Skip to content

Releases: xmendez/wfuzz

Wfuzz 2.2.2 -The Web Fuzzer

22 Sep 19:31
Compare
Choose a tag to compare

Version 1.4d to 2.2.2 developed by:

Xavier Mendez ([email protected])

Version up to 1.4c developed by:

Christian Martorella ([email protected])
Carlos del ojo ([email protected])

Changelog 2.2.2:

Bug fixes:

  • bug with queues sync
  • bug in title plugin
  • bug in backups plugin
  • bug in full request fuzzing
  • headers contain an extra space
  • when saving a baseline result
  • when setting host header

Other changes:

  • Corrected typo in doc
  • Additional acceptance tests
  • Removed backups plugin from default category
  • Removing legacy/old information in messages and help

Wfuzz 2.2 - The Web Fuzzer

20 Sep 20:42
Compare
Choose a tag to compare
Pre-release

Version 1.4d to 2.2 developed by:

Xavier Mendez ([email protected])

Version up to 1.4c developed by:

Christian Martorella ([email protected])
Carlos del ojo ([email protected])

Changelog 2.2.0:

Main enhancements:

  • Improved documentation
  • Wfuzz scriptable API
  • wfpayload and wfencoder utils
  • wfuzz.ini for general and plugin options
  • Improved filter language (introspection, operators, functions, FUZZ keyword).
  • Introspection using FUZZ[field]
  • Allow to run wfuzz from any folder
  • Wfuzz could be installed using pip
  • Dictionaries are automatically looked for at the specified directories
  • Test cases
  • Ability to store and reuse previous results

New features:

  • req-delay and conn-delay switches
  • dry-run switch
  • X switch allows to specify method (removed -I switch).
  • o switch writes printer output to a file
  • p switch for proxy specification supports repetition
  • L switch is equivalent to --follow
  • zP swtich to specify further parameters to payloads
  • u switch for specifying an URL
  • Simple/advanced help switches
  • prefilter/slice for filtering payloads.
  • Improved help for payloads and plugins

Other enhancements:

  • Code reorganization (using a queue pipeline for processing results).
  • Bugs fixing
  • Improved error handling
  • Personal plugins could be stored in user's home folder.
  • Plugins are stored in directories in separated files
  • Improved FuzzRequest object for easier access to cookies, params...
  • Plugin runtime/loading errors do not block wfuzz execution.
  • A request is repeated a number of times if fails.
  • Validate CLI options.
  • BeautifulSoup integration
  • Plugins can perform their own requests outside the execution pipeline.
  • Option to encode space in the URL
  • FUZZ keyword for ss/hs switches
  • Improved scripts and payloads structure for creating new plugins

Plugins:

  • Check for errors (WIP)
  • json printer
  • burplog and burpstate payloads
  • wfuzzp payload
  • net ipaddress payload
  • dirwalk payload
  • title plugin
  • Backup plugin
  • CVS entries plugin

Wfuzz 2.1.5 - The Web Fuzzer

05 Mar 14:44
Compare
Choose a tag to compare

Version 1.4d to 2.1.5 developed by:

Xavier Mendez ([email protected])

Version up to 1.4c developed by:

Christian Martorella ([email protected])
Carlos del ojo ([email protected])

Changelog 2.1.5:

  • Fixed bug on screenshot plugin
  • Added CSV printer, thanks @Yoginski
  • Fixed bug on raw printer, thanks @maaaaz

Wfuzz 2.1.4 - The Web Fuzzer

10 Sep 22:24
Compare
Choose a tag to compare

Version 1.4d to 2.1.4 developed by:

Xavier Mendez ([email protected])

Version up to 1.4c developed by:

Christian Martorella ([email protected])
Carlos del ojo ([email protected])

Changelog 2.1.4:

  • Added json printer (thanks to Federico)
  • Raw printer
  • Corrected folder spellings (thanks to l0stkn0wledge)
  • Allow wfuzz to run from any path
  • Using env python
  • IPnet payload
  • Fixed bug counting the number of FUZZ words when using the baseline

Wfuzz 2.1.3 - The Web Fuzzer

06 Mar 00:38
Compare
Choose a tag to compare

Version 1.4d to 2.1.3 coded by:

Xavier Mendez ([email protected])

Version up to 1.4c coded by:

Christian Martorella ([email protected])
Carlos del ojo ([email protected])

Changelog 2.1.3:

  • Removed unused import (thanks daimondd33)
  • Fixed FUZZ words count when using authentication

