********************************************************
* Wfuzz - The Web Bruteforcer                          *
********************************************************

Bit of history
--------------

This project was started by Carlos del Ojo and Christian Martorella back in 2006, and it was in actively development until version 1.4c.
In 2011 after the code being unchanged for various years, Xavier Mendez took over the project and became the maintainer and main 
developer of the tool, releasing versions 1.4d to 2.1. Christian Martorella has remained in the project as a collaborator, actively supporting new
versions with suggestions, beta testing and minor code changes.

What is this?
-------------

Wfuzz is a tool designed to  brutefore web applications, it's very flexible, it supports:
	
	- Recursion (When doing directory discovery)
	- Post data bruteforcing
	- Header bruteforcing
	- Output to HTML (easy for just clicking the links and checking the page, even with postdata!)
	- Colored output 
	- Hide results by return code, word numbers, line numbers, etc.
	- Url encoding
	- Cookies
	- Multithreading
	- Proxy support 
	- All parameter fuzzing
        - etc.

It was created to facilitate the task in web applications assessments, it's a tool by pentesters for pentesters ;)

How does it works?
------------------

The tool is based on dictionaries or ranges, then you choose where you want to bruteforce just by replacing the value by the word FUZZ.

Examples:

	- wfuzz.py -c -z file,wordlist/general/common.txt --hc 404 -o html http://www.mysite.com/FUZZ > results.html

	  This will bruteforce the site http://www.mysyte.com/FUZZ in search of resources 
	  (directories, scripts, files,etc), it will hide from the output the return code 404 
	  (for easy reading results), it will use the dictionary common.txt for the bruteforce
	  , and also will output the results to the results.html file (with a cool format to work).

	- wfuzz.py -c -z range,1-100 --hc 404 http://www.mysite.com/list.asp?id=FUZZ

	  In this example instead of using a file as dictionary, it will use a range from 1-100,
	  and will bruteforce the parameter "id".

	- wfuzz.py -c -z file,wordlist/general/common.txt --hc 404 -d "id=1&catalogue=FUZZ" http://www.mysite.com/check.asp

	  Here you can see the use of POST data, with the option "-d".

	- wfuzz.py -c -z file,wordlist/general/common.txt --hc 404 -R 2 http://www.mysite.com/FUZZ

	  Example of path discovery, using 2 levels deep of recursivity.

	- wfuzz.py -z file,wordlist/general/http_methods.txt -X http://testphp.vulnweb.com/

	  HTTP method scanning example (find supported methods)

	- wfuzz.py -z file,wordlists/http_methods.txt -z file,wordlist/general/common.txt -X http://testphp.vulnweb.com/FUZ2Z/

	  HTTP method scanning example in different paths

	- wfuzz.py -z list,TRACE -z file,urls.txt -X http://FUZZ

	  Scanning for TRACE method using a list payload in different hosts

	- wfuzz.py -c -z file,wordlists/methods.txt --hc 404 -v --follow http://www.mysite.com/FUZZ

	  Bruteforce following HTTP redirects

	- wfuzz.py -c -z file,wordlists/wordlist/general/common.txt-I http://www.mysite.com/FUZZ

	  Bruteforce using HEAD HTTP method 

	- wfuzz.py -z list,http://mysite.com -z list,dir-dir2-dir3  FUZZ/FUZ2Z

	  Bruteforce using URL as payload and a list of directories.

	- Combining/chaining multiples encodings per payload

	    - wfuzz.py -z list,uno,uri_hexadecimal-md5 http://localhost/FUZZ

		00001: C=XXX    0 L            0 W       Error in  - %75%6e%6f
		00002: C=XXX    0 L            0 W       Error in  - 1eaa8bb195869a23f081acbb5bf08527

	    - wfuzz.py -z list,uno,uri_hexadecimal@md5 http://localhost/FUZZ

		00001: C=XXX    0 L            0 W       Error in 33%66%30%38%31%61%63%62%62%35%62%66%30%38%35%32%37
	    
	- Encoders can be selected by category

	    $ python wfuzz.py -e encoders | grep url
	    url           | utf8_binary       | Replaces ALL characters in string using the \uxx escape                           
	    url           | first_nibble_hex  | Replaces ALL characters in string using the %%dd? escape                          
	    ...
	    url           | utf8              | Replaces ALL characters in string using the \u00xx escape                         
	    url           | uri_triple_hex    | Encodes ALL charachers using the %25%xx%xx escape.                                
	    url           | uri_hex           | Encodes ALL charachers using the %xx escape.   

