wfuzz–web application Web application bruteforcer

Wfuzz is a tool designed for brute forcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc), bruteforce GET and POST parameters for checking different kind of injections (SQL, XSS, LDAP,etc), bruteforce Forms parameters (User/Password), Fuzzing,etc.

It’s very flexible, here are some functionalities:

  • Multiple Injection points capability with multiple dictionaries
  • Recursion (When doing directory bruteforce)
  • Post, headers and authentication data brute forcing
  • Output to HTML
  • Colored output
  • Hide results by return code, word numbers, line numbers, regex.
  • Cookies fuzzing
  • Multi threading
  • Proxy support
  • SOCK support
  • Time delays between requests
  • Authentication support (NTLM, Basic)
  • All parameters bruteforcing (POST and GET)
  • Dictionaries tailored for known applications (Weblogic, Iplanet, Tomcat, Domino, Oracle 9i, Vignette, Coldfusion and many more. (Many dictionaries are from Darkraver’s Dirb, www.open-labs.org)
  • Payloads:
    • File
    • List
    • hexrand
    • range
    • names
    • hexrange
  • Encodings:
    • random_uppercase
    • urlencode
    • binary_ascii
    • base64
    • double_nibble_hex
    • uri_hex
    • sha1
    • md5
    • double_urlencode
    • utf8
    • utf8_binary
    • html
    • html decimal
    • custom
    • many more…
  • Iterators:
    • Product
    • Zip
    • Chain

Click here to download Project site! or http://code.google.com/p/wfuzz/downloads/list

Leave a Reply

Your email address will not be published. Required fields are marked *