Provided by: wfuzz_2.2.9-1_all

NAME

       wfuzz - a web application bruteforcer

SYNOPSIS

       wfuzz [options] -z payload,params <url>

OPTIONS

       -h     Print information about available arguments.

       --help Advanced help.

       --version
              Wfuzz version details

       -e <type>
              List of available encoders/payloads/iterators/printers/scripts

       --recipe <filename>
              Reads options from a recipe

       --dump-recipe <filename>
              Prints current options as a recipe

       --oF <filename>
              Saves fuzz results to a file. These can be consumed later using the wfuzz payload.

       -c     Output with colors

       -v     Verbose information.

       -f filename,printer
              Store results in the output file using the specified printer (raw printer if omitted).

       -o printer
              Format output using the specified printer.

       --interact
              (beta) If selected, all key presses are captured. This allows you to interact with the program.

       --dry-run
              Print the results of applying the requests without actually making any HTTP request.

       --prev Print the previous HTTP requests (only when using payloads generating fuzzresults)

       -p addr
              Use a proxy in the format ip:port:type, where type can be SOCKS4 or SOCKS5, or HTTP if omitted.
              Repeat the option to use several proxies.

       -t N   Specify the number of concurrent connections (10 default)

       -s N   Specify time delay between requests (0 default)

       -R depth
              Recursive path discovery, where depth is the maximum recursion level.

       -L, --follow
              Follow HTTP redirections

       -Z     Scan mode (Connection errors will be ignored).

       --req-delay N
              Sets the maximum time in seconds the request is allowed to take (CURLOPT_TIMEOUT). Default 90.

       --conn-delay N
              Sets the maximum time in seconds the connection phase to the server is allowed to take
              (CURLOPT_CONNECTTIMEOUT). Default 90.

       -A     Alias for --script=default -v -c

       --script=
              Equivalent to --script=default

       --script=<plugins>
              Runs a script scan. <plugins> is a comma-separated list of plugin-files or plugin-categories.

       --script-help=<plugins>
              Show help about scripts.

       --script-args n1=v1,...
              Provide arguments to scripts, e.g. --script-args grep.regex="<A href=\"(.*?)\">"

       -u url Specify a URL for the request.

       -m iterator
              Specify an iterator for combining payloads (product by default)

       -z payload
              Specify a payload for each FUZZ keyword used, in the form type,parameters,encoder. A list of
              encoders can be used, e.g. md5-sha1. Encoders can be chained, e.g. md5@sha1. An encoder
              category can be used, e.g. url. Use help as a payload to show the payload plugin's details
              (you can filter using --slice).

       --zP <params>
              Arguments for the specified payload (it must be preceded by -z or -w).

       --slice <filter>
              Filter payload's elements using the specified expression. It must be preceded by -z.

       -w wordlist
              Specify a wordlist file (alias for -z file,wordlist).

       -V alltype
              All parameters bruteforcing (allvars and allpost). No need for FUZZ keyword.

       -X method
              Specify an HTTP method for the request, e.g. HEAD or FUZZ

       -b cookie
              Specify a cookie for the requests. Repeat option for various cookies.

       -d postdata
              Use post data (ex: "id=FUZZ&catalogue=1")

       -H headers
              Use headers (ex: "Host:www.mysite.com,Cookie:id=1312321&user=FUZZ"). Repeat option for various
              headers.

       --basic/ntlm/digest auth
              In the format "user:pass" or "FUZZ:FUZZ" or "domain\FUZ2Z:FUZZ"

       --hc/hl/hw/hh N[,N]+
              Hide responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)

       --sc/sl/sw/sh N[,N]+
              Show responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)

       --ss/hs regex
              Show/Hide responses with the specified regex within the content

       --filter <filter>
              Filter responses using the specified expression (Use BBB for taking values from baseline). It
              should be composed of: c,l,w,h/and,or/=,<,>,!=,<=,>=

              Keyword: FUZZ, ..., FUZnZ. Wherever you put these keywords wfuzz will replace them with the
              values of the specified payload.

              Baseline: FUZZ{baseline_value}. FUZZ will be replaced by baseline_value. It will be the first
              request performed and could be used as a base for filtering.

       --prefilter <filter>
              Filter items before fuzzing using the specified expression.

EXAMPLES

              wfuzz -c -z file,users.txt -z file,pass.txt --sc 200 "http://www.site.com/log.asp?user=FUZZ&pass=FUZ2Z"

              wfuzz -c -z range,1-10 --hc=BBB "http://www.site.com/FUZZ{something not there}"

              wfuzz --script=robots -z list,robots.txt http://www.webscantest.com/FUZZ

       More examples are available in the README.
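
       The --filter grammar and the BBB baseline described under OPTIONS, modelled as an added Python
       example (not wfuzz's own code). The response records and their c/l/w/h values are constructed, and
       giving "and" precedence over "or" is an assumption of this example.

```python
import operator
import re

# Comparison operators listed on the page for --filter expressions.
OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
       ">": operator.gt, "<=": operator.le, ">=": operator.ge}
TERM = re.compile(r"^\s*([clwh])\s*(!=|<=|>=|=|<|>)\s*(\d+|BBB)\s*$")


def term_matches(term, resp, baseline):
    """Evaluate one '<field><op><value>' term against a response record."""
    m = TERM.match(term)
    if m is None:
        raise ValueError("unsupported filter term: %r" % term)
    field, op, value = m.groups()
    if value == "BBB":
        if baseline is None:
            raise ValueError("BBB used but no baseline response supplied")
        wanted = baseline[field]      # BBB takes the same field from the baseline
    else:
        wanted = int(value)
    return OPS[op](resp[field], wanted)


def matches(expr, resp, baseline=None):
    """True if resp satisfies expr; 'and' binds tighter than 'or' (assumption)."""
    return any(
        all(term_matches(t, resp, baseline) for t in re.split(r"\s+and\s+", alt))
        for alt in re.split(r"\s+or\s+", expr.strip())
    )


def keep(expr, responses, baseline=None):
    """Return the payloads of the responses that the expression selects."""
    return [r["payload"] for r in responses if matches(expr, r, baseline)]


# Constructed sample data: c=code, l=lines, w=words, h=chars of each response.
BASELINE = {"payload": "something not there", "c": 404, "l": 7, "w": 12, "h": 169}
RESPONSES = [
    {"payload": "1", "c": 404, "l": 7, "w": 12, "h": 169},
    {"payload": "2", "c": 200, "l": 7, "w": 12, "h": 169},   # 200 with baseline body
    {"payload": "3", "c": 200, "l": 42, "w": 310, "h": 2048},
    {"payload": "4", "c": 302, "l": 0, "w": 0, "h": 0},
]

if __name__ == "__main__":
    print(keep("c!=BBB", RESPONSES, BASELINE))             # ['2', '3', '4']
    print(keep("c!=BBB and h!=BBB", RESPONSES, BASELINE))  # ['3', '4']
```

       Payload 2 shows why filtering on the status code alone can mislead: it returns 200 but has the same
       size as the baseline "not found" response, so only the combined expression drops it.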