Using “wfuzz”

author: Nathan Acks
date: 2022-01-25

wfuzz is a URL fuzzer: essentially the command-line version of the Burp Suite Intruder, but much faster (which is what one would generally expect from a command-line tool).

The word “FUZZ” in the URL is replaced, one request at a time, by each element of the wordlist specified by -z. Multiple slots can be specified using “FUZ2Z”, “FUZ3Z”, etc.

wfuzz -z file,rockyou.txt \
         https://example.com/FUZZ/img/secret.webp

Use wfuzz --help for a full list of options. The --hc 404 option is particularly useful, since it hides pages that return a 404.
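
On the server side, a run like the one above appears in the access log as one client requesting many paths that differ in a single segment, most of them answered with a 404. The following Python script is an added example, not part of the original note: it groups requests per client by path template and flags such groups. The log lines, thresholds, and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data (not real traffic): one client walks a wordlist
# through the first path segment, another browses normally.
WORDS = ["alpha", "bravo", "charlie", "delta", "echo", "foxtrot"]
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [25/Jan/2022:10:00:0{i} +0000] '
     f'"GET /{w}/img/secret.webp HTTP/1.1" {200 if w == "delta" else 404} 153'
     for i, w in enumerate(WORDS)]
    + ['198.51.100.4 - - [25/Jan/2022:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120',
       '198.51.100.4 - - [25/Jan/2022:10:00:03 +0000] "GET /img/logo.png HTTP/1.1" 200 2048',
       '198.51.100.4 - - [25/Jan/2022:10:00:09 +0000] "GET /about HTTP/1.1" 404 153'])

# client address, request path, and status code from a common-log-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')

def slot_templates(path):
    """Yield (template, value) with each path segment in turn treated as the slot."""
    segs = path.split("?")[0].strip("/").split("/")
    for i, seg in enumerate(segs):
        yield "/" + "/".join(segs[:i] + ["FUZZ"] + segs[i + 1:]), seg

def detect(log_text, min_values=5, min_404_ratio=0.8):
    """Return (client, template, distinct_values, count_404) for suspicious groups."""
    stats = defaultdict(lambda: {"values": set(), "hits": 0, "n404": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, path, status = m.groups()
        for template, value in slot_templates(path):
            s = stats[(client, template)]
            s["values"].add(value)
            s["hits"] += 1
            s["n404"] += status == "404"
    # Flag groups where one slot took many values and most requests got a 404.
    return sorted(
        (client, template, len(s["values"]), s["n404"])
        for (client, template), s in stats.items()
        if len(s["values"]) >= min_values and s["n404"] / s["hits"] >= min_404_ratio
    )

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The thresholds are starting points; tune min_values and min_404_ratio against normal traffic for the site before alerting on the output.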