Wfuzz – A Tool for Bruteforcing/Fuzzing Web Applications
Wfuzz is a tool designed for bruteforcing Web Applications. It can be used for finding resources that are not linked (directories, servlets, scripts, etc.), bruteforcing GET and POST parameters to check for different kinds of injection (SQL, XSS, LDAP, etc.), bruteforcing form parameters (user/password), fuzzing, and so on.
The tool is based on dictionaries and ranges: you choose where you want to bruteforce simply by replacing the relevant part of the URL or the POST data with the keyword FUZZ, and each dictionary entry is substituted in its place.
It's very flexible; here are some of its functionalities:
- Recursion (When doing directory bruteforce)
- Post data bruteforcing
- Output to HTML (easy for just clicking the links and checking the page, even with postdata!!)
- Colored output on all systems
- Hide results by return code, word numbers, line numbers, etc.
- URL encoding
- Cookies
- Multithreading
- Proxy support
- All parameters bruteforcing (POST and GET)
- Dictionaries tailored for known applications (Weblogic, Iplanet, Tomcat, Domino, Oracle 9i, Vignette, Coldfusion and many more)
Example:
wfuzz.py -c -z file -f commons.txt --hc 404 --html http://www.mysite.com/FUZZ
This will bruteforce the site http://www.mysite.com/FUZZ in search of resources (directories, scripts, files, etc.), substituting each entry of the dictionary commons.txt for the FUZZ keyword. Responses with return code 404 are hidden from the output (--hc 404) so the results are easier to read, -c colours the output and --html writes an HTML report. Note that hiding 404s only works when the server actually answers missing resources with a 404; if it returns 200 or a redirect for every unknown path, hide responses by word count or line count instead (the hide-by-word-numbers and hide-by-line-numbers options listed above), using the size of the server's "not found" page as the filter value.
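To make the FUZZ mechanism and the "hide" filters concrete, the following is an added example written for this page; it is not Wfuzz's own code. It re-implements the two ideas described above: every dictionary entry replaces the FUZZ keyword in the URL or in the POST data, and each response is then dropped if its status code, word count or line count matches a hide filter (the counterparts of --hc, --hw and --hl). The target site responses, the wordlist, the login endpoint and the credential "letmein" are all constructed stand-ins so the script runs offline; the second fake server answers unknown paths with 200 to show why hiding on 404 alone is not enough.

```python
"""Minimal offline re-implementation of the idea behind Wfuzz (added example,
not Wfuzz's own code): substitute FUZZ, request, then hide responses by code,
word count or line count. All targets, wordlists and credentials below are
constructed so that the script runs without a network."""
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

KEYWORD = "FUZZ"


@dataclass
class Result:
    payload: str
    code: int
    lines: int
    words: int
    chars: int


def http_transport(url: str, body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real HTTP transport for a target you are authorised to test (not used offline)."""
    req = urllib.request.Request(url, data=body, method="POST" if body is not None else "GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.getcode(), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def substitute(template: str, payload: str, encode: bool) -> str:
    """Replace every FUZZ marker; optionally URL-encode the payload first."""
    value = urllib.parse.quote(payload, safe="") if encode else payload
    return template.replace(KEYWORD, value)


def fuzz(url_template: str, wordlist: Iterable[str], post_template: Optional[str] = None,
         transport: Callable[[str, Optional[bytes]], Tuple[int, bytes]] = http_transport,
         hide_codes=(), hide_words=(), hide_lines=(), encode: bool = False) -> List[Result]:
    """One request per payload; keep only responses that no hide filter matches."""
    if KEYWORD not in url_template and KEYWORD not in (post_template or ""):
        raise ValueError("the URL or the POST data must contain the FUZZ keyword")
    kept = []
    for payload in wordlist:
        url = substitute(url_template, payload, encode)
        body = substitute(post_template, payload, encode).encode() if post_template is not None else None
        code, data = transport(url, body)
        text = data.decode("utf-8", "replace")
        res = Result(payload, code, text.count("\n"), len(text.split()), len(text))
        if res.code in hide_codes or res.words in hide_words or res.lines in hide_lines:
            continue  # hidden, exactly like --hc / --hw / --hl
        kept.append(res)
    return kept


# --- constructed fake targets so the example runs offline --------------------
KNOWN = {
    "http://www.mysite.com/admin": (200, b"<html><body>Admin login</body></html>"),
    "http://www.mysite.com/backup": (403, b"Forbidden"),
}
SOFT404_BODY = b"<html><body>Sorry, that page does not exist.</body></html>"


def fake_transport(url: str, body: Optional[bytes]) -> Tuple[int, bytes]:
    """Well-behaved server: unknown paths give 404; /login checks a POSTed password."""
    if url == "http://www.mysite.com/login":
        ok = body == b"user=admin&pass=letmein"  # constructed credential
        return (200, b"Welcome") if ok else (401, b"Bad credentials")
    return KNOWN.get(url, (404, b"Not Found"))


def soft404_transport(url: str, body: Optional[bytes]) -> Tuple[int, bytes]:
    """Misbehaving server: every unknown path returns 200, so hiding 404 hides nothing."""
    return KNOWN.get(url, (200, SOFT404_BODY))


def soft404_word_count() -> int:
    """Word count of the soft-404 page: the value to hide on instead of the status code."""
    return len(SOFT404_BODY.decode().split())


WORDLIST = ["admin", "backup", "images", "cgi-bin", "test"]  # constructed stand-in for commons.txt
PASSWORDS = ["password", "123456", "letmein"]  # constructed stand-in for a password list


def demo() -> None:
    print("# directory brute force, hide 404 (like --hc 404 http://www.mysite.com/FUZZ)")
    for r in fuzz("http://www.mysite.com/FUZZ", WORDLIST, transport=fake_transport, hide_codes={404}):
        print(f"{r.code}  L:{r.lines} W:{r.words} Ch:{r.chars}  {r.payload}")
    print("# same list against a soft-404 server: hide on word count instead")
    for r in fuzz("http://www.mysite.com/FUZZ", WORDLIST, transport=soft404_transport,
                  hide_words={soft404_word_count()}):
        print(f"{r.code}  L:{r.lines} W:{r.words} Ch:{r.chars}  {r.payload}")
    print("# POST form brute force, hide 401")
    for r in fuzz("http://www.mysite.com/login", PASSWORDS, post_template="user=admin&pass=FUZZ",
                  transport=fake_transport, hide_codes={401}):
        print(f"{r.code}  {r.payload}")


if __name__ == "__main__":
    demo()
```

Against the well-behaved fake server, hiding 404 leaves only /admin and /backup; against the soft-404 server the same filter leaves all five entries, and only hiding on the word count of the "not found" page recovers the two real hits. The transport is injected so the same loop works against a real target with http_transport.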
It was created to facilitate the task in Web Applications assessments, it’s a tool by pentesters for pentesters.
You can download Wfuzz here:
Wfuzz 1.1 – Win32
Wfuzz 1.1 – Unix
Or read more here.
Nice tool… really like it… very quick and easy to use…
added it to my favourites list.
It's a great tool, but mostly I like the fact that it has proxy support and threading, which is a must in bruteforcing tools…
nice tool.
Ohh yeah… multithreading is a must in such tools to make the attack faster…
i like the nice formatted output too..
Not to mention that time means money in such a critical situation… meaning in the moments when the tool isn't used for pen-testing.
yes you are right backbone…
These tools are essential for pen testing jobs, as most of the time (at least for me) clients try not to spend much money on them and expect thorough testing… and that's only possible by using good pen testing tools.
I can’t seem to get wfuzz to work correctly. Whenever I try to run it I get a command not recognized error. I have installed pycurl, but it doesn’t seem to make a difference. If I have it output to an HTML file, the contents only say bash command not found. What am I doing wrong?
it just pops up real quick, then closes, why?
Can someone point me documentations/manual for this tool?