Wfuzz Cheat Sheet
Panoramica
Wfuzz è un web application fuzzer progettato per facilitare le valutazioni di applicazioni web. Può essere utilizzato per trovare risorse non collegate (directory, servlet, script, ecc.), effettuare bruteforce di parametri GET e POST, bruteforce di parametri di Form (Utente/Password), Fuzzing, ecc. Wfuzz è un potente strumento per scoprire contenuti nascosti, testare vulnerabilità e condurre valutazioni complete di sicurezza delle applicazioni web.
⚠️ Avvertenza: Utilizzare Wfuzz solo su applicazioni di proprietà o per le quali si ha un esplicito permesso di test. I test non autorizzati possono violare termini di servizio o leggi locali.
Installazione
Installazione Pacchetto Python
# Install via pip
pip install wfuzz
# Install with all dependencies
pip install wfuzz[complete]
# Install development version
pip install git+https://github.com/xmendez/wfuzz.git
# Verify installation
wfuzz --versionInstallazione Pacchetto di Sistema
# Ubuntu/Debian
sudo apt update
sudo apt install wfuzz
# CentOS/RHEL/Fedora
sudo yum install wfuzz
# or
sudo dnf install wfuzz
# Arch Linux
sudo pacman -S wfuzz
# macOS with Homebrew
brew install wfuzzInstallazione Docker
# Pull Docker image
docker pull ghcr.io/xmendez/wfuzz:latest
# Run with Docker
docker run --rm -it ghcr.io/xmendez/wfuzz:latest --help
# Create alias for easier usage
echo 'alias wfuzz="docker run --rm -it -v $(pwd):/data ghcr.io/xmendez/wfuzz:latest"' >> ~/.bashrc
source ~/.bashrcInstallazione Manuale
# Clone repository
git clone https://github.com/xmendez/wfuzz.git
cd wfuzz
# Install dependencies
pip install -r requirements.txt
# Install
python setup.py install
# Or run directly
python wfuzz.py --helpUtilizzo Base
Scoperta di Directory e File
# Basic directory fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ
# File extension fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -w /usr/share/wordlists/wfuzz/extensions/extensions.txt --hc 404 http://target.com/FUZZ.FUZ2Z
# Subdirectory fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/admin/FUZZ
# Multiple directory levels
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ/FUZ2Z
# Backup file discovery
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ.bak
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ~Fuzzing di Parametri
# GET parameter fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt "http://target.com/search.php?q=FUZZ"
# POST parameter fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -d "username=admin&password=FUZZ" http://target.com/login.php
# Multiple parameter fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -w /usr/share/wordlists/dirb/common.txt "http://target.com/search.php?FUZZ=FUZ2Z"
# Header fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -H "X-Forwarded-For: FUZZ" http://target.com/
# Cookie fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -b "sessionid=FUZZ" http://target.com/Scoperta Sottodomini
# Subdomain enumeration
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Host: FUZZ.target.com" --hc 404 http://target.com/
# Subdomain with custom wordlist
wfuzz -c -w subdomains.txt -H "Host: FUZZ.target.com" --hc 404 http://target.com/
# Virtual host discovery
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Host: FUZZ" --hc 404 http://192.168.1.100/Utilizzo Avanzato
Autenticazione e Sessioni
# Basic authentication
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --basic admin:password --hc 404 http://target.com/FUZZ
# Cookie-based authentication
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -b "PHPSESSID=abc123; auth=true" --hc 404 http://target.com/FUZZ
# Custom headers for authentication
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Authorization: Bearer token123" --hc 404 http://target.com/FUZZ
# Session-based fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Cookie: session=valid_session_id" --hc 404 http://target.com/FUZZFiltraggio Avanzato
# Hide specific response codes
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404,403,500 http://target.com/FUZZ
# Hide specific response sizes
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hh 1234 http://target.com/FUZZ
# Hide responses with specific words
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hw 100 http://target.com/FUZZ
# Hide responses with specific lines
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hl 50 http://target.com/FUZZ
# Show only specific response codes
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --sc 200,301,302 http://target.com/FUZZ
# Complex filtering
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 --hh 1234 --hw 100 http://target.com/FUZZOpzioni Proxy e di Rete
# Use proxy
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -p 127.0.0.1:8080 --hc 404 http://target.com/FUZZ
# Use SOCKS proxy
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -p 127.0.0.1:9050:SOCKS5 --hc 404 http://target.com/FUZZ
# Custom timeout
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --conn-delay 2 --req-delay 1 --hc 404 http://target.com/FUZZ
# Concurrent connections
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -t 50 --hc 404 http://target.com/FUZZ
