Wfuzz Cheat Sheet¶
Panoramica¶
Wfuzz è un web application fuzzer progettato per facilitare le valutazioni di applicazioni web. Può essere utilizzato per trovare risorse non collegate (directory, servlet, script, ecc.), effettuare bruteforce di parametri GET e POST, bruteforce di parametri di Form (Utente/Password), Fuzzing, ecc. Wfuzz è un potente strumento per scoprire contenuti nascosti, testare vulnerabilità e condurre valutazioni complete di sicurezza delle applicazioni web.
⚠️ Avvertenza: Utilizzare Wfuzz solo su applicazioni di proprietà o per le quali si ha un esplicito permesso di test. I test non autorizzati possono violare termini di servizio o leggi locali.
Installazione¶
Installazione Pacchetto Python¶
# Install via pip
pip install wfuzz
# Install with all dependencies
pip install wfuzz[complete]
# Install development version
pip install git+https://github.com/xmendez/wfuzz.git
# Verify installation
wfuzz --version
Installazione Pacchetto di Sistema¶
# Ubuntu/Debian
sudo apt update
sudo apt install wfuzz
# CentOS/RHEL/Fedora
sudo yum install wfuzz
# or
sudo dnf install wfuzz
# Arch Linux
sudo pacman -S wfuzz
# macOS with Homebrew
brew install wfuzz
Installazione Docker¶
# Pull Docker image
docker pull ghcr.io/xmendez/wfuzz:latest
# Run with Docker
docker run --rm -it ghcr.io/xmendez/wfuzz:latest --help
# Create alias for easier usage
echo 'alias wfuzz="docker run --rm -it -v $(pwd):/data ghcr.io/xmendez/wfuzz:latest"' >> ~/.bashrc
source ~/.bashrc
Installazione Manuale¶
# Clone repository
git clone https://github.com/xmendez/wfuzz.git
cd wfuzz
# Install dependencies
pip install -r requirements.txt
# Install
python setup.py install
# Or run directly
python wfuzz.py --help
Utilizzo Base¶
Scoperta di Directory e File¶
# Basic directory fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ
# File extension fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -w /usr/share/wordlists/wfuzz/extensions/extensions.txt --hc 404 http://target.com/FUZZ.FUZ2Z
# Subdirectory fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/admin/FUZZ
# Multiple directory levels
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ/FUZ2Z
# Backup file discovery
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ.bak
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ~
Fuzzing di Parametri¶
# GET parameter fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt "http://target.com/search.php?q=FUZZ"
# POST parameter fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -d "username=admin&password=FUZZ" http://target.com/login.php
# Multiple parameter fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -w /usr/share/wordlists/dirb/common.txt "http://target.com/search.php?FUZZ=FUZ2Z"
# Header fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -H "X-Forwarded-For: FUZZ" http://target.com/
# Cookie fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -b "sessionid=FUZZ" http://target.com/
Scoperta Sottodomini¶
# Subdomain enumeration
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Host: FUZZ.target.com" --hc 404 http://target.com/
# Subdomain with custom wordlist
wfuzz -c -w subdomains.txt -H "Host: FUZZ.target.com" --hc 404 http://target.com/
# Virtual host discovery
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Host: FUZZ" --hc 404 http://192.168.1.100/
Utilizzo Avanzato¶
Autenticazione e Sessioni¶
# Basic authentication
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --basic admin:password --hc 404 http://target.com/FUZZ
# Cookie-based authentication
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -b "PHPSESSID=abc123; auth=true" --hc 404 http://target.com/FUZZ
# Custom headers for authentication
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Authorization: Bearer token123" --hc 404 http://target.com/FUZZ
# Session-based fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Cookie: session=valid_session_id" --hc 404 http://target.com/FUZZ
Filtraggio Avanzato¶
# Hide specific response codes
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404,403,500 http://target.com/FUZZ
# Hide specific response sizes
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hh 1234 http://target.com/FUZZ
