Hoja de Referencia de Wfuzz
Descripción General
Wfuzz es un fuzzer de aplicaciones web diseñado para facilitar evaluaciones de aplicaciones web. Puede usarse para encontrar recursos no vinculados (directorios, servlets, scripts, etc.), forzar parámetros GET y POST, forzar parámetros de Formularios (Usuario/Contraseña), Fuzzing, etc. Wfuzz es una herramienta potente para descubrir contenido oculto, probar vulnerabilidades y realizar evaluaciones exhaustivas de seguridad de aplicaciones web.
⚠️ Advertencia: Utilice Wfuzz solo en aplicaciones que posea o para las que tenga permiso explícito de prueba. Las pruebas no autorizadas pueden violar los términos de servicio o leyes locales.
Instalación
Instalación de Paquete Python
# Install via pip
pip install wfuzz
# Install with all dependencies
pip install wfuzz[complete]
# Install development version
pip install git+https://github.com/xmendez/wfuzz.git
# Verify installation
wfuzz --versionInstalación de Paquete de Sistema
# Ubuntu/Debian
sudo apt update
sudo apt install wfuzz
# CentOS/RHEL/Fedora
sudo yum install wfuzz
# or
sudo dnf install wfuzz
# Arch Linux
sudo pacman -S wfuzz
# macOS with Homebrew
brew install wfuzzInstalación de Docker
# Pull Docker image
docker pull ghcr.io/xmendez/wfuzz:latest
# Run with Docker
docker run --rm -it ghcr.io/xmendez/wfuzz:latest --help
# Create alias for easier usage
echo 'alias wfuzz="docker run --rm -it -v $(pwd):/data ghcr.io/xmendez/wfuzz:latest"' >> ~/.bashrc
source ~/.bashrcInstalación Manual
# Clone repository
git clone https://github.com/xmendez/wfuzz.git
cd wfuzz
# Install dependencies
pip install -r requirements.txt
# Install
python setup.py install
# Or run directly
python wfuzz.py --helpUso Básico
Descubrimiento de Directorios y Archivos
# Basic directory fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ
# File extension fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -w /usr/share/wordlists/wfuzz/extensions/extensions.txt --hc 404 http://target.com/FUZZ.FUZ2Z
# Subdirectory fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/admin/FUZZ
# Multiple directory levels
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ/FUZ2Z
# Backup file discovery
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ.bak
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ~Fuzzing de Parámetros
# GET parameter fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt "http://target.com/search.php?q=FUZZ"
# POST parameter fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -d "username=admin&password=FUZZ" http://target.com/login.php
# Multiple parameter fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -w /usr/share/wordlists/dirb/common.txt "http://target.com/search.php?FUZZ=FUZ2Z"
# Header fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -H "X-Forwarded-For: FUZZ" http://target.com/
# Cookie fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -b "sessionid=FUZZ" http://target.com/Descubrimiento de Subdominios
# Subdomain enumeration
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Host: FUZZ.target.com" --hc 404 http://target.com/
# Subdomain with custom wordlist
wfuzz -c -w subdomains.txt -H "Host: FUZZ.target.com" --hc 404 http://target.com/
# Virtual host discovery
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Host: FUZZ" --hc 404 http://192.168.1.100/Uso Avanzado
Autenticación y Sesiones
# Basic authentication
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --basic admin:password --hc 404 http://target.com/FUZZ
# Cookie-based authentication
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -b "PHPSESSID=abc123; auth=true" --hc 404 http://target.com/FUZZ
# Custom headers for authentication
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Authorization: Bearer token123" --hc 404 http://target.com/FUZZ
# Session-based fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Cookie: session=valid_session_id" --hc 404 http://target.com/FUZZFiltrado Avanzado
# Hide specific response codes
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404,403,500 http://target.com/FUZZ
# Hide specific response sizes
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hh 1234 http://target.com/FUZZ
# Hide responses with specific words
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hw 100 http://target.com/FUZZ
# Hide responses with specific lines
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hl 50 http://target.com/FUZZ
# Show only specific response codes
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --sc 200,301,302 http://target.com/FUZZ
# Complex filtering
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 --hh 1234 --hw 100 http://target.com/FUZZOpciones de Proxy y Red
# Use proxy
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -p 127.0.0.1:8080 --hc 404 http://target.com/FUZZ
# Use SOCKS proxy
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -p 127.0.0.1:9050:SOCKS5 --hc 404 http://target.com/FUZZ
# Custom timeout
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --conn-delay 2 --req-delay 1 --hc 404 http://target.com/FUZZ
# Concurrent connections
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -t 50 --hc 404 http://target.com/FUZZ