# Follow redirects
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -L --hc 404 http://target.com/FUZZWordlist e Payload
Wordlist Comuni
# Directory wordlists
/usr/share/wordlists/dirb/common.txt
/usr/share/wordlists/dirb/big.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# File wordlists
/usr/share/wordlists/wfuzz/general/common.txt
/usr/share/wordlists/wfuzz/general/admin-panels.txt
/usr/share/wordlists/wfuzz/general/megabeast.txt
# Parameter wordlists
/usr/share/wordlists/wfuzz/Injections/SQL.txt
/usr/share/wordlists/wfuzz/Injections/XSS.txt
/usr/share/wordlists/wfuzz/Injections/Traversal.txt
# Subdomain wordlists
/usr/share/wordlists/wfuzz/general/subdomains-top1mil-5000.txt
/usr/share/wordlists/wfuzz/general/subdomains-top1mil-20000.txtCreazione di Wordlist Personalizzate
# Create custom wordlist
cat > custom_dirs.txt << 'EOF'
admin
administrator
panel
dashboard
control
manage
backend
api
v1
v2
test
dev
staging
EOF
# Use custom wordlist
wfuzz -c -w custom_dirs.txt --hc 404 http://target.com/FUZZ
# Combine wordlists
cat /usr/share/wordlists/dirb/common.txt custom_dirs.txt > combined.txt
wfuzz -c -w combined.txt --hc 404 http://target.com/FUZZGeneratori di Payload
# Range payload
wfuzz -c -z range,1-100 --hc 404 http://target.com/user/FUZZ
# List payload
wfuzz -c -z list,admin-test-guest --hc 404 http://target.com/FUZZ
# File payload
wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ
# Hexrange payload
wfuzz -c -z hexrange,0x00-0xFF --hc 404 http://target.com/id/FUZZ
# Date payload
wfuzz -c -z range,2020-2024 -z range,01-12 -z range,01-31 --hc 404 "http://target.com/backup/FUZ2Z-FUZ3Z-FUZZ.sql"Tecniche Specializzate
Test di SQL Injection
# Basic SQL injection fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt "http://target.com/search.php?id=FUZZ"
# Time-based SQL injection
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt --filter "r.elapsed>5" "http://target.com/search.php?id=FUZZ"
# Error-based SQL injection
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt --filter "r.content~'error|mysql|sql'" "http://target.com/search.php?id=FUZZ"
# POST SQL injection
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -d "username=admin&password=FUZZ" --filter "r.content~'welcome|dashboard'" http://target.com/login.phpTest di XSS
# Reflected XSS testing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/XSS.txt "http://target.com/search.php?q=FUZZ"
# XSS in parameters
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/XSS.txt -d "comment=FUZZ" http://target.com/comment.php
# XSS filter bypass
wfuzz -c -w xss_payloads.txt --filter "r.content~'<script>'" "http://target.com/search.php?q=FUZZ"
# DOM XSS testing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/XSS.txt "http://target.com/page.php#FUZZ"Test di Caricamento File
# File extension fuzzing
wfuzz -c -w extensions.txt -d "file=test.FUZZ" --filter "r.content~'uploaded|success'" http://target.com/upload.php
# MIME type fuzzing
wfuzz -c -w mime_types.txt -H "Content-Type: FUZZ" -d @file.txt http://target.com/upload.php
# File upload bypass
wfuzz -c -w bypass_extensions.txt -d "file=shell.FUZZ" http://target.com/upload.phpTest di API
# API endpoint discovery
wfuzz -c -w api_endpoints.txt --hc 404 http://target.com/api/FUZZ
# API version fuzzing
wfuzz -c -z range,1-10 --hc 404 http://target.com/api/vFUZZ/users
# REST API method fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -X GET,POST,PUT,DELETE --hc 404,405 http://target.com/api/FUZZ
# API parameter fuzzing
wfuzz -c -w parameters.txt "http://target.com/api/users?FUZZ=test"
# JSON API fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -H "Content-Type: application/json" -d '\\\\{"username":"admin","password":"FUZZ"\\\\}' http://target.com/api/loginOutput e Reporting
Formati di Output
# Save to file
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -o output.txt http://target.com/FUZZ
# JSON output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.json,json http://target.com/FUZZ
# CSV output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.csv,csv http://target.com/FUZZ
# HTML output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.html,html http://target.com/FUZZ
# XML output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.xml,xml http://target.com/FUZZFormattazione Output Personalizzata
Would you like me to continue with the remaining sections or placeholders?```bash
Custom output format
wfuzz -c -w /usr/share/wordlists/dirb/common.txt —hc 404 —format “ID: %i|Code: %c|Size: %h|URL: %u” http://target.com/FUZZ
Verbose output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt —hc 404 -v http://target.com/FUZZ
Show request and response
wfuzz -c -w /usr/share/wordlists/dirb/common.txt —hc 404 —req-delay 1 -v http://target.com/FUZZ
```bash
#!/bin/bash
# Comprehensive web application fuzzing script
TARGET="$1"
OUTPUT_DIR="wfuzz_results_$(date +%Y%m%d_%H%M%S)"
if [ -z "$TARGET" ]; then
echo "Usage: $0 <target_url>"
exit 1
fi
mkdir -p "$OUTPUT_DIR"
echo "[+] Starting comprehensive web fuzzing for: $TARGET"
# Directory discovery
echo "[+] Directory discovery..."
