Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc), bruteforce GET and POST parameters for checking different kind of injections (SQL, XSS, LDAP,etc), bruteforce Forms parameters (User/Password), Fuzzing,etc.
The tool is based on dictionaries and ranges, you choose where you want to bruteforce just by replacing the part of the URL or the POST by the keyword FUZZ.
It’s very flexible, here are some functionalities:
- Recursion (When doing directory bruteforce)
- Post data bruteforcing
- Output to HTML (easy for just clicking the links and checking the page, even with postdata!!)
- Colored output on all systems
- Hide results by return code, word numbers, line numbers, etc.
- URL encoding
- Proxy support
- All parameters bruteforcing (POST and GET)
- Dictionaries tailored for known applications (Weblogic, Iplanet, Tomcat, Domino, Oracle 9i, Vignette, Coldfusion and many more.
wfuzz.py -c -z file -f commons.txt --hc 404 --html http://www.mysite.com/FUZZ
This will bruteforce the site http://www.mysite.com/FUZZ in search of resources (directories, scripts, files,etc), it will hide from the output the return code 404 (for easy reading the results), it will use the dictionary commons.txt for the bruteforce.
It was created to facilitate the task in Web Applications assessments, it’s a tool by pentesters for pentesters.
You can download Wfuzz here:
Or read more here.
- Web Security Dojo 2.0 – Self-Contained Web Hacking Training
- Plecost – WordPress Fingerprinting Tool
- InstaRecon – Automated Subdomain Discovery Tool
- Wfuzz v1.4 Released for Download – Bruteforcing & Fuzzing Web Applications
- GoLISMERO – Web Application Mapping Tool
- Keep on Fuzzing! Advice
Most Read in Hacking Tools:
- Top 15 Security/Hacking Tools & Utilities - 1,908,161 views
- Brutus Password Cracker – Download brutus-aet2.zip AET2 - 1,149,009 views
- wwwhack 1.9 – Download wwwhack19.zip Web Hacking Tool - 642,555 views