# Follow redirects
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -L --hc 404 http://target.com/FUZZListas de Palabras y Payloads
Listas de Palabras Comunes
# Directory wordlists
/usr/share/wordlists/dirb/common.txt
/usr/share/wordlists/dirb/big.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# File wordlists
/usr/share/wordlists/wfuzz/general/common.txt
/usr/share/wordlists/wfuzz/general/admin-panels.txt
/usr/share/wordlists/wfuzz/general/megabeast.txt
# Parameter wordlists
/usr/share/wordlists/wfuzz/Injections/SQL.txt
/usr/share/wordlists/wfuzz/Injections/XSS.txt
/usr/share/wordlists/wfuzz/Injections/Traversal.txt
# Subdomain wordlists
/usr/share/wordlists/wfuzz/general/subdomains-top1mil-5000.txt
/usr/share/wordlists/wfuzz/general/subdomains-top1mil-20000.txtCreación de Lista de Palabras Personalizada
# Create custom wordlist
cat > custom_dirs.txt << 'EOF'
admin
administrator
panel
dashboard
control
manage
backend
api
v1
v2
test
dev
staging
EOF
# Use custom wordlist
wfuzz -c -w custom_dirs.txt --hc 404 http://target.com/FUZZ
# Combine wordlists
cat /usr/share/wordlists/dirb/common.txt custom_dirs.txt > combined.txt
wfuzz -c -w combined.txt --hc 404 http://target.com/FUZZGeneradores de Payloads
# Range payload
wfuzz -c -z range,1-100 --hc 404 http://target.com/user/FUZZ
# List payload
wfuzz -c -z list,admin-test-guest --hc 404 http://target.com/FUZZ
# File payload
wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ
# Hexrange payload
wfuzz -c -z hexrange,0x00-0xFF --hc 404 http://target.com/id/FUZZ
# Date payload
wfuzz -c -z range,2020-2024 -z range,01-12 -z range,01-31 --hc 404 "http://target.com/backup/FUZ2Z-FUZ3Z-FUZZ.sql"Técnicas Especializadas
Pruebas de Inyección SQL
# Basic SQL injection fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt "http://target.com/search.php?id=FUZZ"
# Time-based SQL injection
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt --filter "r.elapsed>5" "http://target.com/search.php?id=FUZZ"
# Error-based SQL injection
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt --filter "r.content~'error|mysql|sql'" "http://target.com/search.php?id=FUZZ"
# POST SQL injection
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -d "username=admin&password=FUZZ" --filter "r.content~'welcome|dashboard'" http://target.com/login.phpPruebas de XSS
# Reflected XSS testing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/XSS.txt "http://target.com/search.php?q=FUZZ"
# XSS in parameters
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/XSS.txt -d "comment=FUZZ" http://target.com/comment.php
# XSS filter bypass
wfuzz -c -w xss_payloads.txt --filter "r.content~'<script>'" "http://target.com/search.php?q=FUZZ"
# DOM XSS testing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/XSS.txt "http://target.com/page.php#FUZZ"Pruebas de Carga de Archivos
# File extension fuzzing
wfuzz -c -w extensions.txt -d "file=test.FUZZ" --filter "r.content~'uploaded|success'" http://target.com/upload.php
# MIME type fuzzing
wfuzz -c -w mime_types.txt -H "Content-Type: FUZZ" -d @file.txt http://target.com/upload.php
# File upload bypass
wfuzz -c -w bypass_extensions.txt -d "file=shell.FUZZ" http://target.com/upload.phpPruebas de API
# API endpoint discovery
wfuzz -c -w api_endpoints.txt --hc 404 http://target.com/api/FUZZ
# API version fuzzing
wfuzz -c -z range,1-10 --hc 404 http://target.com/api/vFUZZ/users
# REST API method fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -X GET,POST,PUT,DELETE --hc 404,405 http://target.com/api/FUZZ
# API parameter fuzzing
wfuzz -c -w parameters.txt "http://target.com/api/users?FUZZ=test"
# JSON API fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -H "Content-Type: application/json" -d '\\\\{"username":"admin","password":"FUZZ"\\\\}' http://target.com/api/loginSalida e Informes
Formatos de Salida
# Save to file
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -o output.txt http://target.com/FUZZ
# JSON output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.json,json http://target.com/FUZZ
# CSV output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.csv,csv http://target.com/FUZZ
# HTML output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.html,html http://target.com/FUZZ
# XML output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.xml,xml http://target.com/FUZZFormato de Salida Personalizado
Note: I’ve translated the text while preserving markdown formatting, keeping technical terms in English, and maintaining the overall structure. The placeholders for sections 3-20 are left as-is, waiting for specific content to translate.```bash
Custom output format
wfuzz -c -w /usr/share/wordlists/dirb/common.txt —hc 404 —format “ID: %i|Code: %c|Size: %h|URL: %u” http://target.com/FUZZ
Verbose output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt —hc 404 -v http://target.com/FUZZ
Show request and response
wfuzz -c -w /usr/share/wordlists/dirb/common.txt —hc 404 —req-delay 1 -v http://target.com/FUZZ
```bash
#!/bin/bash
# Comprehensive web application fuzzing script
TARGET="$1"
OUTPUT_DIR="wfuzz_results_$(date +%Y%m%d_%H%M%S)"
if [ -z "$TARGET" ]; then
echo "Usage: $0 <target_url>"
exit 1
fi
mkdir -p "$OUTPUT_DIR"
echo "[+] Starting comprehensive web fuzzing for: $TARGET"
# Directory discovery
echo "[+] Directory discovery..."
