hacktricks/pentesting-web/web-tool-wfuzz.md



<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>


A tool to FUZZ web applications anywhere.

> Wfuzz has been created to facilitate the task in web applications assessments and it is based on a simple concept: it replaces any reference to the FUZZ keyword by the value of a given payload.

# Installation

Installed in Kali

Github: [https://github.com/xmendez/wfuzz](https://github.com/xmendez/wfuzz)

```text
pip install wfuzz
```

# Filtering options

```bash
--hs/ss "regex" #Hide/Show
#Simple example, match a string: "Invalid username"
#Regex example: "Invalid *"

--hc/sc CODE #Hide/Show by code in response
--hl/sl NUM #ide/Show by number of lines in response
--hw/sw NUM #ide/Show by number of words in response
--hc/sc NUM #ide/Show by number of chars in response
```

# Output options

```bash
wfuzz -e printers #Prints the available output formats
-f /tmp/output,csv #Saves the output in that location in csv format
```

## Encoders options

```bash
wfuzz -e encoders #Prints the available encoders
#Examples: urlencode, md5, base64, hexlify, uri_hex, doble urlencode
```

In order to use a encoder, you have to indicate it in the **"-w"** or **"-z"** option.

Examples:

```bash
-z file,/path/to/file,md5 #Will use a list inside the file, and will trnasform each value into its md5 hash before sending it
-w /path/to/file,base64 #Will use a list, and transforms to base64
-z list,each-element-here,hexlify #Inline list and to hex before sending values
```

# CheetSheet

## Login Form bruteforce

### **POST, Single list, filter string \(hide\)**

```bash
wfuzz -c -w users.txt --hs "Login name" -d "name=FUZZ&password=FUZZ&autologin=1&enter=Sign+in" http://zipper.htb/zabbix/index.php
#Here we have filtered by line
```

### **POST, 2 lists, filder code \(show\)**

```bash
wfuzz.py -c -z file,users.txt -z file,pass.txt --sc 200 -d "name=FUZZ&password=FUZ2Z&autologin=1&enter=Sign+in" http://zipper.htb/zabbix/index.php
#Here we have filtered by code
```

### **GET, 2 lists, filter string \(show\), proxy, cookies**

```bash
wfuzz -c -w users.txt -w pass.txt --ss "Welcome " -p 127.0.0.1:8080:HTTP -b "PHPSESSIONID=1234567890abcdef;customcookie=hey" "http://example.com/index.php?username=FUZZ&password=FUZ2Z&action=sign+in"
```

## Bruteforce Dicrectory/RESTful bruteforce

[Arjun parameters wordlist](https://raw.githubusercontent.com/s0md3v/Arjun/master/arjun/db/params.txt)

```text
wfuzz -c -w /tmp/tmp/params.txt --hc 404 https://domain.com/api/FUZZ
```

## Path Parameters BF

```bash
wfuzz -c -w ~/git/Arjun/db/params.txt --hw 11 'http://example.com/path%3BFUZZ=FUZZ'
```

## Header Authentication

### **Basic, 2 lists, filter string \(show\), proxy**

```bash
wfuzz -c -w users.txt -w pass.txt -p 127.0.0.1:8080:HTTP --ss "Welcome" --basic FUZZ:FUZ2Z "http://example.com/index.php"
```

### **NTLM, 2 lists, filter string \(show\), proxy**

```bash
wfuzz -c -w users.txt -w pass.txt -p 127.0.0.1:8080:HTTP --ss "Welcome" --ntlm 'domain\FUZZ:FUZ2Z' "http://example.com/index.php"
```

## Cookie/Header bruteforce \(vhost brute\)

### **Cookie, filter code \(show\), proxy**

```bash
wfuzz -c -w users.txt -p 127.0.0.1:8080:HTTP --ss "Welcome " -H "Cookie:id=1312321&user=FUZZ"  "http://example.com/index.php"
```

### **User-Agent, filter code \(hide\), proxy**

```bash
wfuzz -c -w user-agents.txt -p 127.0.0.1:8080:HTTP --ss "Welcome " -H "User-Agent: FUZZ"  "http://example.com/index.php"
```

### **Host**

```bash
wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-
top1million-20000.txt --hc 400,404,403 -H "Host: FUZZ.example.com" -u 
http://example.com -t 100
```

## HTTP Verbs \(methods\) bruteforce

### **Using file**

```bash
wfuzz -c -w methods.txt -p 127.0.0.1:8080:HTTP --sc 200 -X FUZZ "http://example.com/index.php"
```

