Releases: xmendez/wfuzz
Wfuzz 2.2.2 -The Web Fuzzer
Version 1.4d to 2.2.2 developed by:
Xavier Mendez (xmendez@edge-security.com)
Version up to 1.4c developed by:
Christian Martorella (cmartorella@edge-security.com)
Carlos del ojo (deepbit@gmail.com)
Changelog 2.2.2:
Bug fixes:
- bug with queues sync
- bug in title plugin
- bug in backups plugin
- bug in full request fuzzing
- headers contain an extra space
- when saving a baseline result
- when setting host header
Other changes:
- Corrected typo in doc
- Additional acceptance tests
- Removed backups plugin from default category
- Removing legacy/old information in messages and help
Wfuzz 2.2 - The Web Fuzzer
Version 1.4d to 2.2 developed by:
Xavier Mendez (xmendez@edge-security.com)
Version up to 1.4c developed by:
Christian Martorella (cmartorella@edge-security.com)
Carlos del ojo (deepbit@gmail.com)
Changelog 2.2.0:
Main enhancements:
- Improved documentation
- Wfuzz scriptable API
- wfpayload and wfencoder utils
- wfuzz.ini for general and plugin options
- Improved filter language (introspection, operators, functions, FUZZ keyword).
- Introspection using FUZZ[field]
- Allow to run wfuzz from any folder
- Wfuzz could be installed using pip
- Dictionaries are automatically looked for at the specified directories
- Test cases
- Ability to store and reuse previous results
New features:
- req-delay and conn-delay switches
- dry-run switch
- X switch allows to specify method (removed -I switch).
- o switch writes printer output to a file
- p switch for proxy specification supports repetition
- L switch is equivalent to --follow
- zP swtich to specify further parameters to payloads
- u switch for specifying an URL
- Simple/advanced help switches
- prefilter/slice for filtering payloads.
- Improved help for payloads and plugins
Other enhancements:
- Code reorganization (using a queue pipeline for processing results).
- Bugs fixing
- Improved error handling
- Personal plugins could be stored in user's home folder.
- Plugins are stored in directories in separated files
- Improved FuzzRequest object for easier access to cookies, params...
- Plugin runtime/loading errors do not block wfuzz execution.
- A request is repeated a number of times if fails.
- Validate CLI options.
- BeautifulSoup integration
- Plugins can perform their own requests outside the execution pipeline.
- Option to encode space in the URL
- FUZZ keyword for ss/hs switches
- Improved scripts and payloads structure for creating new plugins
Plugins:
- Check for errors (WIP)
- json printer
- burplog and burpstate payloads
- wfuzzp payload
- net ipaddress payload
- dirwalk payload
- title plugin
- Backup plugin
- CVS entries plugin
Wfuzz 2.1.5 - The Web Fuzzer
Version 1.4d to 2.1.5 developed by:
Xavier Mendez (xmendez@edge-security.com)
Version up to 1.4c developed by:
Christian Martorella (cmartorella@edge-security.com)
Carlos del ojo (deepbit@gmail.com)
Changelog 2.1.5:
Wfuzz 2.1.4 - The Web Fuzzer
Version 1.4d to 2.1.4 developed by:
Xavier Mendez (xmendez@edge-security.com)
Version up to 1.4c developed by:
Christian Martorella (cmartorella@edge-security.com)
Carlos del ojo (deepbit@gmail.com)
Changelog 2.1.4:
- Added json printer (thanks to Federico)
- Raw printer
- Corrected folder spellings (thanks to l0stkn0wledge)
- Allow wfuzz to run from any path
- Using env python
- IPnet payload
- Fixed bug counting the number of FUZZ words when using the baseline
Wfuzz 2.1.3 - The Web Fuzzer
Version 1.4d to 2.1.3 coded by:
Xavier Mendez (xmendez@edge-security.com)
Version up to 1.4c coded by:
Christian Martorella (cmartorella@edge-security.com)
Carlos del ojo (deepbit@gmail.com)
Changelog 2.1.3:
- Removed unused import (thanks daimondd33)
- Fixed FUZZ words count when using authentication
Wfuzz 2.1.2 - The Web Fuzzer
Version 1.4d to 2.1.2 coded by:
Xavier Mendez (xmendez@edge-security.com)
Version up to 1.4c coded by:
Christian Martorella (cmartorella@edge-security.com)
Carlos del ojo (deepbit@gmail.com)
Changelog 2.1.2:
- New headers and cookiers are build by the cumulative use of the -H and -b option (thanks to epinna)
Wfuzz 2.1.1 - The Web Fuzzer
Version up to 1.4c coded by:
Christian Martorella (cmartorella@edge-security.com)
Carlos del ojo (deepbit@gmail.com)
Version 1.4d to 2.1.1 coded by:
Xavier Mendez (xmendez@edge-security.com)
Changelog 2.1.1:
- Added setup.py for creating a windows executable using py2exe.
