A Tool for Brute Forcing / Fuzzing Web Applications
What is Wfuzz?
It's a web application brute forcer that allows you to perform complex brute force attacks against different parts of a web application, such as parameters, authentication, forms, directories/files, headers, etc. It has a complete set of features, payloads and encodings.
It can also be used to find resources that are not publicly linked, such as directories and files; it can brute force HEADERS, GET and POST parameters to check for different kinds of injection (SQL, XSS, LDAP, etc.); and it can brute force form parameters (user/password) and carry out general fuzzing.
• Recursion (When doing directory bruteforce)
• Post, headers and authentication data bruteforcing
• Output to HTML (easy for just clicking the links and checking the page, even with postdata!!)
• Colored output on all systems
• Hide results by return code, word numbers, line numbers, etc.
• Many encodings (random_upper, urlencode, sha1, bin_ascii, base64, double_nibble_hex, uri_hex, md5, double_urlencode, etc.)
• Cookies fuzzing
• Proxy support
• Multiple FUZZ capability with multiple dictionaries
• Authentication support (NTLM, Digest, Basic)
• All parameter bruteforcing (POST and GET)
• Dictionaries tailored for known applications (Weblogic, Iplanet, Tomcat, Domino, Oracle 9i, Vignette, Coldfusion and many more).