I'm pleased to announce a new version of WFuzz!
Wfuzz is a tool designed for bruteforcing web applications. It can be used to find resources that are not linked (directories, servlets, scripts, etc.), to bruteforce GET and POST parameters when checking for different kinds of injection, to bruteforce form parameters (user/password), for fuzzing, etc.
I have been working intermittently on this release since October 2011, being almost finished several times but always leaving it aside at the last moment due to work. A few weeks ago I decided to finish it whatever it took.
This version is a major change from previous releases: it is almost a total rewrite, with not much of the old wfuzz 1.4 left. Here's hoping for the best.
The biggest change is that wfuzz now supports plugins, so you can write your own scripts to improve or modify the application's functionality. For example, there is a plugin that parses the links in each HTTP response and adds them to the fuzzing queue. Check below how a single word "a" generates 8 different requests:
$ python wfuzz.py --script=links -z list,a --follow http://localhost:8000/FUZZ
********************************************************
* Wfuzz 2.1 - The Web Bruteforcer *
********************************************************
Target: http://localhost:8000/FUZZ
Total requests: 1
===========================================
ID Response Lines Word Chars Request
===========================================
00000: C=200 17 L 89 W 1481 Ch "a"
|_ Plugin links enqueued 5 more requests (rlevel=1)
00001: C=200 14 L 57 W 889 Ch "/a/b/"
|_ Plugin links enqueued 2 more requests (rlevel=2)
00002: C=200 4 L 25 W 177 Ch "/"
00003: C=200 9 L 7 W 61 Ch "/a/test.html"
00004: C=200 4 L 6 W 47 Ch "/a/test.js"
00005: C=403 10 L 30 W 285 Ch "/icons/"
00006: C=200 17 L 89 W 1481 Ch "/a/"
00007: C=200 14 L 57 W 895 Ch "/a/b/c/"
|_ Plugin links enqueued 1 more requests (rlevel=3)
00008: C=200 13 L 46 W 716 Ch "/a/b/c/d/"
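To make the queueing behaviour in that output concrete, here is a simplified model of it, added as an illustration and not taken from wfuzz or its links plugin. `SITE`, `LinkParser`, `crawl` and `max_rlevel` are hypothetical names, the page bodies are constructed, and the same-host check and depth cap are assumptions about sensible scoping rather than documented plugin behaviour.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

BASE = "http://localhost:8000"
# Constructed responses (path -> HTML body), not the author's real test server.
SITE = {
    "/a": '<a href="/a/b/">b</a><a href="/">up</a><a href="/a/test.html">t</a>'
          '<script src="/a/test.js"></script><a href="/icons/">i</a><a href="http://example.org/">x</a>',
    "/a/b/": '<a href="/a/">up</a><a href="c/">c</a>',
    "/": '<a href="/a/">a</a>',
    "/a/b/c/": '<a href="../">up</a><a href="d/">d</a>',
    "/a/b/c/d/": '<a href="../">up</a>',
}
SITE["/a/"] = SITE["/a"]  # the directory URL answers with the same listing


class LinkParser(HTMLParser):
    """Collects href/src attribute values from a response body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        self.links += [v for k, v in attrs if k in ("href", "src") and v]


def crawl(seed, max_rlevel=3):
    """Breadth-first: same-host links of each response are queued once, one rlevel deeper."""
    host = urlsplit(BASE).netloc
    start = urljoin(BASE + "/", seed)
    queue, seen, order = deque([(start, 0)]), {start}, []
    while queue:
        url, rlevel = queue.popleft()
        order.append((urlsplit(url).path, rlevel))
        parser = LinkParser()
        parser.feed(SITE.get(urlsplit(url).path, ""))  # unknown path: empty body
        for link in parser.links:
            target = urljoin(url, link).split("#")[0]  # resolve relative links, drop fragments
            in_scope = urlsplit(target).netloc == host  # never leave the tested host
            if in_scope and target not in seen and rlevel < max_rlevel:
                seen.add(target)
                queue.append((target, rlevel + 1))
    return order


if __name__ == "__main__":
    for path, rlevel in crawl("a"):
        print(rlevel, path)
```

With the constructed pages, the seed "a" yields the same nine paths in the same order as the run above; the off-site link is dropped and already-seen links are not queued twice.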
The project has been moved from Google Code to GitHub. For a full list of the new features, check the Wfuzz v2.1 changelog.
2 comments:
Xavi,
Just downloaded wfuzz to test on a Windows system. Readme says to use the exe. There is no exe in the download. Is Python needed to run wfuzz, as I only see .py and txt files in the downloaded folders?
joe.greene@bentley.com
  File "C:\Users\Angelz\Desktop\wfuzz\wfuzz.py", line 6, in <module>
    from framework.fuzzer.Fuzzer import Fuzzer
  File "C:\Users\Angelz\Desktop\wfuzz\framework\fuzzer\Fuzzer.py", line 5, in <module>
    from framework.fuzzer.fuzzobjects import FuzzResult
  File "C:\Users\Angelz\Desktop\wfuzz\framework\fuzzer\fuzzobjects.py", line 8, in <module>
    from externals.reqresp import Request
  File "C:\Users\Angelz\Desktop\wfuzz\externals\reqresp\__init__.py", line 1, in <module>
    from Request import Request
  File "C:\Users\Angelz\Desktop\wfuzz\externals\reqresp\Request.py", line 8, in <module>
    import pycurl
ImportError: No module named pycurl
What's wrong here? It doesn't work.