
# Wfuzz Cheat Sheet

## Overview

Wfuzz is a web application fuzzer built to support web application assessments. It can be used to find unlinked resources (directories, servlets, scripts and so on), brute-force GET and POST parameters, brute-force form parameters (user/password), fuzz inputs, and more. Every occurrence of the FUZZ keyword in the URL, headers or body is replaced with entries from the supplied payload (a second payload fills FUZ2Z, a third FUZ3Z), and the responses are filtered by status code, size, words or lines so that only the interesting ones are shown. This makes Wfuzz a capable tool for discovering hidden content, testing for vulnerabilities and carrying out thorough web application security assessments.

⚠️ Warning: Use Wfuzz only against applications you own or have explicit permission to test. Unauthorized testing may violate terms of service or local laws.

## Installation

### Python Package Installation

```bash
# Install via pip
pip install wfuzz

# Install with all dependencies (quoted so the shell does not expand the brackets)
pip install 'wfuzz[complete]'

# Install development version
pip install git+https://github.com/xmendez/wfuzz.git

# Verify installation
wfuzz --version
```

### System Package Installation
```bash
# Ubuntu/Debian
sudo apt update
sudo apt install wfuzz

# CentOS/RHEL/Fedora
sudo yum install wfuzz
# or
sudo dnf install wfuzz

# Arch Linux
sudo pacman -S wfuzz

# macOS with Homebrew
brew install wfuzz

```

### Docker Installation

```bash

# Pull Docker image
docker pull ghcr.io/xmendez/wfuzz:latest

# Run with Docker
docker run --rm -it ghcr.io/xmendez/wfuzz:latest --help

# Create alias for easier usage
echo 'alias wfuzz="docker run --rm -it -v $(pwd):/data ghcr.io/xmendez/wfuzz:latest"' >> ~/.bashrc
source ~/.bashrc

```

### Manual Installation

```bash

# Clone repository
git clone https://github.com/xmendez/wfuzz.git
cd wfuzz

# Install dependencies
pip install -r requirements.txt

# Install
python setup.py install

# Or run directly
python wfuzz.py --help

```

## Basic Usage

### Directory and File Discovery

```bash

# Basic directory fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ

# File extension fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -w /usr/share/wordlists/wfuzz/extensions/extensions.txt --hc 404 http://target.com/FUZZ.FUZ2Z

# Subdirectory fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/admin/FUZZ

# Multiple directory levels
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ/FUZ2Z

# Backup file discovery
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ.bak
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ~

```

### Parameter Fuzzing

```bash

# GET parameter fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt "http://target.com/search.php?q=FUZZ"

# POST parameter fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -d "username=admin&password=FUZZ" http://target.com/login.php

# Multiple parameter fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -w /usr/share/wordlists/dirb/common.txt "http://target.com/search.php?FUZZ=FUZ2Z"

# Header fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -H "X-Forwarded-For: FUZZ" http://target.com/

# Cookie fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -b "sessionid=FUZZ" http://target.com/

```

### Subdomain Discovery

```bash

# Subdomain enumeration
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Host: FUZZ.target.com" --hc 404 http://target.com/

# Subdomain with custom wordlist
wfuzz -c -w subdomains.txt -H "Host: FUZZ.target.com" --hc 404 http://target.com/

# Virtual host discovery
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Host: FUZZ" --hc 404 http://192.168.1.100/

```

## Advanced Usage

### Authentication and Sessions

```bash

# Basic authentication
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --basic admin:password --hc 404 http://target.com/FUZZ

# Cookie-based authentication
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -b "PHPSESSID=abc123; auth=true" --hc 404 http://target.com/FUZZ

# Custom headers for authentication
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Authorization: Bearer token123" --hc 404 http://target.com/FUZZ

# Session-based fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Cookie: session=valid_session_id" --hc 404 http://target.com/FUZZ

```

### Advanced Filtering

```bash

# Hide specific response codes
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404,403,500 http://target.com/FUZZ

# Hide specific response sizes
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hh 1234 http://target.com/FUZZ

# Hide responses with specific words
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hw 100 http://target.com/FUZZ

# Hide responses with specific lines
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hl 50 http://target.com/FUZZ

# Show only specific response codes
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --sc 200,301,302 http://target.com/FUZZ

# Complex filtering
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 --hh 1234 --hw 100 http://target.com/FUZZ

```

### Proxy and Network Options

```bash

# Use proxy
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -p 127.0.0.1:8080 --hc 404 http://target.com/FUZZ

# Use SOCKS proxy
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -p 127.0.0.1:9050:SOCKS5 --hc 404 http://target.com/FUZZ

# Custom timeouts in seconds (--conn-delay limits the connect phase, --req-delay the whole request)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --conn-delay 2 --req-delay 1 --hc 404 http://target.com/FUZZ

# Concurrent connections
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -t 50 --hc 404 http://target.com/FUZZ

# Follow redirects
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -L --hc 404 http://target.com/FUZZ

```

## Wordlists and Payloads

### Common Wordlists

```text

# Directory wordlists
/usr/share/wordlists/dirb/common.txt
/usr/share/wordlists/dirb/big.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# File wordlists
/usr/share/wordlists/wfuzz/general/common.txt
/usr/share/wordlists/wfuzz/general/admin-panels.txt
/usr/share/wordlists/wfuzz/general/megabeast.txt

# Parameter wordlists
/usr/share/wordlists/wfuzz/Injections/SQL.txt
/usr/share/wordlists/wfuzz/Injections/XSS.txt
/usr/share/wordlists/wfuzz/Injections/Traversal.txt

# Subdomain wordlists
/usr/share/wordlists/wfuzz/general/subdomains-top1mil-5000.txt
/usr/share/wordlists/wfuzz/general/subdomains-top1mil-20000.txt

```

### Custom Wordlist Creation

```bash

# Create custom wordlist
cat > custom_dirs.txt << 'EOF'
admin
administrator
panel
dashboard
control
manage
backend
api
v1
v2
test
dev
staging
EOF

# Use custom wordlist
wfuzz -c -w custom_dirs.txt --hc 404 http://target.com/FUZZ

# Combine wordlists
cat /usr/share/wordlists/dirb/common.txt custom_dirs.txt > combined.txt
wfuzz -c -w combined.txt --hc 404 http://target.com/FUZZ

```

### Payload Generators

```bash

# Range payload
wfuzz -c -z range,1-100 --hc 404 http://target.com/user/FUZZ

# List payload
wfuzz -c -z list,admin-test-guest --hc 404 http://target.com/FUZZ

# File payload
wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ

# Hexrange payload
wfuzz -c -z hexrange,0x00-0xFF --hc 404 http://target.com/id/FUZZ

# Date payload: FUZZ = year, FUZ2Z = month, FUZ3Z = day (payloads are combined as a product by default)
wfuzz -c -z range,2020-2024 -z range,01-12 -z range,01-31 --hc 404 "http://target.com/backup/FUZ2Z-FUZ3Z-FUZZ.sql"

```

## Specialized Techniques

### SQL Injection Testing

```bash

# Basic SQL injection fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt "http://target.com/search.php?id=FUZZ"

# Time-based SQL injection
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt --filter "r.elapsed>5" "http://target.com/search.php?id=FUZZ"

# Error-based SQL injection (=~ is a regex match; a bare ~ is a literal substring test)
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt --filter "r.content=~'error|mysql|sql'" "http://target.com/search.php?id=FUZZ"

# POST SQL injection
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -d "username=admin&password=FUZZ" --filter "r.content=~'welcome|dashboard'" http://target.com/login.php

```

### XSS Testing

```bash

# Reflected XSS testing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/XSS.txt "http://target.com/search.php?q=FUZZ"

# XSS in parameters
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/XSS.txt -d "comment=FUZZ" http://target.com/comment.php

# XSS filter bypass
wfuzz -c -w xss_payloads.txt --filter "r.content~'<script>'" "http://target.com/search.php?q=FUZZ"

# DOM XSS testing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/XSS.txt "http://target.com/page.php#FUZZ"

```

### File Upload Testing

```bash

# File extension fuzzing (=~ is a regex match over the response body)
wfuzz -c -w extensions.txt -d "file=test.FUZZ" --filter "r.content=~'uploaded|success'" http://target.com/upload.php

# MIME type fuzzing
wfuzz -c -w mime_types.txt -H "Content-Type: FUZZ" -d @file.txt http://target.com/upload.php

# File upload bypass
wfuzz -c -w bypass_extensions.txt -d "file=shell.FUZZ" http://target.com/upload.php

```

### API Testing

```bash

# API endpoint discovery
wfuzz -c -w api_endpoints.txt --hc 404 http://target.com/api/FUZZ

# API version fuzzing
wfuzz -c -z range,1-10 --hc 404 http://target.com/api/vFUZZ/users

# REST API method fuzzing (-X takes a single method, so fuzz it from a list payload: FUZZ = method, FUZ2Z = path)
wfuzz -c -z list,GET-POST-PUT-DELETE -w /usr/share/wordlists/dirb/common.txt -X FUZZ --hc 404,405 http://target.com/api/FUZ2Z

# API parameter fuzzing
wfuzz -c -w parameters.txt "http://target.com/api/users?FUZZ=test"

# JSON API fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -H "Content-Type: application/json" -d '{"username":"admin","password":"FUZZ"}' http://target.com/api/login

```

## Output and Reporting

### Output Formats

```bash

# Save to file (-f takes file[,printer]; -o only selects the printer used for stdout)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.txt,raw http://target.com/FUZZ

# JSON output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.json,json http://target.com/FUZZ

# CSV output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.csv,csv http://target.com/FUZZ

# HTML output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.html,html http://target.com/FUZZ

# XML output (wfuzz's XML printer is called magictree)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.xml,magictree http://target.com/FUZZ

```

### Custom Output Formatting

```bash

# Custom output: --field prints only a filter-language expression per result, --efield appends one to the normal line
wfuzz -w /usr/share/wordlists/dirb/common.txt --hc 404 --field r.url http://target.com/FUZZ
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 --efield r.host http://target.com/FUZZ

# Verbose output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -v http://target.com/FUZZ

# Show request and response
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 --req-delay 1 -v http://target.com/FUZZ
```

## Automation Scripts
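The scripts in this section write their results with `-f <file>,json` and then count them. As an added example that is not part of the cheat sheet's own scripts, the Python below reads such a file and triages it the way the `--hc`, `--hh`, `--hw` and `--hl` filters from the Advanced Filtering section do, and adds an automatic baseline: a catch-all page that answers 200 to every unknown path is invisible to `--hc 404`, but it is the one signature that nearly every payload produces, so the most common (code, chars, words, lines) tuple is dropped. The sample document is constructed, and the JSON field names (`code`, `chars`, `words`, `lines`, `payload`, `url`) are an assumption about wfuzz's json printer; check them against a real output file before relying on this.

```python
"""Triage a wfuzz JSON result file (-f results.json,json).

Added example, not one of the cheat sheet's scripts. Reproduces the
--hc/--hh/--hw/--hl hide filters and adds an automatic soft-404 baseline.
"""
import json
from collections import Counter

# Constructed sample in the shape wfuzz's json printer is assumed to write;
# the field names are an assumption, not taken from the page.
SAMPLE_JSON = json.dumps([
    {"code": 200, "chars": 1234, "words": 100, "lines": 50,  "payload": "foo",    "url": "http://app.example/foo"},
    {"code": 200, "chars": 1234, "words": 100, "lines": 50,  "payload": "bar",    "url": "http://app.example/bar"},
    {"code": 200, "chars": 1234, "words": 100, "lines": 50,  "payload": "baz",    "url": "http://app.example/baz"},
    {"code": 404, "chars": 1234, "words": 100, "lines": 50,  "payload": "old",    "url": "http://app.example/old"},
    {"code": 200, "chars": 5210, "words": 402, "lines": 120, "payload": "admin",  "url": "http://app.example/admin"},
    {"code": 301, "chars": 0,    "words": 0,   "lines": 0,   "payload": "images", "url": "http://app.example/images"},
])


def load_results(text):
    """Parse the JSON document written by -f <file>,json into a list of dicts."""
    return json.loads(text)


def signature(result):
    """The tuple the hide filters operate on: status code, chars, words, lines."""
    return (result["code"], result["chars"], result["words"], result["lines"])


def baseline_signature(results, min_hits=3):
    """Return the dominant signature if it occurs at least min_hits times.

    A real finding is rare; a catch-all page is hit by most payloads, so the
    most common signature is the baseline whatever its status code is.
    """
    if not results:
        return None
    sig, hits = Counter(signature(r) for r in results).most_common(1)[0]
    return sig if hits >= min_hits else None


def triage(results, hide_codes=(404,), hide_chars=(), hide_words=(), hide_lines=(),
           auto_baseline=True):
    """Apply --hc/--hh/--hw/--hl style filters, then drop the baseline signature."""
    baseline = baseline_signature(results) if auto_baseline else None
    kept = []
    for r in results:
        if (r["code"] in hide_codes or r["chars"] in hide_chars
                or r["words"] in hide_words or r["lines"] in hide_lines):
            continue                      # explicit hide filters, as on the CLI
        if baseline is not None and signature(r) == baseline:
            continue                      # looks exactly like the catch-all page
        kept.append(r)
    return kept


def summarize(results):
    """Count surviving results per status code, like the summary step below."""
    return dict(Counter(r["code"] for r in results))


if __name__ == "__main__":
    survivors = triage(load_results(SAMPLE_JSON))
    for r in survivors:
        print(f'{r["code"]} {r["chars"]:>6} {r["url"]}')
    print(summarize(survivors))
```

On the sample, `old` is hidden by the 404 filter, `foo`, `bar` and `baz` share the dominant signature and are dropped as the soft-404 page, and only `admin` and `images` survive; passing `auto_baseline=False` shows how much noise the plain `--hc 404` view would leave.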
```bash
#!/bin/bash
# Comprehensive web application fuzzing script

TARGET="$1"
OUTPUT_DIR="wfuzz_results_$(date +%Y%m%d_%H%M%S)"

if [ -z "$TARGET" ]; then
    echo "Usage: $0 <target_url>"
    exit 1
fi

mkdir -p "$OUTPUT_DIR"

echo "[+] Starting comprehensive web fuzzing for: $TARGET"

# Directory discovery
echo "[+] Directory discovery..."
wfuzz -c -w /usr/share/wordlists/dirb/big.txt \
    --hc 404,403 \
    -f "$OUTPUT_DIR/directories.json,json" \
    "$TARGET/FUZZ" 2>/dev/null

# File discovery
echo "[+] File discovery..."
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -w /usr/share/wordlists/wfuzz/general/extensions.txt \
    --hc 404,403 \
    -f "$OUTPUT_DIR/files.json,json" \
    "$TARGET/FUZZ.FUZ2Z" 2>/dev/null

# Backup file discovery (wfuzz takes a single URL, so the suffixes come from a second payload)
echo "[+] Backup file discovery..."
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -z list,.bak-.old-~ \
    --hc 404,403 \
    -f "$OUTPUT_DIR/backups.json,json" \
    "$TARGET/FUZZFUZ2Z" 2>/dev/null

# Admin panel discovery
echo "[+] Admin panel discovery..."
wfuzz -c -w /usr/share/wordlists/wfuzz/general/admin-panels.txt \
    --hc 404,403 \
    -f "$OUTPUT_DIR/admin_panels.json,json" \
    "$TARGET/FUZZ" 2>/dev/null

# Parameter discovery
echo "[+] Parameter discovery..."
wfuzz -c -w /usr/share/wordlists/wfuzz/general/common.txt \
    --hc 404 \
    -f "$OUTPUT_DIR/parameters.json,json" \
    "$TARGET/?FUZZ=test" 2>/dev/null

echo "[+] Fuzzing completed. Results saved to: $OUTPUT_DIR"

# Generate summary
echo "[+] Generating summary..."
python3 << EOF
import json
import os

results_dir = "$OUTPUT_DIR"
summary = {}

for filename in os.listdir(results_dir):
    if filename.endswith('.json'):
        with open(os.path.join(results_dir, filename), 'r') as f:
            try:
                data = json.load(f)
                category = filename.replace('.json', '')
                summary[category] = len(data)
            except (ValueError, OSError):
                # empty or truncated file (e.g. wfuzz aborted): count it as zero
                summary[filename] = 0

print("\n=== FUZZING SUMMARY ===")
for category, count in summary.items():
    print(f"{category}: {count} results")

with open(os.path.join(results_dir, 'summary.json'), 'w') as f:
    json.dump(summary, f, indent=2)
EOF
```

### API Fuzzing Script
```bash
#!/bin/bash
# API endpoint fuzzing script

API_BASE="$1"
OUTPUT_DIR="api_fuzz_$(date +%Y%m%d_%H%M%S)"

if [ -z "$API_BASE" ]; then
    echo "Usage: $0 <api_base_url>"
    echo "Example: $0 https://api.example.com"
    exit 1
fi

mkdir -p "$OUTPUT_DIR"

echo "[+] Starting API fuzzing for: $API_BASE"

# API endpoint discovery
echo "[+] API endpoint discovery..."
wfuzz -c -w /usr/share/wordlists/wfuzz/general/common.txt \
    --hc 404,405 \
    -f "$OUTPUT_DIR/endpoints.json,json" \
    "$API_BASE/FUZZ" 2>/dev/null

# API version discovery (wfuzz takes a single URL, so the prefix comes from a second payload)
echo "[+] API version discovery..."
wfuzz -c -z range,1-10 \
    -z list,v-api \
    --hc 404,405 \
    -f "$OUTPUT_DIR/versions.json,json" \
    "$API_BASE/FUZ2ZFUZZ" 2>/dev/null

# Common API paths
echo "[+] Common API paths..."
cat > api_paths.txt << 'EOF'
users
user
admin
auth
login
logout
register
profile
settings
config
status
health
version
docs
swagger
api-docs
EOF

wfuzz -c -w api_paths.txt \
    --hc 404,405 \
    -f "$OUTPUT_DIR/api_paths.json,json" \
    "$API_BASE/FUZZ" 2>/dev/null

# HTTP methods testing (-X takes a single method, so the method is fuzzed from a list payload)
echo "[+] HTTP methods testing..."
wfuzz -c -z list,GET-POST-PUT-DELETE-PATCH-OPTIONS-HEAD \
    -w api_paths.txt \
    -X FUZZ \
    --hc 404 \
    -f "$OUTPUT_DIR/methods.json,json" \
    "$API_BASE/FUZ2Z" 2>/dev/null

rm api_paths.txt

echo "[+] API fuzzing completed. Results saved to: $OUTPUT_DIR"
```

### Subdomain Fuzzing Script
```bash
#!/bin/bash
# Subdomain discovery script

DOMAIN="$1"
OUTPUT_DIR="subdomain_fuzz_$(date +%Y%m%d_%H%M%S)"

if [ -z "$DOMAIN" ]; then
    echo "Usage: $0 <domain>"
    echo "Example: $0 example.com"
    exit 1
fi

mkdir -p "$OUTPUT_DIR"

echo "[+] Starting subdomain fuzzing for: $DOMAIN"

# Common subdomains
echo "[+] Common subdomain fuzzing..."
wfuzz -c -w /usr/share/wordlists/wfuzz/general/subdomains-top1mil-5000.txt \
    -H "Host: FUZZ.$DOMAIN" \
    --hc 404 \
    --hh 0 \
    -f "$OUTPUT_DIR/subdomains.json,json" \
    "http://$DOMAIN/" 2>/dev/null

# Development subdomains
echo "[+] Development subdomain fuzzing..."
cat > dev_subdomains.txt << 'EOF'
dev
test
staging
beta
alpha
demo
sandbox
lab
qa
uat
pre
preprod
prod
www
mail
ftp
admin
api
app
mobile
m
blog
shop
store
portal
dashboard
EOF

wfuzz -c -w dev_subdomains.txt \
    -H "Host: FUZZ.$DOMAIN" \
    --hc 404 \
    --hh 0 \
    -f "$OUTPUT_DIR/dev_subdomains.json,json" \
    "http://$DOMAIN/" 2>/dev/null

rm dev_subdomains.txt

echo "[+] Subdomain fuzzing completed. Results saved to: $OUTPUT_DIR"
```

## Integration with Other Tools

### Burp Suite Integration

```bash
# Use Burp as proxy
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -p 127.0.0.1:8080 \
    --hc 404 \
    http://target.com/FUZZ

# Export results for Burp analysis
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    --hc 404 \
    -f burp_targets.txt,raw \
    http://target.com/FUZZ
```

### OWASP ZAP Integration

```bash
# Use ZAP as proxy
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -p 127.0.0.1:8080 \
    --hc 404 \
    http://target.com/FUZZ

# Generate a ZAP-compatible URL list (one URL per line; no -c, so no colour codes end up in the file)
wfuzz -w /usr/share/wordlists/dirb/common.txt \
    --hc 404 \
    --field r.url \
    http://target.com/FUZZ > zap_urls.txt
```

### Nuclei Integration

```bash
# Generate URLs for Nuclei scanning
wfuzz -w /usr/share/wordlists/dirb/common.txt \
    --hc 404 \
    --field r.url \
    http://target.com/FUZZ > discovered_urls.txt

# Run Nuclei on discovered URLs
nuclei -l discovered_urls.txt -t /path/to/nuclei-templates/
```

## Troubleshooting

### Common Issues

#### Rate Limiting

```bash
# Reduce request rate: fewer concurrent connections (-t) and a fixed pause between requests (-s, seconds)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -t 5 \
    -s 1 \
    --hc 404 \
    http://target.com/FUZZ

# Longer pause between requests (--req-delay/--conn-delay are timeouts, not delays, so they do not throttle)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -s 2 \
    --hc 404 \
    http://target.com/FUZZ
```

#### SSL/TLS Issues

```bash
# Ignore SSL certificate errors
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    --hc 404 \
    --insecure \
    https://target.com/FUZZ

# Specify SSL version
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    --hc 404 \
    --ssl-version TLSv1.2 \
    https://target.com/FUZZ
```

#### Memory Issues

```bash
# Reduce concurrent threads
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -t 10 \
    --hc 404 \
    http://target.com/FUZZ

# Use smaller wordlists
wfuzz -c -w /usr/share/wordlists/dirb/small.txt \
    --hc 404 \
    http://target.com/FUZZ
```

#### Network Issues

```bash
# Increase timeouts (seconds; the default for both is 90, so raise them above that)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    --conn-delay 120 \
    --req-delay 300 \
    --hc 404 \
    http://target.com/FUZZ

# Retry failed requests
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    --retry 3 \
    --hc 404 \
    http://target.com/FUZZ
```
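The throttling options above are the client's side of rate limiting. The defender's side is the same signal seen in the server's access log: one source producing a burst of requests, almost all of them 404, often still carrying the tool's default `Wfuzz/<version>` User-Agent (trivially changed with `-H`, so treat it as corroboration, not as the detection). The Python below is an added example, not part of the cheat sheet; the combined-format log lines are constructed, and the window and thresholds are assumptions to tune per site.

```python
"""Flag sources in a combined-format access log whose traffic looks like
directory fuzzing: many requests in a short window, mostly 404s.

Added example, not from the cheat sheet; log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: a 9-request burst from one address (8 of them 404),
# two ordinary page views from another, and one line that does not parse.
_SCAN = [("admin", 404), ("backup", 404), ("test", 404), ("dev", 404), ("api", 200),
         ("v1", 404), ("panel", 404), ("old", 404), ("tmp", 404)]
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/May/2024:12:00:{i:02d} +0000] "GET /{path} HTTP/1.1" '
    f'{status} 512 "-" "Wfuzz/3.1.0"'
    for i, (path, status) in enumerate(_SCAN)
] + [
    '198.51.100.4 - - [10/May/2024:12:00:03 +0000] "GET / HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/May/2024:12:00:09 +0000] "GET /about HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    "this line is not in combined format",
]


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def fuzzing_sources(lines, window_s=60, min_requests=8, min_404_ratio=0.5):
    """Map each source IP with a burst of >= min_requests inside window_s seconds,
    of which >= min_404_ratio were 404s, to a small finding record."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        lo = 0
        for hi in range(len(recs)):          # sliding window over sorted timestamps
            while (recs[hi]["ts"] - recs[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            burst = recs[lo:hi + 1]
            if len(burst) < min_requests:
                continue
            ratio = sum(r["status"] == 404 for r in burst) / len(burst)
            if ratio >= min_404_ratio:
                findings[ip] = {
                    "requests": len(burst),
                    "not_found_ratio": round(ratio, 2),
                    "fuzzer_user_agent": any("wfuzz" in r["ua"].lower() for r in burst),
                    "first_seen": burst[0]["ts"].isoformat(),
                }
                break                         # one finding per source is enough
    return findings


if __name__ == "__main__":
    for ip, info in fuzzing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

The 404 ratio is the robust part of the signal; a site that answers every unknown path with 200 (the soft-404 case) needs a different baseline, such as the share of requests for paths never seen before, which is the same reasoning the `--hh` size filter applies on the client side.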
## Resources

- [Official Wfuzz documentation](https://wfuzz.readthedocs.io/)
- [Wfuzz GitHub repository](https://github.com/xmendez/wfuzz)
- [OWASP Web Security Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
- [SecLists wordlists](https://github.com/danielmiessler/SecLists)
- [Burp Suite documentation](https://portswigger.net/burp/documentation)
- [SANS white paper 2178](https://www.sans.org/white-papers/2178/)