wfuzz
Web application fuzzer
GPL-2.0 License
Bot releases are hidden (Show)
Version 1.4d to 3.1.0 developed by:
Xavi Mendez ([email protected])
Version up to 1.4c developed by:
Christian Martorella ([email protected])
Carlos del ojo ([email protected])
Changelog 3.1.0:
- Added tox and change test in Makefile
- Improved plugin field filter language capabilities, ie. data and severity can be specified
- Plugin's information is shown depending on severity when using -v
- Filter language and fuzzresult's description handle lists of results
- Added some basic queue profiling for debugging
- diff operator
- Refactored discarded results
- Dotdict str
- Removed future library
- Added operator tests
Plugins:
- Refactored headers plugin
- Links plugins looks in link and redirect headers
- Improved links plugin regex based on nahamsec/JSParser
- New field printer to output filter expressions only
- burplog unittest
- raw printer shows plugin data
wfpayload:
- Added --prev and --AA, ---AAA to wfpayload
wfencode:
- -i reads from stdin
- general handle exception in wfencode
Breaking changes:
- Changed -A, --AA, ---AAA plugin's categories
- Changed plugins filter language field.
- Changed links filter parameters and kbase keys.
- Changed headers kbase key and server result.
- When slicing a payload FUZZ refers to the previous result.
Bugs:
- Fixed --prev in wfpayload
- Fixed -c and -v values within printers plugins
- Don't print empty values in wfpayload
- Use lower() in ~ operator
- Remove httpreceiver queue limit
- Fixed --interactive actions
- Stripped CRLF from burplog parsed responses
- Fixed --slice when using FuzzResult payloads
- Only add recursive and routing queues when transport is Http
- Bug in reqresp when parsing nested http responses due to textparser
Published by xmendez almost 4 years ago
Version 1.4d to 3.0.3 developed by:
Xavi Mendez ([email protected])
Version up to 1.4c developed by:
Christian Martorella ([email protected])
Carlos del ojo ([email protected])
Changelog 3.0.3:
- Added sha256 and sha512 encoders. Thanks @dustinaevans
- Docker image available at github registry (closes #122). Thanks @oscarbc96
Bugs:
- Removed pytest from dev requirements (closes #215)
- Fixed pypi long description formatting. Thanks @oscarbc96
Published by xmendez almost 4 years ago
Version 1.4d to 3.0.2 developed by:
Xavi Mendez ([email protected])
Version up to 1.4c developed by:
Christian Martorella ([email protected])
Carlos del ojo ([email protected])
Changelog 3.0.2:
- Added dependabot configuration
- Updated requirements
- Updated screenshot plugin. Details at https://github.com/xmendez/wfuzz/pull/226. Thanks to @1mm0rt41PC
Bugs:
- Fixed double urlencode name (see #235). thanks to @tititototutu
Published by xmendez about 4 years ago
Version 1.4d to 3.0.1 developed by:
Xavi Mendez ([email protected])
Version up to 1.4c developed by:
Christian Martorella ([email protected])
Carlos del ojo ([email protected])
Changelog 3.0.1:
- Store wfuzz configuration according to XDG Base Directory Specification. Thanks to @nemoload
- Changed pyparsing version requirement. Thanks to @blshkv
- Pinned black and flake versions in tox.ini
Published by xmendez about 4 years ago
Version 1.4d to 3.0.0 developed by:
Xavi Mendez ([email protected])
Version up to 1.4c developed by:
Christian Martorella ([email protected])
Carlos del ojo ([email protected])
Changelog 3.0.0:
- Following semantic versioning from this release on-wards. See https://semver.org/
- Refactor of options, queues, dictionaries, filters, printers and factories.
- Refactored some tests to pytest.
- Added black formatter to CI.
- Updated documentation.
- Improved filter language performance.
- Added Python 3.8 support to CI (closes #190)
- Stopped python 2 support.
New features
- Various --prefilter command line options are accepted.
- Various --efield or --field command line options are accepted. (Closes #152 )
- Wfpayload uses same motor as wfuzz and therefore provides almost the same options. (closes #154)
- Slice can re-write payloads (closes #140)
- Links plugins accepts a regex parameter to crawl other subdomains
- New npm_deps plugin.
- Added raw_post to filter language.
- Complex and simple filters can be combined.
- Added BBB to language as keyword, not only in conjunction with c,l,w.
- Fields and headers are case insensitive in filter language.
Bugs
- Fixed baseline in headers (Closes #188)
- Fixed output when printing long lines or non-printable characters.
- Fixed pyparsing depency requirements (Closes #206)
- Removed deprecation and import warnings.
- Using package data for filter documentation file (Closes #135)
- Warnings to stdout instead of stderr (closes #163)
- Null fields do not raise an exception in filter language.
