Wfuzz 2.1 released !
I’m pleased to announce a new version of WFuzz!
Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc.), bruteforce GET and POST parameters for checking different kind of injections, bruteforce forms parameters (User/Password), Fuzzing,etc.
I have been working intermittently on this release since October 2011, being almost finished several times but always leaving it aside at the last moment due to work. A few weeks ago I decided to finish it whatever it took.
This version is a major change from the previous releases as it is almost totally rewritten, leaving not much of the old wfuzz 1.4, hoping for the best.
The biggest change is that wfuzz now supports plugins, so you can code your scripts and improve or modify the application’s functionality. For example, there is a plugin that parses links within the HTTP response and these will be added to the fuzzing queue. Check below how a single word “a” generates 8 different requests:
$ python wfuzz.py — script=links -z list,a — follow http://localhost:8000/FUZZ
********************************************************
* Wfuzz 2.1 — The Web Bruteforcer *
********************************************************
Target: http://localhost:8000/FUZZ
Total requests: 1
===========================================
ID Response Lines Word Chars Request
===========================================
00000: C=200 17 L 89 W 1481 Ch “a”
|_ Plugin links enqueued 5 more requests (rlevel=1)
00001: C=200 14 L 57 W 889 Ch “/a/b/”
|_ Plugin links enqueued 2 more requests (rlevel=2)
00002: C=200 4 L 25 W 177 Ch “/”
00003: C=200 9 L 7 W 61 Ch “/a/test.html”
00004: C=200 4 L 6 W 47 Ch “/a/test.js”
00005: C=403 10 L 30 W 285 Ch “/icons/”
00006: C=200 17 L 89 W 1481 Ch “/a/”
00007: C=200 14 L 57 W 895 Ch “/a/b/c/”
|_ Plugin links enqueued 1 more requests (rlevel=3)
00008: C=200 13 L 46 W 716 Ch “/a/b/c/d/”
The project has been moved from Google code to Github. For a full list of the new features, check the Wfuzz v2.1 changelog.
Download the latest version at:
