Wfuzz - The web bruteforcer

Wfuzz is a tool designed to bruteforce web applications.

Last release v2.1.4

Getting started

Wfuzz was created to facilitate web application assessments and is based on a simple concept: it replaces every reference to the keyword FUZZ with the value of a given payload. A payload in Wfuzz is a source of data.

An example is shown below:

$ wfuzz.py -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ

********************************************************
* Wfuzz 2.1.4 - The Web Bruteforcer                    *
********************************************************

Target: http://testphp.vulnweb.com/FUZZ
Total requests: 950

==================================================================
ID      Response   Lines      Word         Chars          Request    
==================================================================

00006:  C=301      7 L        12 W          184 Ch        "admin"
00135:  C=403     10 L        29 W          263 Ch        "cgi-bin"
00379:  C=301      7 L        12 W          184 Ch        "images"
00686:  C=301      7 L        12 W          184 Ch        "secured"
...
00935:  C=301      7 L        12 W          184 Ch        "CVS"

Total time: 4.214460
Processed Requests: 950
Filtered Requests: 0
Requests/sec.: 225.414
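
The result rows above follow a fixed layout (ID, response code, line, word and character counts, payload), which makes them easy to parse for triage. The following is an added example, not part of Wfuzz or its documentation; the names parse_results and group_by_shape are hypothetical, and the sample input is the rows from the run above.

```python
import re
from collections import defaultdict

# Sample input: the result rows from the run shown above, including the
# "..." line that elides rows, embedded so the example runs offline.
SAMPLE = '''\
00006:  C=301      7 L        12 W          184 Ch        "admin"
00135:  C=403     10 L        29 W          263 Ch        "cgi-bin"
00379:  C=301      7 L        12 W          184 Ch        "images"
00686:  C=301      7 L        12 W          184 Ch        "secured"
...
00935:  C=301      7 L        12 W          184 Ch        "CVS"
'''

# One result row: ID, response code, line/word/char counts, quoted payload.
ROW = re.compile(
    r'^(?P<id>\d+):\s+C=(?P<code>\d{3})\s+(?P<lines>\d+) L\s+'
    r'(?P<words>\d+) W\s+(?P<chars>\d+) Ch\s+"(?P<payload>.*)"\s*$'
)

def parse_results(text):
    """Return one dict per result row; banner, separators and '...' are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        row = {k: int(v) for k, v in m.groupdict().items() if k != "payload"}
        row["payload"] = m.group("payload")
        rows.append(row)
    return rows

def group_by_shape(rows):
    """Group payloads by (code, lines, words, chars).

    Rows that share all four values likely received the same response
    body, so each group can be reviewed once instead of row by row.
    """
    groups = defaultdict(list)
    for r in rows:
        groups[(r["code"], r["lines"], r["words"], r["chars"])].append(r["payload"])
    return dict(groups)

if __name__ == "__main__":
    for shape, payloads in sorted(group_by_shape(parse_results(SAMPLE)).items()):
        print(shape, payloads)
```

In the sample, the four 301 rows share one shape (7 L, 12 W, 184 Ch) while "cgi-bin" stands alone with a 403.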

Get the Source Code

Wfuzz is actively developed on GitHub:

$ git clone https://github.com/xmendez/wfuzz.git