Web-Fuzzer

General info

simple Web Fuzzer

1. crawling : colect all internal url ( Crawler.py )
2. use selenium and BeautifulSoup to detect form & input params for fuzzing
3. inject payload
4. Check responses to detect vulnerabilities

---

Requirements

• python3
• use virtual environments & install requirements packages (gist)
• Chrome web driver : Download it from the address below and put it in the Wuzzer folder

  Chrome:    https://sites.google.com/a/chromium.org/chromedriver/downloads
  

---

Usage

for test on DVWA :

cd Wuzzer
python Wuzzer.py --test --XSSi --SQLi --BSQLi --CMDi --BCMDi 

for more options :

python Wuzzer.py -h

---

Test on DVWA Docker

• Run image

  docker run --rm -it -p 80:80 vulnerables/web-dvwa

• Database Setup

  http://127.0.0.1/setup.php

• Login with default credentials
  • Username: admin
  • Password: password

---

Task-Lists

• Xss Injecyion attack
• SQL Injecyion attack
• Blind SQL Injecyion attack
• Cmd Injecyion attack
• Blind Cmd Injecyion attack
• complete Document
• threading support
• use proxy

---

Related Link

Vulnerable Web Applications

• OWASP Vulnerable Web Applications Directory (github) (owasp)
• Web vulnerability collection (github)

Payloads

• Cheatsheet_XSS_Vectors.txt (Cheatsheet-God github)
• xss_alert.txt (PayloadsAllTheThings github)
• SQL.txt (wfuzz github)
• BlindSqli.txt (sql-injection-payload-list github)
• xss-payload-list.txt (xss-payload-list github)

XSS

• Cross-site scripting (XSS) cheat sheet (portswigger)
• XSS Injection (PayloadsAllTheThings github)
• Cross-Site Scripting (XSS) (Resources-for-Beginner-Bug-Bounty-Hunters github)

Related work

• Most advanced XSS scanner (XSStrike)
• Automatic SQL injection and database takeover tool (sqlmap)
• Web fuzzers review (pentestbook)

security game

• XSS Game By Google (xss-game)
• xssgame
• alert(1) to win (alf.nu)
• prompt(1) to win (prompt.ml)
• prompt("sibears") to win (xss school)
• xssgame by pwnfunction