Breaking changes
- In wfuzz library:
- prefilter is a list of filters not a string.
- dry-run is specified with transport variable not with mode as before.
- When using --recipe, command line options that are a list are appended. Previously, the last one took precedence.
- When writing plugins:
- iterators must override width and payloads functions
- payloads must override get_next and get_type functions
- Saved Wfuzz sessions are not compatible with previous versions
Published by xmendez about 4 years ago
Version 1.4d to 2.4.7 developed by:
Xavi Mendez ([email protected])
Version up to 1.4c developed by:
Christian Martorella ([email protected])
Carlos del ojo ([email protected])
Changelog 2.4.7:
- Pinned dev dependencies in setup.py to make code linting repeatable
Bugs
- Fixed proxy SOCKS. Thanks to @lprat. See https://github.com/xmendez/wfuzz/pull/210
Published by xmendez over 4 years ago
Version 1.4d to 2.4.6 developed by:
Xavi Mendez ([email protected])
Version up to 1.4c developed by:
Christian Martorella ([email protected])
Carlos del ojo ([email protected])
Changelog 2.4.6:
- Removed python 2 Travis stalled tests.
Bugs
- New requests are added in the pycurl multi thread after perform (Fixes #180 )
- Added py3.8 test job in travis and setup.py (fixes #190 )
Published by xmendez over 4 years ago
Version 1.4d to 2.4.5 developed by:
Xavi Mendez ([email protected])
Version up to 1.4c developed by:
Christian Martorella ([email protected])
Carlos del ojo ([email protected])
Changelog 2.4.5
Bugs
- Temporarily pin pycurl version to <= 7.43.0.3 (thanks to @mitjans). Fixes #180
Published by xmendez almost 5 years ago
Version 1.4d to 2.4.4 developed by:
Xavi Mendez ([email protected])
Version up to 1.4c developed by:
Christian Martorella ([email protected])
Carlos del ojo ([email protected])
Changelog 2.4.4
Bugs
- Fixed parsing HTML requests and responses when using raw strings
Published by xmendez almost 5 years ago
Version 1.4d to 2.4.2 developed by:
Xavi Mendez ([email protected])
Version up to 1.4c developed by:
Christian Martorella ([email protected])
Carlos del ojo ([email protected])
Changelog 2.4.2:
New features
- burpitem payload thanks to @PaperTsar
Bugs
- Terminal width (fixes #155). Thanks to @IgorSasovets and @laozhoubuluo
- burplog payloads. Thanks to @PaperTsar
Published by xmendez almost 5 years ago
Version 1.4d to 2.4.1 developed by:
Xavier Mendez ([email protected])
Version up to 1.4c developed by:
Christian Martorella ([email protected])
Carlos del ojo ([email protected])
Changelog 2.4.1:
New features
- Python 3.7 support
Bugs
- JSON parsing errors (#151, #148 )
Published by xmendez over 5 years ago
Version 1.4d to 2.4 developed by:
Xavier Mendez ([email protected])
Version up to 1.4c developed by:
Christian Martorella ([email protected])
Carlos del ojo ([email protected])
Changelog 2.4:
New features
- JSON post data parsing
- Shodanp payload
- --filter-help: Filter language specification help usage.
- --no-cache: Disable plugins cache. Every request will be scanned by plugins.
- --zP, --zE and --zD: Payloads' parameters, encoders and default parameter arguments.
- --ip: Specify an IP to connect to instead of the URL's host in the format ip:port. (fixes #121 )
- --efield/field: Show the specified language expression together with the current payload.
- --recipe can be chained to combine different recipes.
- Bash auto-completion script (fixes #32 )
New filter operators
- plugins: Returns plugins result as a string.
- :=, =+ and =- assignment operators
- gre('exp'): Returns first regex group that matches in value
Bugs
- Trying various encodings when reading wordlists (fixes #128 #125 )
- Wrap line in output width (fixes #96 #76 #68 #56 #35 )
- Proxy type incorrectly specified HTML instead HTTP
- Incorrect URL parsing when specifying with port but without scheme.
