Wfuzz Full Tutorial | Updated 2024


In this post, Let’s see about wfuzz. The wfuzz stands for web fuzzing. Fuzzing is a user can send a similar request multiple times to the server with a certain section of the request changed. When that certain section is replaced by a variable from a list or directory, it is called fuzzing.


What is Wfuzz ❓

Wfuzz is an open-source tool for checking the security of web applications and is used to launch brute-force attacks against web applications.

By enabling them to fuzz input parameters of the web application, it is intended to assist penetration testers of web applications in identifying vulnerabilities.

The programme can identify various vulnerabilities, including XSS (cross-site scripting) flaws and file inclusion, command execution, and SQL injection flaws.

Wfuzz Installation

The wfuzz comes pre-installed in Kali Linux and in Parrot So, You no need to worry about the installation process.

Anyways install wfuzz. You can enter the below command.

sudo apt-get update
sudo apt-get install wfuzz

Who Developed Wfuzz

The wfuzz tool was developed by xavi mendez. Though he has created many repos only this wfuzz repo was very useful. Below are some of the important links.

How the Wfuzz works

Wfuzz is based on a simple concept: it replaces any reference to the FUZZ keyword with the value of a given payload.

A payload in Wfuzz is a source of data. This simple concept allows any input to be injected in any field of an HTTP request, allowing it to perform complex web security attacks in different web application components such as parameters, authentication, forms, directories/files, headers, etc.

Wfuzz Features

  • Subdomain Fuzzing
  • Directory Fuzzing
  • Cookie fuzzing
  • Header fuzzing
  • HTTP OPTIONS fuzzing

How to use Wfuzz

If you have any doubts about this tool, comment below or watch the youtube video. Join our discord server and ask doubts and stay in touch with us.


Subdomain Fuzzing

The subdomain fuzzing is pretty easy but to know the vulnerable subdomains used by the client we should use a proper wordlists.

Most of the subdomains will be using common words, So you can go with the rockyou.txt

wfuzz -c -Z -w rockyou.txt
  • -c: colour output
  • -Z: Ignores connection error
  • -w: wordlists
  • FUZZ: It’s parameter for fuzzing

Directory Fuzzing

To do directory fuzzing, We have to add the FUZZ parameter at the end of the domain after a slash.

wfuzz -w rockyou.txt

Status Code

We can also specify the header code to filter the success response and the error response.

wfuzz -w rockyou.txt --sc 400,200,301

Saving the Output

To save the FUZZing output we can use the -f command or go with the old school method using the arrow.

wfuzz -w rockyou.txt --sc 400,200,301 -f /home/rick/him.txt

Double Fuzzing

Precisely like a parameter in a cargo can be overcast utilizing the keyword “FUZZ” multitudinous fuzzing is also practicable by defining keywords.

FUZ2Z – 2nd parameter
FUZ3Z – 3rd parameter
FUZ4Z – 4th parameter

And each parameter can be distributed its own wordlist. The first “- w ” stands for first FUZZ. Alternate “- w ” holds for the alternate FUZ2Z and consequently on.

wfuzz -w rockyou.txt -w rockyou.txt

Login Bruteforce

To do a login bruteforce using wfuzz we need to know the login parameters, Here it’s log and pwd.

-d: Use post data

wfuzz -z file,rockyou.txt -d "log=FUZZ&pwd=FUZZ"


In my opinion wfuzz is a great tool for fuzzing and its very stealthy. If its used with burpsuite we may be amazed with the results.

An alternative for wfuzz is going to be fuff, Hope you like the post. See you in the next post ❤️

Also Read: Sqlmap Full Tutorial

Also Read: Dirb Full Tutorial

Share your love
Ads Blocker Image Powered by Code Help Pro

Ads Blocker Detected!!!

We have detected that you are using extensions or brave browser to block ads. Please support us by disabling these ads blocker.Our website is made possible by displaying Ads hope you whitelist our site. We use very minimal Ads in our site