Bug Bounty Hunting – Wfuzz – Web Content Discovery & Form Manipulation

Scanning & Reconnaissance

What is Wfuzz used for?

Used to discover web content and directories.


Main features

  • Content discovery
  • Form Manipulation


Form manipulation & brute force


wfuzz -c -w /root/Desktop/wordlist.txt --hs Invalid -d "log=user&pwd=FUZZ" -u http://<target>/login


To fuzz both parameters, give one wordlist per marker: FUZZ takes the first -w, FUZ2Z the second.

wfuzz -c -w /root/Desktop/wordlist.txt -w /root/Desktop/wordlist.txt --hs Invalid -d "log=FUZ2Z&pwd=FUZZ" -u http://<target>/login



  • -c – output with colors
  • -w – wordlist (shorthand for -z file,<path>)
  • -z – payload, e.g. -z file,/path/to/list or -z range,1-100
  • --hs Invalid – hide responses whose body matches the regex "Invalid" (the failed-login message), so only differing responses are shown
  • --ss – the opposite: show only responses matching the regex
  • -d – POST data; with -d wfuzz sends a POST request using this body
  • FUZZ – the placeholder wfuzz replaces with each word from the wordlist (FUZ2Z, FUZ3Z, ... for the second, third, ... payload)


Directory brute-forcing


wfuzz -w /usr/share/wordlists/SecLists/Discovery/Web-Content/SVNDigger/all.txt --hc 403,404 http://webscantest.com/FUZZ


--hc – hide responses with the specified HTTP status codes (here 403 and 404, so only paths that exist and are reachable are listed); --hl, --hw and --hh hide by number of lines, words or characters instead.
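Seen from the web server, both runs above leave a distinctive trace: a burst of POSTs to one login endpoint from a single address, and a burst of 403/404 responses for paths nobody normally requests. The following script is an added example written from the defender's side (it is not part of the original post or of the wfuzz project). It parses Apache/Nginx combined-format access log lines and flags both patterns; the log lines, the /login path, the thresholds and the 60-second window are constructed for the demo and would be tuned to a real site's traffic.

```python
"""Flag wfuzz-style login brute force and directory discovery in access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/Nginx "combined" log format (assumed layout of the input lines).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Tuning knobs (constructed for the demo; real values depend on normal traffic volume).
LOGIN_PATH = "/login"          # hypothetical login endpoint
LOGIN_POST_THRESHOLD = 5       # POSTs to LOGIN_PATH from one IP inside WINDOW_SECONDS
NOT_FOUND_THRESHOLD = 5        # 403/404 responses from one IP inside WINDOW_SECONDS
WINDOW_SECONDS = 60


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def count_in_window(timestamps, window):
    """Largest number of events in a sorted timestamp list that fall inside `window` seconds."""
    best, start = 0, 0
    for end in range(len(timestamps)):
        while (timestamps[end] - timestamps[start]).total_seconds() > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(lines):
    """Return {ip: [findings]} for IPs whose traffic looks like a login brute force or a path scan."""
    login_posts = defaultdict(list)   # ip -> timestamps of POST LOGIN_PATH
    not_found = defaultdict(list)     # ip -> timestamps of 403/404 responses
    fuzz_ua = set()                   # IPs sending wfuzz's default "Wfuzz/<version>" User-Agent
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            login_posts[rec["ip"]].append(rec["ts"])
        if rec["status"] in (403, 404):
            not_found[rec["ip"]].append(rec["ts"])
        if "wfuzz" in rec["ua"].lower():
            fuzz_ua.add(rec["ip"])

    findings = defaultdict(list)
    for ip, ts in login_posts.items():
        n = count_in_window(sorted(ts), WINDOW_SECONDS)
        if n >= LOGIN_POST_THRESHOLD:
            findings[ip].append(f"login brute force: {n} POST {LOGIN_PATH} in {WINDOW_SECONDS}s")
    for ip, ts in not_found.items():
        n = count_in_window(sorted(ts), WINDOW_SECONDS)
        if n >= NOT_FOUND_THRESHOLD:
            findings[ip].append(f"directory discovery: {n} 403/404 responses in {WINDOW_SECONDS}s")
    for ip in fuzz_ua:
        # The default User-Agent is a weak signal on its own: it is trivially overridden with -H.
        findings[ip].append("default wfuzz User-Agent seen")
    return dict(findings)


# Constructed sample: one scanner (203.0.113.7) showing both patterns, one normal user (198.51.100.2).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2020:12:00:%02d +0000] "POST /login HTTP/1.1" 200 512 "-" "Wfuzz/2.4"' % s
    for s in range(0, 6)
] + [
    '203.0.113.7 - - [10/Mar/2020:12:01:%02d +0000] "GET /%s HTTP/1.1" 404 169 "-" "Wfuzz/2.4"' % (s, p)
    for s, p in enumerate(["backup", "old", "test", "admin2", "tmp", "dev"])
] + [
    '198.51.100.2 - - [10/Mar/2020:12:00:30 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Mar/2020:12:00:45 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Mar/2020:12:02:10 +0000] "GET /favicon.ico HTTP/1.1" 404 169 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reasons in detect(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The sliding window matters more than the raw count: a legitimate user who mistypes a password twice over an afternoon never reaches the threshold, while a wordlist run hits it within seconds. The same counters are what a rate limit or account lockout on the login endpoint would key on, which is the mitigation that makes the first two commands on this page unproductive.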



Sources: https://tools.kali.org/web-applications/wfuzz
