
Thursday, May 10, 2007

[TOOL] Wfuzz - The Web Bruteforcer

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com


- - - - - - - - -

Wfuzz - The Web Bruteforcer
------------------------------------------------------------------------


SUMMARY

DETAILS

Wfuzz is a tool designed for bruteforcing web applications. It can be used
to find resources that are not linked (directories, servlets, scripts, etc.),
to bruteforce GET and POST parameters when checking for different kinds of
injection (SQL, XSS, LDAP, etc.), to bruteforce form parameters
(user/password), for fuzzing, and more.

It's very flexible; here are some of its features:
* Recursion (when doing directory bruteforcing)
* POST data bruteforcing
* Output to HTML (easy for just clicking the links and checking the page,
even with POST data)
* Colored output on all systems ;)
* Hide results by return code, word count, line count, etc.
* URL encoding
* Cookies
* Multithreading
* Proxy support
* Bruteforcing of all parameters (POST and GET)
* Dictionaries tailored for known applications (Weblogic, Iplanet,
Tomcat, Domino, Oracle 9i, Vignette, Coldfusion and many more; all
dictionaries are from Darkraver's Dirb, www.open-labs.org)

It was created to make web application assessments easier;
it's a tool by pentesters for pentesters ;)
One of the strengths of wfuzz is its speed, just try it...

How does it work?
The tool is based on dictionaries and ranges. You choose where you want to
bruteforce simply by replacing the relevant part of the URL or of the POST
data with the keyword FUZZ.
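The FUZZ substitution and the hide-by-code/words/lines filters described above, as an added illustration that is not wfuzz's own code: it expands a template over a dictionary, sends each request through a caller-supplied function, and drops results matching the hide filters. The site map and responses are constructed stand-ins (no network), and the names expand, hidden, run and fake_send are mine, not the tool's.

```python
from dataclasses import dataclass

FUZZ = "FUZZ"  # the placeholder that each dictionary entry is substituted into

@dataclass
class Response:
    """Stand-in for an HTTP response; no network is used (constructed)."""
    code: int
    body: str

    @property
    def words(self):
        return len(self.body.split())

    @property
    def lines(self):
        return len(self.body.splitlines())

def expand(url, post, payloads):
    """Yield (payload, url, post) with the payload substituted for every FUZZ."""
    if FUZZ not in url and not (post and FUZZ in post):
        raise ValueError("neither URL nor POST data contains FUZZ")
    for p in payloads:
        yield p, url.replace(FUZZ, p), (post.replace(FUZZ, p) if post else None)

def hidden(resp, hc=(), hw=(), hl=()):
    """Hide filters: drop a result whose status code, word count or line count
    matches a listed value (the same idea as wfuzz's hide options)."""
    return resp.code in hc or resp.words in hw or resp.lines in hl

def run(url, payloads, send, post=None, hc=(), hw=(), hl=()):
    """Expand FUZZ, issue each request via 'send', return the unfiltered results."""
    shown = []
    for payload, u, p in expand(url, post, payloads):
        resp = send(u, p)
        if not hidden(resp, hc, hw, hl):
            shown.append((payload, resp.code, resp.words, resp.lines))
    return shown

# Constructed fake site. Unknown paths get a 200 "Not found" page (a soft 404),
# so hiding by status code alone leaves every payload visible.
_SITE = {
    ("http://example.test/admin/", None): Response(200, "Admin login\nuser password\n"),
    ("http://example.test/backup/", None): Response(403, "Forbidden\n"),
}

def fake_send(url, post=None):
    return _SITE.get((url, post), Response(200, "Not found\n"))
```

With the fake site above, run("http://example.test/FUZZ/", ["admin", "backup", "images", "old"], fake_send, hc=(404,)) shows all four entries because nothing returns 404, while hw=(2,) hides the two-word soft-404 page and leaves only admin and backup; that is why the word- and line-count filters exist alongside the status-code one.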


ADDITIONAL INFORMATION

The information has been provided by Christian Martorella
<mailto:cmartorella@edge-security.com>.
To keep updated with the tool visit the project's homepage at:
<http://www.edge-security.com/wfuzz.php>

