wfuzz ¶

wfuzz (5.6k ⭐, 2020 🪦) is a Fuzzing tool in Python. There are new modern alternatives, and it has not been updated since 2020.

Examples

$ wfuzz -w wordlist URL/account?id=FUZZZ        # GET
$ wfuzz -w wordlist -d "xxx=FUZZ" URL/login.php # POST
# ...

You can add some verbose with -v

$ wfuzz [...] -v

You can filter responses by code. -h will hide a response based on a criterion... And, -s, which is working the same, will do the opposite, and only show a response matching a criterion.

• c code: show/hide responses with this return code
• l n: show/hide responses with this $n$ number of lines
• w n: show/hide responses with this $n$ number of words
• c n: show/hide responses with this $n$ number of characters
• s regex: show/hide responses containing the regex

# ignore 404,500
$ wfuzz -w wordlist --hc 404,500 xxx.tld/account?id=FUZZ
# show only 200
$ wfuzz -w wordlist --sc 200 xxx.tld/account?id=FUZZ

Forced Browsing ¶

For forced browsing, you can use:

$ wfuzz -w wordlist -u URL/FUZZ # Forced browsing