wfuzz -c -w /usr/share/wordlists/dirb/big.txt \
--hc 404,403 \
-f "$OUTPUT_DIR/directories.json,json" \
"$TARGET/FUZZ" 2>/dev/null
# File discovery
echo "[+] File discovery..."
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
-w /usr/share/wordlists/wfuzz/general/extensions.txt \
--hc 404,403 \
-f "$OUTPUT_DIR/files.json,json" \
"$TARGET/FUZZ.FUZ2Z" 2>/dev/null
# Backup file discovery
echo "[+] Backup file discovery..."
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
--hc 404,403 \
-f "$OUTPUT_DIR/backups.json,json" \
"$TARGET/FUZZ.bak" "$TARGET/FUZZ~" "$TARGET/FUZZ.old" 2>/dev/null
# Admin panel discovery
echo "[+] Admin panel discovery..."
wfuzz -c -w /usr/share/wordlists/wfuzz/general/admin-panels.txt \
--hc 404,403 \
-f "$OUTPUT_DIR/admin_panels.json,json" \
"$TARGET/FUZZ" 2>/dev/null
# Parameter discovery
echo "[+] Parameter discovery..."
wfuzz -c -w /usr/share/wordlists/wfuzz/general/common.txt \
--hc 404 \
-f "$OUTPUT_DIR/parameters.json,json" \
"$TARGET/?FUZZ=test" 2>/dev/null
echo "[+] Fuzzing completed. Results saved to: $OUTPUT_DIR"
# Generate summary
echo "[+] Generating summary..."
python3 << EOF
import json
import os
results_dir = "$OUTPUT_DIR"
summary = \\\\{\\\\}
for filename in os.listdir(results_dir):
if filename.endswith('.json'):
with open(os.path.join(results_dir, filename), 'r') as f:
try:
data = json.load(f)
category = filename.replace('.json', '')
summary[category] = len(data)
except:
summary[filename] = 0
print("\\n=== FUZZING SUMMARY ===")
for category, count in summary.items():
print(f"\\\\{category\\\\}: \\\\{count\\\\} results")
with open(os.path.join(results_dir, 'summary.json'), 'w') as f:
json.dump(summary, f, indent=2)
EOF
```### Script di Fuzzing API
```bash
#!/bin/bash
# API endpoint fuzzing script
API_BASE="$1"
OUTPUT_DIR="api_fuzz_$(date +%Y%m%d_%H%M%S)"
if [ -z "$API_BASE" ]; then
echo "Usage: $0 <api_base_url>"
echo "Example: $0 https://api.example.com"
exit 1
fi
mkdir -p "$OUTPUT_DIR"
echo "[+] Starting API fuzzing for: $API_BASE"
# API endpoint discovery
echo "[+] API endpoint discovery..."
wfuzz -c -w /usr/share/wordlists/wfuzz/general/common.txt \
--hc 404,405 \
-f "$OUTPUT_DIR/endpoints.json,json" \
"$API_BASE/FUZZ" 2>/dev/null
# API version discovery
echo "[+] API version discovery..."
wfuzz -c -z range,1-10 \
--hc 404,405 \
-f "$OUTPUT_DIR/versions.json,json" \
"$API_BASE/vFUZZ" "$API_BASE/apiFUZZ" 2>/dev/null
# Common API paths
echo "[+] Common API paths..."
cat > api_paths.txt << 'EOF'
users
user
admin
auth
login
logout
register
profile
settings
config
status
health
version
docs
swagger
api-docs
EOF
wfuzz -c -w api_paths.txt \
--hc 404,405 \
-f "$OUTPUT_DIR/api_paths.json,json" \
"$API_BASE/FUZZ" 2>/dev/null
# HTTP methods testing
echo "[+] HTTP methods testing..."
