Ethical Hacking #wfuzz#web fuzzing#penetration testing

Wfuzz Web Fuzzing: Find Hidden Params and Paths

Use Wfuzz to discover hidden web paths, parameters, and authentication bypasses with flexible payload injection and filtering.

6 min read

Wfuzz is a web application fuzzer that replaces any part of an HTTP request with wordlist entries — URLs, headers, POST bodies, cookies, and more. While FFuf is faster, Wfuzz’s deep filtering capabilities and support for multiple simultaneous injection points make it a strong complement in your toolkit.

Installation

# Kali Linux
sudo apt install wfuzz

# pip
pip3 install wfuzz

# Verify
wfuzz --help

Basic Syntax

Wfuzz uses FUZZ as the injection keyword:

wfuzz -w wordlist.txt https://target.com/FUZZ

Filtering Output

Raw output is noisy. Filter by response characteristics:

# Hide 404 responses
wfuzz -w wordlist.txt --hc 404 https://target.com/FUZZ

# Only show 200 responses
wfuzz -w wordlist.txt --sc 200 https://target.com/FUZZ

# Hide responses with specific word count
wfuzz -w wordlist.txt --hw 50 https://target.com/FUZZ

# Hide specific response size (chars)
wfuzz -w wordlist.txt --hh 1234 https://target.com/FUZZ

Filters:

  • --hc/--sc: hide/show by status code
  • --hw/--sw: hide/show by word count
  • --hh/--sh: hide/show by character count
  • --hl/--sl: hide/show by line count

Multiple Injection Points

Wfuzz handles multiple FUZZ keywords with multiple -w flags:

# Two wordlists, two injection points
wfuzz -w users.txt -w passwords.txt \
  -d "username=FUZZ&password=FUZ2Z" \
  https://target.com/login

FUZ2Z refers to the second wordlist. FUZ3Z for third, etc.

POST Request Fuzzing

wfuzz -w passwords.txt \
  -X POST \
  -d "user=admin&pass=FUZZ" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --hc 200 \
  https://target.com/login

Note: hiding 200 responses and showing 302 (redirect) catches successful logins.

Header Fuzzing

Fuzz specific headers:

# Fuzz User-Agent
wfuzz -w useragents.txt \
  -H "User-Agent: FUZZ" \
  https://target.com/

# Fuzz Authorization header (Bearer token brute-force)
wfuzz -w tokens.txt \
  -H "Authorization: Bearer FUZZ" \
  --hc 401 \
  https://target.com/api/secret
wfuzz -w sessions.txt \
  -b "session=FUZZ" \
  --hc 403 \
  https://target.com/admin

Encoding Payloads

Wfuzz can URL-encode, base64-encode, or apply other transforms:

# URL-encode the payload
wfuzz -w lfi-list.txt \
  -z file,lfi-list.txt,urlencode \
  "https://target.com/page?file=FUZZ"

# Base64 encode
wfuzz -w payloads.txt \
  -z file,payloads.txt,base64 \
  "https://target.com/api?data=FUZZ"

LFI (Local File Inclusion) Testing

wfuzz -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt \
  --hc 404 --hh 0 \
  "https://target.com/page?file=FUZZ"

Virtual Host Discovery

wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  -H "Host: FUZZ.target.com" \
  --hc 400 \
  https://target.com/

Filter out responses matching the default vhost size:

# First get default response size
curl -s https://target.com/ | wc -c
# Then filter that size
wfuzz -w subdomains.txt -H "Host: FUZZ.target.com" --hh DEFAULT_SIZE https://target.com/

Authentication Bypass Fuzzing

Test for IDOR (Insecure Direct Object Reference):

wfuzz -w ids.txt \
  -H "Cookie: session=validcookie" \
  --hc 403,404 \
  "https://target.com/api/user/FUZZ/profile"

Generate a number range wordlist:

# Numbers 1–1000
wfuzz -z range,1-1000 \
  -H "Cookie: session=validcookie" \
  "https://target.com/api/document/FUZZ"

Recursive Scanning

wfuzz -w wordlist.txt --hc 404 -R 2 https://target.com/FUZZ

-R 2 enables two levels of recursion — discovered directories are automatically fuzzed again.

Rate Limiting

# Slow down to avoid WAF triggering or rate limits
wfuzz -w wordlist.txt --hc 404 -t 5 -s 0.5 https://target.com/FUZZ
# -t 5: 5 concurrent threads
# -s 0.5: 500ms delay between requests

Saving Results

# Save to file
wfuzz -w wordlist.txt --hc 404 -f output.txt,raw https://target.com/FUZZ

# JSON format
wfuzz -w wordlist.txt --hc 404 -f output.json,json https://target.com/FUZZ

Wfuzz’s combination of flexible injection points and granular filtering makes it especially useful for API fuzzing and situations where you need to inject into multiple simultaneous locations — a scenario where FFuf requires more setup.

#bug bounty #penetration testing #web fuzzing #wfuzz