# Wfuzz Cheat Sheet

## Overview

Wfuzz is a web application fuzzer designed to make web application assessments easier. It can be used to find unlinked resources (directories, servlets, scripts, etc.), brute-force GET and POST parameters, brute-force form parameters (user/password), perform fuzzing, and more. Wfuzz is a powerful tool for discovering hidden content, testing for vulnerabilities, and carrying out comprehensive web application security assessments.

⚠️ Warning: Use Wfuzz only against applications you own or have explicit permission to test. Unauthorized testing may violate terms of service or local law.
## Installation

### Python package installation

```bash
# Install via pip
pip install wfuzz
# Install with all optional dependencies
pip install wfuzz[complete]
# Install development version
pip install git+https://github.com/xmendez/wfuzz.git
# Verify installation
wfuzz --version
```

### System package installation

```bash
# Ubuntu/Debian
sudo apt update
sudo apt install wfuzz
# CentOS/RHEL/Fedora
sudo yum install wfuzz
# or
sudo dnf install wfuzz
# Arch Linux
sudo pacman -S wfuzz
# macOS with Homebrew
brew install wfuzz
```

### Docker installation

```bash
# Pull Docker image
docker pull ghcr.io/xmendez/wfuzz:latest
# Run with Docker
docker run --rm -it ghcr.io/xmendez/wfuzz:latest --help
# Create an alias for easier usage. The single quotes keep $(pwd) unexpanded in ~/.bashrc,
# so the current directory is mounted at /data each time the alias is used;
# wordlists must then be referenced via /data.
echo 'alias wfuzz="docker run --rm -it -v $(pwd):/data ghcr.io/xmendez/wfuzz:latest"' >> ~/.bashrc
source ~/.bashrc
```

### Manual installation

```bash
# Clone repository
git clone https://github.com/xmendez/wfuzz.git
cd wfuzz
# Install dependencies
pip install -r requirements.txt
# Install
pip install .
# Or run directly from the source tree (the package lives under src/)
PYTHONPATH=src python -m wfuzz --help
```
## Basic usage

### Directory and file discovery

```bash
# Basic directory fuzzing (-c colors the output, --hc 404 hides "not found" responses)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ
# File extension fuzzing (the first -w fills FUZZ, the second fills FUZ2Z)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -w /usr/share/wordlists/wfuzz/extensions/extensions.txt --hc 404 http://target.com/FUZZ.FUZ2Z
# Subdirectory fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/admin/FUZZ
# Multiple directory levels
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ/FUZ2Z
# Backup file discovery
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ.bak
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ~
```

### Parameter fuzzing

```bash
# GET parameter fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt "http://target.com/search.php?q=FUZZ"
# POST parameter fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -d "username=admin&password=FUZZ" http://target.com/login.php
# Multiple parameter fuzzing (parameter name and value from two wordlists)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -w /usr/share/wordlists/dirb/common.txt "http://target.com/search.php?FUZZ=FUZ2Z"
# Header fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -H "X-Forwarded-For: FUZZ" http://target.com/
# Cookie fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -b "sessionid=FUZZ" http://target.com/
```

### Subdomain discovery

```bash
# Subdomain enumeration via the Host header
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Host: FUZZ.target.com" --hc 404 http://target.com/
# Subdomain with custom wordlist
wfuzz -c -w subdomains.txt -H "Host: FUZZ.target.com" --hc 404 http://target.com/
# Virtual host discovery against a known IP
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Host: FUZZ" --hc 404 http://192.168.1.100/
```
## Advanced usage

### Authentication and sessions

```bash
# Basic authentication
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --basic admin:password --hc 404 http://target.com/FUZZ
# Cookie-based authentication
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -b "PHPSESSID=abc123; auth=true" --hc 404 http://target.com/FUZZ
# Custom headers for authentication
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Authorization: Bearer token123" --hc 404 http://target.com/FUZZ
# Session-based fuzzing (cookie passed as a raw header)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Cookie: session=valid_session_id" --hc 404 http://target.com/FUZZ
```

### Advanced filtering

```bash
# Hide specific response codes
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404,403,500 http://target.com/FUZZ
# Hide responses with a specific size in characters
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hh 1234 http://target.com/FUZZ
# Hide responses with a specific word count
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hw 100 http://target.com/FUZZ
# Hide responses with a specific line count
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hl 50 http://target.com/FUZZ
# Show only specific response codes
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --sc 200,301,302 http://target.com/FUZZ
# Combined filtering (a response is hidden if any of the criteria matches)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 --hh 1234 --hw 100 http://target.com/FUZZ
```
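Why hiding by word and character count matters, shown as an added illustration rather than code from the wfuzz project: the snippet below reproduces the counting behind `--hc/--hl/--hw/--hh` on constructed responses and drops everything that matches a baseline "not found" page. This is the situation where `--hc 404` alone is useless, namely a soft-404 server that answers 200 for every unknown path; wfuzz handles it natively when you request `http://target.com/FUZZ{notfound}` and pass `--hh BBB`. The `Response` class, the counting rules (newlines, whitespace-separated tokens, content length) and the sample pages are assumptions made here for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    """One fuzzed response; the counts approximate how wfuzz derives lines/words/chars (assumption)."""
    payload: str
    code: int
    content: str

    @property
    def lines(self) -> int:
        return self.content.count("\n")

    @property
    def words(self) -> int:
        return len(re.findall(r"\S+", self.content))

    @property
    def chars(self) -> int:
        return len(self.content)


def hidden(resp, hc=(), hl=(), hw=(), hh=()):
    """True if any hide criterion matches; like wfuzz's --h* options, the criteria are ORed for hiding."""
    return resp.code in hc or resp.lines in hl or resp.words in hw or resp.chars in hh


def filter_against_baseline(responses, baseline):
    """Keep only responses that differ from the baseline 'not found' page.

    Hiding by word and character count catches soft-404 hosts that answer 200
    with the same error page for every unknown path, where --hc 404 shows everything.
    """
    return [
        r for r in responses
        if not hidden(r, hc=(404,), hw=(baseline.words,), hh=(baseline.chars,))
    ]


# Constructed sample: a soft-404 host returning HTTP 200 and the same page for unknown paths
SOFT_404 = "<html>\n<body>\nPage not found\n</body>\n</html>\n"
SAMPLE = [
    Response("admin", 200, "<html>\n<body>\nAdmin login\n<form><input name=user></form>\n</body>\n</html>\n"),
    Response("xyz123", 200, SOFT_404),
    Response("backup", 200, SOFT_404),
    Response("old", 404, "Not Found"),
    Response("api", 301, ""),
]
# Baseline: the response to a path that certainly does not exist
BASELINE = Response("this-path-does-not-exist", 200, SOFT_404)


def main():
    print(f"baseline: {BASELINE.lines}L {BASELINE.words}W {BASELINE.chars}Ch")
    for r in filter_against_baseline(SAMPLE, BASELINE):
        print(f"{r.code:>4} {r.lines:>4}L {r.words:>4}W {r.chars:>5}Ch  {r.payload}")


if __name__ == "__main__":
    main()
```

Only `admin` and the `api` redirect survive; the two soft-404 hits share the baseline's 7 words and 45 characters and are dropped, which is exactly the effect of `--hw 7 --hh 45` on the real tool.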
### Proxy and network options

```bash
# Use an HTTP proxy
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -p 127.0.0.1:8080 --hc 404 http://target.com/FUZZ
# Use a SOCKS proxy (format ip:port:type)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -p 127.0.0.1:9050:SOCKS5 --hc 404 http://target.com/FUZZ
# Custom timeouts in seconds: --conn-delay for the connection phase, --req-delay for the whole request
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --conn-delay 2 --req-delay 1 --hc 404 http://target.com/FUZZ
# Concurrent connections (default 10)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -t 50 --hc 404 http://target.com/FUZZ
# Follow redirects
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -L --hc 404 http://target.com/FUZZ
```
## Wordlists and payloads

### Common wordlists

```bash
# Directory wordlists
/usr/share/wordlists/dirb/common.txt
/usr/share/wordlists/dirb/big.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# File wordlists
/usr/share/wordlists/wfuzz/general/common.txt
/usr/share/wordlists/wfuzz/general/admin-panels.txt
/usr/share/wordlists/wfuzz/general/megabeast.txt
# Parameter wordlists
/usr/share/wordlists/wfuzz/Injections/SQL.txt
/usr/share/wordlists/wfuzz/Injections/XSS.txt
/usr/share/wordlists/wfuzz/Injections/Traversal.txt
# Subdomain wordlists
/usr/share/wordlists/wfuzz/general/subdomains-top1mil-5000.txt
/usr/share/wordlists/wfuzz/general/subdomains-top1mil-20000.txt
```

### Creating custom wordlists

```bash
# Create custom wordlist
cat > custom_dirs.txt << 'EOF'
admin
administrator
panel
dashboard
control
manage
backend
api
v1
v2
test
dev
staging
EOF
# Use custom wordlist
wfuzz -c -w custom_dirs.txt --hc 404 http://target.com/FUZZ
# Combine wordlists
cat /usr/share/wordlists/dirb/common.txt custom_dirs.txt > combined.txt
wfuzz -c -w combined.txt --hc 404 http://target.com/FUZZ
```

### Payload generators

```bash
# Range payload
wfuzz -c -z range,1-100 --hc 404 http://target.com/user/FUZZ
# List payload (items separated by "-")
wfuzz -c -z list,admin-test-guest --hc 404 http://target.com/FUZZ
# File payload (-w is an alias for -z file,...)
wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ
# Hexrange payload
wfuzz -c -z hexrange,0x00-0xFF --hc 404 http://target.com/id/FUZZ
# Date payload: three payloads fill FUZZ, FUZ2Z and FUZ3Z; by default they are combined
# as a cartesian product, so this sends 5 x 12 x 31 requests
wfuzz -c -z range,2020-2024 -z range,01-12 -z range,01-31 --hc 404 "http://target.com/backup/FUZ2Z-FUZ3Z-FUZZ.sql"
```
## Specialized techniques

### SQL injection testing

```bash
# Basic SQL injection fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt "http://target.com/search.php?id=FUZZ"
# Time-based SQL injection (r.timer is the request time in the filter language)
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt --filter "r.timer>5" "http://target.com/search.php?id=FUZZ"
# Error-based SQL injection (=~ is a regex match; ~ would be a literal substring match)
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt --filter "r.content=~'error|mysql|sql'" "http://target.com/search.php?id=FUZZ"
# POST SQL injection
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -d "username=admin&password=FUZZ" --filter "r.content=~'welcome|dashboard'" http://target.com/login.php
```

### XSS testing

```bash
# Reflected XSS testing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/XSS.txt "http://target.com/search.php?q=FUZZ"
# XSS in POST parameters
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/XSS.txt -d "comment=FUZZ" http://target.com/comment.php
# XSS filter bypass: keep only responses that reflect the tag unescaped
wfuzz -c -w xss_payloads.txt --filter "r.content~'<script>'" "http://target.com/search.php?q=FUZZ"
# DOM XSS testing. Note: the fragment after # is never sent to the server, so server
# responses cannot show whether the payload is executed; this only exercises the request.
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/XSS.txt "http://target.com/page.php#FUZZ"
```

### File upload testing

```bash
# File extension fuzzing
wfuzz -c -w extensions.txt -d "file=test.FUZZ" --filter "r.content=~'uploaded|success'" http://target.com/upload.php
# MIME type fuzzing (-d takes the body inline; wfuzz does not read @file like curl does)
wfuzz -c -w mime_types.txt -H "Content-Type: FUZZ" -d "$(cat file.txt)" http://target.com/upload.php
# File upload bypass
wfuzz -c -w bypass_extensions.txt -d "file=shell.FUZZ" http://target.com/upload.php
```

### API testing

```bash
# API endpoint discovery
wfuzz -c -w api_endpoints.txt --hc 404 http://target.com/api/FUZZ
# API version fuzzing
wfuzz -c -z range,1-10 --hc 404 http://target.com/api/vFUZZ/users
# REST API method fuzzing (-X takes a single method or a FUZZ keyword, so the methods are a second payload)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -z list,GET-POST-PUT-DELETE -X FUZ2Z --hc 404,405 http://target.com/api/FUZZ
# API parameter fuzzing
wfuzz -c -w parameters.txt "http://target.com/api/users?FUZZ=test"
# JSON API fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -H "Content-Type: application/json" -d '{"username":"admin","password":"FUZZ"}' http://target.com/api/login
```
## Output and reporting

### Output formats

```bash
# Save to file (-f filename[,printer]; the raw printer is used when none is given)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.txt http://target.com/FUZZ
# JSON output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.json,json http://target.com/FUZZ
# CSV output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.csv,csv http://target.com/FUZZ
# HTML output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.html,html http://target.com/FUZZ
# XML output (magictree printer)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.xml,magictree http://target.com/FUZZ
```

### Custom output formatting

```bash
# Add filter-language fields (here the full URL and the response size) to the default columns
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 --efield r.url --efield r.h http://target.com/FUZZ
# Show only the given field instead of the payload column
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 --field r.url http://target.com/FUZZ
# Verbose output (adds the Server and Redirect columns)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -v http://target.com/FUZZ
```
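Once results are written with `-f results.json,json`, the next step is usually to turn the list of hits into a remediation list. The following triage script is an added example, not part of wfuzz: it parses the JSON printer output, groups hits by status code and flags resources that should not be reachable on a production host (backup copies, VCS metadata, `phpinfo.php`, admin interfaces). The field names `code`, `lines`, `words`, `chars`, `payload` and `url` are assumed to match wfuzz's JSON printer; the sample document is constructed, not real scan output.

```python
import json
import re
from collections import defaultdict

# Constructed sample of what `-f results.json,json` produces (field layout is an assumption)
SAMPLE_JSON = json.dumps([
    {"code": 200, "lines": 40, "words": 120, "chars": 2048, "payload": "index.php",
     "url": "http://target.example/index.php"},
    {"code": 200, "lines": 3, "words": 9, "chars": 150, "payload": "config.php.bak",
     "url": "http://target.example/config.php.bak"},
    {"code": 301, "lines": 0, "words": 0, "chars": 0, "payload": "admin",
     "url": "http://target.example/admin"},
    {"code": 200, "lines": 10, "words": 30, "chars": 512, "payload": ".git/HEAD",
     "url": "http://target.example/.git/HEAD"},
    {"code": 403, "lines": 7, "words": 20, "chars": 300, "payload": "backup",
     "url": "http://target.example/backup"},
    {"code": 200, "lines": 1, "words": 1, "chars": 17, "payload": "phpinfo.php",
     "url": "http://target.example/phpinfo.php"},
])

# Patterns for resources a defender normally wants removed or put behind access control
SENSITIVE = [
    (re.compile(r"\.(bak|old|orig|swp|tmp)$|~$", re.I), "backup/editor copy"),
    (re.compile(r"^\.(git|svn|hg|env)\b", re.I), "VCS metadata or dotfile"),
    (re.compile(r"phpinfo\.php$", re.I), "information disclosure"),
    (re.compile(r"^(admin|administrator|manager)(/|$)", re.I), "admin interface"),
]


def load_results(text):
    """Parse json printer output; it is a JSON list with one object per shown result."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("wfuzz json printer output must be a list of results")
    return data


def group_by_code(results):
    """Map status code -> list of payloads, preserving scan order."""
    groups = defaultdict(list)
    for r in results:
        groups[int(r["code"])].append(r["payload"])
    return dict(groups)


def flag_sensitive(results):
    """Return (payload, reason) pairs for served hits (2xx/3xx) that match a sensitive pattern.

    403s are skipped on purpose: the resource exists but is already blocked, which is a
    lower-priority finding than a backup file that is actually served.
    """
    flagged = []
    for r in results:
        if not 200 <= int(r["code"]) < 400:
            continue
        for pattern, reason in SENSITIVE:
            if pattern.search(r["payload"]):
                flagged.append((r["payload"], reason))
                break
    return flagged


def main():
    results = load_results(SAMPLE_JSON)
    for code, payloads in sorted(group_by_code(results).items()):
        print(f"{code}: {len(payloads)} hit(s) -> {', '.join(payloads)}")
    print("\nReview for removal / access control:")
    for payload, reason in flag_sensitive(results):
        print(f"  {payload:<20} {reason}")


if __name__ == "__main__":
    main()
```

To run it on a real file, replace `SAMPLE_JSON` with `open("results.json").read()`; the pattern table is the part worth extending with whatever your own deployment should never expose.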
## Automation scripts

### Comprehensive fuzzing script

```bash
#!/bin/bash
# Comprehensive web application fuzzing script
TARGET="$1"
OUTPUT_DIR="wfuzz_results_$(date +%Y%m%d_%H%M%S)"

if [ -z "$TARGET" ]; then
    echo "Usage: $0 <target_url>"
    exit 1
fi

mkdir -p "$OUTPUT_DIR"
echo "[+] Starting comprehensive web fuzzing for: $TARGET"

# Directory discovery
echo "[+] Directory discovery..."
wfuzz -c -w /usr/share/wordlists/dirb/big.txt \
    --hc 404,403 \
    -f "$OUTPUT_DIR/directories.json,json" \
    "$TARGET/FUZZ" 2>/dev/null

# File discovery
echo "[+] File discovery..."
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -w /usr/share/wordlists/wfuzz/general/extensions.txt \
    --hc 404,403 \
    -f "$OUTPUT_DIR/files.json,json" \
    "$TARGET/FUZZ.FUZ2Z" 2>/dev/null

# Backup file discovery (wfuzz takes a single URL, so the suffixes are a second payload)
echo "[+] Backup file discovery..."
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -z list,.bak-~-.old \
    --hc 404,403 \
    -f "$OUTPUT_DIR/backups.json,json" \
    "$TARGET/FUZZFUZ2Z" 2>/dev/null

# Admin panel discovery
echo "[+] Admin panel discovery..."
wfuzz -c -w /usr/share/wordlists/wfuzz/general/admin-panels.txt \
    --hc 404,403 \
    -f "$OUTPUT_DIR/admin_panels.json,json" \
    "$TARGET/FUZZ" 2>/dev/null

# Parameter discovery
echo "[+] Parameter discovery..."
wfuzz -c -w /usr/share/wordlists/wfuzz/general/common.txt \
    --hc 404 \
    -f "$OUTPUT_DIR/parameters.json,json" \
    "$TARGET/?FUZZ=test" 2>/dev/null

echo "[+] Fuzzing completed. Results saved to: $OUTPUT_DIR"

# Generate summary (the heredoc is unquoted so the shell expands $OUTPUT_DIR into the Python source)
echo "[+] Generating summary..."
python3 << EOF
import json
import os

results_dir = "$OUTPUT_DIR"
summary = {}

for filename in os.listdir(results_dir):
    if filename.endswith('.json'):
        with open(os.path.join(results_dir, filename), 'r') as f:
            try:
                data = json.load(f)  # the json printer writes a list of result objects
                category = filename.replace('.json', '')
                summary[category] = len(data)
            except (ValueError, OSError):
                summary[filename] = 0

print("\n=== FUZZING SUMMARY ===")
for category, count in summary.items():
    print(f"{category}: {count} results")

with open(os.path.join(results_dir, 'summary.json'), 'w') as f:
    json.dump(summary, f, indent=2)
EOF
```
### API fuzzing script

```bash
#!/bin/bash
# API endpoint fuzzing script
API_BASE="$1"
OUTPUT_DIR="api_fuzz_$(date +%Y%m%d_%H%M%S)"

if [ -z "$API_BASE" ]; then
    echo "Usage: $0 <api_base_url>"
    exit 1
fi

mkdir -p "$OUTPUT_DIR"
echo "[+] Starting API fuzzing for: $API_BASE"

# API endpoint discovery
echo "[+] API endpoint discovery..."
wfuzz -c -w /usr/share/wordlists/wfuzz/general/common.txt \
    --hc 404,405 \
    -f "$OUTPUT_DIR/endpoints.json,json" \
    "$API_BASE/FUZZ" 2>/dev/null

# API version discovery (one run per URL pattern; wfuzz accepts a single URL)
echo "[+] API version discovery..."
wfuzz -c -z range,1-10 \
    --hc 404,405 \
    -f "$OUTPUT_DIR/versions.json,json" \
    "$API_BASE/vFUZZ" 2>/dev/null
wfuzz -c -z range,1-10 \
    --hc 404,405 \
    -f "$OUTPUT_DIR/versions_api.json,json" \
    "$API_BASE/apiFUZZ" 2>/dev/null

# Common API paths
echo "[+] Common API paths..."
cat > api_paths.txt << 'EOF'
users
user
admin
auth
login
logout
register
profile
settings
config
status
health
version
docs
swagger
api-docs
EOF

wfuzz -c -w api_paths.txt \
    --hc 404,405 \
    -f "$OUTPUT_DIR/api_paths.json,json" \
    "$API_BASE/FUZZ" 2>/dev/null

# HTTP methods testing (-X takes one method or a FUZZ keyword, so the methods are a second payload)
echo "[+] HTTP methods testing..."
wfuzz -c -w api_paths.txt \
    -z list,GET-POST-PUT-DELETE-PATCH-OPTIONS-HEAD \
    -X FUZ2Z \
    --hc 404 \
    -f "$OUTPUT_DIR/methods.json,json" \
    "$API_BASE/FUZZ" 2>/dev/null

rm api_paths.txt
echo "[+] API fuzzing completed. Results saved to: $OUTPUT_DIR"
```
### Subdomain fuzzing script

```bash
#!/bin/bash
# Subdomain discovery script
DOMAIN="$1"
OUTPUT_DIR="subdomain_fuzz_$(date +%Y%m%d_%H%M%S)"

if [ -z "$DOMAIN" ]; then
    echo "Usage: $0 <domain>"
    exit 1
fi

mkdir -p "$OUTPUT_DIR"
echo "[+] Starting subdomain fuzzing for: $DOMAIN"

# Common subdomains (--hh 0 hides empty responses from unconfigured virtual hosts)
echo "[+] Common subdomain fuzzing..."
wfuzz -c -w /usr/share/wordlists/wfuzz/general/subdomains-top1mil-5000.txt \
    -H "Host: FUZZ.$DOMAIN" \
    --hc 404 \
    --hh 0 \
    -f "$OUTPUT_DIR/subdomains.json,json" \
    "http://$DOMAIN/" 2>/dev/null

# Development subdomains
echo "[+] Development subdomain fuzzing..."
cat > dev_subdomains.txt << 'EOF'
dev
test
staging
beta
alpha
demo
sandbox
lab
qa
uat
pre
preprod
prod
www
mail
ftp
admin
api
app
mobile
m
blog
shop
store
portal
dashboard
EOF

wfuzz -c -w dev_subdomains.txt \
    -H "Host: FUZZ.$DOMAIN" \
    --hc 404 \
    --hh 0 \
    -f "$OUTPUT_DIR/dev_subdomains.json,json" \
    "http://$DOMAIN/" 2>/dev/null

rm dev_subdomains.txt
echo "[+] Subdomain fuzzing completed. Results saved to: $OUTPUT_DIR"
```
## Integration with other tools

### Burp Suite integration

```bash
# Use Burp as proxy
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -p 127.0.0.1:8080 \
    --hc 404 \
    http://target.com/FUZZ

# Export results for Burp analysis (raw printer)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    --hc 404 \
    -f burp_targets.txt,raw \
    http://target.com/FUZZ
```

### OWASP ZAP integration

```bash
# Use ZAP as proxy
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -p 127.0.0.1:8080 \
    --hc 404 \
    http://target.com/FUZZ

# Generate a ZAP-compatible URL list: the field printer writes only the given
# field, one per line, without header or footer
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    --hc 404 \
    --field r.url -o field \
    http://target.com/FUZZ > zap_urls.txt
```

### Nuclei integration

```bash
# Generate URLs for Nuclei scanning
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    --hc 404 \
    --field r.url -o field \
    http://target.com/FUZZ > discovered_urls.txt

# Run Nuclei on discovered URLs
nuclei -l discovered_urls.txt -t /path/to/nuclei-templates/
```
## Troubleshooting

### Common problems

#### Rate limiting

```bash
# Reduce request rate: -s is the delay between requests in seconds, -t the number of
# concurrent connections (--req-delay/--conn-delay are timeouts, not delays)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -s 2 \
    -t 5 \
    --hc 404 \
    http://target.com/FUZZ

# Slow down further: wfuzz has no random-delay option, -s takes a fixed number of seconds,
# so use a single connection with a longer pause
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -s 3 \
    -t 1 \
    --hc 404 \
    http://target.com/FUZZ
```
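The reason rate limits bite is that a fuzzing run looks nothing like a user on the server side. The script below is an added example (not wfuzz code, not a WAF product) that shows what a defender's log review picks up: it parses constructed access-log lines in Combined Log Format and reports sources that either present wfuzz's default User-Agent (which, as assumed here, begins with `Wfuzz/`) or send a burst of mostly-404 requests to many distinct paths inside a short window. The second signal also catches runs with a custom `-H "User-Agent: ..."`. The thresholds, log format and IP addresses are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format: ip ident user [ts] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: a fast mostly-404 burst from one IP with a non-wfuzz UA,
# a polite client that still carries the wfuzz default UA, and an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:00 +0000] "GET /admin HTTP/1.1" 404 196 "-" "curl/8.0.1"
203.0.113.5 - - [10/Mar/2024:12:00:00 +0000] "GET /backup HTTP/1.1" 404 196 "-" "curl/8.0.1"
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /test HTTP/1.1" 404 196 "-" "curl/8.0.1"
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /dev HTTP/1.1" 404 196 "-" "curl/8.0.1"
203.0.113.5 - - [10/Mar/2024:12:00:02 +0000] "GET /api HTTP/1.1" 200 512 "-" "curl/8.0.1"
203.0.113.5 - - [10/Mar/2024:12:00:02 +0000] "GET /staging HTTP/1.1" 404 196 "-" "curl/8.0.1"
203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "GET /panel HTTP/1.1" 404 196 "-" "curl/8.0.1"
203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "GET /manage HTTP/1.1" 404 196 "-" "curl/8.0.1"
203.0.113.5 - - [10/Mar/2024:12:00:04 +0000] "GET /v1 HTTP/1.1" 404 196 "-" "curl/8.0.1"
203.0.113.5 - - [10/Mar/2024:12:00:04 +0000] "GET /v2 HTTP/1.1" 404 196 "-" "curl/8.0.1"
198.51.100.7 - - [10/Mar/2024:12:05:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Wfuzz/3.1.0"
198.51.100.7 - - [10/Mar/2024:12:05:02 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Wfuzz/3.1.0"
192.0.2.10 - - [10/Mar/2024:12:06:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:12:06:05 +0000] "GET /missing HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for a well-formed log line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect_scans(lines, window_s=10, min_requests=8, min_404_ratio=0.7):
    """Return {ip: [reasons]} for sources that look like a directory fuzzer.

    Signal 1: the wfuzz default User-Agent (assumed to start with "Wfuzz/").
    Signal 2: within any sliding window of window_s seconds, at least min_requests
    requests, at least min_404_ratio of them 404, to at least min_requests distinct paths.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in by_ip.items():
        reasons = []
        if any(r["ua"].startswith("Wfuzz/") for r in recs):
            reasons.append("wfuzz default User-Agent")
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            window = [r for r in recs[i:] if (r["ts"] - first["ts"]).total_seconds() <= window_s]
            if len(window) < min_requests:
                continue
            not_found = sum(1 for r in window if r["status"] == 404)
            distinct = len({r["path"] for r in window})
            if not_found / len(window) >= min_404_ratio and distinct >= min_requests:
                reasons.append(f"{len(window)} requests/{window_s}s, {not_found} x 404, {distinct} distinct paths")
                break
        if reasons:
            alerts[ip] = reasons
    return alerts


if __name__ == "__main__":
    for ip, reasons in detect_scans(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {'; '.join(reasons)}")
```

The burst heuristic is what a sensible rate limit keys on, which is also why the `-s`/`-t` settings above matter for an authorized test: they decide whether the run trips the same rule.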
#### SSL/TLS problems

```bash
# Certificate errors: wfuzz does not verify server certificates (peer verification is
# disabled in its pycurl setup), so self-signed certificates need no extra option
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    --hc 404 \
    https://target.com/FUZZ

# TLS version: wfuzz has no option to pin the protocol version; it is negotiated by the
# libcurl build that pycurl links against. Check that build if the handshake fails:
python3 -c "import pycurl; print(pycurl.version)"
```

#### Memory problems

```bash
# Reduce concurrent threads
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -t 10 \
    --hc 404 \
    http://target.com/FUZZ

# Use smaller wordlists
wfuzz -c -w /usr/share/wordlists/dirb/small.txt \
    --hc 404 \
    http://target.com/FUZZ
```

#### Network problems

```bash
# Increase timeouts (both default to 90 seconds)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    --conn-delay 120 \
    --req-delay 180 \
    --hc 404 \
    http://target.com/FUZZ

# Keep going on connection errors: wfuzz has no retry option, but -Z (scan mode)
# ignores failed connections instead of aborting the run
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -Z \
    --hc 404 \
    http://target.com/FUZZ
```

## Resources

- Official Wfuzz documentation: https://wfuzz.readthedocs.io/
- Wfuzz GitHub repository: https://github.com/xmendez/wfuzz
- OWASP Web Security Testing Guide: https://owasp.org/www-project-web-security-testing-guide/
- SecLists wordlists: https://github.com/danielmiessler/SecLists
- Burp Suite documentation: https://portswigger.net/burp/documentation