How to use Wfuzz to Fuzz Web Applications

Scott Cosentino
4 min read · Mar 15, 2020

Interested in learning more about bug bounties and ethical hacking? Check out my course at: https://www.udemy.com/course/the-complete-guide-to-bug-bounty-hunting/

What is WFuzz?

WFuzz is a command line utility included in Kali Linux. It is used to discover common vulnerabilities in web applications through fuzzing. Fuzzing, in this context, means submitting many known malicious inputs to a web application and checking whether any of them compromise it. It is a great tool for quickly checking common vulnerabilities against an application. It is also valuable for re-testing previously reported vulnerabilities to ensure that regressions don’t occur in an application.

There are several different types of vulnerabilities WFuzz is typically used to test. These vulnerabilities include:

1. Discovery of important web pages that don’t provide proper access control (think admin panels or configuration files)

2. Injection based vulnerabilities, such as directory traversals, SQL injections, XSS injections, and XXE injections

3. Brute forcing common credentials

4. Known open source vulnerabilities, such as Apache and SharePoint based attacks

How do you use WFuzz?

WFuzz can be found in the Web Application Analysis section of the Kali Linux menu.

To use WFuzz, you need to provide the following arguments:

1. A payload to test against the target application

2. The parameter to inject the payload into

3. The target application URL

In addition to this, we often need to provide a cookie to wfuzz for it to properly reach the vulnerable component. This is done by adding the -b <cookie> argument. This is required if you need to authenticate to get to the section of the application you wish to attack.

To understand how wfuzz can be used, suppose that we have a login page that runs a SQL query to check whether the user provided a valid username and password. When we submit the login form, the form will POST the username and password as parameters. If the username and password are valid, the user is sent to a welcome page. In all other cases, they will get an error saying invalid username or password.

With login forms like this, we often want to check for the possibility of SQL injection. This is a task that wfuzz is perfect for. To start, we need to determine how the data is sent to the backend when the user submits the form. To do this, we can use a tool like Burp Suite to intercept the request sent when the submit button is pressed. Doing this will show us how the POST data is formatted.

From this intercept, we can see that data is passed to the server in the format “username=input&password=input”. We can tell wfuzz to send data in this format, and it will send POST requests to the login page for us. To do this, we can use the command:

wfuzz -c -z file,/usr/share/wordlists/wfuzz/Injections/SQL.txt -d "username=admin&password=FUZZ" -u <TARGET_URL>

To break down this command, we can take a look at what each argument provides to wfuzz. To start, the flag -c colors the terminal output, which just makes the results easier to read. The flag -z specifies the payload to use to fuzz the webpage. The argument provided is a file, which is located at /usr/share/wordlists/wfuzz/Injections/SQL.txt. Kali Linux keeps all the wordlists for each program in /usr/share/wordlists. Inside of the wfuzz folder, you will find all the common wordlists that wfuzz is set up to use. In this case, I’ve used the SQL injection wordlist to try common SQL injections. You can just as easily add to these lists or create your own if you have specific test cases you want to apply.

After this, we use the -d flag to specify what data to POST to the server. As we discussed, the format is “username=INPUT&password=INPUT”. In this case, I set the username to admin, and set the password to FUZZ. Wfuzz is set up to replace the keyword FUZZ with each entry in the provided payload file, so in this example, we are injecting SQL injection strings into the password parameter. Finally, we supply the target URL, and run the tool. Once this is done, we will get an output similar to what is shown below.

This shows you the response code for each payload that was sent, which in turn tells you whether that login attempt succeeded. A 200 response means the request completed normally, which suggests that no error or redirect occurred; for our login form, that is a failed attempt. The attempts that show response code 302 mean that a redirect occurred. With our login form, a redirect means that we were successfully authenticated, so those rows show that SQL injection was successful for the provided inputs.
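To make the two steps above concrete (FUZZ substitution on the -d template, then reading 200 versus 302), here is an added example that is not code from the article or from the wfuzz project. It models the login page offline with two SQLite-backed handlers: one that builds the query by string formatting, and the same handler fixed with a parameterised query. The wordlist entries, the user record, the 'constructed-secret' password, and the choice to report a malformed query as a 500 status are all assumptions made for this example.

```python
"""Offline model of the login fuzz described above (added example, not from
the article or wfuzz).  fuzz() does what `wfuzz -z file,<list> -d <template>`
does: one request per wordlist entry with FUZZ replaced.  The handlers return
the status codes the article keys on: 302 = redirect to the welcome page,
200 = login page shown again with an error.  500 for a broken query is an
assumption of this model, not something the article states."""
import sqlite3
from urllib.parse import parse_qs, quote

# Constructed sample of the kind of entries found in a SQL injection wordlist.
SAMPLE_WORDLIST = [
    "password",      # ordinary guess: should fail against both handlers
    "' OR '1'='1",   # tautology: makes the WHERE clause always true
    "admin'--",      # comments out the rest of the query; still needs a matching password
    "'",             # unbalanced quote: malformed SQL, surfaces as a server error
]

# The article's -d template, with FUZZ marking the injection point.
TEMPLATE = "username=admin&password=FUZZ"


def make_db():
    """One user in an in-memory SQLite database (constructed credentials)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO users (username, password) VALUES ('admin', 'constructed-secret')")
    return db


def _form_fields(body):
    """Parse the POST body exactly as a form-handling backend would."""
    form = parse_qs(body)
    return form.get("username", [""])[0], form.get("password", [""])[0]


def login_vulnerable(db, body):
    """Login handler that builds SQL by string formatting: the flaw wfuzz finds."""
    username, password = _form_fields(body)
    query = (f"SELECT id FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    try:
        row = db.execute(query).fetchone()
    except sqlite3.Error:
        return 500          # malformed query: modelled as an internal server error
    return 302 if row else 200


def login_fixed(db, body):
    """Same handler with a parameterised query: payloads are treated as plain data."""
    username, password = _form_fields(body)
    row = db.execute("SELECT id FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return 302 if row else 200


def fuzz(template, wordlist, handler, db):
    """Send one request per wordlist entry with FUZZ replaced by the payload.
    The payload is URL-encoded so the form body stays well formed; wfuzz leaves
    that choice to the user.  Returns (status_code, payload) pairs in order."""
    results = []
    for payload in wordlist:
        body = template.replace("FUZZ", quote(payload, safe=""))
        results.append((handler(db, body), payload))
    return results


def interesting(results):
    """The rows a tester reads first: anything that is not the 200 'login failed' page."""
    return [(code, payload) for code, payload in results if code != 200]


def run_demo():
    """Fuzz both handlers with the same wordlist; returns (vulnerable, fixed) results."""
    db = make_db()
    return (fuzz(TEMPLATE, SAMPLE_WORDLIST, login_vulnerable, db),
            fuzz(TEMPLATE, SAMPLE_WORDLIST, login_fixed, db))


if __name__ == "__main__":
    vulnerable, fixed = run_demo()
    for label, results in (("vulnerable handler", vulnerable), ("fixed handler", fixed)):
        print(f"== {label} ==")
        for code, payload in results:
            print(f"{code}  {payload!r}")
```

Run against the vulnerable handler, the tautology payload comes back as 302 (the redirect the article treats as a successful login) and the lone quote as 500, while the parameterised handler answers 200 to every entry. That difference is the regression check the article mentions: the same wordlist run after the fix should produce no non-200 rows. In wfuzz itself the equivalent triage is done with its result filters, for example hiding the 200 responses with --hc 200 so only the interesting rows remain.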

This demonstrates a simple example of how wfuzz can be used to fuzz web applications. By using different wordlists and POST requests, you can easily catch and fix vulnerabilities before they are found by malicious users.
