Wfuzz is a web application fuzzer that replaces any part of an HTTP request with wordlist entries — URLs, headers, POST bodies, cookies, and more. While FFuf is faster, Wfuzz’s deep filtering capabilities and support for multiple simultaneous injection points make it a strong complement in your toolkit.
Installation
# Kali Linux
sudo apt install wfuzz
# pip
pip3 install wfuzz
# Verify
wfuzz --help
Basic Syntax
Wfuzz uses FUZZ as the injection keyword:
wfuzz -w wordlist.txt https://target.com/FUZZ
Filtering Output
Raw output is noisy. Filter by response characteristics:
# Hide 404 responses
wfuzz -w wordlist.txt --hc 404 https://target.com/FUZZ
# Only show 200 responses
wfuzz -w wordlist.txt --sc 200 https://target.com/FUZZ
# Hide responses with specific word count
wfuzz -w wordlist.txt --hw 50 https://target.com/FUZZ
# Hide specific response size (chars)
wfuzz -w wordlist.txt --hh 1234 https://target.com/FUZZ
Filters:
--hc/--sc: hide/show by status code
--hw/--sw: hide/show by word count
--hh/--sh: hide/show by character count
--hl/--sl: hide/show by line count
Multiple Injection Points
Wfuzz handles multiple FUZZ keywords with multiple -w flags:
# Two wordlists, two injection points
wfuzz -w users.txt -w passwords.txt \
-d "username=FUZZ&password=FUZ2Z" \
https://target.com/login
FUZ2Z refers to the second wordlist. FUZ3Z for third, etc.
POST Request Fuzzing
wfuzz -w passwords.txt \
-X POST \
-d "user=admin&pass=FUZZ" \
-H "Content-Type: application/x-www-form-urlencoded" \
--hc 200 \
https://target.com/login
Note: hiding 200 responses and showing 302 (redirect) catches successful logins.
Fuzz specific headers:
# Fuzz User-Agent
wfuzz -w useragents.txt \
-H "User-Agent: FUZZ" \
https://target.com/
# Fuzz Authorization header (Bearer token brute-force)
wfuzz -w tokens.txt \
-H "Authorization: Bearer FUZZ" \
--hc 401 \
https://target.com/api/secret
Cookie Fuzzing
wfuzz -w sessions.txt \
-b "session=FUZZ" \
--hc 403 \
https://target.com/admin
Encoding Payloads
Wfuzz can URL-encode, base64-encode, or apply other transforms:
# URL-encode the payload
wfuzz -w lfi-list.txt \
-z file,lfi-list.txt,urlencode \
"https://target.com/page?file=FUZZ"
# Base64 encode
wfuzz -w payloads.txt \
-z file,payloads.txt,base64 \
"https://target.com/api?data=FUZZ"
LFI (Local File Inclusion) Testing
wfuzz -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt \
--hc 404 --hh 0 \
"https://target.com/page?file=FUZZ"
Virtual Host Discovery
wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
-H "Host: FUZZ.target.com" \
--hc 400 \
https://target.com/
Filter out responses matching the default vhost size:
# First get default response size
curl -s https://target.com/ | wc -c
# Then filter that size
wfuzz -w subdomains.txt -H "Host: FUZZ.target.com" --hh DEFAULT_SIZE https://target.com/
Authentication Bypass Fuzzing
Test for IDOR (Insecure Direct Object Reference):
wfuzz -w ids.txt \
-H "Cookie: session=validcookie" \
--hc 403,404 \
"https://target.com/api/user/FUZZ/profile"
Generate a number range wordlist:
# Numbers 1–1000
wfuzz -z range,1-1000 \
-H "Cookie: session=validcookie" \
"https://target.com/api/document/FUZZ"
Recursive Scanning
wfuzz -w wordlist.txt --hc 404 -R 2 https://target.com/FUZZ
-R 2 enables two levels of recursion — discovered directories are automatically fuzzed again.
Rate Limiting
# Slow down to avoid WAF triggering or rate limits
wfuzz -w wordlist.txt --hc 404 -t 5 -s 0.5 https://target.com/FUZZ
# -t 5: 5 concurrent threads
# -s 0.5: 500ms delay between requests
Saving Results
# Save to file
wfuzz -w wordlist.txt --hc 404 -f output.txt,raw https://target.com/FUZZ
# JSON format
wfuzz -w wordlist.txt --hc 404 -f output.json,json https://target.com/FUZZ
Wfuzz’s combination of flexible injection points and granular filtering makes it especially useful for API fuzzing and situations where you need to inject into multiple simultaneous locations — a scenario where FFuf requires more setup.