How to use the command 'wfuzz' (with examples)

The ‘wfuzz’ command is a web application bruteforcer that can be used to discover hidden files and directories, fuzz URLs, and identify potential vulnerabilities in web applications. It allows you to automate the process of systematically testing URLs by substituting a specific pattern or word with the ‘FUZZ’ keyword.

Use case 1: Directory and file bruteforce with proxying

Code:

wfuzz -w path/to/file -p 127.0.0.1:8080 http://example.com/FUZZ

Motivation:

By using the ‘-w’ option followed by the path to a wordlist, you can specify a list of directories or file names to fuzz. Proxying the traffic through a specific IP and port is useful when you want to intercept and analyze the requests and responses using a web proxy tool like Burp Suite.

Explanation:

  • ‘-w path/to/file’: Specifies the path to the file containing the wordlist to be used for fuzzing.
  • ‘-p 127.0.0.1:8080’: Proxies the HTTP request through the specified IP (127.0.0.1) and port (8080).
  • ‘http://example.com/FUZZ’: Specifies the target URL with the ‘FUZZ’ placeholder, which will be replaced with each word from the wordlist.

Example output:

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://example.com/FUZZ
Total requests: 10

==================================================================

ID           URL                                              Response
==================================================================

000000001:   http://example.com/about                          301 Moved Permanently     
000000002:   http://example.com/blog                           200 OK                    
...
==================================================================

Use case 2: Saving the results to a file

Code:

wfuzz -w path/to/file -f filename http://example.com/FUZZ

Motivation:

Saving the results to a file allows you to review and analyze them later or share them with others for further analysis or collaboration.

Explanation:

  • ‘-f filename’: Specifies the file path and name to which the results will be saved.
  • Other options and arguments remain the same as in the previous use case.

Example output:

The output will be displayed in the console as well as saved to the specified file (e.g., ‘filename’).

Use case 3: Colorized output with specific response codes

Code:

wfuzz -c -w path/to/file --sc 200,301,302 http://example.com/FUZZ

Motivation:

The colorized output makes it easier to identify different responses, while filtering only the declared response codes helps to focus on specific findings.

Explanation:

  • ‘-c’: Displays the output with colorization for improved readability.
  • ‘--sc 200,301,302’: Specifies the response codes to include in the output. In this example, only ‘200’, ‘301’, and ‘302’ response codes will be displayed in the output.
  • Other options and arguments remain the same as in the previous use case.

Example output:

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://example.com/FUZZ
Total requests: 10

==================================================================

ID           URL                                              Response
==================================================================

000000001:   http://example.com/help                           200 OK
000000003:   http://example.com/contact                        301 Moved Permanently
...
==================================================================

Use case 4: Using custom headers and hiding specific response codes

Code:

wfuzz -w path/to/file -H "Host: FUZZ.example.com" --hc 301 --hw 222 -t 100 example.com

Motivation:

By using a custom header in the request, you can fuzz subdomains to identify any potential vulnerabilities specific to a particular hostname. Hiding specific response codes and word counts allows you to filter out noise and focus on relevant findings. Increasing the number of threads to 100 can speed up the fuzzing process.

Explanation:

  • ‘-H "Host: FUZZ.example.com"’: Sets the ‘Host’ header in the request to ‘FUZZ.example.com’. The ‘FUZZ’ keyword will be replaced with each word from the wordlist.
  • ‘--hc 301’: Hides responses with the ‘301’ status code from the output.
  • ‘--hw 222’: Hides responses whose body contains exactly 222 words from the output. The value is a word count, not a search term.
  • ‘-t 100’: Specifies the number of threads to be used for the fuzzing process.
  • ‘example.com’: Specifies the target IP or domain.

Example output:

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://example.com/FUZZ
Total requests: 10

==================================================================

ID           URL                                              Response
==================================================================

000000001:   http://word1.example.com                           200 OK
000000005:   http://word5.example.com                           200 OK
...
==================================================================
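
From the defender's side, the directory brute force in use case 1 and the Host-header fuzzing in use case 4 both show up in web server logs as one client requesting many distinct missing paths, or sending many distinct Host values, within a few seconds. The following Python example is added here and is not part of wfuzz or the original page; the log layout (Host header logged first), the thresholds, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Assumed log layout (not from the page): Host header, client IP, timestamp, request,
# status, e.g. an Apache LogFormat that starts with "%{Host}i %h %l %u %t".
LINE = re.compile(r'(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse(line):
    """Return (ip, time, host, path, status), or None for lines that do not match."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["host"].lower(), m["path"], int(m["status"])

def find_enumeration(lines, window=timedelta(seconds=10), max_404_paths=5, max_hosts=5):
    """Map client IP -> reasons for too many distinct 404 paths or Host values per window."""
    events = defaultdict(list)
    for ip, *rest in filter(None, map(parse, lines)):
        events[ip].append(tuple(rest))
    alerts = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        reasons, start = set(), 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events older than the window
            win = evs[start:end + 1]
            if len({path for _, _, path, status in win if status == 404}) > max_404_paths:
                reasons.add("path-bruteforce")
            if len({host for _, host, _, _ in win}) > max_hosts:
                reasons.add("host-header-fuzzing")
        if reasons:
            alerts[ip] = sorted(reasons)
    return alerts

def make_line(host, ip, sec, path, status):
    return f'{host} {ip} - - [10/Oct/2024:13:55:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 153'

# Constructed sample traffic: documentation IP ranges and invented paths.
SAMPLE = (
    [make_line("example.com", "203.0.113.7", i, f"/word{i}", 404) for i in range(8)]
    + [make_line(f"word{i}.example.com", "198.51.100.9", i, "/", 200) for i in range(8)]
    + [make_line("example.com", "192.0.2.10", 5 * i, "/blog", 200) for i in range(3)]
)

if __name__ == "__main__":
    print(find_enumeration(SAMPLE))
```

The thresholds are deliberately low for the small sample; on real traffic they need tuning against normal crawler and monitoring behaviour.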

Conclusion:

The ‘wfuzz’ command provides a powerful way to automate the process of discovering hidden files and directories, fuzzing URLs, and identifying potential vulnerabilities in web applications. By using different options and arguments, you can customize the fuzzing process to suit your specific needs, such as proxying traffic, saving results to a file, filtering responses, using custom headers, and controlling the number of threads.