    
	    $ python wfuzz.py -c -z list,..,url --sc 200 http://www.webscantest.com/FUZZ/jmx-console/

	    00000:  C=200     30 L       120 W         1382 Ch        "\x2e\x2e"
	    00006:  C=200     30 L       120 W         1382 Ch        "%252e%252e"
	    00007:  C=200     30 L       120 W         1382 Ch        "%25%32%65%25%32%65"
	    00010:  C=200     30 L       120 W         1382 Ch        "\u002e\u002e"

	- wfuzz.py -z list,dir1-dir2 -z file,wordlist/general/common.txt -z list,jsp-php-asp -z range,1-40  http://localhost/FUZZ/FUZ2Z.FUZ3Z?id=FUZ4Z

	  Fuzzing using 4 payloads

	- wfuzz.py -w ~/wordslist/plataformas/apache.txt -A --hh=BBB --hc 404 http://www.webscantest.com/FUZZ{notthere}
	  
	  Several filters flags could be used.

	- wfuzz.py -z -c -z range,1-10 --hh=BBB http://mysite.com/FUZZ{directory not there}

	  Baseline support, Bruteforcing and hiding the response codes that are equal to http://mysite.com/directory%20not%20there

	- crunch 2 2 | python wfuzz.py -z stdin, http://localhost/FUZZ

	  Reading wordlist from stdin.

	- Combining payloads using iterators:

            zip

                - wfuzz.py -z list,a-b-c -z list,1-2-3 -m zip http://mysite.com/FUZZ/FUZ2Z

                00001:  C=404      9 L        32 W          276 Ch        "a - 1"
                00002:  C=404      9 L        32 W          276 Ch        "c - 3"
                00003:  C=404      9 L        32 W          276 Ch        "b - 2"

            chain

                - wfuzz.py -z list,a-b-c -z list,1-2-3 -m chain http://mysite.com/FUZZ/FUZ2Z

                00001:  C=404      9 L        32 W          280 Ch        "b"
                00002:  C=404      9 L        32 W          280 Ch        "a"
                00003:  C=404      9 L        32 W          280 Ch        "c"
                00004:  C=404      9 L        32 W          280 Ch        "1"
                00006:  C=404      9 L        32 W          280 Ch        "3"
                00005:  C=404      9 L        32 W          280 Ch        "2"


            product

                - wfuzz.py -z list,a-b-c -z list,1-2-3 http://mysite.com/FUZZ/FUZ2Z

                00001:  C=404      9 L        32 W          276 Ch        "a - 2"
                00002:  C=404      9 L        32 W          276 Ch        "a - 1"
                00005:  C=404      9 L        32 W          276 Ch        "b - 2"
                00004:  C=404      9 L        32 W          276 Ch        "a - 3"
                00008:  C=404      9 L        32 W          276 Ch        "c - 2"
                00003:  C=404      9 L        32 W          276 Ch        "b - 1"
                00007:  C=404      9 L        32 W          276 Ch        "c - 1"
                00006:  C=404      9 L        32 W          276 Ch        "b - 3"
                00009:  C=404      9 L        32 W          276 Ch        "c - 3"


	- Script scanning

            - wfuzz.py -z list,robots.txt --script=robots http://www.webscantest.com/FUZZ

            00000:  C=200      6 L        10 W          101 Ch        "robots.txt"
            |_ Plugin robots enqueued 4 more requests (rlevel=1)
            00001:  C=200     32 L       116 W         1424 Ch        "/osrun/"
            00002:  C=200     47 L       131 W         1745 Ch        "/cal_endar/"
            00003:  C=200     32 L       122 W         1507 Ch        "/crawlsnags/"
            00004:  C=200     77 L       196 W         3382 Ch        "/static/"

        - Advanced filter

            - wfuzz.py -z list,robots.txt --filter "(c=200 and h!=3382)" --script=robots http://www.webscantest.com/FUZZ

            00000:  C=200      6 L        10 W          101 Ch        "robots.txt"
            |_ Plugin robots enqueued 4 more requests (rlevel=1)
            00001:  C=200     32 L       116 W         1424 Ch        "/osrun/"
            00002:  C=200     47 L       131 W         1745 Ch        "/cal_endar/"
            00003:  C=200     32 L       122 W         1507 Ch        "/crawlsnags/"

	- Scan mode

	    Ignore connection exceptions, ie. scanning through proxies, range sweeping, port scanning

