Wfuzz Command Cheatsheet
About Wfuzz
Wfuzz is a powerful web application fuzzer that replaces any reference to the FUZZ keyword in URLs, headers, cookies, or other HTTP request elements with values from a specified payload. This makes it an essential tool for web application security assessments.
Commmon Snippets
wfuzz -c -w $wordlist -t $threads -v --hc 404 $host/FUZZwfuzz -c -w $wordlist -t $threads -v --hc 404 -H "Host: FUZZ.$host" $hostTable of Contents
- Installation
- Basic Concepts
- Filtering Options
- Authentication Methods
- Payload Types
- Common Attack Scenarios
- Advanced Features
- Output Management
- Performance Tips
Installation
# Using pippip install wfuzz
# On Kali Linux# Pre-installed, but can be updated via aptsudo apt update && sudo apt install wfuzz# Clone repositorygit clone https://github.com/xmendez/wfuzzcd wfuzz
# Installpython setup.py installBasic Concepts
The fundamental concept of Wfuzz is replacing the FUZZ keyword with payloads:
# Basic syntaxwfuzz -z payload,wordlist URL/FUZZ
# Multiple FUZZ keywordswfuzz -z payload,list1 -z payload,list2 URL/FUZZ/FUZ2ZFiltering Options
# Hide/Show by string or regex--hs/ss "regex" # Hide/Show responses with match--hc/sc CODE # Hide/Show by response code--hl/sl NUM # Hide/Show by line count--hw/sw NUM # Hide/Show by word count--hh/sh NUM # Hide/Show by char count
# Examples--hs "Invalid username" # Hide responses containing text--hs "Invalid *" # Hide responses matching regex--hc 404,503 # Hide specific response codes# Combining filterswfuzz -c -w wordlist.txt \ --hc 404 \ --hw 180 \ --hs "Invalid" \ http://example.com/FUZZ
# Show only successful responseswfuzz -c -w wordlist.txt \ --sc 200,301,302 \ --sw 200 \ http://example.com/FUZZAuthentication Methods
# Basic authenticationwfuzz -c -w users.txt -w passes.txt \ --basic FUZZ:FUZ2Z \ http://example.com/
# NTLM authenticationwfuzz -c -w users.txt -w passes.txt \ --ntlm 'domain\FUZZ:FUZ2Z' \ http://example.com/# Cookie authenticationwfuzz -c -w tokens.txt \ -H "Cookie: session=FUZZ" \ http://example.com/
# Custom header authenticationwfuzz -c -w tokens.txt \ -H "Authorization: Bearer FUZZ" \ http://example.com/Common Attack Scenarios
Login Form Bruteforce
# Single listwfuzz -c -w users.txt \ --hs "Login name" \ -d "name=FUZZ&password=FUZZ&autologin=1" \ http://example.com/login
# Two listswfuzz -c -z file,users.txt -z file,passes.txt \ --sc 200 \ -d "name=FUZZ&password=FUZ2Z" \ http://example.com/login# With proxy and cookieswfuzz -c -w users.txt -w passes.txt \ --ss "Welcome" \ -p 127.0.0.1:8080:HTTP \ -b "PHPSESSIONID=1234567890abcdef" \ "http://example.com/login?user=FUZZ&pass=FUZ2Z"Directory and File Discovery
# Basic directory scanningwfuzz -c \ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \ --sc 200,202,301,302,307,401 \ http://example.com/FUZZ
# File extension fuzzingwfuzz -c \ -w wordlist.txt \ -z list,.php-.txt-.html \ http://example.com/FUZZ/FUZ2ZVirtual Host Discovery
# Subdomain enumerationwfuzz -c \ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt \ --hc 400,404,403 \ -H "Host: FUZZ.example.com" \ -u http://example.com \ -t 100API Endpoint Fuzzing
# RESTful API endpointswfuzz -c \ -w /usr/share/wordlists/api_endpoints.txt \ --hc 404 \ https://api.example.com/FUZZ
# Path parameterswfuzz -c \ -w params.txt \ --hw 11 \ 'http://example.com/api/FUZZ=value'Advanced Features
Encoders
# List available encoderswfuzz -e encoders
# Common encoders:# - urlencode# - md5# - base64# - hexlify# - uri_hex# MD5 encode payload-z file,wordlist.txt,md5
# Base64 encode payload-w wordlist.txt,base64
# URL encode payload-z list,items-here,urlencodeOutput Management
# List available output formatswfuzz -e printers
# Save output to file-f /tmp/output,csv
# Custom output format--oF custom_format.txt
# Color output-c