Bug Bounty Hunting – Wfuzz – Web Content Discovery & Form Manipulation

Scanning & Reconnaissance

What is Wfuzz used for?

Used to discover web content and directories.

 

Main features

  • Content discovery
  • Form Manipulation

 

Form manipulation & Bruteforce

 

wfuzz -c -w /root/Desktop/wordlist.txt –hs Invalid -d “log=user&pwd=FUZZ” -u http://192.168.1.109/wp-login.php

 

For both parameters

wfuzz -c -w /root/Desktop/wordlist.txt –hs Invalid -d “log=FUZ2Z&pwd=FUZZ” -u http://192.168.1.109/wp-login.php

 

 

  • w- Output with colors
  • w- wordlist
  • z – payload
  • –hs Invalid – specify regex (show or hide responses)
  • –ss is to show responses
  • -d -post request
  • FUZZ  – FUZZ variable is wfuzz’s way of identifying where it should be inserting the word from the wordlist

 

Directory bruteforcing

 

wfuzz -w /usr/share/wordlists/SecLists/Discovery/Web-Content/SVNDigger/all.txt –hc 403,404 http://webscantest.com/FUZZ

 

–hc – Hide responses with the specified code/lines/words/chars

 

 

Sources: https://tools.kali.org/web-applications/wfuzz

Liked it? Take a second to support Alexis on Patreon!
Share this post

Leave a Reply

Your email address will not be published. Required fields are marked *