// arsenal·Web AppSecIntermediateFOSS

Wfuzz

Python web app fuzzer — the OG before ffuf existed.

Web AppSec

$ wfuzz --help

Wfuzz

// what it is

Description

Old-school web fuzzer with deep payload generators, encoders, and filters. Slower than ffuf but more declarative for complex payloads. Still alive in Kali.

// use cases

What people use it for

Complex parameter fuzzing
Header fuzzing with chained encoders

// commands

The commands you'll type

Param fuzz

$ wfuzz -c -w wordlist.txt 'https://target/page?id=FUZZ' --hc 404

// facts

category: Web AppSec
platforms: LIN · WIN · MAC
license: FOSS
difficulty: Intermediate

// links

// related in Web AppSec

Web AppSecIntermediate

Burp Suite

PortSwigger's intercepting HTTP proxy — the de facto web app testing platform.

OWASP ZAP

The free, OWASP-stewarded alternative to Burp.

Nikto

Loud-but-fast web server scanner — checks for thousands of misconfigurations.

FOSS

LIN·WIN·MAC

open entry →