
WFuzz

Web fuzzer for brute-forcing parameters, directories, and authentication tokens.

Category
Web Hacking
Platform
Linux / Kali
Type
CLI / Open Source
Skill Level
Beginner → Advanced

What is WFuzz?

WFuzz is a web application fuzzer designed to help security professionals brute-force parameters, discover hidden directories and files, test authentication mechanisms, and locate injection points. It works by replacing a placeholder in an HTTP request with each payload from a wordlist, sending the resulting requests, and letting you filter the responses by status code, line count, word count or size, which automates the kind of request-by-request probing that is impractical to do by hand. It's widely used in penetration testing, bug bounty hunting, and CTF competitions.

⚠ Legal Notice

Only use this tool on systems you own or have explicit written authorization to test. Unauthorized use is a criminal offense under Pakistan's PECA 2016 and similar laws worldwide.

Installation

# Update package list first
sudo apt update

# Install WFuzz
sudo apt install wfuzz -y

# OR install via pip (latest version). WFuzz depends on pycurl, so on
# Debian/Kali install libcurl4-openssl-dev, libssl-dev and the build tools
# first or the pip install will fail compiling pycurl.
pip3 install wfuzz

# Verify installation
wfuzz --version

Basic Usage

WFuzz uses the keyword FUZZ as a placeholder anywhere in the request (URL path, query string, POST body, headers, cookies) and substitutes each entry from your wordlist in its place, one request per entry. A second wordlist is referenced with FUZ2Z, a third with FUZ3Z, and so on.

# Directory/path brute-forcing
wfuzz -w /usr/share/wordlists/dirb/common.txt http://target.com/FUZZ

# Hide 404 responses (--hc hides by status code; --hl, --hw and --hh hide by
# line, word and character count; --sc/--sl/--sw/--sh are the "show only" equivalents)
wfuzz -w wordlist.txt --hc 404 http://target.com/FUZZ

# Fuzz a GET parameter (quote the URL so the shell does not interpret ? or &)
wfuzz -w wordlist.txt "http://target.com/page.php?id=FUZZ"

# Fuzz POST body parameters
wfuzz -w wordlist.txt -d "username=FUZZ&password=test" http://target.com/login

# Use multiple wordlists (FUZ2Z for the second). By default every combination of
# the two lists is tried, so this sends users.txt x passwords.txt requests.
# The URL must be quoted: an unquoted & would background the command.
wfuzz -w users.txt -w passwords.txt "http://target.com/login?user=FUZZ&pass=FUZ2Z"

# Fuzz with a custom header (e.g. token brute-force)
wfuzz -w tokens.txt -H "Authorization: Bearer FUZZ" http://target.com/api/data
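To make the placeholder substitution, multi-wordlist iteration and response filtering concrete, here is a small Python simulation of what the commands above do. It is an added example, not WFuzz's own code: the "target" is an in-memory dictionary that answers unknown paths with an HTTP 200 "page not found" body (a soft 404), the wordlists are constructed, and the hide filters mirror the meaning of --hc/--hl/--hw/--hh. It shows why hiding only status 404 is not enough and how calibrating against a path that cannot exist lets you hide the soft-404 responses by size.

```python
import itertools
import re

# Placeholder syntax follows wfuzz: FUZZ is slot 1, FUZ2Z slot 2, FUZ3Z slot 3, ...
PLACEHOLDER_RE = re.compile(r"FUZ(\d*)Z")

# Constructed in-memory "target" (assumption for the example; not a real host).
# Anything not listed returns 200 with a not-found page, i.e. a soft 404.
FAKE_SITE = {
    "/admin": (200, "<html>admin panel</html>"),
    "/login": (200, "<form action=/login method=post>"),
    "/backup": (403, "Forbidden"),
}
SOFT_404_BODY = "<html><body>Sorry, page not found</body></html>"


def fake_request(path):
    """Stand-in for an HTTP GET: returns (status, body) for a path."""
    return FAKE_SITE.get(path, (200, SOFT_404_BODY))


def placeholder_slots(template):
    """Number of distinct FUZZ/FUZnZ slots in a request template."""
    slots = {int(m.group(1)) if m.group(1) else 1 for m in PLACEHOLDER_RE.finditer(template)}
    return len(slots)


def expand(template, wordlists, iterator="product"):
    """Yield (payload_tuple, concrete_request) for each payload combination.

    iterator="product" tries every combination of the wordlists (wfuzz's default);
    iterator="zip" pairs the n-th entry of each list (wfuzz: -m zip).
    """
    if placeholder_slots(template) != len(wordlists):
        raise ValueError("number of FUZZ slots must match number of wordlists")
    if iterator == "product":
        combos = itertools.product(*wordlists)
    elif iterator == "zip":
        combos = zip(*wordlists)
    else:
        raise ValueError("unknown iterator: %s" % iterator)
    for combo in combos:
        # Replace each FUZnZ with the matching payload (FUZZ -> combo[0], FUZ2Z -> combo[1], ...)
        concrete = PLACEHOLDER_RE.sub(
            lambda m: combo[(int(m.group(1)) if m.group(1) else 1) - 1], template)
        yield combo, concrete


def metrics(status, body):
    """Response attributes the hide/show filters act on (approximation of wfuzz's columns)."""
    return {"code": status, "lines": body.count("\n"),
            "words": len(body.split()), "chars": len(body)}


def fuzz(template, wordlists, hide=None, iterator="product"):
    """Run the fuzz loop against the fake target and return the results not hidden.

    hide maps a metric name to a set of values to drop, e.g. {"code": {404}} is --hc 404
    and {"chars": {47}} is --hh 47.
    """
    hide = hide or {}
    kept = []
    for payload, path in expand(template, wordlists, iterator):
        status, body = fake_request(path)
        m = metrics(status, body)
        if any(m[key] in values for key, values in hide.items()):
            continue
        kept.append((payload, path, m))
    return kept


def calibrate(template, probe="thispathcannotexist9f3a"):
    """Request a path that cannot exist and return its metrics, so the caller can
    hide responses that look like it (wfuzz does not do this automatically)."""
    status, body = fake_request(PLACEHOLDER_RE.sub(probe, template))
    return metrics(status, body)


if __name__ == "__main__":
    words = ["admin", "backup", "login", "images", "robots.txt"]  # constructed wordlist
    # Naive run: hide only 404. The soft-404 pages come back as 200 and flood the output.
    for payload, path, m in fuzz("/FUZZ", [words], hide={"code": {404}}):
        print("naive   ", path, m)
    # Calibrated run: also hide anything with the same size as the not-found page.
    base = calibrate("/FUZZ")
    for payload, path, m in fuzz("/FUZZ", [words], hide={"code": {404}, "chars": {base["chars"]}}):
        print("filtered", path, m)
    # Two wordlists: product iterator sends every user x password combination.
    for payload, req in expand("/login?user=FUZZ&pass=FUZ2Z", [["alice", "bob"], ["x", "y"]]):
        print("combo   ", payload, req)
```

In the naive run all five paths are reported because the fake target never answers 404; after calibration only /admin, /backup and /login survive, which is exactly the difference you would see between `--hc 404` alone and `--hc 404 --hh <size-of-not-found-page>` against a real application. Real sites sometimes vary the not-found page (it may echo the requested path), in which case filter on word or line count rather than characters.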

Common Filters & Options

Common Use Cases

Tips & Best Practices

During engagements, run WFuzz through the Burp Suite proxy (-p 127.0.0.1:8080) so you can inspect and replay interesting responses. Use the hide filters to cut through noise, but do not rely on --hc 404 alone: many applications answer missing paths with a 200 "not found" page, so first request a path that cannot exist, note its size or word count, and hide that with --hh or --hw as well. Keep the number of concurrent connections (-t) appropriate for the target; the default can be noisy or disruptive on fragile applications. Keep your wordlists current; SecLists on GitHub is the most widely used collection of fuzzing payloads.

Practice on legal targets like TryHackMe, HackTheBox, or hackzia.site labs before using in live engagements.