It's been a while since the last tool was released. With deepbit we have been working on a tool for Web Application testing, based on bruteforcing, very fast and useful. It can bruteforce GET and POST parameters, unlinked resources (directories, servlets, scripts), etc. It was used during our latest pentest and it yielded very good results. The package includes a lot of dictionaries tailored for known applications like Weblogic, Websphere, Tomcat, IIS, Apache, Vignette, Fatwire, and many many more (thanks to Darkraver for letting us use Dirb's dictionaries).
Right now the output can go to the console and to an HTML file. The latter is very useful for checking the results in the browser, and if you bruteforced a POST parameter, it will create a button in the HTML that will send all the POST data, very cool.
If you are a pentester, you must have it ;)
Please check the Wfuzz page.
Edge-security blog about Penetration testing, OSINT, security tools, and other interesting stuff.