wfuzz

22 May 2022, 12:20 p.m.

12 Apr 2022, 2:59 p.m.

03:26 minutes

Brute-force Web

Wfuzz is a tool designed for fuzzing Web Applications. It can be used for finding direct objects not referenced within a website such as files and folders, it allows any HTTP request filed to be injected such as parameters, authentication, forms and headers. It is modular and extendable by plugins and can check for different kinds of injections such as SQL, XSS and LDAP.

Wfuzz

Wfuzz provides some highly customisable fuzzing options that take it beyond a simple hidden content discovery tool.

You must be familiar with a few non-obvious options before you use the tool.

Flag	Description
-e	List of available encoders/payloads/iterators/printers/scripts
-c	Output with colours
-z	payload
-R depth	Recursive path Discovery
–hc	Hide content, so for example, hide 404 results.
–sc	Show content with specified code, i.e. 200
-p addr	Use Proxy in format ip:port:type
FUZZ	The parameter you want fuzzing. If you use the -V option, this is unnecessary as it will do all parameters.

Installing the tool

sudo apt install wfuzz

Typical usage syntax.

wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --hc 404 http://website/FUZZ

Look for pages ending in a .php extension.

wfuzz -c -z file,/usr/share/wordlists/wfuzz/general/big.txt --hc 404 http://website/FUZZ.php

Output

We can fuzz via a proxy using the -p option syntax.

wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/megabeast.txt -p 127.0.0.1:8080 http://website/FUZZ

When writing to a file, wfuzz has some choices. To see available formats

wfuzz -e printers

We can specify a format like so

wfuzz -f nonauth.txt,raw  -c -z file,/usr/share/wfuzz/wordlist/general/big.txt http://website/FUZZ
wfuzz -f myoutput,html -c -z file,/usr/share/wfuzz/wordlist/general/big.txt http://website/FUZZ
wfuzz -f moreoutput,json -c -z file,/usr/share/wfuzz/wordlist/general/big.txt http://website/FUZZ
wfuzz -f anotheroutput,magictree -c -z file,/usr/share/wfuzz/wordlist/general/big.txt http://website/FUZZ

Cookies

We can add cookies to our syntax (if the cookies contain characters that will escape the bash shell you need to quote them)

wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt -b mycookie=true -b secondcookies=joiQXV0aFNlcnZlciIsImp http://website/FUZZ

Cookies can also be fuzzed using the FUZZ keyword

wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt -b mycookie=FUZZ http://website/FUZZ

Useragent

Some filters might be looking for common tool user-agent signatures. You can specify one as follows

wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt -H "User-Agent: evilbrowser" http://website/FUZZ

Recursion

To instruct recursion simply add the -R parameter followed by a depth

wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/megabeast.txt --hc 404 -R1 https://pentesting.optasense.com/FUZZ

Scripts

Some locations where wfuzz scripts might be installed depending on version of kali.

ls -l /usr/lib/python2.7/dist-packages/wfuzz/plugins/scripts/
ls -ls /usr/share/wfuzz/plugins/scripts/

We can see a list of scripts using the -e option

wfuzz -e scripts

Run default scripts (--script=default)

wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --hc 404 http://website/FUZZ

Run multiple collections of scripts

wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/megabeast.txt --script=active,default,discovery --hc 404  http://website/FUZZ

To get help on a script or script category.

wfuzz --script-help=default
wfuzz --script-help=wc_extractor

Special Cases

Headers can also be fuzzed:

wfuzz -z file,wordlist/general/common.txt -H "User-Agent: FUZZ" http://website/FUZZ

HTTP verbs fuzzing can be specified using the -X swith:

wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS -X FUZZ http://website/FUZZ

a protected resource using Basic authentication can be fuzzed using the following command:

wfuzz -z list,nonvalid-httpwatch –basic FUZZ:FUZZ http://website/FUZZ

Fuzz id fields in URLs

wfuzz -z range,0-10 –hl 97 http://website/product.php?pid=FUZZ