (faster for resource discovery)

  • Dictionaries tailored for known applications (Weblogic, Iplanet, Tomcat, Domino, Oracle 9i, Vignette, Coldfusion and many more)



wfuzz [options] <url>


-c			    : Output with colors
-v			    : Verbose information
-o printer		    : Output format by stderr

-p addr			    : use Proxy (ip:port or ip:port-ip:port-ip:port)
-x type			    : use SOCK proxy (SOCKS4,SOCKS5)
-t N			    : Specify the number of threads (20 default)
-s N			    : Specify time delay between requests (0 default)

-e <type>		    : List of available encodings/payloads/iterators/printers
-R depth		    : Recursive path discovery
-I			    : Use HTTP HEAD instead of GET method (No HTML body responses). 
--follow		    : Follow redirections

-m iterator		    : Specify iterator (product by default)
-z payload		    : Specify payload (type,parameters,encoding)
-V alltype		    : All parameters bruteforcing (allvars and allpost). No need for FUZZ keyword.

-X			    : Payload within HTTP methods (ex: "FUZZ HTTP/1.0"). No need for FUZZ keyword.
-b cookie		    : Specify a cookie for the requests
-d postdata 		    : Use post data (ex: "id=FUZZ&catalogue=1")
-H headers  		    : Use headers (ex:",Cookie:id=1312321&user=FUZZ")

--basic/ntlm/digest auth    : in format "user:pass" or "FUZZ:FUZZ" or "domain\FUZ2Z:FUZZ"

--hc/hl/hw/hh N[,N]+	    : Hide resposnes with the specified[s] code/lines/words/chars (Use BBB for taking values from baseline)
--hs regex		    : Hide responses with the specified regex within the response


cyborg@cyborg:~$  sudo wfuzz -c -z file,/pentest/web/wfuzz/wordlist/general/common.txt --hc 404

* Wfuzz  2.0 - The Web Bruteforcer                     *

Payload type: file,/penteset/web/wfuzz/wordlist/general/common.txt

Total requests: 950
ID  Response   Lines      Word         Chars          Request    

00245:  C=200      4 L        19 W      153 Ch    " - index"
00253:  C=200     17 L        22 W      250 Ch    " - var"
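
The result rows above and the --hc/--hl/--hw/--hh hide options, as an added Python example (not part of Wfuzz or of the original page): it parses rows in the printed format and applies hide lists to saved output offline. The 00012 and 00301 rows are constructed, treating a row as hidden when any one list matches is an assumption, and the BBB baseline value is not handled.

```python
import re
from collections import namedtuple

# One result row as printed in the run above, e.g.
# 00245:  C=200      4 L        19 W      153 Ch    " - index"
ROW = re.compile(
    r'^(?P<id>\d+):\s+C=(?P<code>\d{3})\s+(?P<lines>\d+)\s+L\s+'
    r'(?P<words>\d+)\s+W\s+(?P<chars>\d+)\s+Ch\s+"(?P<request>.*)"\s*$'
)
Result = namedtuple("Result", "id code lines words chars request")

def parse_rows(text):
    """Return a Result for each line shaped like a result row; skip banners."""
    out = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            d = m.groupdict()
            nums = [int(d[k]) for k in ("id", "code", "lines", "words", "chars")]
            out.append(Result(*nums, d["request"].removeprefix(" - ")))
    return out

def parse_hide(spec):
    """Parse an 'N[,N]+' value such as '404,403' into a set of ints."""
    return {int(n) for n in spec.split(",") if n.strip()}

def visible(results, hc="", hl="", hw="", hh=""):
    """Drop rows whose code/lines/words/chars value is in the matching list.
    Assumption: a row is hidden as soon as ANY one list matches it."""
    hide = {"code": parse_hide(hc), "lines": parse_hide(hl),
            "words": parse_hide(hw), "chars": parse_hide(hh)}
    return [r for r in results
            if not any(getattr(r, f) in vals for f, vals in hide.items())]

# Sample output: rows 00245 and 00253 are from the page, the rest are constructed.
SAMPLE = """\
* Wfuzz  2.0 - The Web Bruteforcer                     *
00012:  C=404      9 L        32 W      289 Ch    " - admin"
00245:  C=200      4 L        19 W      153 Ch    " - index"
00253:  C=200     17 L        22 W      250 Ch    " - var"
00301:  C=403      9 L        28 W      275 Ch    " - cgi-bin"
"""

if __name__ == "__main__":
    for row in visible(parse_rows(SAMPLE), hc="404"):
        print(row)
```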



©2018 Ztrela Knowledge Solutions Pvt. Ltd
