WFUZZ in Application Security Tests


Wfuzz is a tool designed for brute forcing, fuzzing and sensitive file scanning for Web Applications.

It can be used to find resources that are not linked anywhere (directories, servlets, scripts, etc.), to brute-force GET and POST parameters when checking for different kinds of vulnerabilities (SQL, XSS, LDAP, etc.), to brute-force form parameters (user/password), for fuzzing, and so on. A payload in Wfuzz is a source of data.

WFuzz home page (https://github.com/xmendez/wfuzz)

Why Fuzzing Is Important for Application Security Testing

Fuzzing is a black-box application security testing technique that basically consists of finding implementation vulnerabilities by injecting payload data (SQL, XSS, LFI/RFI) in an automated fashion.

WFUZZ Installation

I am going to use Kali Linux for installation.

pip3 install wfuzz

I already installed WFUZZ, so I don’t need to install it again. Pip3 is an easy way to complete the installation. There is also one more way to install it.

Download the release version from here with the wget command.
Download location: https://github.com/xmendez/wfuzz/releases/latest

wget https://github.com/xmendez/wfuzz/archive/refs/tags/v3.1.0.zip

After that, we have the zip file. Let’s unzip it.

unzip v3.1.0.zip

Now that the wfuzz source archive is unzipped, change into its directory with the cd command.

cd wfuzz-3.1.0

Use ./wfuzz or wfuzz to start up the application process.

Installation is completed! Let’s start hacking!

HTTP Status Codes

HTTP status codes are the most important point when fuzzing web applications. If you have no idea which response code is returned for your request, you can’t analyze the fuzzing results.
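
To show why the status code drives the analysis, here is an added example (not from the original post or the Wfuzz project) that takes constructed (payload, status, length) records, finds the dominant "nothing here" response, and groups everything else by status code. The sample records and the function names describe, baseline and triage are assumptions made for this illustration.

```python
from collections import Counter
from http import HTTPStatus

# Constructed sample results (payload, status code, body length in characters);
# not output captured from a real scan.
SAMPLE_RESULTS = [
    ("index", 200, 5120),
    ("admin", 403, 287),
    ("backup", 404, 162),
    ("images", 301, 178),
    ("test", 404, 162),
    ("login", 200, 2311),
    ("old", 404, 162),
    ("export", 500, 941),
    ("tmp", 404, 162),
    ("docs", 404, 162),
]


def describe(code):
    """Return 'code phrase', tolerating non-standard codes."""
    try:
        return f"{code} {HTTPStatus(code).phrase}"
    except ValueError:
        return f"{code} (non-standard)"


def baseline(results):
    """Most frequent (status, length) pair: the 'nothing here' response.

    Keying on length as well as status also catches soft 404s, where the
    server answers 200 with the same error page for every unknown name.
    """
    return Counter((s, n) for _, s, n in results).most_common(1)[0][0]


def triage(results):
    """Drop baseline responses and group the rest by described status."""
    noise = baseline(results)
    groups = {}
    for payload, status, length in results:
        if (status, length) != noise:
            groups.setdefault(describe(status), []).append(payload)
    return groups


if __name__ == "__main__":
    for status, payloads in sorted(triage(SAMPLE_RESULTS).items()):
        print(f"{status}: {', '.join(payloads)}")
```

Without the status code, the five identical 404 responses would be indistinguishable from the four results that actually need a look.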

These are the most common HTTP response codes.