Skip to content

Latest commit

 

History

History
87 lines (73 loc) · 3.5 KB

README.md

File metadata and controls

87 lines (73 loc) · 3.5 KB

Web-Fuzzer

General info

simple Web Fuzzer

  1. crawling : colect all internal url ( Crawler.py )
  2. use selenium and BeautifulSoup to detect form & input params for fuzzing
  3. inject payload
  4. Check responses to detect vulnerabilities

Requirements

  • python3
  • use virtual environments & install requirements packages (gist)
  • Chrome web driver : Download it from the address below and put it in the Wuzzer folder
    Chrome:    https://sites.google.com/a/chromium.org/chromedriver/downloads
    

Usage

for test on DVWA :

cd Wuzzer
python Wuzzer.py --test --XSSi --SQLi --BSQLi --CMDi --BCMDi 

for more options :

python Wuzzer.py -h

Test on DVWA Docker

  • Run image
    docker run --rm -it -p 80:80 vulnerables/web-dvwa
  • Database Setup

    http://127.0.0.1/setup.php

  • Login with default credentials
    • Username: admin
    • Password: password

Task-Lists

  • Xss Injecyion attack
  • SQL Injecyion attack
  • Blind SQL Injecyion attack
  • Cmd Injecyion attack
  • Blind Cmd Injecyion attack
  • complete Document
  • threading support
  • use proxy

Related Link

Vulnerable Web Applications

  • OWASP Vulnerable Web Applications Directory (github) (owasp)
  • Web vulnerability collection (github)

Payloads

XSS

Related work

  • Most advanced XSS scanner (XSStrike)
  • Automatic SQL injection and database takeover tool (sqlmap)
  • Web fuzzers review (pentestbook)

security game