Basic Usage

Fuzzing Paths and Files

Wfuzz can be used to look for hidden content, such as files and directories, within a web server, allowing to find further attack vectors. It is worth noting that, the success of this task depends highly on the dictionaries used.

However, due to the limited number of platforms, default installations, known resources such as logfiles, administrative directories, a considerable number of resources are located in predictable locations. Therefore, brute forcing these contents becomes a more feasible task.

Wfuzz contains some dictionaries, other larger and up to date open source word lists are:

Below is shown an example of wfuzz looking for common directories:

$ python wfuzz -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ

Below is shown an example of wfuzz looking for common files:

$ python wfuzz -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ.php

Fuzzing Parameters In URLs

You often want to fuzz some sort of data in the URL’s query string, this can be achieved by specifying the FUZZ keyword in the URL after a question mark:

$ python wfuzz -z range,0-10 --hl 97 http://testphp.vulnweb.com/listproducts.php?cat=FUZZ

Fuzzing POST Requests

If you want to fuzz some form-encoded data like an HTML form will do, simply pass a -d command line argument:

$ python wfuzz -z file,wordlist/others/common_pass.txt -d "uname=FUZZ&pass=FUZZ"  --hc 302 http://testphp.vulnweb.com/userinfo.php
********************************************************
* Wfuzz 2.2 - The Web Fuzzer                           *
********************************************************

Target: http://testphp.vulnweb.com/userinfo.php
Total requests: 52

==================================================================
ID      Response   Lines      Word         Chars          Request
==================================================================

00044:  C=200    114 L       356 W         5111 Ch        "test"

Total time: 2.140146
Processed Requests: 52
Filtered Requests: 51
Requests/sec.: 24.29739

Fuzzing Cookies

To send your own cookies to the server, for example, to associate a request to HTTP sessions, you can use the -b parameter (repeat for various cookies):

$ wfuzz -z file,wordlist/general/common.txt -b cookie=value1 -b cookie2=value2 http://testphp.vulnweb.com/FUZZ

The command above will generate HTTP requests such as the one below:

GET /attach HTTP/1.1
Host: testphp.vulnweb.com
Accept: */*
Content-Type:  application/x-www-form-urlencoded
Cookie:  cookie=value1; cookie2=value2
User-Agent:  Wfuzz/2.2
Connection: close

Cookies can also be fuzzed:

$ wfuzz -z file,wordlist/general/common.txt -b cookie=FUZZ http://testphp.vulnweb.com/

Fuzzing Custom headers

If you’d like to add HTTP headers to a request, simply use the -H parameter (repeat for various headers):

$ python wfuzz -z file,wordlist/general/common.txt -H "myheader: headervalue" -H "myheader2: headervalue2" http://testphp.vulnweb.com/FUZZ

The command above will generate HTTP requests such as the one below:

GET /agent HTTP/1.1
Host: testphp.vulnweb.com
Accept: */*
Myheader2:  headervalue2
Myheader:  headervalue
Content-Type:  application/x-www-form-urlencoded
User-Agent:  Wfuzz/2.2
Connection: close

You can modify existing headers, for example, for specifying a custom user agent, execute the following:

$ wfuzz -z file,wordlist/general/common.txt -H "myheader: headervalue" -H "User-Agent: Googlebot-News" http://testphp.vulnweb.com/FUZZ

The command above will generate HTTP requests such as the one below:

GET /asp HTTP/1.1
Host: testphp.vulnweb.com
Accept: */*
Myheader:  headervalue
Content-Type:  application/x-www-form-urlencoded
User-Agent:  Googlebot-News
Connection: close

Headers can also be fuzzed:

$ wfuzz -z file,wordlist/general/common.txt -H "User-Agent: FUZZ" http://testphp.vulnweb.com/

Fuzzing HTTP Verbs

HTTP verbs fuzzing can be specified using the -X swith:

$ python wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS -X FUZZ http://testphp.vulnweb.com/
********************************************************
* Wfuzz 2.2 - The Web Fuzzer                           *
********************************************************

Target: http://testphp.vulnweb.com/
Total requests: 5

==================================================================
ID      Response   Lines      Word         Chars          Request
==================================================================

00002:  C=200      0 L         0 W            0 Ch        "HEAD"
00004:  C=405      7 L        12 W          172 Ch        "TRACE"
00005:  C=405      7 L        12 W          172 Ch        "OPTIONS"
00001:  C=200    104 L       296 W         4096 Ch        "GET"
00003:  C=200    104 L       296 W         4096 Ch        "POST"

Total time: 1.030354
Processed Requests: 5
Filtered Requests: 0
Requests/sec.: 4.852696

If you want to perform the requests using a specific verb you can also use “-X HEAD”.

