---
name: wfuzz
description: "Auth/lab ref: Classic web application fuzzer using FUZZ placeholders across URL, headers, forms, auth, and request components."
license: GPL-2.0
compatibility: "Python on Linux/Windows/macOS."
metadata:
  author: GitHub Copilot
  version: "1.1"
---
# wfuzz

HTTP fuzzing tool built around payload injection via `FUZZ` tokens.

## Quick Start

```bash
pip install wfuzz

# Directory fuzzing
wfuzz -c -w wordlist.txt --hc 404 https://target/FUZZ

# Parameter fuzzing
wfuzz -c -w payloads.txt "https://target/search?q=FUZZ"
```
## Operator Flow

- Establish baseline response shape (status/lines/words/chars).
- Run discovery pass with hide filters (`--hc`/`--hl`/`--hw`/`--hh`).
- Switch to targeted payloads (params, headers, auth, verbs).
- Use filter language and plugin outputs for second-pass triage.
- Save/reuse sessions for reproducible follow-up tests.
## Common Uses

- Path/file discovery.
- Query/form/header fuzzing.
- Auth and session edge-case probing.
- Semi-automatic testing around captured requests.
## High-Value Features

- Baseline token (`FUZZ{baseline}`, e.g. `FUZZ{BBB}`) for differential filtering.
- Multi-payload iterators (`product`, `zip`, `chain`) for combination testing.
- Advanced filter grammar (`--filter`, `--prefilter`, `--slice`).
- Scan plugins (`--script`) for parse/discovery-assisted workflows.
- Reuse prior sessions (`wfuzzp`, Burp state/log payloads) for contextual fuzzing.
## Practical Tricks

- Use `-Z` scan mode when enumerating unstable hostnames/services; then filter `XXX` errors explicitly.
- When brute forcing behind proxies, tune `--conn-delay` and `--req-delay` to avoid false noise.
- Use `--field`/`--efield` to emit pipeline-friendly output into other tools.
## Common Pitfalls

- Running large dictionaries without baseline filters (noise flood).
- Ignoring soft-404 patterns and relying only on status code.
- Fuzzing all components at once instead of phased request decomposition.
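
The baseline step in the operator flow, the `FUZZ{baseline}` token and the soft-404 pitfall all rest on one idea: measure every response's shape and compare it to a baseline before anyone reads individual responses. The Python below is an added example written for this card, not code from wfuzz or from this repository. It models that comparison on constructed responses, swaps an echoed payload for the baseline token so soft-404 pages that reflect the requested path are recognised as baseline matches, and evaluates a small assumed subset of a wfuzz-style filter expression (`c`/`l`/`w`/`h` comparisons joined with `and`/`or`). The body-counting rules and the full filter grammar are wfuzz's own and are only approximated here.

```python
"""Baseline-differential triage of fuzzing results, modelled on the response
shape (status/lines/words/chars) and the FUZZ{baseline} idea described above.
Added example with constructed data only; no network access and no wfuzz import."""
import operator
import re
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple

BASELINE_TOKEN = "BBB"  # the value a baseline request like /FUZZ{BBB} sends instead of a payload


@dataclass(frozen=True)
class Shape:
    """The four metrics a fuzzer reports per response; hide filters act on these."""
    status: int
    lines: int
    words: int
    chars: int


def shape_of(status: int, body: str) -> Shape:
    # Approximation of how a fuzzer summarises a body; the real tool's counting rules may differ.
    return Shape(status, body.count("\n"), len(body.split()), len(body))


def normalised_shape(payload: str, status: int, body: str) -> Shape:
    """Measure the body with the echoed payload swapped for the baseline token, so a
    soft-404 page reading 'No page at /admin' compares equal to 'No page at /BBB'."""
    return shape_of(status, body.replace(payload, BASELINE_TOKEN) if payload else body)


def triage(
    baseline: Shape,
    results: Iterable[Tuple[str, int, str]],
    hide_status: Sequence[int] = (404,),
) -> List[Tuple[str, Shape]]:
    """Keep results whose shape differs from the baseline: the differential step a
    discovery pass should run before anyone reads individual responses."""
    kept: List[Tuple[str, Shape]] = []
    for payload, status, body in results:
        shape = normalised_shape(payload, status, body)
        if shape.status in hide_status:  # hard hide, the equivalent of --hc 404
            continue
        if shape == baseline:  # same status and size as the baseline: soft-404 / catch-all page
            continue
        kept.append((payload, shape))
    return kept


_CLAUSE = re.compile(r"\s*(c|l|w|h)\s*(==|=|!=|>=|<=|>|<)\s*(\d+)\s*")
_OPS = {"=": operator.eq, "==": operator.eq, "!=": operator.ne,
        ">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt}


def matches_filter(shape: Shape, expr: str) -> bool:
    """Evaluate a small, assumed subset of a wfuzz-style filter expression: c/l/w/h
    comparisons joined by 'and' / 'or' (and binds tighter), no parentheses or 'not'."""
    fields = {"c": shape.status, "l": shape.lines, "w": shape.words, "h": shape.chars}
    for disjunct in re.split(r"\s+or\s+", expr.strip()):
        satisfied = True
        for clause in re.split(r"\s+and\s+", disjunct):
            m = _CLAUSE.fullmatch(clause)
            if m is None:
                raise ValueError(f"unsupported filter clause: {clause!r}")
            field, op, value = m.groups()
            if not _OPS[op](fields[field], int(value)):
                satisfied = False
                break
        if satisfied:
            return True
    return False


# Constructed sample: the baseline request for /BBB hits a soft-404 page served with HTTP 200.
BASELINE = normalised_shape(BASELINE_TOKEN, 200, "<h1>Not found</h1>\n<p>No page at /BBB</p>\n")

SAMPLE_RESULTS = [  # (payload, status, body), all constructed
    ("admin", 200, "<h1>Not found</h1>\n<p>No page at /admin</p>\n"),  # soft-404 echoing the path
    ("login", 200, "<form action=/login method=post>\n<input name=user>\n<input name=pass>\n</form>\n"),
    ("static", 404, "Not Found"),  # hard 404, removed by the status hide filter
    ("backup", 403, "<h1>Forbidden</h1>\n"),  # different status from the baseline: worth a look
]


def demo() -> List[str]:
    """Payloads that survive baseline filtering: ['login', 'backup']."""
    return [payload for payload, _ in triage(BASELINE, SAMPLE_RESULTS)]


if __name__ == "__main__":
    for payload, shape in triage(BASELINE, SAMPLE_RESULTS):
        flag = "filter hit" if matches_filter(shape, "c=403 or l>=3") else ""
        print(f"{payload:10} {shape.status} L={shape.lines} W={shape.words} Ch={shape.chars} {flag}")
```

The normalisation step is what makes the soft-404 pitfall concrete: a status-only filter keeps `/admin` because it returns 200, while comparing the payload-normalised shape to the baseline drops it and leaves only responses that actually differ.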
## Notes

- In this repository, `ffuf` is often the faster default for bulk enumeration.
- Use `wfuzz` when you need its plugin/modular style and FUZZ-placement flexibility.