Wfuzz is a Python-based, flexible web application bruteforcer that can be considered an alternative to Burp Intruder, as the two share a number of features. It supports various methods and techniques to expose web application vulnerabilities. With Wfuzz we can audit parameters, authentication and forms by brute-forcing GET and POST parameters, cookies and headers, and discover unlinked resources such as directories and files.
Wfuzz is developed by edge-security. It was created to facilitate the task of web application assessment and is based on a simple concept: it replaces any reference to the keyword FUZZ with the value of a given payload. A payload in Wfuzz is a source of input data. For further details and documentation visit: http://wfuzz.readthedocs.io/en/latest/
Installation:
I am going to install wfuzz on Ubuntu 16.04. First of all, clone wfuzz from its git repository:
git clone https://github.com/xmendez/wfuzz.git
For the wfuzz installation you need to install the setuptools and pycurl Python modules:
sudo apt install python-setuptools python-pycurl
Then change into the wfuzz directory and run the command below:
sudo python setup.py install
Now wfuzz is successfully installed.
The basic architecture of wfuzz
Wfuzz consists of the following elements:
Payloads :
A payload is a list of data to be sent to the target server. To see all payload options:
wfuzz -e payloads
Range :
Suppose we have a webapp with pages like example1.php, example2.php, etc. To find out how many such pages exist we can use the range payload:
wfuzz -c -z range,0-20 http://192.168.0.103/xss/exampleFUZZ.php?name=hello
and the output will be:
********************************************************
* Wfuzz 2.2.8 - The Web Fuzzer *
********************************************************
Target: http://192.168.0.103/xss/exampleFUZZ.php?name=hello
Total requests: 21
==================================================================
ID Response Lines Word Chars Payload
==================================================================
000001: C=404 9 L 32 W 293 Ch "0"
000002: C=200 61 L 101 W 1466 Ch "1"
000003: C=200 59 L 100 W 1458 Ch "2"
000004: C=200 60 L 100 W 1459 Ch "3"
000005: C=200 60 L 100 W 1460 Ch "4"
000010: C=200 62 L 101 W 1512 Ch "9"
000012: C=404 9 L 32 W 294 Ch "11"
000013: C=404 9 L 32 W 294 Ch "12"
000014: C=404 9 L 32 W 294 Ch "13"
000015: C=404 9 L 32 W 294 Ch "14"
000016: C=404 9 L 32 W 294 Ch "15"
000017: C=404 9 L 32 W 294 Ch "16"
000018: C=404 9 L 32 W 294 Ch "17"
000021: C=404 9 L 32 W 294 Ch "20"
000019: C=404 9 L 32 W 294 Ch "18"
000020: C=404 9 L 32 W 294 Ch "19"
000006: C=200 60 L 100 W 1460 Ch "5"
000007: C=200 62 L 104 W 1491 Ch "6"
000008: C=200 64 L 104 W 1493 Ch "7"
000009: C=200 61 L 109 W 1579 Ch "8"
000011: C=404 9 L 32 W 294 Ch "10"
Total time: 2.908727
Processed Requests: 21
Filtered Requests: 0
Requests/sec.: 7.219650
In the above command:
- -c : colored output
- -z range,0-20 : -z specifies the payload; here the payload type is range and, after the comma ',', the range is given as 0-20.
- FUZZ in the target URL marks the position where each payload value is substituted.
Now, to filter the output, we can use the --hc [response code] flag, which hides responses with the given response code:
wfuzz -c --hc 404 -z range,0-20 http://192.168.0.103/xss/exampleFUZZ.php?name=hello
output:
********************************************************
* Wfuzz 2.2.8 - The Web Fuzzer *
********************************************************
Target: http://192.168.0.103/xss/exampleFUZZ.php?name=hello
Total requests: 21
==================================================================
ID Response Lines Word Chars Payload
==================================================================
000002: C=200 61 L 101 W 1466 Ch "1"
000003: C=200 59 L 100 W 1458 Ch "2"
000004: C=200 60 L 100 W 1459 Ch "3"
000005: C=200 60 L 100 W 1460 Ch "4"
000006: C=200 60 L 100 W 1460 Ch "5"
000007: C=200 62 L 104 W 1491 Ch "6"
000008: C=200 64 L 104 W 1493 Ch "7"
000009: C=200 61 L 109 W 1579 Ch "8"
000010: C=200 62 L 101 W 1512 Ch "9"
Total time: 0.067469
Processed Requests: 21
Filtered Requests: 12
Requests/sec.: 311.2502
Use --sc [response code] to show only responses with the given response code:
wfuzz -c --sc 200 -z range,0-20 http://192.168.0.103/xss/exampleFUZZ.php?name=hello
File :
With the file payload we can provide a file containing a list of filenames, or any other data, to fuzz a URL path, a parameter, or request data:
wfuzz -c --sc 200 -z file,/home/ajay/pentest/wordlist/general/admin-panels.txt http://192.168.56.102/mutillidae/FUZZ
output:
********************************************************
* Wfuzz 2.2.8 - The Web Fuzzer *
********************************************************
Target: http://192.168.56.101/mutillidae/FUZZ
Total requests: 137
==================================================================
ID Response Lines Word Chars Payload
==================================================================
000120: C=200 53 L 189 W 2930 Ch "home.php"
000021: C=200 129 L 330 W 4102 Ch "login.php"
Total time: 2.633481
Processed Requests: 137
Filtered Requests: 135
Requests/sec.: 52.02237
Brute forcing post data :
wfuzz -c -z file,/home/ajay/pentest/wordlist/general/common.txt --hs Error -d "log=user&pwd=FUZZ" http://192.168.56.101/wordpress/wp-login.php
output:
********************************************************
* Wfuzz 2.2.8 - The Web Fuzzer *
********************************************************
Target: http://192.168.56.102/wordpress/wp-login.php
Total requests: 950
==================================================================
ID Response Lines Word Chars Payload
==================================================================
000870: C=302 0 L 0 W 0 Ch "user"
Total time: 72.38094
Processed Requests: 950
Filtered Requests: 949
Requests/sec.: 13.12500
Here -d is used for the POST data, and --hs hides responses containing the word "Error", because the login page returns "Error" on failure.
Brute forcing header data :
wfuzz -c -z file,/home/ajay/pentest/wordlist/general/common.txt --sc 200 -H "Header_Field_Name: FUZZ" http://192.168.56.101/wordpress/wp-login.php
Encoders :
Encoders are used to encode the payload before sending it to the target server. Several encoding options are available, for example URL encoding, base64 and utf8, as well as hash functions like md5 and sha1. To see the list of available encoders:
wfuzz -e encoders
For example:
wfuzz -c -z file,/home/ajay/pentest/wordlist/general/common.txt,md5 --hs Error -d "log=user&pwd=FUZZ" http://192.168.56.101/wordpress/wp-login.php
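The scans above leave a recognisable trace on the target's side: a burst of 404s from a single client (the range and file payloads), repeated POSTs to wp-login.php (the password run), and, unless overridden with -H, the tool's own User-Agent. The following added example is not part of the original post; it is a small detector that runs these three heuristics over constructed Apache combined-format log lines, and it assumes wfuzz's default User-Agent has the form "Wfuzz/<version>" (the page's banner shows 2.2.8).

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format; we only need client IP, method, path, status and User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def analyze(log_text, not_found_threshold=5, login_post_threshold=5):
    """Return {client_ip: [reasons]} for clients whose traffic looks like fuzzing.
    Heuristics drawn from the runs on this page: the assumed default User-Agent
    "Wfuzz/<version>", a burst of 404s from path enumeration (range or wordlist
    payloads), and repeated POSTs to the WordPress login page."""
    stats = defaultdict(lambda: {"404": 0, "login_post": 0, "wfuzz_ua": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unexpected format: skip rather than crash
        s = stats[m["ip"]]
        if m["status"] == "404":
            s["404"] += 1
        if m["method"] == "POST" and m["path"].endswith("/wp-login.php"):
            s["login_post"] += 1
        if m["ua"].startswith("Wfuzz/"):
            s["wfuzz_ua"] = True
    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s["wfuzz_ua"]:
            reasons.append("wfuzz user-agent")
        if s["404"] >= not_found_threshold:
            reasons.append("%d x 404 (path enumeration)" % s["404"])
        if s["login_post"] >= login_post_threshold:
            reasons.append("%d x POST wp-login.php (credential guessing)" % s["login_post"])
        if reasons:
            findings[ip] = reasons
    return findings

def _line(ip, method, path, status, ua):
    # One constructed combined-format log line (synthetic, not real traffic).
    return '%s - - [01/Jan/2018:10:00:00 +0000] "%s %s HTTP/1.1" %s 294 "-" "%s"' % (ip, method, path, status, ua)

# Constructed sample: the range scan from the page (example0..20.php, 404 for 0 and 10-20),
# nine password guesses against wp-login.php, and one ordinary browser visitor.
SAMPLE_LOG = "\n".join(
    [_line("192.168.0.50", "GET", "/xss/example%d.php?name=hello" % i,
           404 if i == 0 or i >= 10 else 200, "Wfuzz/2.2.8") for i in range(21)]
    + [_line("10.0.0.7", "POST", "/wordpress/wp-login.php", 200, "curl/7.58.0") for _ in range(9)]
    + [_line("10.0.0.9", "GET", "/wordpress/", 200, "Mozilla/5.0")]
)

if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The thresholds are deliberately low for the constructed sample; on a real server tune them per time window, since the User-Agent check alone is trivially defeated with -H.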
Conclusion :
wfuzz is a very powerful web application fuzzer. These are some very basic use cases of wfuzz; now you can start playing and experimenting with it.
For documentation visit : http://wfuzz.readthedocs.io/en/latest/