Proxies

If you need to use a proxy, simply use the -p parameter:

$ wfuzz -z file,wordlist/general/common.txt -p localhost:8080 http://testphp.vulnweb.com/FUZZ

In addition to basic HTTP proxies, Wfuzz also supports proxies using the SOCKS4 and SOCKS5 protocol:

$ wfuzz -z file,wordlist/general/common.txt -p localhost:2222:SOCKS5 http://testphp.vulnweb.com/FUZZ

Multiple proxies can be used simultaneously by supplying various -p parameters:

$ wfuzz -z file,wordlist/general/common.txt -p localhost:8080 -p localhost:9090 http://testphp.vulnweb.com/FUZZ

Each request will be performed using a different proxy each time.

Authentication

Wfuzz can set an authentication headers by using the –basic/ntlm/digest command line switches.

For example, a protected resource using Basic authentication can be fuzzed using the following command:

$ python wfuzz -z list,nonvalid-httpwatch --basic FUZZ:FUZZ https://www.httpwatch.com/httpgallery/authentication/authenticatedimage/default.aspx
********************************************************
* Wfuzz 2.2 - The Web Fuzzer                           *
********************************************************

Target: https://www.httpwatch.com/httpgallery/authentication/authenticatedimage/default.aspx
Total requests: 2

==================================================================
ID      Response   Lines      Word         Chars          Request
==================================================================

00001:  C=401      0 L        11 W           58 Ch        "nonvalid"
00002:  C=200     20 L        91 W         5294 Ch        "httpwatch"

Total time: 0.820029
Processed Requests: 2
Filtered Requests: 0
Requests/sec.: 2.438938

If you want to fuzz a resource from a protected website you can also use “–basic user:pass”.

Recursion

The -R swith can be used to specify a payload recursion’s depth. For example, if you want to search for existing directories and then fuzz within these directories again using the same payload you can use the following command:

$ python wfuzz -z list,"admin-CVS-cgi\-bin"  -R1 http://testphp.vulnweb.com/FUZZ
********************************************************
* Wfuzz 2.2 - The Web Fuzzer                           *
********************************************************

Target: http://testphp.vulnweb.com/FUZZ
Total requests: 3

==================================================================
ID      Response   Lines      Word         Chars          Request
==================================================================

00003:  C=403     10 L        29 W          263 Ch        "cgi-bin"
00002:  C=301      7 L        12 W          184 Ch        "CVS"
|_ Enqueued response for recursion (level=1)
00001:  C=301      7 L        12 W          184 Ch        "admin"
|_ Enqueued response for recursion (level=1)
00008:  C=404      7 L        12 W          168 Ch        "admin - CVS"
00007:  C=404      7 L        12 W          168 Ch        "admin - admin"
00005:  C=404      7 L        12 W          168 Ch        "CVS - CVS"
00006:  C=404      7 L        12 W          168 Ch        "CVS - cgi-bin"
00009:  C=404      7 L        12 W          168 Ch        "admin - cgi-bin"
00004:  C=404      7 L        12 W          168 Ch        "CVS - admin"

Perfomance

Several options lets you fine tune the HTTP request engine, depending on the performance impact on the application, and on your own processing power and bandwidth.

You can increase or decrease the number of simultaneous requests to make your attack proceed faster or slower by using the -t switch.

You can tell Wfuzz to stop a given number of seconds before performing another request using the -s parameter.

Writing to a file

Wfuzz supports writing the results to a file in a different format. This is performed by plugins called “printers”. The available printers can be listed executing:

$ python wfuzz -e printers

For example, to write results to an output file in json format use the following command:

$ python wfuzz -f /tmp/outfile,json -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ

Different output

Wfuzz supports showing the results in various formats. This is performed by plugins called “printers”. The available printers can be listed executing:

$ python wfuzz -e printers

For example, to show results in json format use the following command:

$ python wfuzz -o json -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