	    $ python wfuzz.py -z range,0-9 -Z http://localhost:800FUZZ/

	    00003:  0.000s   C=XXX      0 L        0 W            0 Ch     "Pycurl error 7: Failed connect to localhost:8009; Connection refused..."
	    ...
	    00006:  0.000s   C=XXX      0 L        0 W            0 Ch     "Pycurl error 7: Failed connect to localhost:8004; Connection refused..."
	    00007:  0.003s   C=200      4 L       25 W          177 Ch     "0"

	- Passing parameters to scripts

	    $ python wfuzz.py -c --script-args grep.regex="<A href=\"(.*?)\">" -z list, --script=grep http://lists.gnupg.org/pipermail/gnupg-users/FUZZ                            

	    00000:  C=200   2207 L      5205 W        77159 Ch        ""
	    |_ Pattern match 2014-March/thread.html
	    ....
	    |_ Pattern match 2014-February/thread.html

Platforms:
----------

wfuzz was tested on Linux, Os X and Windows.
On windows the colored output doesn't work, we are working towards fixing this problem.

Dependencies:
------------

On *nix systems, need pycurl to work.
On Windows just run the wfuzz.exe


Thanks:
-------

Shouts goes to: Trompeti an all the S21sec Team. (www.s21sec.com)
Special thanks to DarkRaver for the tool Dirb, part of wfuzz is based on the functionallity of dirb. (www.open-labs.org) and most of the wordlist are from his tool.
Andres Andreu, all Injection payloads are taken from wsFuzzer (www.neurofuzz.com)

Changelog 2.1:
==============

- Massive code rewriting, reorganisation and bug fixing
- Selection of encoders by categories
- Chaining encoders
- Improved reqresp library performance (pycurl multi)
- Enhanced exception handling and error management
- Interactive keyboard (pause, stats).
  This feature has some known issues as wfuzz "eating" first keystroke, ie. you need to press ctrl+c twice to cancel.
  The need to press a key to leave the app after finishing.
- Advanced filter expression
- Filter responses by regex 
- Combine regex and simple filters
- Show responses filter switches
- Alias -w for "-z file,xx". Thanks to Daniel García <dani@estotengoqueprobarlo.es>
- Fixed reqresp bug. thanks to nicolas.gereone@ngco.fr
- Extended help/description for plugins (printers, scripts, payloads, iterators)
- Improved multiple proxy specification (ip:port:type)
- Scan mode ignoring connection errors.
- Configuration ini file for common settings
- Plugin support:
- Plugin: Directory listing identification
- Plugin: Response link parser
- Plugin: Robots parser
- Plugin: New cookies
- Plugin: Grep
- Plugin: SVN Extractor
- Plugin: wc.db extractor
- New payloads:
- Payload: Overflow string
- Payload: Stdin
- Payload: Bing API search

Changelog 2.0:
==============

- Dynamic output printers
- Dynamic payloads
- Multiple payload support (FUZZ, FUZ2Z, ... , FUZnZ)
- Combine payloads using dynamic iterators (zip, chain, product)
- Multiple encodings per payload
- Added baseline request
- Fixed to FUZZ completely in the URL without hostname or IP or schema (i.e. FUZZ/FUZ2Z)
- Fixed to FUZZ mixing all payload's positions (auth, http method, URL, data)
- Payload: Word list
- Encoder: encoder_uri_double_hex
- Encoder: encoder_first_nibble_hex
- Encoder: encoder_second_nibble_hex
- Encoder: encoder_none

Changelog 1.4d:
==============
-Using _ in encoders names
-Added HEAD method scanning
-Added magictree support
-Fuzzing in HTTP methods
-Hide responses by regex
-Bash auto completion script (modify and then copy wfuzz_bash_completion into /etc/bash_completion.d)
-Verbose output including server header and redirect location
-Added follow HTTP redirects option (this functionality was already provided by reqresp)
-Fixed HTML output, thanks to Christophe De La Fuente
-Fixed terminal colour, thanks to opensource@till.name

Changelog 1.4c:
==============
-Fixed Headers parsing, thanks to Osama
-Fixed encoding naming problems, thanks to Osama
-Added support to Hexa-Random payload (hexa-rand), thanks to Kaerast

Changelog 1.4:
==============
-More encodings:
-Performance improving
-Some bugs fixed

Changelog 1.3:
=========
-Creada funcion select_encoding
-Multiple encoding, it's possible to encode both dictionries with different encodings.
-Hidecode XXX (cuando da muchos errores, pero puede servir)
-Word count fixed
-More encoders (binascii,md5,sha1)
