Introduction:
Wfuzz is a command line tool written in python. It is used to discover common vulnerabilities in web applications through the method of fuzzing. Fuzzing is the concept of trying many known vulnerable inputs with a web application to determine if any of the inputs compromise the web application. It is a great tool to be able to quickly check common vulnerabilities against an application. It is also valuable for testing previously reported vulnerabilities to ensure that regressions don’t occur in an application.
We can able to test for several types of vulnerabilities exists in the web application by the common method known as fuzzing. By using wfuzz we can test the input validation bugs primarily by fuzzing the application. A payload in Wfuzz is a source of data.
This simple concept allows any input to be injected in any field of an HTTP request, allowing to perform complex web security attacks in different web application components such as: parameters, authentication, forms, directories/files, headers, etc.
- Injection based vulnerabilities, such as directory traversals, SQL injections, XSS injections, and XXE injections
- Brute forcing common credentials
- Discovery of important web pages that don’t provide proper access control (think admin panels or configuration files)
- Known open source vulnerabilities, such as apache and sharepoint based attacks
Demo
Wfuzz is more than a web application scanner:
- Wfuzz is a completely modular framework and makes it easy for even the newest of Python developers to contribute.It is really simple to build plugins with wfuzz.you could also use wfuzz as the python library to make use to build the other programs.
- Wfuzz exposes a simple language interface to the previous HTTP requests/responses performed using Wfuzz or other tools, such as Burp. This allows you to perform manual and semi-automatic tests with full context and understanding of your actions, without relying on a web application scanner underlying implementation.
Installation:
Installation of wfuzz is really straight forward. You can install wfuzz using the pip. Make sure that you have installed python3.
pip install wfuzz
You can either clone the public repository:
-
git clone git://github.com/xmendez/wfuzz.git
Once you have a copy of the source, you can embed it in your own Python package, or install it into your site-packages easily:
python3 setup.py install
Usecases:
Type wfuzz -h for help,Wfuzz can be used to look for hidden content, such as files and directories, within a web server, allowing to find further attack vectors. It is worth noting that, the success of this task depends highly on the dictionaries used. By default wfuzz contains fuzzdb and seclists wordlists files some of the basic usecases of wfuzz are mentioned below:
Fuzzing the paths and files:
wfuzz -w
In the above url the FUZZ keyword must be specified because the FUZZ keyword is like a kind of place holder for the tool to perform where to fuzz.
wfuzz -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ.php
Fuzzing Parameters In URLs:
You often want to fuzz some sort of data in the URL’s query string, this can be achieved by specifying the FUZZ keyword in the URL after a question mark:
wfuzz -z range,0-10 --hl 97 http://testphp.vulnweb.com/listproducts.php?cat=FUZZ
Fuzzing POST Requests:
If you want to fuzz some form-encoded data like an HTML form will do, simply pass a -d command line argument:
wfuzz -z file,wordlist/others/common_pass.txt -d "uname=FUZZ&pass=FUZZ" --hc 302 http://testphp.vulnweb.com/userinfo.php
Fuzzing Cookies:
To send your own cookies to the server, for example, to associate a request to HTTP sessions, you can use the -b parameter (repeat for various cookies):
wfuzz -z file,wordlist/general/common.txt -b cookie=value1 -b cookie2=value2 http://testphp.vulnweb.com/FUZZ
cookies can also be fuzzed like this
wfuzz -z file,wordlist/general/common.txt -b cookie=FUZZ http://testphp.vulnweb.com/
Fuzzing Custom headers:
If you’d like to add HTTP headers to a request, simply use the -H parameter (repeat for various headers):
wfuzz -z file,wordlist/general/common.txt -H "myheader: headervalue" -H "myheader2: headervalue2" http://testphp.vulnweb.com/FUZZ
You can modify existing headers, for example, for specifying a custom user agent, execute the following:
wfuzz -z file,wordlist/general/common.txt -H "myheader: headervalue" -H "User-Agent: Googlebot-News" http://testphp.vulnweb.com/FUZZ
Headers can also be fuzzed like this
wfuzz -z file,wordlist/general/common.txt -H "User-Agent: FUZZ" http://testphp.vulnweb.com/
HTTP Verbs:
HTTP verbs fuzzing can be specified using the -X switch
wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS -X FUZZ http://testphp.vulnweb.com/
Authentication
Wfuzz can set an authentication headers by using the –basic/ntlm/digest command line switches.
For example, a protected resource using Basic authentication can be fuzzed using the following command:
wfuzz -z list,nonvalid-httpwatch --basic FUZZ:FUZZ https://www.httpwatch.com/httpgallery/authentication/authenticatedimage/default.aspx
Recursion
The -R switch can be used to specify a payload recursion’s depth. For example, if you want to search for existing directories and then fuzz within these directories again using the same payload you can use the following command:
wfuzz -z list,"admin-CVS-cgi\-bin" -R1 http://testphp.vulnweb.com/FUZZ
These are all the simple and basic usecases of wfuzz. Wfuzz must be one of the important tool in your checklist while you performing the security testing on web applications.Take a look at the wfuzz docs for advanced usecases.
References:
https://wfuzz.readthedocs.io/en/latest/user/advanced.html
https://github.com/xmendez/wfuzz