### **Using inline list**

```bash
$ wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS -X FUZZ http://testphp.vulnweb.com/
```

## Directory & Files Bruteforce

```bash
#Filter by whitelisting codes
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --sc 200,202,204,301,302,307,403 http://example.com/uploads/FUZZ
```

# Tool to bypass Webs

[https://github.com/carlospolop/fuzzhttpbypass](https://github.com/carlospolop/fuzzhttpbypass)


<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`

			`Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`

			`Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`

			`Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`

			`Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`

			`Share your hacking tricks submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`

			`</details>`


GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`A tool to FUZZ web applications anywhere.`

			`> Wfuzz has been created to facilitate the task in web applications assessments and it is based on a simple concept: it replaces any reference to the FUZZ keyword by the value of a given payload.`

fix mess 2022-05-01 12:41:36 +00:00			`# Installation`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`Installed in Kali`

			`Github: [https://github.com/xmendez/wfuzz](https://github.com/xmendez/wfuzz)`

			```text
			`pip install wfuzz`
			```

fix mess 2022-05-01 12:41:36 +00:00			`# Filtering options`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			```bash
			`--hs/ss "regex" #Hide/Show`
			`#Simple example, match a string: "Invalid username"`
			`#Regex example: "Invalid *"`

			`--hc/sc CODE #Hide/Show by code in response`
			`--hl/sl NUM #ide/Show by number of lines in response`
			`--hw/sw NUM #ide/Show by number of words in response`
			`--hc/sc NUM #ide/Show by number of chars in response`
			```

fix mess 2022-05-01 12:41:36 +00:00			`# Output options`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			```bash
			`wfuzz -e printers #Prints the available output formats`
			`-f /tmp/output,csv #Saves the output in that location in csv format`
			```

fix mess 2022-05-01 12:41:36 +00:00			`## Encoders options`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			```bash
			`wfuzz -e encoders #Prints the available encoders`
			`#Examples: urlencode, md5, base64, hexlify, uri_hex, doble urlencode`
			```

			`In order to use a encoder, you have to indicate it in the "-w" or "-z" option.`

			`Examples:`

GitBook: [master] one page modified 2020-12-01 15:32:24 +00:00			```bash
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`-z file,/path/to/file,md5 #Will use a list inside the file, and will trnasform each value into its md5 hash before sending it`
			`-w /path/to/file,base64 #Will use a list, and transforms to base64`
			`-z list,each-element-here,hexlify #Inline list and to hex before sending values`
			```

fix mess 2022-05-01 12:41:36 +00:00			`# CheetSheet`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
fix mess 2022-05-01 12:41:36 +00:00			`## Login Form bruteforce`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
fix mess 2022-05-01 12:41:36 +00:00			`### POST, Single list, filter string \(hide\)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			```bash
			`wfuzz -c -w users.txt --hs "Login name" -d "name=FUZZ&password=FUZZ&autologin=1&enter=Sign+in" http://zipper.htb/zabbix/index.php`
			`#Here we have filtered by line`
			```

fix mess 2022-05-01 12:41:36 +00:00			`### POST, 2 lists, filder code \(show\)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			```bash
GitBook: [master] one page modified 2020-12-01 15:37:13 +00:00			`wfuzz.py -c -z file,users.txt -z file,pass.txt --sc 200 -d "name=FUZZ&password=FUZ2Z&autologin=1&enter=Sign+in" http://zipper.htb/zabbix/index.php`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`#Here we have filtered by code`
			```

fix mess 2022-05-01 12:41:36 +00:00			`### GET, 2 lists, filter string \(show\), proxy, cookies`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [master] one page modified 2020-12-01 15:55:38 +00:00			```bash
Fixes typo in the wfuzz proxy command HTML -> HTTP 2020-11-28 22:48:39 +00:00			`wfuzz -c -w users.txt -w pass.txt --ss "Welcome " -p 127.0.0.1:8080:HTTP -b "PHPSESSIONID=1234567890abcdef;customcookie=hey" "http://example.com/index.php?username=FUZZ&password=FUZ2Z&action=sign+in"`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```