# Hide responses with specific words
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hw 100 http://target.com/FUZZ
# Hide responses with specific lines
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hl 50 http://target.com/FUZZ
# Show only specific response codes
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --sc 200,301,302 http://target.com/FUZZ
# Complex filtering
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 --hh 1234 --hw 100 http://target.com/FUZZ
Opzioni Proxy e di Rete¶
# Use proxy
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -p 127.0.0.1:8080 --hc 404 http://target.com/FUZZ
# Use SOCKS proxy
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -p 127.0.0.1:9050:SOCKS5 --hc 404 http://target.com/FUZZ
# Custom timeout
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --conn-delay 2 --req-delay 1 --hc 404 http://target.com/FUZZ
# Concurrent connections
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -t 50 --hc 404 http://target.com/FUZZ
# Follow redirects
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -L --hc 404 http://target.com/FUZZ
Wordlist e Payload¶
Wordlist Comuni¶
# Directory wordlists
/usr/share/wordlists/dirb/common.txt
/usr/share/wordlists/dirb/big.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# File wordlists
/usr/share/wordlists/wfuzz/general/common.txt
/usr/share/wordlists/wfuzz/general/admin-panels.txt
/usr/share/wordlists/wfuzz/general/megabeast.txt
# Parameter wordlists
/usr/share/wordlists/wfuzz/Injections/SQL.txt
/usr/share/wordlists/wfuzz/Injections/XSS.txt
/usr/share/wordlists/wfuzz/Injections/Traversal.txt
# Subdomain wordlists
/usr/share/wordlists/wfuzz/general/subdomains-top1mil-5000.txt
/usr/share/wordlists/wfuzz/general/subdomains-top1mil-20000.txt
Creazione di Wordlist Personalizzate¶
# Create custom wordlist
cat > custom_dirs.txt << 'EOF'
admin
administrator
panel
dashboard
control
manage
backend
api
v1
v2
test
dev
staging
EOF
# Use custom wordlist
wfuzz -c -w custom_dirs.txt --hc 404 http://target.com/FUZZ
# Combine wordlists
cat /usr/share/wordlists/dirb/common.txt custom_dirs.txt > combined.txt
wfuzz -c -w combined.txt --hc 404 http://target.com/FUZZ
Generatori di Payload¶
# Range payload
wfuzz -c -z range,1-100 --hc 404 http://target.com/user/FUZZ
# List payload
wfuzz -c -z list,admin-test-guest --hc 404 http://target.com/FUZZ
# File payload
wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ
# Hexrange payload
wfuzz -c -z hexrange,0x00-0xFF --hc 404 http://target.com/id/FUZZ
# Date payload
wfuzz -c -z range,2020-2024 -z range,01-12 -z range,01-31 --hc 404 "http://target.com/backup/FUZ2Z-FUZ3Z-FUZZ.sql"
Tecniche Specializzate¶
Test di SQL Injection¶
# Basic SQL injection fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt "http://target.com/search.php?id=FUZZ"
# Time-based SQL injection
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt --filter "r.elapsed>5" "http://target.com/search.php?id=FUZZ"
# Error-based SQL injection
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt --filter "r.content~'error|mysql|sql'" "http://target.com/search.php?id=FUZZ"
# POST SQL injection
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -d "username=admin&password=FUZZ" --filter "r.content~'welcome|dashboard'" http://target.com/login.php
Test di XSS¶
# Reflected XSS testing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/XSS.txt "http://target.com/search.php?q=FUZZ"
# XSS in parameters
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/XSS.txt -d "comment=FUZZ" http://target.com/comment.php
# XSS filter bypass
wfuzz -c -w xss_payloads.txt --filter "r.content~'<script>'" "http://target.com/search.php?q=FUZZ"
# DOM XSS testing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/XSS.txt "http://target.com/page.php#FUZZ"
Test di Caricamento File¶
# File extension fuzzing
wfuzz -c -w extensions.txt -d "file=test.FUZZ" --filter "r.content~'uploaded|success'" http://target.com/upload.php
# MIME type fuzzing
wfuzz -c -w mime_types.txt -H "Content-Type: FUZZ" -d @file.txt http://target.com/upload.php
# File upload bypass
wfuzz -c -w bypass_extensions.txt -d "file=shell.FUZZ" http://target.com/upload.php
