‘Wfuzz – The Web Bruteforcer’

Summary

Credit:

The information has been provided by Christian Martorella.
To keep updated with the tool visit the project’s homepage at: http://www.edge-security.com/wfuzz.php


Details

‘Wfuzz is a tool designed for bruteforcing web applications. It can be used for finding resources that are not linked (directories, servlets, scripts, etc.), bruteforcing GET and POST parameters to check for different kinds of injection (SQL, XSS, LDAP, etc.), bruteforcing form parameters (user/password), fuzzing, etc.

It’s very flexible; here are some of its functionalities:
 * Recursion (When doing directory bruteforce)
 * Post data bruteforcing
 * Output to HTML (easy for just clicking the links and checking the page, even with postdata)
 * Colored output on all systems 😉
 * Hide results by return code, word numbers, line numbers, etc.
 * URL encoding
 * Cookies
 * Multithreading
 * Proxy support
 * All parameters bruteforcing (POST and GET)
 * Dictionaries tailored for known applications (Weblogic, Iplanet, Tomcat, Domino, Oracle 9i, Vignette, Coldfusion and many more). (All dictionaries are from Darkraver’s Dirb, www.open-labs.org)

It was created to facilitate the work of web application assessments; it’s a tool by pentesters for pentesters 😉
One of the strengths of wfuzz is its speed; just try it…

How does it work?
The tool is based on dictionaries and ranges; you choose where you want to bruteforce simply by replacing the part of the URL or the POST data with the keyword FUZZ.’
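A dictionary-driven run against a web server leaves a characteristic footprint: one client requesting many distinct paths in a short time, most of them answered with 404. The following detector is an added example (not part of wfuzz or the original announcement) that flags that footprint in combined-format access logs; the window and thresholds are assumptions to tune per site, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format (Apache/nginx). Sample lines below are constructed, not real traffic.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # unparsable line: skip rather than crash on odd entries
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_wordlist_scanners(lines, window_s=60, min_requests=20, min_paths=15, min_404_ratio=0.8):
    """Flag IPs that, within any window_s-second span, send many requests to many distinct
    paths with mostly 404 answers: the footprint of dictionary-driven resource discovery."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until it spans at most window_s seconds
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            win = recs[start:end + 1]
            if len(win) < min_requests:
                continue
            paths = {r["path"] for r in win}
            ratio = sum(r["status"] == 404 for r in win) / len(win)
            if len(paths) >= min_paths and ratio >= min_404_ratio:
                flagged[ip] = {"requests": len(win), "paths": len(paths), "ratio_404": round(ratio, 2)}
                break  # one hit per IP is enough for an alert
    return flagged

def _line(ip, t, path, status):
    return f'{ip} - - [{t:%d/%b/%Y:%H:%M:%S %z}] "GET {path} HTTP/1.1" {status} 512'

T0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed sample below
# 25 wordlist paths from one client in 25 s (all 404), plus a normal visitor (all 200).
SAMPLE = [_line("203.0.113.5", T0 + timedelta(seconds=i), f"/word{i}/", 404) for i in range(25)]
SAMPLE += [_line("198.51.100.7", T0 + timedelta(seconds=i * 10), p, 200) for i, p in enumerate(["/", "/about", "/contact"])]
```

Running `find_wordlist_scanners(SAMPLE)` reports only the scanning client; a real deployment would also whitelist known crawlers and tune `min_404_ratio` for sites that legitimately serve many 404s.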

Categories: Tools