A new version of Wfuzz is available, many improvements and fixes since first release which was in the middle of 2007. Fuzzing is definitely in, an article was posted recently about how everyone should keep on fuzzing! Will post it up soon.
Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for finding resources that are not publically linked such as directories & files, it can bruteforce HEADERS, GET and POST parameters for checking different kind of injections (SQL, XSS, LDAP,etc), it can also bruteforce forms parameters (User/Password) and carry out general Fuzzing,etc.
- Recursion (When doing directory bruteforce)
- Post, headers and authentication data bruteforcing
- Output to HTML (easy for just clicking the links and checking the page, even with postdata!!)
- Colored output on all systems
- Hide results by return code, word numbers, line numbers, etc.
- Many Encodings (random_upper, urlencode, sHA1, bin_ascii, base64, double_nibble_hex, uri_hex, md5, double_urlencode etc)
- Cookies fuzzing
- Proxy support
- Multiple FUZZ capability with multiple dictionaries
- Authentication support (NTLM, Digest, Basic)
- All parameter bruteforcing (POST and GET)
- Dictionaries tailored for known applications (Weblogic, Iplanet, Tomcat, Domino, Oracle 9i, Vignette, Coldfusion and many more)
The tool is based on dictionaries and ranges, you choose where you want to bruteforce just by replacing the part of the URL or the POST by the keyword FUZZ.
You can download wfuzz v1.4 here:
Or read more here.