Friday, October 24, 2014

Wfuzz 2.1 released !

I'm pleased to announce  a new version of WFuzz!

Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc.), bruteforce GET and POST parameters for checking different kind of injections, bruteforce forms parameters (User/Password), Fuzzing,etc.

I have been working intermittently on this release since October 2011, being almost finished several times but always leaving it aside at the last moment due to work. A few weeks ago I decided to finish it whatever it took.

This version is a major change from the previous releases as it is almost totally rewritten, leaving not much of the old wfuzz 1.4, hoping for the best.

The biggest change is that wfuzz now supports plugins, so you can code your scripts and improve or modify the application's functionality. For example, there is a plugin that parses links within the HTTP response and these will be added to the fuzzing queue. Check below how a single word "a" generates 8 different requests:


 $ python wfuzz.py --script=links -z list,a --follow  http://localhost:8000/FUZZ
********************************************************
* Wfuzz 2.1 - The Web Bruteforcer                      *
********************************************************

Target: http://localhost:8000/FUZZ
Total requests: 1

===========================================
ID      Response   Lines      Word         Chars          Request  
===========================================
00000:  C=200     17 L        89 W         1481 Ch        "a"
  |_ Plugin links enqueued 5 more requests (rlevel=1)
00001:  C=200     14 L        57 W          889 Ch        "/a/b/"
  |_ Plugin links enqueued 2 more requests (rlevel=2)
00002:  C=200      4 L        25 W          177 Ch        "/"
00003:  C=200      9 L         7 W           61 Ch        "/a/test.html"
00004:  C=200      4 L         6 W           47 Ch        "/a/test.js"
00005:  C=403     10 L        30 W          285 Ch        "/icons/"
00006:  C=200     17 L        89 W         1481 Ch        "/a/"
00007:  C=200     14 L        57 W          895 Ch        "/a/b/c/"
  |_ Plugin links enqueued 1 more requests (rlevel=3)
00008:  C=200     13 L        46 W          716 Ch        "/a/b/c/d/"

The project has been moved from Google code to Github. For a full list of the new features, check the Wfuzz v2.1 changelog.

Download the latest version at:

2 comments:

Unknown said...

Xavi,

Just downloaded wfuzz to test on a windows system. Readme says to use the exe. There is no exe in the download. Is Python needed to run wfuzz as I only see .py and txt files in the downloaded folders.

joe.greene@bentley.com

BLOG said...

File "C:\Users\Angelz\Desktop\wfuzz\wfuzz.py", line 6, in
from framework.fuzzer.Fuzzer import Fuzzer
File "C:\Users\Angelz\Desktop\wfuzz\framework\fuzzer\Fuzzer.py", line 5, in
from framework.fuzzer.fuzzobjects import FuzzResult
File "C:\Users\Angelz\Desktop\wfuzz\framework\fuzzer\fuzzobjects.py", line 8, in
from externals.reqresp import Request
File "C:\Users\Angelz\Desktop\wfuzz\externals\reqresp\__init__.py", line 1, in
from Request import Request
File "C:\Users\Angelz\Desktop\wfuzz\externals\reqresp\Request.py", line 8, in
import pycurl
ImportError: No module named pycurl


whats wrong here it dont work

Wfuzz 2.2.0 released

I'm pleased to announce a new version of WFuzz! Wfuzz has been created to facilitate the task in web applications assessments and it...