Wfuzz

Hacktricks Wfuzz

WFUZZ-WEB FUZZER

Advanced wfuzz

Another webfuzz tutorial

-c : colorize the output
-z : set the payload as type,parameters (e.g. file,common.txt or range,1-100); repeat the option once per FUZZ keyword (FUZZ, FUZ2Z, FUZ3Z, ...)
-w : wordlist shorthand, equivalent to -z file,wordlist
-d : POST data to send with the request (wfuzz switches the method to POST)
-H : add a request header; repeat the option for several headers
-b : add a cookie to the request; repeat the option for several cookies
-e : list the available payloads, encoders, iterators, printers or scripts (e.g. -e encoders); an encoder is not a separate option but is appended to the payload, as in -z file,common.txt,urlencode
-m : iterator used to combine several payloads (product by default, or zip, chain)
-t : number of concurrent connections (threads, 10 by default)
-s : delay in seconds between each request (0 by default)
-p : proxy to send the requests through, as addr:port:type (e.g. 127.0.0.1:8080:HTTP)
--req-delay : maximum seconds a single request may take (the per-request timeout)
-L : follow redirects
--hc/--hl/--hw/--hh : hide responses with the given status code / lines / words / chars; --sc/--sl/--sw/--sh show only those; --hs/--ss hide/show by a regex on the response body

Payload types (wfuzz -e payloads prints the full set):

file : one payload per line of a wordlist (-z file,common.txt; -w common.txt is the same)
list : a short inline list of values separated by dashes (-z list,admin-test-dev)
range : an inclusive numeric range (-z range,1-10)
hexrange : an inclusive hexadecimal range (-z hexrange,0-ff)
hexrand : random hexadecimal values from a range
names : username candidates built from first/last names (john.doe, jdoe, ...)
dirwalk : the file paths found under a local directory
burplog / burpstate : requests taken from a Burp Suite log or saved state

There is no num, alpha, alphanum or hex payload; numbers come from range, hex values from hexrange, and letters from a file or list payload. Note also that list does not read a file: -z list,common.txt would send the single literal string "common.txt".

“common.txt” wordlist to fuzz the “FUZZ” keyword

wfuzz -c -z file,common.txt https://example.com/FUZZ
wfuzz -c -w common.txt https://example.com/FUZZ

range of numbers 1–10 to fuzz the “FUZZ” keyword

wfuzz -c -z range,1-10 https://example.com/FUZZ

short inline list of values (dash-separated) to fuzz the “FUZZ” keyword

wfuzz -c -z list,admin-backup-dev https://example.com/FUZZ

hexadecimal values 00–ff to fuzz the “FUZZ” keyword

wfuzz -c -z hexrange,0-ff https://example.com/FUZZ

two payloads at once: “FUZZ” takes the first -z, “FUZ2Z” the second; by default every combination is sent (product), -m zip pairs them line by line

wfuzz -c -z file,dirs.txt -z file,files.txt https://example.com/FUZZ/FUZ2Z

encoder appended to the payload: URL-encode every value before it is sent

wfuzz -c -z file,common.txt,urlencode https://example.com/FUZZ

To specify a different output format, use the “-o” option followed by a printer name. For example:

wfuzz -c -w common.txt -o json https://example.com/FUZZ

This command tells wfuzz to display the results as JSON. The other printers are raw (the default table), csv, html, magictree and field; there is no XML or YAML printer. To keep the screen output and also save the results, use -f file,printer (e.g. -f results.json,json). A run without a payload (no -z or -w) fails with an error that the FUZZ keywords and the number of payloads do not match.

VHOST DISCOVERY

![[Pasted image 20240505140356.png]]

Virtual hosts are found by keeping the URL fixed and fuzzing the Host header. The default vhost answers every unknown name with the same page, so its size is noted in a first unfiltered run and then hidden (57 here standing for whatever word count that default page had):

wfuzz -c -w subdomains.txt -H "Host: FUZZ.example.com" --hw 57 http://example.com/

[Note:] --hc/--hl/--hw/--hh hide responses with the specified status code / lines / words / chars (--sc/--sl/--sw/--sh show only those). Use BBB to take the value from a baseline request: the baseline payload is written in braces after the keyword, is sent first, and its metrics replace BBB, so the two-step run above collapses into one:

wfuzz -c -w subdomains.txt -H "Host: FUZZ{notthere}.example.com" --hw BBB http://example.com/
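The baseline trick in the note above, worked through in Python as an added illustration (this is not wfuzz's code and sends no requests): the response metrics are computed the way wfuzz fills its lines/words/chars columns, BBB is resolved against the baseline request's metrics, and a response is hidden when any of the hide flags matches it. The responses, the host names and the "notthere" baseline payload are constructed for the example.

```python
import re

# Constructed sample responses (payload -> (status, body)) standing in for what
# wfuzz would receive while fuzzing "Host: FUZZ{notthere}.example.com". The
# "notthere" entry plays the role of the FUZZ{notthere} baseline request.
SAMPLE_RESPONSES = {
    "notthere": (200, "<html>\n<body>\nDefault site\n</body>\n</html>\n"),
    "www":      (200, "<html>\n<body>\nDefault site\n</body>\n</html>\n"),
    "dev":      (200, "<html>\n<body>\nDev portal login\n<form>...</form>\n</body>\n</html>\n"),
    "mail":     (301, "Moved Permanently\n"),
    "ftp":      (200, "<html>\n<body>\nDefault site\n</body>\n</html>\n"),
}


def metrics(status, body):
    """Compute the columns wfuzz prints for one response, the way wfuzz does:
    lines = number of newline characters, words = runs of non-whitespace,
    chars = length of the body."""
    return {
        "code": status,
        "lines": body.count("\n"),
        "words": len(re.findall(r"\S+", body)),
        "chars": len(body),
    }


def parse_hide_filters(flags, baseline):
    """Turn {"hw": "BBB", "hc": "301"} into concrete values, resolving BBB
    against the baseline metrics as --hc/--hl/--hw/--hh BBB does."""
    column = {"hc": "code", "hl": "lines", "hw": "words", "hh": "chars"}
    resolved = {}
    for flag, value in flags.items():
        col = column[flag]
        resolved[col] = baseline[col] if value == "BBB" else int(value)
    return resolved


def run_vhost_fuzz(responses, hide, baseline_payload="notthere"):
    """Return the payloads that survive the hide filters, with their metrics,
    in the order wfuzz would list them. The baseline request itself is not listed."""
    baseline = metrics(*responses[baseline_payload])
    hide_values = parse_hide_filters(hide, baseline)
    survivors = []
    for payload, (status, body) in responses.items():
        if payload == baseline_payload:
            continue
        m = metrics(status, body)
        # A response is hidden as soon as one hide filter matches it.
        if any(m[col] == val for col, val in hide_values.items()):
            continue
        survivors.append((payload, m))
    return survivors


if __name__ == "__main__":
    # Equivalent of --hw BBB: only names whose page differs from the default vhost survive.
    for payload, m in run_vhost_fuzz(SAMPLE_RESPONSES, {"hw": "BBB"}):
        print(f"{m['code']:>4} {m['lines']:>4} L {m['words']:>4} W {m['chars']:>5} Ch  {payload}")
```

With --hw BBB only dev and mail survive; adding --hc 301 also drops the redirect, which is the usual second pass once the first run shows which noise is left.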

Advanced wfuzz Usage

In addition to setting the target URL and payload, you can also specify headers and cookies in wfuzz requests. This can be useful for testing web applications that require authentication or have specific header requirements.

To specify headers, use the “-H” option followed by the full header. For example:

wfuzz -c -w common.txt -H "Authorization: Bearer token" https://example.com/FUZZ

This command tells wfuzz to include the “Authorization” header with the value “Bearer token” in each request.

To specify cookies, use the “-b” option followed by the cookie. For example:

wfuzz -c -w common.txt -b "name=value" https://example.com/FUZZ

This command tells wfuzz to include the “name” cookie with the value “value” in each request (there is no “--cookie” long option).

Multiple headers are given by repeating -H, and multiple cookies by repeating -b. Do not join two headers in one -H string: everything after the first colon would be sent as the value of the first header. For example:

wfuzz -c -w common.txt -H "Authorization: Bearer token" -H "Content-Type: application/json" -b "name=value" -b "session=1234" https://example.com/FUZZ

This command tells wfuzz to include the “Authorization” and “Content-Type” headers, as well as the “name” and “session” cookies, in each request. A header or cookie value may itself contain FUZZ, which is how Host, User-Agent or session tokens are fuzzed.

Fuzzing authentication systems

Fuzzing login forms is an important aspect of web application testing, as weak or default credentials lead directly to unauthorized access to sensitive data or functionality.

To fuzz a login form with wfuzz, use the “-d” option for the POST body (wfuzz switches to POST when -d is given) and the “-b” option for any cookie the form requires. For example:

wfuzz -c -w passwords.txt -d "username=admin&password=FUZZ" -b "session=12345" https://example.com/login.php

This command POSTs the body to login.php once per line of passwords.txt, replacing “FUZZ” with each payload in turn and sending the session cookie on every request.

Every attempt is displayed unless the failures are filtered out, so hide the failure response: by status code (--hc 200 when a failed login re-renders the form with 200 and a success redirects with 302) or by content (--hs "Invalid credentials" hides every body matching that regex). To fuzz username and password together, give two payloads; the second replaces “FUZ2Z”, and by default every combination is tried (-m zip pairs the nth entries of both lists instead):

wfuzz -c -z file,users.txt -z file,passwords.txt -d "username=FUZZ&password=FUZ2Z" --hs "Invalid credentials" https://example.com/login.php

There is no “brute-force” payload type: a brute-force run is simply a wordlist or range payload against the form. Use -s to throttle and -t to lower concurrency so that account lockout thresholds and rate limits are respected, and remember that every attempt is logged by the target. HTTP authentication is handled separately with --basic user:FUZZ, --digest and --ntlm.

By fuzzing login forms this way you find weak credentials and missing lockout or rate limiting before an attacker does, and can get them fixed.
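The two-payload run above, worked through in Python as an added illustration (this is not wfuzz's code and does not send requests): the wordlists are combined the way wfuzz's -m product/zip/chain iterators combine payloads, FUZZ and FUZ2Z are substituted into the -d body with the urlencode encoder applied, and only attempts whose response does not match a --hs regex are kept. The wordlists, the fake login endpoint and its responses are constructed for the example.

```python
import itertools
import re
from urllib.parse import quote

# Constructed wordlists standing in for users.txt and passwords.txt.
USERS = ["admin", "alice"]
PASSWORDS = ["admin", "P@ss w0rd", "Winter2024!"]

# Same order as wfuzz: FUZZ takes the first payload, FUZ2Z the second, and so on.
KEYWORDS = ["FUZZ", "FUZ2Z", "FUZ3Z"]


def combine(payload_lists, iterator="product"):
    """Combine payload lists as wfuzz's -m iterators do: product (the default)
    tries every combination, zip pairs the nth entries of each list, chain feeds
    the values of every list one after another into a single FUZZ keyword."""
    if iterator == "product":
        return list(itertools.product(*payload_lists))
    if iterator == "zip":
        return list(zip(*payload_lists))
    if iterator == "chain":
        return [(value,) for value in itertools.chain(*payload_lists)]
    raise ValueError(f"unknown iterator {iterator!r}")


def render(template, values, encode=True):
    """Substitute FUZZ/FUZ2Z/... in a -d template with one payload tuple.
    With encode=True every value is percent-encoded, space included, which is
    what appending the urlencode encoder (-z file,pw.txt,urlencode) does."""
    body = template
    for keyword, value in zip(KEYWORDS, values):
        body = body.replace(keyword, quote(value, safe="") if encode else value)
    return body


def build_attempts(template, payload_lists, iterator="product"):
    """The POST bodies wfuzz would send, one per payload combination."""
    return [render(template, values) for values in combine(payload_lists, iterator)]


# Constructed login endpoint: one body succeeds with a redirect, every other
# body gets the generic failure page. In a real run wfuzz POSTs each body to
# login.php and shows the response metrics instead.
_FAKE_RESPONSES = {
    "username=admin&password=Winter2024%21": (302, "Redirecting to /dashboard"),
}
_FAILURE = (200, "<p>Invalid credentials</p>")


def fake_login(body):
    return _FAKE_RESPONSES.get(body, _FAILURE)


def successful_logins(template, payload_lists, hide_regex=r"Invalid credentials", iterator="product"):
    """Replay every attempt and keep those whose response body does not match
    the --hs regex (wfuzz applies --hs as a regex search on the body)."""
    hits = []
    for values in combine(payload_lists, iterator):
        status, content = fake_login(render(template, values))
        if re.search(hide_regex, content):
            continue
        hits.append((values, status))
    return hits


if __name__ == "__main__":
    template = "username=FUZZ&password=FUZ2Z"
    for body in build_attempts(template, [USERS, PASSWORDS]):
        print(body)
    print(successful_logins(template, [USERS, PASSWORDS]))
```

Switching the iterator to zip cuts the six product combinations down to two paired attempts, which is the shape of a credential-stuffing list (one known user:password pair per line) rather than a password spray.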

wfuzz with Burp Suite

wfuzz has no Burp Suite extension and Burp has no “Send to wfuzz” action; the two tools are combined through Burp's proxy and through Burp's saved requests. Routing wfuzz through Burp gives every fuzzed request and response a full record in Burp's Proxy history, where it can be inspected and sent to Repeater.

To run wfuzz through Burp Suite, follow these steps:

  1. Launch Burp Suite and confirm the proxy listener is running (by default on 127.0.0.1:8080).

  2. Run wfuzz with the “-p” option pointing at that listener, so every request passes through Burp:

     wfuzz -c -w common.txt -p 127.0.0.1:8080:HTTP https://example.com/FUZZ

  3. Read wfuzz's own table first (status code, lines, words and chars per payload) and filter it with --hc/--hw/--hh as usual.

  4. In Burp, filter the “Proxy” history by host, status code or response length to open the full request and response of any hit worth a closer look, and send it to Repeater.

The reverse direction also works: requests captured while browsing the application can be used as the payload source with -z burplog,proxy.log or -z burpstate,session.state, so that wfuzz replays and fuzzes what Burp recorded.

Proxying every request through Burp adds latency and memory use on the Burp side; keep -t modest for long wordlists, or proxy only the narrowed-down run once the first pass has identified interesting payloads.

Some of the benefits of using wfuzz include:

  • Automating the fuzzing process and saving time and effort

  • Customizing payloads to identify specific vulnerabilities

  • Identifying potential security issues before they can be exploited

  • Integrating with other tools like Burp Suite to streamline the testing process
