Wuzzer

General info

Simple Web Fuzzer

1. Crawling : Collects All Internal URL ( Crawler.py )
2. Uses Selenium And BeautifulSoup to Detect Form & Input Params For Fuzzing
3. Injects Payloads
4. Checks Responses to Detect Vulnerabilities

---

Requirements

• Python3
• Use Virtual Environments & Install Requirements Packages (gist)
• Chrome Web Driver : Download It From The Address Below And Put It in The Wuzzer Folder

  Chrome:    https://sites.google.com/a/chromium.org/chromedriver/downloads
  

---

Usage

For Test on DVWA :

cd Wuzzer
python Wuzzer.py --test --XSSi --SQLi --BSQLi --CMDi --BCMDi 

For More Options :

python Wuzzer.py -h

---

Test on DVWA Docker

• Run Image

  docker run --rm -it -p 80:80 vulnerables/web-dvwa

• Database Setup

  http://127.0.0.1/setup.php

• Login with Default Credentials
  • Username: admin
  • Password: password

---

Task-Lists

• Xss Injection Attack
• SQL Injection Attack
• Blind SQL Injection Attack
• Command Injection Attack
• Blind Command Injection Attack
• Complete Document
• Threading Support
• Use Proxy

---

Related Link

Vulnerable Web Applications

• OWASP Vulnerable Web Applications Directory (github) (owasp)
• Web Vulnerability Collection (github)

Payloads

• Cheatsheet_XSS_Vectors.txt (Cheatsheet-God github)
• XSS_Alert.txt (PayloadsAllTheThings github)
• SQL.txt (wfuzz github)
• Blind_Sqli.txt (sql-injection-payload-list github)

XSS

• Cross-Site Scripting (XSS) Cheat Sheet (portswigger)
• XSS Injection (PayloadsAllTheThings github)
• Cross-Site Scripting (XSS) (Resources-for-Beginner-Bug-Bounty-Hunters github)

Related Work

• Most Advanced XSS Scanner (XSStrike)
• Automatic SQL Injection and database takeover tool (sqlmap)
• Web Fuzzers Review (pentestbook)

Security Game

• XSS Game By Google (xss-game)
• xssgame
• Alert(1) to Win (alf.nu)
• Prompt(1) to Win (prompt.ml)
• Prompt("sibears") to Win (xss school)