Wfuzz is an alternative tool to Gobuster and Dirbuster that looks for hidden content on a server, such as directories and data. Unlike Gobuster and Dirbuster, Wfuzz cannot save the result into .txt format.
For Linux and Unix users, installation uses a command like the one below:
git clone https://github.com/xmendez/wfuzz.git
Once the installation is complete, the user can run the tool on the machine. Don’t worry if you are not familiar with the tool's command-line usage.
One of the requirements for wfuzz to run is pycurl.
The screenshot shown above is an example of the Wfuzz documentation that appears when you run the command "wfuzz" after the installation is complete.
An example of a wfuzz command looks like this:
wfuzz -w /usr/share/dirb/common.txt <website url/FUZZ>
The example above is normally used to search for directories on the server. This command takes a long time to complete.
wfuzz -w /usr/share/dirb/common.txt <website url/FUZZ.php>
The example above is normally used to search for certain files on the server. It takes the same amount of time to complete as the first command.
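From the server's side, the wordlist scans above show up in the access log as one client requesting many distinct paths, most of them answered with 404. The following Python example is added here and is not part of the original post or of Wfuzz; the log lines (including the user-agent strings) are constructed, and the function name and thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /admin HTTP/1.1" 404 153 "-" "Wfuzz/3.1.0"
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /backup HTTP/1.1" 404 153 "-" "Wfuzz/3.1.0"
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /cgi-bin HTTP/1.1" 404 153 "-" "Wfuzz/3.1.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /config HTTP/1.1" 404 153 "-" "Wfuzz/3.1.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /images HTTP/1.1" 200 512 "-" "Wfuzz/3.1.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /install HTTP/1.1" 404 153 "-" "Wfuzz/3.1.0"
198.51.100.20 - - [10/Oct/2023:13:55:03 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:55:04 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:55:04 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def find_scanners(log_text, min_paths=5, min_miss_ratio=0.8):
    """Return {ip: stats} for clients whose requests look like wordlist enumeration."""
    paths, agents = defaultdict(set), defaultdict(set)
    misses, total = defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in combined log format
        ip = m["ip"]
        total[ip] += 1
        paths[ip].add(m["path"])
        agents[ip].add(m["ua"])  # informational only: a client can set any user agent
        if m["status"] == "404":
            misses[ip] += 1
    flagged = {}
    for ip, count in total.items():
        ratio = misses[ip] / count
        # Many distinct paths AND mostly 404s: a browser user rarely produces both.
        if len(paths[ip]) >= min_paths and ratio >= min_miss_ratio:
            flagged[ip] = {"requests": count, "distinct_paths": len(paths[ip]),
                           "miss_ratio": round(ratio, 2),
                           "user_agents": sorted(agents[ip])}
    return flagged

if __name__ == "__main__":
    for ip, stats in find_scanners(SAMPLE_LOG).items():
        print(ip, stats)
```
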
wfuzz --hc 302 -z file,/usr/share/dirb/common.txt -d "uname=FUZZ&pass=FUZZ" <website url/file.php>
The example above is normally used for fuzzing the username and password. The parameter names ‘uname’ and ‘pass’ are not fixed; they differ depending on the server response.
To find the username and password parameters, the user can look them up using Burp Suite's response function.