Test di API¶
# API endpoint discovery
wfuzz -c -w api_endpoints.txt --hc 404 http://target.com/api/FUZZ
# API version fuzzing
wfuzz -c -z range,1-10 --hc 404 http://target.com/api/vFUZZ/users
# REST API method fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -X GET,POST,PUT,DELETE --hc 404,405 http://target.com/api/FUZZ
# API parameter fuzzing
wfuzz -c -w parameters.txt "http://target.com/api/users?FUZZ=test"
# JSON API fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -H "Content-Type: application/json" -d '\\\\{"username":"admin","password":"FUZZ"\\\\}' http://target.com/api/login
Output e Reporting¶
Formati di Output¶
# Save to file
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -o output.txt http://target.com/FUZZ
# JSON output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.json,json http://target.com/FUZZ
# CSV output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.csv,csv http://target.com/FUZZ
# HTML output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.html,html http://target.com/FUZZ
# XML output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.xml,xml http://target.com/FUZZ
Formattazione Output Personalizzata¶
Would you like me to continue with the remaining sections or placeholders?```bash
Custom output format¶
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 --format "ID: %i|Code: %c|Size: %h|URL: %u" http://target.com/FUZZ
Verbose output¶
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -v http://target.com/FUZZ
Show request and response¶
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 --req-delay 1 -v http://target.com/FUZZ
## Script di Automazionebash
!/bin/bash¶
Comprehensive web application fuzzing script¶
TARGET="\(1" OUTPUT_DIR="wfuzz_results_\)(date +%Y%m%d_%H%M%S)"
if [ -z "$TARGET" ]; then
echo "Usage: $0
mkdir -p "$OUTPUT_DIR"
echo "[+] Starting comprehensive web fuzzing for: $TARGET"
Directory discovery¶
echo "[+] Directory discovery..." wfuzz -c -w /usr/share/wordlists/dirb/big.txt \ --hc 404,403 \ -f "\(OUTPUT_DIR/directories.json,json" \ "\)TARGET/FUZZ" 2>/dev/null
File discovery¶
echo "[+] File discovery..." wfuzz -c -w /usr/share/wordlists/dirb/common.txt \ -w /usr/share/wordlists/wfuzz/general/extensions.txt \ --hc 404,403 \ -f "\(OUTPUT_DIR/files.json,json" \ "\)TARGET/FUZZ.FUZ2Z" 2>/dev/null
Backup file discovery¶
echo "[+] Backup file discovery..." wfuzz -c -w /usr/share/wordlists/dirb/common.txt \ --hc 404,403 \ -f "\(OUTPUT_DIR/backups.json,json" \ "\)TARGET/FUZZ.bak" "\(TARGET/FUZZ~" "\)TARGET/FUZZ.old" 2>/dev/null
Admin panel discovery¶
echo "[+] Admin panel discovery..." wfuzz -c -w /usr/share/wordlists/wfuzz/general/admin-panels.txt \ --hc 404,403 \ -f "\(OUTPUT_DIR/admin_panels.json,json" \ "\)TARGET/FUZZ" 2>/dev/null
Parameter discovery¶
echo "[+] Parameter discovery..." wfuzz -c -w /usr/share/wordlists/wfuzz/general/common.txt \ --hc 404 \ -f "\(OUTPUT_DIR/parameters.json,json" \ "\)TARGET/?FUZZ=test" 2>/dev/null
echo "[+] Fuzzing completed. Results saved to: $OUTPUT_DIR"
Generate summary¶
echo "[+] Generating summary..." python3 << EOF import json import os
results_dir = "$OUTPUT_DIR" summary = \\{\\}
for filename in os.listdir(results_dir): if filename.endswith('.json'): with open(os.path.join(results_dir, filename), 'r') as f: try: data = json.load(f) category = filename.replace('.json', '') summary[category] = len(data) except: summary[filename] = 0
print("\n=== FUZZING SUMMARY ===") for category, count in summary.items(): print(f"\\{category\\}: \\{count\\} results")
with open(os.path.join(results_dir, 'summary.json'), 'w') as f:
json.dump(summary, f, indent=2)
EOF
### Script di Fuzzing APIbash
!/bin/bash¶
API endpoint fuzzing script¶
API_BASE="\(1" OUTPUT_DIR="api_fuzz_\)(date +%Y%m%d_%H%M%S)"
if [ -z "$API_BASE" ]; then
echo "Usage: $0
mkdir -p "$OUTPUT_DIR"
echo "[+] Starting API fuzzing for: $API_BASE"
API endpoint discovery¶
echo "[+] API endpoint discovery..." wfuzz -c -w /usr/share/wordlists/wfuzz/general/common.txt \ --hc 404,405 \ -f "\(OUTPUT_DIR/endpoints.json,json" \ "\)API_BASE/FUZZ" 2>/dev/null
API version discovery¶