Wfuzz 2.1.2 - The Web Fuzzer

14 Feb 20:21
Compare
Choose a tag to compare

Version 1.4d to 2.1.2 coded by:

Xavier Mendez ([email protected])

Version up to 1.4c coded by:

Christian Martorella ([email protected])
Carlos del ojo ([email protected])

Changelog 2.1.2:

  • New headers and cookiers are build by the cumulative use of the -H and -b option (thanks to epinna)

Wfuzz 2.1.1 - The Web Fuzzer

20 Jan 22:44
Compare
Choose a tag to compare

Version up to 1.4c coded by:

Christian Martorella ([email protected])
Carlos del ojo ([email protected])

Version 1.4d to 2.1.1 coded by:

Xavier Mendez ([email protected])

Changelog 2.1.1:

  • Added setup.py for creating a windows executable using py2exe.
  • Show the fuzz word plus the exception when showing an error using scan mode (-Z).
  • Fixed bug when fuzzing a SSL site through a proxy (thanks to sinnur).

Wfuzz 2.1 (Beta) - The Web Fuzzer

24 Oct 09:46
Compare
Choose a tag to compare
Pre-release

Coded by:

Christian Martorella ([email protected])
Carlos del ojo ([email protected])

Version 2.1 coded by:

Xavier Mendez ([email protected])

Changelog 2.1:

  • Massive code rewriting, reorganisation and bug fixing
  • Selection of encoders by categories
  • Chaining encoders
  • Improved reqresp library performance (pycurl multi)
  • Enhanced exception handling and error management
  • Interactive keyboard (pause, stats).
    This feature has some known issues as wfuzz not responding to the first keystroke, ie. you need to press ctrl+c twice to cancel.
    The need to press a key to leave the app after finishing.
  • Advanced filter expression
  • Filter responses by regex
  • Combine regex and simple filters
  • Show responses filter switches
  • Alias -w for "-z file,xx". Thanks to Daniel García [email protected]
  • Fixed reqresp bug. thanks to [email protected]
  • Extended help/description for plugins (printers, scripts, payloads, iterators)
  • Improved multiple proxy specification (ip:port:type)
  • Scan mode ignoring connection errors.
  • Configuration ini file for common settings
  • Plugin support:
  • Plugin: Directory listing identification
  • Plugin: Response link parser
  • Plugin: Robots parser
  • Plugin: New cookies
  • Plugin: Grep
  • Plugin: SVN Extractor
  • Plugin: wc.db extractor
  • New payloads:
  • Payload: Overflow string
  • Payload: Stdin
  • Payload: Bing API search

Notes:

27 Oct: A Windows executable has been added to this release, created using py2exe. It should be noted that, I don't use Windows and therefore I haven't tested Wfuzz in this environment thoroughly, so you might experience unknown issues.

Wfuzz 2.0 - The Web Fuzzer

22 Oct 22:45
Compare
Choose a tag to compare
Coded by:

Christian Martorella ([email protected])
Carlos del ojo ([email protected])

Version 2.0 coded by:

Xavier Mendez ([email protected])

Changelog 2.0:
  • Dynamic output printers
  • Dynamic payloads
  • Multiple payload support (FUZZ, FUZ2Z, ... , FUZnZ)
  • Combine payloads using dynamic iterators (zip, chain, product)
  • Added list payload
  • Added encoder_uri_double_hex
  • Added encoder_first_nibble_hex
  • Added encoder_second_nibble_hex
  • Added encoder_none
  • Multiple encodings per payload
  • Fixed to FUZZ completely in the URL without hostname or IP or schema (i.e. FUZZ/FUZ2Z)
  • Fixed to FUZZ mixing all payload's positions (auth, http method, URL, data)
  • Added baseline request functionality
  • Added fuzzdb (Attack and Discovery Pattern Database for Application Fuzz Testing)

Wfuzz 1.4d - The Web Fuzzer

22 Oct 22:36
Compare
Choose a tag to compare
Coded by:

Christian Martorella ([email protected])
Carlos del ojo ([email protected])

Version 1.4d coded by:

Xavier Mendez ([email protected])

Changelog 1.4d

-Using _ in encoders names
-Added HEAD method scanning
-Added magictree support
-Fuzzing in HTTP methods
-Hide responses by regex
-Bash auto completion script (modify and then copy wfuzz_bash_completion into /etc/bash_completion.d)
-Verbose output including server header and redirect location
-Added follow HTTP redirects option (this functionality was already provided by reqresp)
-Fixed HTML output, thanks to Christophe De La Fuente
-Fixed terminal colour, thanks to [email protected]