wtfuzz's Introduction

wtfuzz - What The Fuzz

Wtfuzz is a pip-installable tool used for checking the existence of different types of web resources, including webpages, files, API endpoints and more.

Installation

Requires Python 3.5+

pip install wtfuzz

Usage

wtfuzz http://your-url-here.com myList.txt

404 : http://your-url-here.com/.bash_history
404 : http://your-url-here.com/.bashrc
404 : http://your-url-here.com/.cache
404 : http://your-url-here.com/.config
404 : http://your-url-here.com/.cvs
200 : http://your-url-here.com/.git/HEAD
200 : http://your-url-here.com/index.php
200 : http://your-url-here.com/wp-admin.php

With query parameters

contents of query_params.csv:
a,b,c
1,2,3
4,5,6

wtfuzz http://your-url-here.com?a&b&c myList.txt -q query_params.csv

404 : http://your-url-here.com/.bash_history?a=1b=2c=3
404 : http://your-url-here.com/.bashrc?a=1b=2c=3
404 : http://your-url-here.com/.cache?a=1b=2c=3
404 : http://your-url-here.com/.config?a=1b=2c=3
404 : http://your-url-here.com/.cvs?a=1b=2c=3
200 : http://your-url-here.com/.git/HEAD?a=1b=2c=3
200 : http://your-url-here.com/index.php?a=1b=2c=3
200 : http://your-url-here.com/wp-admin.php?a=1b=2c=3
...
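
The expansion shown above, as an added example that is not wtfuzz's own code: each CSV row supplies values for the parameter names listed in the root URL, and every list entry is combined with every row. The function name `expand_urls` and the sample inputs are assumptions; the pairs are joined with `&` by `urllib.parse.urlencode`, which the sample output above does not show.

```python
import csv
import io
from urllib.parse import quote, urlencode, urlsplit, urlunsplit

# Constructed sample inputs mirroring query_params.csv and a short list file.
SAMPLE_CSV = "a,b,c\n1,2,3\n4,5,6\n"
SAMPLE_WORDS = [".git/HEAD", "index.php"]


def expand_urls(root_url, words, csv_text):
    """Return one URL per (CSV row, word) pair, rows in the outer loop.

    root_url names the parameters to fill, e.g. http://host?a&b&c.
    A name with no matching CSV column is an error rather than a
    silently dropped parameter.
    """
    parts = urlsplit(root_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("root_url must start with http:// or https://")
    names = [n for n in parts.query.split("&") if n]
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    missing = [n for n in names if n not in header]
    if missing:
        raise ValueError("CSV has no column for: " + ", ".join(missing))
    base = parts.path.rstrip("/")
    urls = []
    for row in reader:
        # urlencode percent-encodes values and joins the pairs with "&".
        query = urlencode([(n, row[n]) for n in names])
        for word in words:
            path = base + "/" + quote(word.lstrip("/"), safe="/")
            urls.append(urlunsplit((parts.scheme, parts.netloc, path, query, "")))
    return urls


if __name__ == "__main__":
    for url in expand_urls("http://your-url-here.com?a&b&c", SAMPLE_WORDS, SAMPLE_CSV):
        print(url)
```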

Options

usage: wtfuzz [-h] [-w wait_time] [-n num_requests] [-t num_threads]
              [-o output_file] [--only http_status]
              root_url list_file

A CLI tool for finding web resources

positional arguments:
  root_url            the url you want to start the search from
  list_file           an optional list of resources to check

optional arguments:
  -h, --help          show this help message and exit
  -w wait_time        an optional time to wait between the number of requests
                      given by the -n flag. Note: this is per thread.
  -n num_requests     an optional number of requests to make before waiting
                      for the time specified by the -w flag. Note: this is per
                      thread.
  -t num_threads      an optional number of threads to use to send requests.
  -o output_file      an optional file to log output to.
  -m http_method      http method to use for requests
  -c http_status color  customize what color a given http status code will
                        display as. Note: this parameter can be specified
                        multiple times. Available Colors:
                        [red,green,yellow,blue,black,magenta,cyan,white]
  -b http_body        http body to use for requests
  --only http_status  only show requests that return http_status

Contributing

Anyone is welcome to contribute, just head over to the issues page and find an issue you'd like to work on. Check out the discussion and if it seems cool for you to begin working on something, fork the repository, make your changes, and then make a pull request back into this master branch. When making your changes, make sure to add yourself to the AUTHORS file.

Setup

  1. Fork the repository
  2. Clone your fork: git clone https://github.com/<your-user>/wtfuzz
  3. Go to the project directory: cd wtfuzz
  4. Install the required packages: pip3 install -r requirements.txt
  5. Run the code: python3 wtfuzz/wtfuzz.py http://your-url-here.com myList.txt

wtfuzz's People

Contributors

dbradf, prabodh1194, shepherdjay

wtfuzz's Issues

Auto-detect whether we need to prepend protocol

At the moment, wtfuzz requires the inclusion of http:// or https:// before a url so that requests doesn't error. This should be detected and added/prompted so that we don't crash.

Either:

wtfuzz myurlhere.com words.txt
Did you mean [1] http or [2] https? 
>> 1

or

wtfuzz myurlhere.com words.txt
Prepending protocol: http://myurlhere.com
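
One way to implement the second behaviour proposed above (prepend and report), as an added example that is not wtfuzz's code. The function name `normalize_root_url` and the `http` default are assumptions.

```python
import re
from urllib.parse import urlsplit

# Matches an explicit "scheme://" prefix. Testing for "://" instead of
# trusting urlsplit() matters: for "myurlhere.com:8080" urlsplit() finds
# no host, and depending on the Python version it may report
# "myurlhere.com" as the scheme.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://")


def normalize_root_url(raw, default_scheme="http"):
    """Return (url, prepended); prepended is True when a scheme was added."""
    raw = raw.strip()
    match = _SCHEME_RE.match(raw)
    if match:
        scheme = match.group(1).lower()
        if scheme not in ("http", "https"):
            raise ValueError("unsupported scheme: " + scheme)
        url, prepended = raw, False
    else:
        url, prepended = default_scheme + "://" + raw.lstrip("/"), True
    # Reject input that still has no host, e.g. an empty string.
    if not urlsplit(url).hostname:
        raise ValueError("no host in url: " + repr(raw))
    return url, prepended


if __name__ == "__main__":
    for raw in ("myurlhere.com", "myurlhere.com:8080/admin", "https://myurlhere.com"):
        url, prepended = normalize_root_url(raw)
        print(("Prepending protocol: " if prepended else "Using: ") + url)
```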

Flag for mapping codes to colours

Feature: -c pairs where pairs is zero or more of the following [http_statuscode, color] and colour is one of red|green|yellow|blue|black|magenta|cyan|white as used by crayons

A user might want to customize the status codes they see most often.

Add flag for http method

Feature: -m http_method where http_method=GET|POST|PUT|PATCH
Relates to #4

A user would use this flag to force the requests to be a different http method other than GET

Add flag for request body

Feature: -b http_body where http_body is the body of the requests being sent.
Relates to #3

If -m POST|PATCH|PUT is set, then we need some way of specifying the http body.

Query parameter fuzzing

At the moment, we only fuzz immediately after the url; we need some way to fuzz other things. Something like wtfuzz http://my-url-here.com/somedata?i=$1&q=$2 where $1 and $2 indicate we should fuzz those locations in the url.