echo "[+] API version discovery..." wfuzz -c -z range,1-10 \ --hc 404,405 \ -f "\(OUTPUT_DIR/versions.json,json" \ "\)API_BASE/vFUZZ" "$API_BASE/apiFUZZ" 2>/dev/null
Common API paths¶
echo "[+] Common API paths..." cat > api_paths.txt << 'EOF' users user admin auth login logout register profile settings config status health version docs swagger api-docs EOF
wfuzz -c -w api_paths.txt \ --hc 404,405 \ -f "\(OUTPUT_DIR/api_paths.json,json" \ "\)API_BASE/FUZZ" 2>/dev/null
HTTP methods testing¶
echo "[+] HTTP methods testing..." wfuzz -c -w api_paths.txt \ -X GET,POST,PUT,DELETE,PATCH,OPTIONS,HEAD \ --hc 404 \ -f "\(OUTPUT_DIR/methods.json,json" \ "\)API_BASE/FUZZ" 2>/dev/null
rm api_paths.txt
echo "[+] API fuzzing completed. Results saved to: $OUTPUT_DIR"
### Script di Fuzzing Sottodominibash
!/bin/bash¶
Subdomain discovery script¶
DOMAIN="\(1" OUTPUT_DIR="subdomain_fuzz_\)(date +%Y%m%d_%H%M%S)"
if [ -z "$DOMAIN" ]; then
echo "Usage: $0
mkdir -p "$OUTPUT_DIR"
echo "[+] Starting subdomain fuzzing for: $DOMAIN"
Common subdomains¶
echo "[+] Common subdomain fuzzing..." wfuzz -c -w /usr/share/wordlists/wfuzz/general/subdomains-top1mil-5000.txt \ -H "Host: FUZZ.\(DOMAIN" \ --hc 404 \ --hh 0 \ -f "\)OUTPUT_DIR/subdomains.json,json" \ "http://$DOMAIN/" 2>/dev/null
Development subdomains¶
echo "[+] Development subdomain fuzzing..." cat > dev_subdomains.txt << 'EOF' dev test staging beta alpha demo sandbox lab qa uat pre preprod prod www mail ftp admin api app mobile m blog shop store portal dashboard EOF
wfuzz -c -w dev_subdomains.txt \ -H "Host: FUZZ.\(DOMAIN" \ --hc 404 \ --hh 0 \ -f "\)OUTPUT_DIR/dev_subdomains.json,json" \ "http://$DOMAIN/" 2>/dev/null
rm dev_subdomains.txt
echo "[+] Subdomain fuzzing completed. Results saved to: $OUTPUT_DIR"
## Integrazione con Altri Strumentibash
Use Burp as proxy¶
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \ -p 127.0.0.1:8080 \ --hc 404 \ http://target.com/FUZZ
Export results for Burp analysis¶
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
--hc 404 \
-f burp_targets.txt,raw \
http://target.com/FUZZ
### Integrazione con Burp Suitebash
Use ZAP as proxy¶
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \ -p 127.0.0.1:8080 \ --hc 404 \ http://target.com/FUZZ
Generate ZAP-compatible URLs¶
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
--hc 404 \
--format "%u" \
http://target.com/FUZZ > zap_urls.txt
### Integrazione con OWASP ZAPbash
Generate URLs for Nuclei scanning¶
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \ --hc 404 \ --format "%u" \ http://target.com/FUZZ > discovered_urls.txt
Run Nuclei on discovered URLs¶
nuclei -l discovered_urls.txt -t /path/to/nuclei-templates/
## Risoluzione dei Problemibash
Reduce request rate¶
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \ --req-delay 2 \ --conn-delay 1 \ -t 5 \ --hc 404 \ http://target.com/FUZZ
Random delay¶
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
--req-delay 1-3 \
--hc 404 \
http://target.com/FUZZ
### Problemi Comunibash
Ignore SSL certificate errors¶
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \ --hc 404 \ --insecure \ https://target.com/FUZZ
Specify SSL version¶
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
--hc 404 \
--ssl-version TLSv1.2 \
https://target.com/FUZZ
#### Limitazione dei Tassibash
Reduce concurrent threads¶
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \ -t 10 \ --hc 404 \ http://target.com/FUZZ
Use smaller wordlists¶
wfuzz -c -w /usr/share/wordlists/dirb/small.txt \
--hc 404 \
http://target.com/FUZZ
#### Problemi SSL/TLSbash
Increase timeout¶
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \ --conn-delay 5 \ --req-delay 2 \ --hc 404 \ http://target.com/FUZZ
Retry failed requests¶
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \ --retry 3 \ --hc 404 \ http://target.com/FUZZ ```#### Problemi di Memoria https://wfuzz.readthedocs.io/###
Problemi di Rete¶
https://github.com/xmendez/wfuzz#
Risorse¶
https://owasp.org/www-project-web-security-testing-guide/- Documentazione Ufficiale di Wfuzzhttps://owasp.org/www-project-web-security-testing-guide/- Repository GitHub di Wfuzzhttps://www.sans.org/white-papers/2178/- [Guida ai Test di Sicurezza delle Applicazioni Web](