wfuzz -c -w /usr/share/wordlists/dirb/big.txt \
--hc 404,403 \
-f "$OUTPUT_DIR/directories.json,json" \
"$TARGET/FUZZ" 2>/dev/null
# File discovery
echo "[+] File discovery..."
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
-w /usr/share/wordlists/wfuzz/general/extensions.txt \
--hc 404,403 \
-f "$OUTPUT_DIR/files.json,json" \
"$TARGET/FUZZ.FUZ2Z" 2>/dev/null
# Backup file discovery
echo "[+] Backup file discovery..."
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
--hc 404,403 \
-f "$OUTPUT_DIR/backups.json,json" \
"$TARGET/FUZZ.bak" "$TARGET/FUZZ~" "$TARGET/FUZZ.old" 2>/dev/null
# Admin panel discovery
echo "[+] Admin panel discovery..."
wfuzz -c -w /usr/share/wordlists/wfuzz/general/admin-panels.txt \
--hc 404,403 \
-f "$OUTPUT_DIR/admin_panels.json,json" \
"$TARGET/FUZZ" 2>/dev/null
# Parameter discovery
echo "[+] Parameter discovery..."
wfuzz -c -w /usr/share/wordlists/wfuzz/general/common.txt \
--hc 404 \
-f "$OUTPUT_DIR/parameters.json,json" \
"$TARGET/?FUZZ=test" 2>/dev/null
echo "[+] Fuzzing completed. Results saved to: $OUTPUT_DIR"
# Generate summary
echo "[+] Generating summary..."
python3 << EOF
import json
import os
results_dir = "$OUTPUT_DIR"
summary = \\\\{\\\\}
for filename in os.listdir(results_dir):
if filename.endswith('.json'):
with open(os.path.join(results_dir, filename), 'r') as f:
try:
data = json.load(f)
category = filename.replace('.json', '')
summary[category] = len(data)
except:
summary[filename] = 0
print("\\n=== FUZZING SUMMARY ===")
for category, count in summary.items():
print(f"\\\\{category\\\\}: \\\\{count\\\\} results")
with open(os.path.join(results_dir, 'summary.json'), 'w') as f:
json.dump(summary, f, indent=2)
EOF
```### Script de Fuzzing Web Integral
```bash
#!/bin/bash
# API endpoint fuzzing script
API_BASE="$1"
OUTPUT_DIR="api_fuzz_$(date +%Y%m%d_%H%M%S)"
if [ -z "$API_BASE" ]; then
echo "Usage: $0 <api_base_url>"
echo "Example: $0 https://api.example.com"
exit 1
fi
mkdir -p "$OUTPUT_DIR"
echo "[+] Starting API fuzzing for: $API_BASE"
# API endpoint discovery
echo "[+] API endpoint discovery..."
wfuzz -c -w /usr/share/wordlists/wfuzz/general/common.txt \
--hc 404,405 \
-f "$OUTPUT_DIR/endpoints.json,json" \
"$API_BASE/FUZZ" 2>/dev/null
# API version discovery
echo "[+] API version discovery..."
wfuzz -c -z range,1-10 \
--hc 404,405 \
-f "$OUTPUT_DIR/versions.json,json" \
"$API_BASE/vFUZZ" "$API_BASE/apiFUZZ" 2>/dev/null
# Common API paths
echo "[+] Common API paths..."
cat > api_paths.txt << 'EOF'
users
user
admin
auth
login
logout
register
profile
settings
config
status
health
version
docs
swagger
api-docs
EOF
wfuzz -c -w api_paths.txt \
--hc 404,405 \
-f "$OUTPUT_DIR/api_paths.json,json" \
"$API_BASE/FUZZ" 2>/dev/null
# HTTP methods testing
echo "[+] HTTP methods testing..."
