CyberCheatsheets

Wfuzz Cheat Sheet

Python web fuzzer for brute-forcing parameters, directories, and headers with flexible filters.

Scanning & EnumerationfuzzingparameterswebUpdated 2026-06-02

Overview

Wfuzz replaces parts of HTTP requests with payloads from wordlists (directories, parameters, cookies, headers). It supports multiple fuzz points, encoders, and hide/show filters—useful for legacy workflows and complex multi-slot fuzzing.

Authorized testing only. Recursive and high-thread scans can overwhelm applications. Scope targets and cap concurrency.

Install

sudo apt install -y wfuzz
pip install wfuzz
wfuzz --version

Essential commands

Directory discovery

wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt --hc 404 https://target.example.com/FUZZ

Hide by lines/words/chars

wfuzz -c -z file,wordlist.txt --hl 0 --hw 0 https://target.example.com/FUZZ

POST parameter fuzz

wfuzz -c -z file,users.txt -d "user=FUZZ&pass=test" https://target.example.com/login

Common workflows

Multiple fuzz positions —

wfuzz -c -z file,users.txt -z file,passwords.txt -d "user=FUZZ&pass=FUZ2Z"
--hc 401 https://target.example.com/login

Cookie / header fuzz —

wfuzz -c -z file,sessions.txt -b "session=FUZZ" --hc 404 https://target.example.com/admin
wfuzz -c -z file,hosts.txt -H "Host: FUZZ" --filter "r.headers.response~'200'" https://target.example.com/

Proxy and output —

wfuzz -c -z file,wordlist.txt -p 127.0.0.1:8080:HTTP https://target.example.com/FUZZ -f ip.txt,raw

Baseline calibration (hide 404 signature) —

wfuzz -c -z file,wordlist.txt --hh 1234 https://target.example.com/FUZZ

Flags reference

-z

Payload generator (file,path, list,a-b, etc.)

-c

Colorized output

--hc

Hide status code

--sc

Show only status code

--hl / --hw / --hh

Hide lines/words/chars

--sl / --sw / --sh

Show lines/words/chars

-d

POST data

-H

Header

-b

Cookie

-p

Proxy host:port:TYPE

-t

Threads

-f

Output file format

--filter / --hfiler

Advanced filter expressions

Tips

  • Run a baseline request first to tune --hh/--hw on custom 404 pages.
  • Prefer ffuf for speed on large lists; wfuzz shines with complex filters and encoders (-e urlencode).
  • Scripting hooks (--script) can automate checks—verify scripts before running.
  • Python 3 / dependency issues are common; use venv or distro package on Kali.

References

Aide-mémoires similaires