Wfuzz bruteforcing web applications – All things in moderation

Wfuzz bruteforcing web applications


Wfuzz is a Python-based tool designed for brute-forcing web applications. It can be used to find resources that are not linked (directories, servlets, scripts, etc.), to brute-force GET and POST parameters to check for different kinds of injection (SQL, XSS, LDAP, etc.), to brute-force form parameters (user/password), for fuzzing, etc.

Source code: https://github.com/xmendez/wfuzz

Home page: http://www.edge-security.com/wfuzz.php

You can use wfuzz to find some vulnerabilities:

  • Predictable credentials
  • Predictable session identifiers (session IDs)
  • Predictable resource location (directories and files)
  • Injections
  • Path traversals
  • Overflows
  • Cross site scripting
  • Authentication flaws
  • Insecure direct object references


Features:

  • Multiple injection points capability with multiple dictionaries

  • Recursion (When doing directory bruteforce)
  • Post, headers and authentication data brute forcing
  • Output to HTML
  • Colored output
  • Hide results by return code, word numbers, line numbers, regex
  • Cookies fuzzing
  • Multi threading
  • Proxy support
  • SOCKS support
  • Time delays between requests
  • Authentication support (NTLM, Basic)
  • All parameters bruteforcing (POST and GET)
  • Multiple encoders per payload
  • Payload combinations with iterators
  • Baseline request (to filter results against)
  • Brute force HTTP methods
  • Multiple proxy support (each request through a different proxy)
  • HEAD scan (faster for resource discovery)
  • Dictionaries tailored for known applications (Weblogic, Iplanet, Tomcat, Domino, Oracle 9i, Vignette, Coldfusion and many more)


Install a Python 2 environment and download wfuzz from https://github.com/xmendez/wfuzz/tree/v2.1.4, then check that it works by running:

[email protected]:/wfuzz/wfuzz.py -h
* Wfuzz 2.1.3 - The Web Bruteforcer                      *
*                                                      *
* Version up to 1.4c coded by:                         *
* Christian Martorella ([email protected]) *
* Carlos del ojo ([email protected])                   *
*                                                      *
* Version 1.4d to 2.1.3 coded by:                        *
* Xavier Mendez ([email protected])            *

Usage: ./wfuzz.py [options] -z payload,params <url>

-h/--help           : This help
--version           : Wfuzz version details
-e <type>         : List of available encoders/payloads/iterators/printers/scripts

-c              : Output with colors
-v              : Verbose information. Alias for -o verbose
-o printer          : Format output using the specified printer (default printer if omitted).
--interact          : (beta) If selected,all key presses are captured. This allows you to interact with the program.

-p addr             : Use Proxy in format ip:port:type or ip:port:type-...-ip:port:type for using various proxies.
                  Where type could be SOCKS4,SOCKS5 or HTTP if omitted.

-t N                : Specify the number of concurrent connections (10 default)
-s N                : Specify time delay between requests (0 default)
-R depth            : Recursive path discovery being depth the maximum recursion level.
-I              : Use HTTP HEAD method (No HTML body responses). 
--follow            : Follow HTTP redirections
-Z              : Scan mode (Connection errors will be ignored).

-A              : Alias for --script=default -v -c
--script=           : Equivalent to --script=default
--script=<plugins>        : Runs script's scan. <plugins> is a comma separated list of plugin-files or plugin-categories
--script-help=<plugins>       : Show help about scripts.
--script-args n1=v1,...     : Provide arguments to scripts. ie. --script-args grep.regex="<A href=\"(.*?)\">"

-m iterator         : Specify an iterator for combining payloads (product by default)
-z payload          : Specify a payload for each FUZZ keyword used in the form of type,parameters,encoder.
                  A list of encoders can be used, ie. md5-sha1. Encoders can be chained, ie. md5@sha1
                  Encoders category can be used. ie. url
-w wordlist         : Specify a wordlist file (alias for -z file,wordlist).
-V alltype          : All parameters bruteforcing (allvars and allpost). No need for FUZZ keyword.
-X              : Payload within HTTP methods (ex: "FUZZ HTTP/1.0"). No need for FUZZ keyword.

-b cookie           : Specify a cookie for the requests
-d postdata             : Use post data (ex: "id=FUZZ&catalogue=1")
-H headers              : Use headers (ex:"Host:www.mysite.com,Cookie:id=1312321&user=FUZZ")
--basic/ntlm/digest auth    : in format "user:pass" or "FUZZ:FUZZ" or "domain\FUZ2Z:FUZZ"

--hc/hl/hw/hh N[,N]+        : Hide responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
--sc/sl/sw/sh N[,N]+        : Show responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
--ss/hs regex           : Show/Hide responses with the specified regex within the content
--filter <filter>     : Filter responses using the specified expression (Use BBB for taking values from baseline)
                  It should be composed of: c,l,w,h/and,or/=,<,>,!=,<=,>=

Keyword: FUZZ, ..., FUZnZ  wherever you put these keywords wfuzz will replace them with the values of the specified payload. 
Baseline: FUZZ{baseline_value} FUZZ will be replaced by baseline_value. It will be the first request performed and could be used as a base for filtering.

Examples: - wfuzz.py -c -z file,users.txt -z file,pass.txt --sc 200 http://www.site.com/log.asp?user=FUZZ&pass=FUZ2Z
      - wfuzz.py -c -z range,1-10 --hc=BBB http://www.site.com/FUZZ{something not there}
      - wfuzz.py --script=robots -z list,robots.txt http://www.webscantest.com/FUZZ

Usage example

  1. Brute-force the site http://example.com/FUZZ in search of resources (directories, scripts, files, etc.). Responses with return code 404 are hidden from the output (to make the results easier to read), and the dictionary common.txt is used for the brute force.


python wfuzz.py -c -v -w wordlist/general/common.txt --hc 404 http://example.com/FUZZ


  2. This example checks for SQL injection in the parameter “id”.


python wfuzz.py -c -v -z file,wordlist/Injections/SQL.txt --hc 404 http://www.example.com/index.php?id=FUZZ


  3. Instead of using a file as the dictionary, this example uses a range from 1-100 to brute-force the parameter “id”.


python wfuzz.py -c -z range,1-100 --hc 404 http://www.mysite.com/list.asp?id=FUZZ


  4. Brute-force a login with POST data, using the option “-d”.


python wfuzz.py -c -v --sc 200 -z file,pass.txt -d "username=admin&password=FUZZ" http://example.com/login.php
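
Seen from the defending side, the resource-discovery and login examples above leave a recognizable trail in the web server's access log: many distinct 404 paths, or many POSTs to the login form, from one client in a short time. The following Python script is an added example (not part of the original post or of wfuzz) that flags both patterns; the log lines, IP addresses, thresholds and the /login.php path list are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip - - [time] "METHOD path proto" status size ...
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None  # skip lines that are not in the expected format
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?")[0], int(status)

def detect(lines, window=timedelta(seconds=60), max_404_paths=5,
           max_login_posts=5, login_paths=("/login.php",)):
    """Return {ip: findings} for clients over a threshold inside one window.
    Thresholds and login_paths are assumptions; tune them per site."""
    misses = defaultdict(list)   # ip -> [(time, path)] for 404 responses
    logins = defaultdict(list)   # ip -> [time] for POSTs to a login path
    findings = defaultdict(set)
    for ip, when, method, path, status in filter(None, map(parse, lines)):
        if status == 404:
            misses[ip].append((when, path))
            recent = {p for t, p in misses[ip] if when - t <= window}
            if len(recent) > max_404_paths:
                findings[ip].add("resource-discovery")
        if method == "POST" and path in login_paths:
            logins[ip].append(when)
            if sum(1 for t in logins[ip] if when - t <= window) > max_login_posts:
                findings[ip].add("login-bruteforce")
    return dict(findings)

def sample_log():
    """Constructed sample: a dictionary scan, a password guesser, a normal user."""
    def row(ip, sec, method, path, status):
        return (f'{ip} - - [10/Mar/2024:12:00:{sec:02d} +0000] '
                f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')
    words = ["admin", "backup", "cgi-bin", "test", "old", "tmp", "images"]
    rows = [row("203.0.113.5", i, "GET", f"/{w}", 200 if w == "images" else 404)
            for i, w in enumerate(words)]
    rows += [row("198.51.100.7", i, "POST", "/login.php", 200) for i in range(8)]
    rows += [row("192.0.2.10", 1, "GET", "/index.php?id=3", 200),
             row("192.0.2.10", 2, "GET", "/favicon.ico", 404),
             row("192.0.2.10", 9, "POST", "/login.php", 302)]
    return rows

if __name__ == "__main__":
    print(detect(sample_log()))
```

Per-client thresholds miss requests that are delayed or spread across several proxies, both of which appear in the feature list above, so pair this kind of log check with per-account failed-login counters and lockout on the login endpoint itself.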