- POST data is not correctly handled for all content types. (fixes #127 )
- Burplog payload Python 2 and 3 compatible
- HTTP Response was parsed two times when using proxy and SSL
- Fixed Python dependencies (thanks to @blshkv )
- Fixed typo in autorize plugin (thanks to @tkisason )
Published by xmendez almost 6 years ago
Version 1.4d to 2.3.4 developed by:
Xavier Mendez ([email protected])
Version up to 1.4c developed by:
Christian Martorella ([email protected])
Carlos del ojo ([email protected])
Changelog 2.3.4:
Changes:
- Documentation: Added pycurl installation details on Windows and MacOS
- Improved Windows support by replacing wconio dependency by colorama
- Changed default setting: Not to cancel on plugin exception
- Added more regexes to errors plugin
- Added --AA and --AAA alias
- Changed plugins' categories
Bugs:
- Exception when using --prev flag
- Exception when using --interact on Windows
Published by xmendez almost 6 years ago
Version 1.4d to 2.3.3 developed by:
Xavier Mendez ([email protected])
Version up to 1.4c developed by:
Christian Martorella ([email protected])
Carlos del ojo ([email protected])
Changelog 2.3.3:
Changes:
- Improve abstraction between FuzzRequest and the underneath HTTP library
- Tests cases for setting FuzzRequest GET/POST parameters
- Tests cases for FuzzRequest cache keys
- FuzzRequest internal Cache differentiates from GET and POST parameters
- Added issue template (thanks to @Prinzhorn)
- Deploy to pypi using Travis CI
Bugs fixed:
- Seting postdata to an empty string (thanks to @Prinzhorn)
- Seting postdata using a dictionary with an integer value
- Addressed documentation pyparsing link (thanks to @Prinzhorn)
- Addressed incorrect documentation XSS example
Published by xmendez almost 6 years ago
Version 1.4d to 2.3.1 developed by:
Xavier Mendez ([email protected])
Version up to 1.4c developed by:
Christian Martorella ([email protected])
Carlos del ojo ([email protected])
Changelog 2.3:
Changes:
- Unpinned libraries in setup.py to make more flexible installing the package. Added requirements file with latest dependencies versions that work.
Bugs fixed:
- Product iterator was opening file before counting words (fixes #101) (thanks @jyn514)
- Trying to detect file encoding before opening (fixes #100) (thanks @jyn514)
- File payload was mistakenly detecting EOF on blank lines
Published by xmendez almost 6 years ago
Version 1.4d to 2.3 developed by:
Xavier Mendez ([email protected])
Version up to 1.4c developed by:
Christian Martorella ([email protected])
Carlos del ojo ([email protected])
Changelog 2.3:
New features:
- Python 2 and 3 compatible
- Pep8 compliant
- Integrated travis CI and code coverage
- Unit and integration tests
- Updated docs
- Deflate encoding
Bugs fixed:
- Ability to send post data using any HTTP verb (thanks @navhaxs and @vingtsyl)
- Encode quote in html_escape encoder
- Fix minimum length in hexrange payload
- Avoid stale thread due to http_pool being created too early
- Changed order of imports in ipnet and iprange payloads
- _build_id using parent class variable in moduleman FileLoader and DirLoader
- Incorrect simple_filter return value in modulefilter
- PUT method hanged request
Published by xmendez over 6 years ago
Version 1.4d to 2.2.11 developed by:
Xavier Mendez ([email protected])
Version up to 1.4c developed by:
Christian Martorella ([email protected])
Carlos del ojo ([email protected])
Changelog 2.2.11:
Bugs fixed:
- Error in setup.py (Thanks to @gaurav8k)
- Warning instead of exiting when pycurl is missing the PATH_AS_IS attribute (Thanks to @javixeneize)
- Bug in httppool (Thanks to @Jumbo-WJB)
Published by xmendez almost 7 years ago
Version 1.4d to 2.2.9 developed by:
Xavier Mendez ([email protected])
Version up to 1.4c developed by:
Christian Martorella ([email protected])
Carlos del ojo ([email protected])
Changelog 2.2.9:
Bugs fixed:
- Avoid pycurl URL normalization when using dots (thanks to @fj7)
- Automatically add / when URL is specified without a path (thanks to @Bladefidz and @javixeneize)
- Filter not working when using output printer (thanks to @phackt)
- Response parse when pycurl returns various headers (thanks to @phackt)
Published by xmendez almost 7 years ago
Version 1.4d to 2.2.8 developed by:
Xavier Mendez ([email protected])
Version up to 1.4c developed by:
Christian Martorella ([email protected])
Carlos del ojo ([email protected])
Changelog 2.2.8:
- Fixed bug when repeating requests
- Fixed zip count (thanks @Bladefidz)
- Fixed --help in wfpayload
- CSV support (thanks @egilas)
- Added mysql error message to errors plugin
- Added raw_content filter language attribute
- --prev flag prints previous requests, useful for comparing results
- Moved source code to src directory and created bash cli executables
Published by xmendez about 7 years ago
Version 1.4d to 2.2.3 developed by:
Xavier Mendez ([email protected])
Version up to 1.4c developed by:
Christian Martorella ([email protected])
Carlos del ojo ([email protected])
Changelog 2.2.3:
New features:
- f switch for storing results in file
- o switch for changing output
- new get_session API method
- Updated JSON printer (thanks to @ilyaglow)
- Added requirements to setup.py
Bug fixes:
- bug in the default output not printing filtered results
