wfuzz
Wfuzz is a tool designed for bruteforcing web applications. It can be used for finding unlinked resources (directories, servlets, scripts, etc.), bruteforcing GET and POST parameters to check for different kinds of injection (SQL, XSS, LDAP, etc.), bruteforcing form parameters (user/password), fuzzing, etc.
It's very flexible. Here are some of its features:
- Multiple injection points (no limits)
- Post, headers and authentication data bruteforcing
- Output to HTML
- Colored output
- Hide results by return code, word numbers, line numbers, etc.
- Encodings: sha1, md5, urlencode, uri_hex, utf8, double_urlencode, binary_ascii, and many more
- Cookies fuzzing
- Multithreading
- Proxy and SOCKS support
- Multiple FUZZ capability with multiple dictionaries
- Authentication support (NTLM, Digest, Basic)
- Time delays between requests
- Verbose output
- Flexible payloads (permutation, range, files, usernames, etc.)
- Recursion (when doing directory bruteforce)
- Payload combinations with iterators
- Baseline request (to filter results against)
- Brute force HTTP methods
- Multiple proxy support (each request through a different proxy)
- HEAD scan (faster for resource discovery)
- Dictionaries tailored for known applications (Weblogic, Iplanet, Tomcat, Domino, Oracle 9i, Vignette, Coldfusion and many more). Many dictionaries are from Darkraver's Dirb, www.open-labs.org.
Listing Details
Edge-Security
Open Source
Never