Wfuzz Cheat Sheet
wfuzz is a flexible web application fuzzer used for directory discovery, parameter fuzzing, and input validation testing. The FUZZ keyword marks where each payload is inserted; when more than one payload is given, the second and third are referenced as FUZ2Z and FUZ3Z.
Basic Directory Fuzzing
wfuzz -c -z file,wordlist.txt http://example.com/FUZZ
Filter by Response Code
wfuzz -c --hc 404 -z file,wordlist.txt http://example.com/FUZZ
Filter by Size (hide responses of 4242 characters; --hl and --hw do the same for line and word counts)
wfuzz -c --hh 4242 -z file,wordlist.txt http://example.com/FUZZ
Parameter Fuzzing (GET)
wfuzz -c -z file,params.txt "http://example.com/page.php?param=FUZZ"
Parameter Fuzzing (POST)
wfuzz -c -z file,words.txt -d "username=admin&password=FUZZ" http://example.com/login
Multiple Payloads (each -z needs its own keyword: FUZZ, FUZ2Z, ...; payloads are combined as a Cartesian product unless -m zip is given)
wfuzz -c -z file,users.txt -z file,passwords.txt -d "username=FUZZ&password=FUZ2Z" http://example.com/login
Custom Headers
wfuzz -c -H "Authorization: Bearer TOKEN" -z file,wordlist.txt http://example.com/FUZZ
Rate Limiting (-s is the delay in seconds between requests; combine with -t 1 so a single worker enforces it)
wfuzz -c -s 0.2 -t 1 -z file,wordlist.txt http://example.com/FUZZ
Proxy Support
wfuzz -c -p 127.0.0.1:8080 -z file,wordlist.txt http://example.com/FUZZ
Save Output (-f filename[,printer]; the raw printer is used when none is given, -f results.json,json gives machine-readable output)
wfuzz -c -f results.txt -z file,wordlist.txt http://example.com/FUZZ
Typical Workflow
Fuzz the target with a FUZZ keyword in the path, query string, body or header
Analyze responses (status code, lines, words, chars)
Filter noise with --hc/--hl/--hw/--hh or a baseline
Identify valid inputs and verify them manually
Common Issues
Too many results
- Use response size filters (--hh / --hw / --hl) rather than status code alone; soft-404 pages return 200 with the same body
- Compare against a baseline: append a known-bad value, e.g. http://example.com/FUZZ{notfound}, and hide matches with --hh BBB
Blocked by WAF
- Lower the rate (-t 1 -s 1) and use a proxy (-p) to inspect what is being sent
- Use payload encoders, e.g. -z file,wordlist.txt,urlencode or --zE urlencode
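The same triage can be done offline on a saved results file, which is useful when a run is already finished and re-fuzzing is not an option. The following is an added example, not part of wfuzz or this cheat sheet: it parses lines in the layout of the raw printer (wfuzz -f results.txt), derives the baseline as the most common (code, chars) pair, and hides everything that matches it, which is what --hh BBB does against an explicit baseline request. The sample lines are constructed, and the exact column spacing of the raw printer is assumed, so the regex is whitespace-tolerant.

```python
"""Offline triage of wfuzz raw-printer output (added example, not wfuzz code)."""
import re
from collections import Counter
from typing import List, NamedTuple, Tuple

# Constructed sample in the layout of `wfuzz -f results.txt` (raw printer).
# Note 000000007: a 200 with the same size as the 404s, i.e. a soft-404.
SAMPLE_RESULTS = """\
000000001:   404        7 L       12 W      153 Ch      "backup"
000000002:   404        7 L       12 W      153 Ch      "test"
000000003:   200       42 L      110 W     1877 Ch      "admin"
000000004:   404        7 L       12 W      153 Ch      "old"
000000005:   301        7 L       11 W      169 Ch      "images"
000000006:   404        7 L       12 W      153 Ch      "tmp"
000000007:   200        7 L       12 W      153 Ch      "search"
"""

# Assumed layout: <id>:  <code>  <lines> L  <words> W  <chars> Ch  "<payload>"
LINE_RE = re.compile(
    r'^\s*(?P<id>\d+):\s+(?P<code>\d+)\s+(?P<lines>\d+) L\s+'
    r'(?P<words>\d+) W\s+(?P<chars>\d+) Ch\s+"(?P<payload>.*)"\s*$'
)


class Result(NamedTuple):
    id: int
    code: int
    lines: int
    words: int
    chars: int
    payload: str


def parse_results(text: str) -> List[Result]:
    """Parse result lines; banners, blank lines and anything else are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(Result(int(m["id"]), int(m["code"]), int(m["lines"]),
                              int(m["words"]), int(m["chars"]), m["payload"]))
    return out


def baseline_signature(results: List[Result]) -> Tuple[int, int]:
    """The most frequent (code, chars) pair is the target's 'not found' response."""
    counts = Counter((r.code, r.chars) for r in results)
    return counts.most_common(1)[0][0]


def filter_noise(results: List[Result], hide_codes=(), hide_chars=()) -> List[Result]:
    """--hc / --hh semantics: drop a result if its code or its char count is hidden."""
    return [r for r in results
            if r.code not in hide_codes and r.chars not in hide_chars]


def triage(text: str) -> dict:
    """Hide everything whose size matches the baseline, regardless of status code."""
    results = parse_results(text)
    code, chars = baseline_signature(results)
    hits = filter_noise(results, hide_chars=(chars,))
    return {"baseline": (code, chars), "hits": [r.payload for r in hits]}


if __name__ == "__main__":
    print(triage(SAMPLE_RESULTS))
```

Hiding by baseline size rather than by status code is deliberate: with --hc 404 alone, the soft-404 "search" entry would survive as a false positive, while a 404 whose body differs from the baseline (sometimes the only sign of a path that exists but is access-controlled) would be thrown away.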
Related Tools
- ffuf
- gobuster
- DirBuster
- Burp Suite
Use Cases
- Web parameter discovery
- Input validation testing
- Directory brute forcing
- Bug bounty reconnaissance
Legal Notice
Danger
Use Wfuzz only on applications you own or have explicit permission to test.