wfuzz -c -w api_paths.txt \
-X GET,POST,PUT,DELETE,PATCH,OPTIONS,HEAD \
--hc 404 \
-f "$OUTPUT_DIR/methods.json,json" \
"$API_BASE/FUZZ" 2>/dev/null
rm api_paths.txt
echo "[+] API fuzzing completed. Results saved to: $OUTPUT_DIR"
```### Script di Fuzzing Sottodomini
```bash
#!/bin/bash
# Subdomain discovery script
DOMAIN="$1"
OUTPUT_DIR="subdomain_fuzz_$(date +%Y%m%d_%H%M%S)"
if [ -z "$DOMAIN" ]; then
echo "Usage: $0 <domain>"
echo "Example: $0 example.com"
exit 1
fi
mkdir -p "$OUTPUT_DIR"
echo "[+] Starting subdomain fuzzing for: $DOMAIN"
# Common subdomains
echo "[+] Common subdomain fuzzing..."
wfuzz -c -w /usr/share/wordlists/wfuzz/general/subdomains-top1mil-5000.txt \
-H "Host: FUZZ.$DOMAIN" \
--hc 404 \
--hh 0 \
-f "$OUTPUT_DIR/subdomains.json,json" \
"http://$DOMAIN/" 2>/dev/null
# Development subdomains
echo "[+] Development subdomain fuzzing..."
cat > dev_subdomains.txt << 'EOF'
dev
test
staging
beta
alpha
demo
sandbox
lab
qa
uat
pre
preprod
prod
www
mail
ftp
admin
api
app
mobile
m
blog
shop
store
portal
dashboard
EOF
wfuzz -c -w dev_subdomains.txt \
-H "Host: FUZZ.$DOMAIN" \
--hc 404 \
--hh 0 \
-f "$OUTPUT_DIR/dev_subdomains.json,json" \
"http://$DOMAIN/" 2>/dev/null
rm dev_subdomains.txt
echo "[+] Subdomain fuzzing completed. Results saved to: $OUTPUT_DIR"
```## Integrazione con Altri Strumenti
```bash
# Use Burp as proxy
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
-p 127.0.0.1:8080 \
--hc 404 \
http://target.com/FUZZ
# Export results for Burp analysis
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
--hc 404 \
-f burp_targets.txt,raw \
http://target.com/FUZZ
```### Integrazione con Burp Suite
```bash
# Use ZAP as proxy
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
-p 127.0.0.1:8080 \
--hc 404 \
http://target.com/FUZZ
# Generate ZAP-compatible URLs
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
--hc 404 \
--format "%u" \
http://target.com/FUZZ > zap_urls.txt
```### Integrazione con OWASP ZAP
```bash
# Generate URLs for Nuclei scanning
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
--hc 404 \
--format "%u" \
http://target.com/FUZZ > discovered_urls.txt
# Run Nuclei on discovered URLs
nuclei -l discovered_urls.txt -t /path/to/nuclei-templates/
```## Risoluzione dei Problemi
```bash
# Reduce request rate
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
--req-delay 2 \
--conn-delay 1 \
-t 5 \
--hc 404 \
http://target.com/FUZZ
# Random delay
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
--req-delay 1-3 \
--hc 404 \
http://target.com/FUZZ
```### Problemi Comuni
```bash
# Ignore SSL certificate errors
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
--hc 404 \
--insecure \
https://target.com/FUZZ
# Specify SSL version
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
--hc 404 \
--ssl-version TLSv1.2 \
https://target.com/FUZZ
```#### Limitazione dei Tassi
```bash
# Reduce concurrent threads
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
-t 10 \
--hc 404 \
http://target.com/FUZZ
# Use smaller wordlists
wfuzz -c -w /usr/share/wordlists/dirb/small.txt \
--hc 404 \
http://target.com/FUZZ
```#### Problemi SSL/TLS
```bash
# Increase timeout
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
--conn-delay 5 \
--req-delay 2 \
--hc 404 \
http://target.com/FUZZ
# Retry failed requests
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
--retry 3 \
--hc 404 \
http://target.com/FUZZ
```#### Problemi di Memoria
https://wfuzz.readthedocs.io/###
# Problemi di Rete
https://github.com/xmendez/wfuzz#
# Risorse
https://owasp.org/www-project-web-security-testing-guide/- [Documentazione Ufficiale di Wfuzz](https://github.com/danielmiessler/SecLists)https://owasp.org/www-project-web-security-testing-guide/- [Repository GitHub di Wfuzz](https://portswigger.net/burp/documentation)https://www.sans.org/white-papers/2178/- [Guida ai Test di Sicurezza delle Applicazioni Web](