# Wfuzz Cheat Sheet

## Overview

Wfuzz is a web application fuzzer designed to make web application assessments easier. It can be used to find unlinked resources (directories, servlets, scripts, etc.), brute-force GET and POST parameters, brute-force form parameters (user/password), fuzz inputs, and more. Wfuzz is a powerful tool for discovering hidden content, testing for vulnerabilities, and carrying out thorough web application security assessments.

⚠️ Warning: Use Wfuzz only on applications you own or have explicit permission to test. Unauthorized testing may violate terms of service or local laws.
## Installation

### Python Package Installation

```bash
# Install via pip
pip install wfuzz

# Install with all dependencies (quoted so the shell does not expand the brackets)
pip install "wfuzz[complete]"

# Install development version
pip install git+https://github.com/xmendez/wfuzz.git

# Verify installation
wfuzz --version
```
### System Package Installation

```bash
# Ubuntu/Debian
sudo apt update
sudo apt install wfuzz

# CentOS/RHEL/Fedora
sudo yum install wfuzz
# or
sudo dnf install wfuzz

# Arch Linux
sudo pacman -S wfuzz

# macOS with Homebrew
brew install wfuzz
```
### Docker Installation

```bash
# Pull Docker image
docker pull ghcr.io/xmendez/wfuzz:latest

# Run with Docker
docker run --rm -it ghcr.io/xmendez/wfuzz:latest --help

# Create alias for easier usage (mounts the current directory as /data for wordlists and output)
echo 'alias wfuzz="docker run --rm -it -v $(pwd):/data ghcr.io/xmendez/wfuzz:latest"' >> ~/.bashrc
source ~/.bashrc
```
### Manual Installation

```bash
# Clone repository
git clone https://github.com/xmendez/wfuzz.git
cd wfuzz

# Install dependencies
pip install -r requirements.txt

# Install
python setup.py install

# Or run directly
python wfuzz.py --help
```
## Basic Usage

### Directory and File Discovery

```bash
# Basic directory fuzzing (-c colours output, --hc 404 hides "not found" responses)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ

# File extension fuzzing (first wordlist fills FUZZ, second fills FUZ2Z)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -w /usr/share/wordlists/wfuzz/extensions/extensions.txt --hc 404 http://target.com/FUZZ.FUZ2Z

# Subdirectory fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/admin/FUZZ

# Multiple directory levels (every combination of both wordlists is requested)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ/FUZ2Z

# Backup file discovery
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ.bak
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ~
```
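Seen from the server side, the directory discovery above leaves a characteristic trace: one client requesting many distinct, dictionary-like paths in a few seconds, most of them answered with 404. The following added example (not part of the original cheat sheet) parses constructed access-log lines in the common "combined" format and flags clients whose traffic fits that pattern or that announce themselves with a `Wfuzz/<version>` User-Agent (wfuzz's default unless overridden; the exact version string in the sample is made up). Addresses come from documentation ranges and the thresholds are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<code>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: one normal visitor and one client running a directory scan.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2024:13:55:30 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2024:13:55:36 +0000] "GET /admin HTTP/1.1" 404 1234 "-" "Wfuzz/3.1.0"
203.0.113.10 - - [10/Oct/2024:13:55:36 +0000] "GET /administrator HTTP/1.1" 404 1234 "-" "Wfuzz/3.1.0"
203.0.113.10 - - [10/Oct/2024:13:55:36 +0000] "GET /backup HTTP/1.1" 404 1234 "-" "Wfuzz/3.1.0"
203.0.113.10 - - [10/Oct/2024:13:55:37 +0000] "GET /config HTTP/1.1" 404 1234 "-" "Wfuzz/3.1.0"
203.0.113.10 - - [10/Oct/2024:13:55:37 +0000] "GET /.git HTTP/1.1" 403 299 "-" "Wfuzz/3.1.0"
203.0.113.10 - - [10/Oct/2024:13:55:37 +0000] "GET /api HTTP/1.1" 301 0 "-" "Wfuzz/3.1.0"
203.0.113.10 - - [10/Oct/2024:13:55:38 +0000] "GET /dev HTTP/1.1" 404 1234 "-" "Wfuzz/3.1.0"
203.0.113.10 - - [10/Oct/2024:13:55:38 +0000] "GET /test HTTP/1.1" 404 1234 "-" "Wfuzz/3.1.0"
198.51.100.7 - - [10/Oct/2024:13:56:02 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:13:57:10 +0000] "GET /missing HTTP/1.1" 404 1234 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["code"] = int(e["code"])
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def flag_fuzzing(entries, window_seconds=10, min_requests=5, min_miss_ratio=0.5):
    """Return {ip: [reasons]} for clients whose traffic looks like content discovery:
    a burst of requests to distinct paths inside a short window where most answers
    are 404, or a User-Agent that names a known fuzzer. Thresholds are assumptions."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, reqs in by_ip.items():
        reasons = []
        reqs.sort(key=lambda e: e["ts"])
        if any(e["ua"].lower().startswith("wfuzz") for e in reqs):
            reasons.append("fuzzer user-agent")
        # Slide a window over the sorted requests and look for a dense run of misses
        # to distinct paths (a real user re-requests the same pages; a wordlist does not).
        for start in range(len(reqs)):
            t0 = reqs[start]["ts"]
            window = [e for e in reqs[start:] if (e["ts"] - t0).total_seconds() <= window_seconds]
            misses = sum(1 for e in window if e["code"] == 404)
            distinct = len({e["path"] for e in window})
            if (len(window) >= min_requests and misses / len(window) >= min_miss_ratio
                    and distinct == len(window)):
                reasons.append(f"{len(window)} requests / {misses} misses within {window_seconds}s")
                break
        if reasons:
            alerts[ip] = reasons
    return alerts


if __name__ == "__main__":
    for ip, why in flag_fuzzing(parse_log(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(why))
```

The User-Agent check is the cheap signal and the first thing an operator changes, so the burst-of-misses rule is the one worth keeping in a detection pipeline; the visitor who hits one 404 in two minutes stays below both thresholds.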
### Parameter Fuzzing

```bash
# GET parameter fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt "http://target.com/search.php?q=FUZZ"

# POST parameter fuzzing (-d sends the body and switches the method to POST)
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -d "username=admin&password=FUZZ" http://target.com/login.php

# Multiple parameter fuzzing (parameter name from the first wordlist, value from the second)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -w /usr/share/wordlists/dirb/common.txt "http://target.com/search.php?FUZZ=FUZ2Z"

# Header fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -H "X-Forwarded-For: FUZZ" http://target.com/

# Cookie fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -b "sessionid=FUZZ" http://target.com/
```
### Subdomain Discovery

```bash
# Subdomain enumeration (the Host header is fuzzed; the connection always goes to target.com)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Host: FUZZ.target.com" --hc 404 http://target.com/

# Subdomain with custom wordlist
wfuzz -c -w subdomains.txt -H "Host: FUZZ.target.com" --hc 404 http://target.com/

# Virtual host discovery
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Host: FUZZ" --hc 404 http://192.168.1.100/
```
## Advanced Usage

### Authentication and Sessions

```bash
# Basic authentication
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --basic admin:password --hc 404 http://target.com/FUZZ

# Cookie-based authentication
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -b "PHPSESSID=abc123; auth=true" --hc 404 http://target.com/FUZZ

# Custom headers for authentication
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Authorization: Bearer token123" --hc 404 http://target.com/FUZZ

# Session-based fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Cookie: session=valid_session_id" --hc 404 http://target.com/FUZZ
```
### Advanced Filtering

```bash
# Hide specific response codes
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404,403,500 http://target.com/FUZZ

# Hide responses of a specific size (in chars)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hh 1234 http://target.com/FUZZ

# Hide responses with a specific word count
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hw 100 http://target.com/FUZZ

# Hide responses with a specific line count
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hl 50 http://target.com/FUZZ

# Show only specific response codes
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --sc 200,301,302 http://target.com/FUZZ

# Complex filtering (a response is hidden if any of the hide conditions matches)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 --hh 1234 --hw 100 http://target.com/FUZZ
```
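The hide and show options above are easiest to reason about as set operations over the per-response counters. The following added example (not part of the original cheat sheet, and not wfuzz's own filtering code) models `--hc/--hh/--hw/--hl` and `--sc` over a constructed result set shaped like the objects wfuzz's JSON printer writes (the field names `code`, `chars`, `lines`, `words`, `url` are assumed to match that printer). It also shows the usual baseline trick, hiding whatever a probe for a random name returns, and why hiding on size alone is risky: a 500 that happens to be the same length as the 404 page disappears with it.

```python
import json

# Constructed sample: six results as the json printer would record them (values made up).
SAMPLE_RESULTS = json.loads("""
[
  {"code": 404, "chars": 1234, "lines": 50,  "words": 100, "url": "http://target.com/zzz"},
  {"code": 404, "chars": 1234, "lines": 50,  "words": 100, "url": "http://target.com/qqq"},
  {"code": 200, "chars": 5120, "lines": 120, "words": 640, "url": "http://target.com/admin"},
  {"code": 301, "chars": 0,    "lines": 0,   "words": 0,   "url": "http://target.com/api"},
  {"code": 403, "chars": 299,  "lines": 11,  "words": 30,  "url": "http://target.com/.git"},
  {"code": 500, "chars": 1234, "lines": 50,  "words": 100, "url": "http://target.com/debug"}
]
""")


def hide(results, hc=(), hh=(), hw=(), hl=()):
    """Model of --hc/--hh/--hw/--hl: a result is dropped when its code, chars,
    words or lines matches ANY of the listed values."""
    return [
        r for r in results
        if r["code"] not in hc and r["chars"] not in hh
        and r["words"] not in hw and r["lines"] not in hl
    ]


def show(results, sc=()):
    """Model of --sc: keep only results whose status code is listed."""
    return [r for r in results if r["code"] in sc]


def signature(r):
    """The tuple compared when deciding that two responses are 'the same page'."""
    return (r["code"], r["chars"], r["words"], r["lines"])


def hide_baseline(results, baseline):
    """Drop only results matching the baseline on code AND chars AND words AND lines.
    Unlike --hh 1234, this keeps the 500 at /debug even though it is 1234 chars long."""
    base = signature(baseline)
    return [r for r in results if signature(r) != base]


def urls(results):
    return [r["url"] for r in results]


if __name__ == "__main__":
    # The first 404 stands in for a probe of a random, surely non-existent name.
    print("--hc 404      ->", urls(hide(SAMPLE_RESULTS, hc=(404,))))
    print("--hh 1234     ->", urls(hide(SAMPLE_RESULTS, hh=(1234,))))
    print("baseline sig  ->", urls(hide_baseline(SAMPLE_RESULTS, SAMPLE_RESULTS[0])))
    print("--sc 200,301  ->", urls(show(SAMPLE_RESULTS, sc=(200, 301, 302))))
```

When the "not found" page is dynamic (its length varies per request), neither size nor the full signature is stable; hiding on `--hc 404` plus a word or line count is then the more reliable choice, which is what the `--hw`/`--hl` options exist for.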
### Proxy and Network Options

```bash
# Use HTTP proxy
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -p 127.0.0.1:8080 --hc 404 http://target.com/FUZZ

# Use SOCKS proxy (-p takes ip:port:type)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -p 127.0.0.1:9050:SOCKS5 --hc 404 http://target.com/FUZZ

# Custom timeouts: --conn-delay is the seconds to wait for a connection, --req-delay the
# seconds to wait for a response (they are timeouts, not pauses between requests)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --conn-delay 2 --req-delay 1 --hc 404 http://target.com/FUZZ

# Concurrent connections
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -t 50 --hc 404 http://target.com/FUZZ

# Follow redirects
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -L --hc 404 http://target.com/FUZZ
```
## Wordlists and Payloads

### Common Wordlists

```text
# Directory wordlists
/usr/share/wordlists/dirb/common.txt
/usr/share/wordlists/dirb/big.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# File wordlists
/usr/share/wordlists/wfuzz/general/common.txt
/usr/share/wordlists/wfuzz/general/admin-panels.txt
/usr/share/wordlists/wfuzz/general/megabeast.txt

# Parameter wordlists
/usr/share/wordlists/wfuzz/Injections/SQL.txt
/usr/share/wordlists/wfuzz/Injections/XSS.txt
/usr/share/wordlists/wfuzz/Injections/Traversal.txt

# Subdomain wordlists
/usr/share/wordlists/wfuzz/general/subdomains-top1mil-5000.txt
/usr/share/wordlists/wfuzz/general/subdomains-top1mil-20000.txt
```
### Custom Wordlist Creation

```bash
# Create custom wordlist
cat > custom_dirs.txt << 'EOF'
admin
administrator
panel
dashboard
control
manage
backend
api
v1
v2
test
dev
staging
EOF

# Use custom wordlist
wfuzz -c -w custom_dirs.txt --hc 404 http://target.com/FUZZ

# Combine wordlists
cat /usr/share/wordlists/dirb/common.txt custom_dirs.txt > combined.txt
wfuzz -c -w combined.txt --hc 404 http://target.com/FUZZ
```
### Payload Generators

```bash
# Range payload
wfuzz -c -z range,1-100 --hc 404 http://target.com/user/FUZZ

# List payload (items separated by "-")
wfuzz -c -z list,admin-test-guest --hc 404 http://target.com/FUZZ

# File payload (equivalent to -w)
wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ

# Hexrange payload
wfuzz -c -z hexrange,0x00-0xFF --hc 404 http://target.com/id/FUZZ

# Date payload: FUZZ = year, FUZ2Z = month, FUZ3Z = day, combined as a full product
wfuzz -c -z range,2020-2024 -z range,01-12 -z range,01-31 --hc 404 "http://target.com/backup/FUZ2Z-FUZ3Z-FUZZ.sql"
```
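Several `-z` payloads are combined before any request goes out, and the size of that combination is what decides how long a run takes and how noisy it is. The following added example (not part of the original cheat sheet, and not wfuzz's own payload code) re-implements the `range`, `hexrange` and `list` generators and the three iterators wfuzz selects with `-m product|zip|chain` (product is the default), then substitutes the `FUZZ`/`FUZ2Z`/`FUZ3Z` markers into a URL template. Zero padding (`01-12` yielding `01` ... `12`) and lowercase hex output are this example's conventions; the date command above expands to 1860 requests.

```python
import itertools
import re

# FUZZ is payload 1, FUZ2Z payload 2, FUZ3Z payload 3 ... (wfuzz's marker numbering)
MARKER = re.compile(r"FUZ(\d*)Z")


def payload_range(spec):
    """'1-100' -> '1' ... '100'. A zero-padded lower bound ('01-12') keeps its width."""
    lo, hi = spec.split("-")
    return [str(n).zfill(len(lo)) for n in range(int(lo), int(hi) + 1)]


def payload_hexrange(spec):
    """'0x00-0xFF' -> '00' ... 'ff' (lowercase, padded to the lower bound's width)."""
    lo, hi = (s.lower()[2:] if s.lower().startswith("0x") else s.lower() for s in spec.split("-"))
    return [format(n, "x").zfill(len(lo)) for n in range(int(lo, 16), int(hi, 16) + 1)]


def payload_list(spec):
    """'admin-test-guest' -> ['admin', 'test', 'guest'] (the list payload's '-' separator)."""
    return spec.split("-")


def combine(payloads, mode="product"):
    """The three ways several payloads are combined (-m product|zip|chain):
    product tries every combination, zip pairs values positionally,
    chain feeds every payload's values one after another into FUZZ alone."""
    if mode == "product":
        return list(itertools.product(*payloads))
    if mode == "zip":
        return list(zip(*payloads))
    if mode == "chain":
        return [(value,) for payload in payloads for value in payload]
    raise ValueError(f"unknown iterator: {mode}")


def expand(template, payloads, mode="product"):
    """Substitute FUZZ/FUZ2Z/... in template for every combination from combine()."""
    out = []
    for combo in combine(payloads, mode):
        def substitute(m, combo=combo):
            idx = int(m.group(1)) - 1 if m.group(1) else 0
            return combo[idx]
        out.append(MARKER.sub(substitute, template))
    return out


def date_backup_urls():
    """The cheat sheet's date example: 5 years x 12 months x 31 days = 1860 URLs."""
    return expand("http://target.com/backup/FUZ2Z-FUZ3Z-FUZZ.sql",
                  [payload_range("2020-2024"), payload_range("01-12"), payload_range("01-31")])


if __name__ == "__main__":
    urls = date_backup_urls()
    print(len(urls), "requests; first:", urls[0], "last:", urls[-1])
    print(expand("FUZZ:FUZ2Z", [["a", "b"], ["1", "2"]], mode="zip"))
```

Counting the expansion before running it is worth the few seconds: with `product` every extra wordlist multiplies the request count, so a third `-w` on a 4,600-line list turns a quick scan into billions of requests, while `zip` keeps it at the length of the shortest payload.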
## Specialized Techniques

### SQL Injection Testing

```bash
# Basic SQL injection fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt "http://target.com/search.php?id=FUZZ"

# Time-based SQL injection
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt --filter "r.elapsed>5" "http://target.com/search.php?id=FUZZ"

# Error-based SQL injection (=~ is the regex operator; a plain ~ is a literal "contains" test)
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt --filter "r.content=~'error|mysql|sql'" "http://target.com/search.php?id=FUZZ"

# POST SQL injection
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -d "username=admin&password=FUZZ" --filter "r.content=~'welcome|dashboard'" http://target.com/login.php
```
### XSS Testing

```bash
# Reflected XSS testing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/XSS.txt "http://target.com/search.php?q=FUZZ"

# XSS in POST parameters
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/XSS.txt -d "comment=FUZZ" http://target.com/comment.php

# XSS filter bypass (show only responses that reflect the payload unencoded)
wfuzz -c -w xss_payloads.txt --filter "r.content~'<script>'" "http://target.com/search.php?q=FUZZ"

# DOM XSS testing (the fragment after # is never sent to the server, so the response
# only reveals the page's script, not whether the payload was handled)
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/XSS.txt "http://target.com/page.php#FUZZ"
```
### File Upload Testing

```bash
# File extension fuzzing
wfuzz -c -w extensions.txt -d "file=test.FUZZ" --filter "r.content~'uploaded|success'" http://target.com/upload.php

# MIME type fuzzing
wfuzz -c -w mime_types.txt -H "Content-Type: FUZZ" -d @file.txt http://target.com/upload.php

# File upload bypass
wfuzz -c -w bypass_extensions.txt -d "file=shell.FUZZ" http://target.com/upload.php
```
### API Testing

```bash
# API endpoint discovery
wfuzz -c -w api_endpoints.txt --hc 404 http://target.com/api/FUZZ

# API version fuzzing
wfuzz -c -z range,1-10 --hc 404 http://target.com/api/vFUZZ/users

# REST API method fuzzing (-X takes a single method, so the methods go in a second payload)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -z list,GET-POST-PUT-DELETE -X FUZ2Z --hc 404,405 http://target.com/api/FUZZ

# API parameter fuzzing
wfuzz -c -w parameters.txt "http://target.com/api/users?FUZZ=test"

# JSON API fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -H "Content-Type: application/json" -d '{"username":"admin","password":"FUZZ"}' http://target.com/api/login
```
## Output and Reporting

### Output Formats

```bash
# Save to file (-f takes filename,printer; -o selects the printer for standard output)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.txt,raw http://target.com/FUZZ

# JSON output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.json,json http://target.com/FUZZ

# CSV output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.csv,csv http://target.com/FUZZ

# HTML output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.html,html http://target.com/FUZZ

# XML output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.xml,xml http://target.com/FUZZ
```
### Custom Output Format

```bash
# Custom output format
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 --format "ID: %i|Code: %c|Size: %h|URL: %u" http://target.com/FUZZ

# Verbose output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -v http://target.com/FUZZ

# Show request and response
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 --req-delay 1 -v http://target.com/FUZZ
```
## Automation Scripts

### Comprehensive Web Fuzzing Script

```bash
#!/bin/bash
# Comprehensive web application fuzzing script

TARGET="$1"
OUTPUT_DIR="wfuzz_results_$(date +%Y%m%d_%H%M%S)"

if [ -z "$TARGET" ]; then
    echo "Usage: $0 <target>"
    exit 1
fi

mkdir -p "$OUTPUT_DIR"
echo "[+] Starting comprehensive web fuzzing for: $TARGET"

# Directory discovery
echo "[+] Directory discovery..."
wfuzz -c -w /usr/share/wordlists/dirb/big.txt \
    --hc 404,403 \
    -f "$OUTPUT_DIR/directories.json,json" \
    "$TARGET/FUZZ" 2>/dev/null

# File discovery
echo "[+] File discovery..."
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -w /usr/share/wordlists/wfuzz/general/extensions.txt \
    --hc 404,403 \
    -f "$OUTPUT_DIR/files.json,json" \
    "$TARGET/FUZZ.FUZ2Z" 2>/dev/null

# Backup file discovery (wfuzz takes one URL, so the suffixes form a second payload)
echo "[+] Backup file discovery..."
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -z "list,.bak-.old-~" \
    --hc 404,403 \
    -f "$OUTPUT_DIR/backups.json,json" \
    "$TARGET/FUZZFUZ2Z" 2>/dev/null

# Admin panel discovery
echo "[+] Admin panel discovery..."
wfuzz -c -w /usr/share/wordlists/wfuzz/general/admin-panels.txt \
    --hc 404,403 \
    -f "$OUTPUT_DIR/admin_panels.json,json" \
    "$TARGET/FUZZ" 2>/dev/null

# Parameter discovery
echo "[+] Parameter discovery..."
wfuzz -c -w /usr/share/wordlists/wfuzz/general/common.txt \
    --hc 404 \
    -f "$OUTPUT_DIR/parameters.json,json" \
    "$TARGET/?FUZZ=test" 2>/dev/null

echo "[+] Fuzzing completed. Results saved to: $OUTPUT_DIR"

# Generate summary (unquoted heredoc so $OUTPUT_DIR is expanded by the shell)
echo "[+] Generating summary..."
python3 << EOF
import json
import os

results_dir = "$OUTPUT_DIR"
summary = {}

for filename in os.listdir(results_dir):
    if filename.endswith('.json'):
        with open(os.path.join(results_dir, filename), 'r') as f:
            try:
                data = json.load(f)
                category = filename.replace('.json', '')
                summary[category] = len(data)
            except Exception:
                # An empty or unfinished run leaves an invalid JSON file; count it as zero
                summary[filename] = 0

print("\n=== FUZZING SUMMARY ===")
for category, count in summary.items():
    print(f"{category}: {count} results")

with open(os.path.join(results_dir, 'summary.json'), 'w') as f:
    json.dump(summary, f, indent=2)
EOF
```
### API Fuzzing Script

```bash
#!/bin/bash
# API endpoint fuzzing script

API_BASE="$1"
OUTPUT_DIR="api_fuzz_$(date +%Y%m%d_%H%M%S)"

if [ -z "$API_BASE" ]; then
    echo "Usage: $0 <api_base_url>"
    exit 1
fi

mkdir -p "$OUTPUT_DIR"
echo "[+] Starting API fuzzing for: $API_BASE"

# API endpoint discovery
echo "[+] API endpoint discovery..."
wfuzz -c -w /usr/share/wordlists/wfuzz/general/common.txt \
    --hc 404,405 \
    -f "$OUTPUT_DIR/endpoints.json,json" \
    "$API_BASE/FUZZ" 2>/dev/null

# API version discovery (prefix and number as two payloads, since wfuzz takes one URL)
echo "[+] API version discovery..."
wfuzz -c -z range,1-10 \
    -z list,v-api \
    --hc 404,405 \
    -f "$OUTPUT_DIR/versions.json,json" \
    "$API_BASE/FUZ2ZFUZZ" 2>/dev/null

# Common API paths
echo "[+] Common API paths..."
cat > api_paths.txt << 'EOF'
users
user
admin
auth
login
logout
register
profile
settings
config
status
health
version
docs
swagger
api-docs
EOF

wfuzz -c -w api_paths.txt \
    --hc 404,405 \
    -f "$OUTPUT_DIR/api_paths.json,json" \
    "$API_BASE/FUZZ" 2>/dev/null

# HTTP methods testing (-X takes a single method, so the methods form a second payload)
echo "[+] HTTP methods testing..."
wfuzz -c -w api_paths.txt \
    -z list,GET-POST-PUT-DELETE-PATCH-OPTIONS-HEAD \
    -X FUZ2Z \
    --hc 404 \
    -f "$OUTPUT_DIR/methods.json,json" \
    "$API_BASE/FUZZ" 2>/dev/null

rm api_paths.txt
echo "[+] API fuzzing completed. Results saved to: $OUTPUT_DIR"
```
### Subdomain Fuzzing Script

```bash
#!/bin/bash
# Subdomain discovery script

DOMAIN="$1"
OUTPUT_DIR="subdomain_fuzz_$(date +%Y%m%d_%H%M%S)"

if [ -z "$DOMAIN" ]; then
    echo "Usage: $0 <domain>"
    exit 1
fi

mkdir -p "$OUTPUT_DIR"
echo "[+] Starting subdomain fuzzing for: $DOMAIN"

# Common subdomains (--hh 0 hides empty responses, typical for unknown virtual hosts)
echo "[+] Common subdomain fuzzing..."
wfuzz -c -w /usr/share/wordlists/wfuzz/general/subdomains-top1mil-5000.txt \
    -H "Host: FUZZ.$DOMAIN" \
    --hc 404 \
    --hh 0 \
    -f "$OUTPUT_DIR/subdomains.json,json" \
    "http://$DOMAIN/" 2>/dev/null

# Development subdomains
echo "[+] Development subdomain fuzzing..."
cat > dev_subdomains.txt << 'EOF'
dev
test
staging
beta
alpha
demo
sandbox
lab
qa
uat
pre
preprod
prod
www
mail
ftp
admin
api
app
mobile
m
blog
shop
store
portal
dashboard
EOF

wfuzz -c -w dev_subdomains.txt \
    -H "Host: FUZZ.$DOMAIN" \
    --hc 404 \
    --hh 0 \
    -f "$OUTPUT_DIR/dev_subdomains.json,json" \
    "http://$DOMAIN/" 2>/dev/null

rm dev_subdomains.txt
echo "[+] Subdomain fuzzing completed. Results saved to: $OUTPUT_DIR"
```
## Integration with Other Tools

### Burp Suite Integration

```bash
# Use Burp as proxy
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -p 127.0.0.1:8080 \
    --hc 404 \
    http://target.com/FUZZ

# Export results for Burp analysis
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    --hc 404 \
    -f burp_targets.txt,raw \
    http://target.com/FUZZ
```
### OWASP ZAP Integration

```bash
# Use ZAP as proxy
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -p 127.0.0.1:8080 \
    --hc 404 \
    http://target.com/FUZZ

# Generate ZAP-compatible URLs
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    --hc 404 \
    --format "%u" \
    http://target.com/FUZZ > zap_urls.txt
```
### Nuclei Integration

```bash
# Generate URLs for Nuclei scanning
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    --hc 404 \
    --format "%u" \
    http://target.com/FUZZ > discovered_urls.txt

# Run Nuclei on discovered URLs
nuclei -l discovered_urls.txt -t /path/to/nuclei-templates/
```
## Troubleshooting

### Common Issues

#### Rate Limiting

```bash
# Reduce request rate: -s sleeps N seconds between requests and -t limits concurrent
# connections (--req-delay/--conn-delay are response/connection timeouts, not pauses)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -s 2 \
    -t 5 \
    --hc 404 \
    http://target.com/FUZZ

# Slower still: a single connection with a longer pause (-s takes one number, not a range)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -s 3 \
    -t 1 \
    --hc 404 \
    http://target.com/FUZZ
```
#### SSL/TLS Issues

```bash
# Ignore SSL certificate errors
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    --hc 404 \
    --insecure \
    https://target.com/FUZZ

# Specify SSL version
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    --hc 404 \
    --ssl-version TLSv1.2 \
    https://target.com/FUZZ
```
#### Memory Issues

```bash
# Reduce concurrent threads
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -t 10 \
    --hc 404 \
    http://target.com/FUZZ

# Use smaller wordlists
wfuzz -c -w /usr/share/wordlists/dirb/small.txt \
    --hc 404 \
    http://target.com/FUZZ
```
#### Network Issues

```bash
# Increase timeouts (seconds to wait for a connection / for a response)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    --conn-delay 5 \
    --req-delay 2 \
    --hc 404 \
    http://target.com/FUZZ

# Retry failed requests
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    --retry 3 \
    --hc 404 \
    http://target.com/FUZZ
```

## Resources

- Official Wfuzz documentation: https://wfuzz.readthedocs.io/
- Wfuzz GitHub repository: https://github.com/xmendez/wfuzz
- OWASP Web Security Testing Guide: https://owasp.org/www-project-web-security-testing-guide/
- SecLists wordlists: https://github.com/danielmiessler/SecLists
- SANS white paper 2178: https://www.sans.org/white-papers/2178/