wfuzz -c -w api_paths.txt \
-X GET,POST,PUT,DELETE,PATCH,OPTIONS,HEAD \
--hc 404 \
-f "$OUTPUT_DIR/methods.json,json" \
"$API_BASE/FUZZ" 2>/dev/null
rm api_paths.txt
echo "[+] API fuzzing completed. Results saved to: $OUTPUT_DIR"
```### Script de Fuzzing de API
```bash
#!/bin/bash
# Subdomain discovery script
DOMAIN="$1"
OUTPUT_DIR="subdomain_fuzz_$(date +%Y%m%d_%H%M%S)"
if [ -z "$DOMAIN" ]; then
echo "Usage: $0 <domain>"
echo "Example: $0 example.com"
exit 1
fi
mkdir -p "$OUTPUT_DIR"
echo "[+] Starting subdomain fuzzing for: $DOMAIN"
# Common subdomains
echo "[+] Common subdomain fuzzing..."
wfuzz -c -w /usr/share/wordlists/wfuzz/general/subdomains-top1mil-5000.txt \
-H "Host: FUZZ.$DOMAIN" \
--hc 404 \
--hh 0 \
-f "$OUTPUT_DIR/subdomains.json,json" \
"http://$DOMAIN/" 2>/dev/null
# Development subdomains
echo "[+] Development subdomain fuzzing..."
cat > dev_subdomains.txt << 'EOF'
dev
test
staging
beta
alpha
demo
sandbox
lab
qa
uat
pre
preprod
prod
www
mail
ftp
admin
api
app
mobile
m
blog
shop
store
portal
dashboard
EOF
wfuzz -c -w dev_subdomains.txt \
-H "Host: FUZZ.$DOMAIN" \
--hc 404 \
--hh 0 \
-f "$OUTPUT_DIR/dev_subdomains.json,json" \
"http://$DOMAIN/" 2>/dev/null
rm dev_subdomains.txt
echo "[+] Subdomain fuzzing completed. Results saved to: $OUTPUT_DIR"
```### Script de Fuzzing de Subdominios
```bash
# Use Burp as proxy
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
-p 127.0.0.1:8080 \
--hc 404 \
http://target.com/FUZZ
# Export results for Burp analysis
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
--hc 404 \
-f burp_targets.txt,raw \
http://target.com/FUZZ
```## Integración con Otras Herramientas
```bash
# Use ZAP as proxy
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
-p 127.0.0.1:8080 \
--hc 404 \
http://target.com/FUZZ
# Generate ZAP-compatible URLs
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
--hc 404 \
--format "%u" \
http://target.com/FUZZ > zap_urls.txt
```### Integración con Burp Suite
```bash
# Generate URLs for Nuclei scanning
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
--hc 404 \
--format "%u" \
http://target.com/FUZZ > discovered_urls.txt
# Run Nuclei on discovered URLs
nuclei -l discovered_urls.txt -t /path/to/nuclei-templates/
```### Integración con OWASP ZAP
```bash
# Reduce request rate
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
--req-delay 2 \
--conn-delay 1 \
-t 5 \
--hc 404 \
http://target.com/FUZZ
# Random delay
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
--req-delay 1-3 \
--hc 404 \
http://target.com/FUZZ
```### Integración con Nuclei
```bash
# Ignore SSL certificate errors
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
--hc 404 \
--insecure \
https://target.com/FUZZ
# Specify SSL version
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
--hc 404 \
--ssl-version TLSv1.2 \
https://target.com/FUZZ
```## Resolución de Problemas
```bash
# Reduce concurrent threads
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
-t 10 \
--hc 404 \
http://target.com/FUZZ
# Use smaller wordlists
wfuzz -c -w /usr/share/wordlists/dirb/small.txt \
--hc 404 \
http://target.com/FUZZ
```### Problemas Comunes
```bash
# Increase timeout
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
--conn-delay 5 \
--req-delay 2 \
--hc 404 \
http://target.com/FUZZ
# Retry failed requests
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
--retry 3 \
--hc 404 \
http://target.com/FUZZ
```#### Limitación de Tasa
https://wfuzz.readthedocs.io/#### Problemas de SSL/TLS
https://github.com/xmendez/wfuzz#### Problemas de Memoria
https://owasp.org/www-project-web-security-testing-guide/#### Problemas de Red
https://github.com/danielmiessler/SecLists## Recursos
https://owasp.org/www-project-web-security-testing-guide/- [Documentación Oficial de Wfuzz](https://portswigger.net/burp/documentation)https://www.sans.org/white-papers/2178/- [Repositorio de GitHub de Wfuzz](