Tuesday, May 1, 2007

Wfuzz, the web bruteforcer, is here...

It's been a while since the last tool was released. Together with deepbit, we have been working on a tool for web application testing based on bruteforcing, very fast and useful. It can bruteforce GET and POST parameters, unlinked resources (directories, servlets, scripts), etc. It was used during our latest pentest and it yielded very good results. The package includes a lot of dictionaries tailored for known applications like Weblogic, Websphere, Tomcat, IIS, Apache, Vignette, Fatwire, and many, many more (thanks to Darkraver for letting us use Dirb's dictionaries).

Right now the output can go to the console and to an HTML file. The latter is very useful for checking the results in the browser, and if you bruteforced a POST parameter, it will create a button in the HTML that sends all the POST data, very cool.

If you are a pentester, you must have it ;)

Please check the Wfuzz page.