- Show the fuzz word plus the exception when showing an error using scan mode (-Z).
- Fixed bug when fuzzing a SSL site through a proxy (thanks to sinnur).
Wfuzz 2.1 (Beta) - The Web Fuzzer
Coded by:
Christian Martorella (cmartorella@edge-security.com)
Carlos del ojo (deepbit@gmail.com)
Version 2.1 coded by:
Xavier Mendez (xmendez@edge-security.com)
Changelog 2.1:
- Massive code rewriting, reorganisation and bug fixing
- Selection of encoders by categories
- Chaining encoders
- Improved reqresp library performance (pycurl multi)
- Enhanced exception handling and error management
- Interactive keyboard (pause, stats).
This feature has some known issues as wfuzz not responding to the first keystroke, ie. you need to press ctrl+c twice to cancel.
The need to press a key to leave the app after finishing. - Advanced filter expression
- Filter responses by regex
- Combine regex and simple filters
- Show responses filter switches
- Alias -w for "-z file,xx". Thanks to Daniel García dani@estotengoqueprobarlo.es
- Fixed reqresp bug. thanks to nicolas.gereone@ngco.fr
- Extended help/description for plugins (printers, scripts, payloads, iterators)
- Improved multiple proxy specification (ip:port:type)
- Scan mode ignoring connection errors.
- Configuration ini file for common settings
- Plugin support:
- Plugin: Directory listing identification
- Plugin: Response link parser
- Plugin: Robots parser
- Plugin: New cookies
- Plugin: Grep
- Plugin: SVN Extractor
- Plugin: wc.db extractor
- New payloads:
- Payload: Overflow string
- Payload: Stdin
- Payload: Bing API search
Notes:
27 Oct: A Windows executable has been added to this release, created using py2exe. It should be noted that, I don't use Windows and therefore I haven't tested Wfuzz in this environment thoroughly, so you might experience unknown issues.
Wfuzz 2.0 - The Web Fuzzer
Coded by:
Christian Martorella (cmartorella@edge-security.com)
Carlos del ojo (deepbit@gmail.com)
Version 2.0 coded by:
Xavier Mendez (xmendez@edge-security.com)
Changelog 2.0:
- Dynamic output printers
- Dynamic payloads
- Multiple payload support (FUZZ, FUZ2Z, ... , FUZnZ)
- Combine payloads using dynamic iterators (zip, chain, product)
- Added list payload
- Added encoder_uri_double_hex
- Added encoder_first_nibble_hex
- Added encoder_second_nibble_hex
- Added encoder_none
- Multiple encodings per payload
- Fixed to FUZZ completely in the URL without hostname or IP or schema (i.e. FUZZ/FUZ2Z)
- Fixed to FUZZ mixing all payload's positions (auth, http method, URL, data)
- Added baseline request functionality
- Added fuzzdb (Attack and Discovery Pattern Database for Application Fuzz Testing)
Wfuzz 1.4d - The Web Fuzzer
Coded by:
Christian Martorella (cmartorella@edge-security.com)
Carlos del ojo (deepbit@gmail.com)
Version 1.4d coded by:
Xavier Mendez (xmendez@edge-security.com)
Changelog 1.4d
-Using _ in encoders names
-Added HEAD method scanning
-Added magictree support
-Fuzzing in HTTP methods
-Hide responses by regex
-Bash auto completion script (modify and then copy wfuzz_bash_completion into /etc/bash_completion.d)
-Verbose output including server header and redirect location
-Added follow HTTP redirects option (this functionality was already provided by reqresp)
-Fixed HTML output, thanks to Christophe De La Fuente
-Fixed terminal colour, thanks to opensource@till.name