fix mess 2022-05-01 12:41:36 +00:00			`## Bruteforce Dicrectory/RESTful bruteforce`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
fixed broken link link was broken. 2021-06-16 15:34:44 +00:00			`[Arjun parameters wordlist](https://raw.githubusercontent.com/s0md3v/Arjun/master/arjun/db/params.txt)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			```text
			`wfuzz -c -w /tmp/tmp/params.txt --hc 404 https://domain.com/api/FUZZ`
			```

fix mess 2022-05-01 12:41:36 +00:00			`## Path Parameters BF`
GitBook: [master] one page modified 2020-12-01 15:55:38 +00:00
			```bash
			`wfuzz -c -w ~/git/Arjun/db/params.txt --hw 11 'http://example.com/path%3BFUZZ=FUZZ'`
			```

fix mess 2022-05-01 12:41:36 +00:00			`## Header Authentication`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
fix mess 2022-05-01 12:41:36 +00:00			`### Basic, 2 lists, filter string \(show\), proxy`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [master] one page modified 2020-12-11 18:40:49 +00:00			```bash
Fixes typo in the wfuzz proxy command HTML -> HTTP 2020-11-28 22:48:39 +00:00			`wfuzz -c -w users.txt -w pass.txt -p 127.0.0.1:8080:HTTP --ss "Welcome" --basic FUZZ:FUZ2Z "http://example.com/index.php"`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```

fix mess 2022-05-01 12:41:36 +00:00			`### NTLM, 2 lists, filter string \(show\), proxy`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [master] one page modified 2020-12-11 18:40:49 +00:00			```bash
Fixes typo in the wfuzz proxy command HTML -> HTTP 2020-11-28 22:48:39 +00:00			`wfuzz -c -w users.txt -w pass.txt -p 127.0.0.1:8080:HTTP --ss "Welcome" --ntlm 'domain\FUZZ:FUZ2Z' "http://example.com/index.php"`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```

fix mess 2022-05-01 12:41:36 +00:00			`## Cookie/Header bruteforce \(vhost brute\)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
fix mess 2022-05-01 12:41:36 +00:00			`### Cookie, filter code \(show\), proxy`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [master] one page modified 2020-12-11 18:40:49 +00:00			```bash
Fixes typo in the wfuzz proxy command HTML -> HTTP 2020-11-28 22:48:39 +00:00			`wfuzz -c -w users.txt -p 127.0.0.1:8080:HTTP --ss "Welcome " -H "Cookie:id=1312321&user=FUZZ" "http://example.com/index.php"`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```

fix mess 2022-05-01 12:41:36 +00:00			`### User-Agent, filter code \(hide\), proxy`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [master] one page modified 2020-12-11 18:40:49 +00:00			```bash
Fixes typo in the wfuzz proxy command HTML -> HTTP 2020-11-28 22:48:39 +00:00			`wfuzz -c -w user-agents.txt -p 127.0.0.1:8080:HTTP --ss "Welcome " -H "User-Agent: FUZZ" "http://example.com/index.php"`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```

fix mess 2022-05-01 12:41:36 +00:00			`### Host`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [master] one page modified 2020-12-11 18:40:49 +00:00			```bash
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-`
			`top1million-20000.txt --hc 400,404,403 -H "Host: FUZZ.example.com" -u`
			`http://example.com -t 100`
			```

fix mess 2022-05-01 12:41:36 +00:00			`## HTTP Verbs \(methods\) bruteforce`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
fix mess 2022-05-01 12:41:36 +00:00			`### Using file`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [master] one page modified 2020-12-11 18:40:49 +00:00			```bash
Fixes typo in the wfuzz proxy command HTML -> HTTP 2020-11-28 22:48:39 +00:00			`wfuzz -c -w methods.txt -p 127.0.0.1:8080:HTTP --sc 200 -X FUZZ "http://example.com/index.php"`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```

fix mess 2022-05-01 12:41:36 +00:00			`### Using inline list`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [master] one page modified 2020-12-11 18:40:49 +00:00			```bash
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`$ wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS -X FUZZ http://testphp.vulnweb.com/`
			```

fix mess 2022-05-01 12:41:36 +00:00			`## Directory & Files Bruteforce`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [master] one page modified 2020-12-01 15:55:38 +00:00			```bash
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`#Filter by whitelisting codes`
			`wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --sc 200,202,204,301,302,307,403 http://example.com/uploads/FUZZ`
			```

fix mess 2022-05-01 12:41:36 +00:00			`# Tool to bypass Webs`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`[https://github.com/carlospolop/fuzzhttpbypass](https://github.com/carlospolop/fuzzhttpbypass)`

Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`

			`Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`

			`Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`

			`Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`

			`Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`

			`Share your hacking tricks submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`

			`</details>`