Wfuzz 3.1.0 - The Web fuzzer

Version 1.4d to 3.1.0 developed by:

Xavi Mendez ([email protected])

Version up to 1.4c developed by:

Christian Martorella ([email protected])
Carlos del ojo ([email protected])

Changelog 3.1.0:

• Added tox and change test in Makefile
• Improved plugin field filter language capabilities, ie. data and severity can be specified
• Plugin's information is shown depending on severity when using -v
• Filter language and fuzzresult's description handle lists of results
• Added some basic queue profiling for debugging
• diff operator
• Refactored discarded results
• Dotdict str
• Removed future library
• Added operator tests

Plugins:

• Refactored headers plugin
• Links plugins looks in link and redirect headers
• Improved links plugin regex based on nahamsec/JSParser
• New field printer to output filter expressions only
• burplog unittest
• raw printer shows plugin data

wfpayload:

• Added --prev and --AA, ---AAA to wfpayload

wfencode:

• -i reads from stdin
• general handle exception in wfencode

Breaking changes:

• Changed -A, --AA, ---AAA plugin's categories
• Changed plugins filter language field.
• Changed links filter parameters and kbase keys.
• Changed headers kbase key and server result.
• When slicing a payload FUZZ refers to the previous result.

Bugs:

• Fixed --prev in wfpayload
• Fixed -c and -v values within printers plugins
• Don't print empty values in wfpayload
• Use lower() in ~ operator
• Remove httpreceiver queue limit
• Fixed --interactive actions
• Stripped CRLF from burplog parsed responses
• Fixed --slice when using FuzzResult payloads
• Only add recursive and routing queues when transport is Http
• Bug in reqresp when parsing nested http responses due to textparser

Wfuzz 3.0.3 - The Web fuzzer

Version 1.4d to 3.0.3 developed by:

Xavi Mendez ([email protected])

Version up to 1.4c developed by:

Christian Martorella ([email protected])
Carlos del ojo ([email protected])

Changelog 3.0.3:

• Added sha256 and sha512 encoders. Thanks @dustinaevans
• Docker image available at github registry (closes #122). Thanks @oscarbc96

Bugs:

• Removed pytest from dev requirements (closes #215)
• Fixed pypi long description formatting. Thanks @oscarbc96

Wfuzz 3.0.2 - The Web fuzzer

Version 1.4d to 3.0.2 developed by:

Xavi Mendez ([email protected])

Version up to 1.4c developed by:

Christian Martorella ([email protected])
Carlos del ojo ([email protected])

Changelog 3.0.2:

• Added dependabot configuration
• Updated requirements
• Updated screenshot plugin. Details at #226. Thanks to @1mm0rt41PC

Bugs:

• Fixed double urlencode name (see #235). thanks to @tititototutu

Wfuzz 3.0.1 - The Web fuzzer

Version 1.4d to 3.0.1 developed by:

Xavi Mendez ([email protected])

Version up to 1.4c developed by:

Christian Martorella ([email protected])
Carlos del ojo ([email protected])

Changelog 3.0.1:

• Store wfuzz configuration according to XDG Base Directory Specification. Thanks to @nemoload
• Changed pyparsing version requirement. Thanks to @blshkv
• Pinned black and flake versions in tox.ini

Wfuzz 3.0.0 - The Web fuzzer

Version 1.4d to 3.0.0 developed by:

Xavi Mendez ([email protected])

Version up to 1.4c developed by:

Christian Martorella ([email protected])
Carlos del ojo ([email protected])

Changelog 3.0.0:

• Following semantic versioning from this release on-wards. See https://semver.org/
• Refactor of options, queues, dictionaries, filters, printers and factories.
• Refactored some tests to pytest.
• Added black formatter to CI.
• Updated documentation.
• Improved filter language performance.
• Added Python 3.8 support to CI (closes #190)
• Stopped python 2 support.

New features

• Various --prefilter command line options are accepted.
• Various --efield or --field command line options are accepted. (Closes #152 )
• Wfpayload uses same motor as wfuzz and therefore provides almost the same options. (closes #154)
• Slice can re-write payloads (closes #140)
• Links plugins accepts a regex parameter to crawl other subdomains
• New npm_deps plugin.
• Added raw_post to filter language.
• Complex and simple filters can be combined.
• Added BBB to language as keyword, not only in conjunction with c,l,w.
• Fields and headers are case insensitive in filter language.

Bugs

• Fixed baseline in headers (Closes #188)
• Fixed output when printing long lines or non-printable characters.
• Fixed pyparsing depency requirements (Closes #206)
• Removed deprecation and import warnings.
• Using package data for filter documentation file (Closes #135)
• Warnings to stdout instead of stderr (closes #163)
• Null fields do not raise an exception in filter language.

Breaking changes

• In wfuzz library:
  • prefilter is a list of filters not a string.
  • dry-run is specified with transport variable not with mode as before.
• When using --recipe, command line options that are a list are appended. Previously, the last one took precedence.
• When writing plugins:
  • iterators must override width and payloads functions
  • payloads must override get_next and get_type functions
• Saved Wfuzz sessions are not compatible with previous versions

Wfuzz 2.4.7 - The Web fuzzer

Version 1.4d to 2.4.7 developed by:

Xavi Mendez ([email protected])

Version up to 1.4c developed by:

Christian Martorella ([email protected])
Carlos del ojo ([email protected])

Changelog 2.4.7:

• Pinned dev dependencies in setup.py to make code linting repeatable

Bugs

• Fixed proxy SOCKS. Thanks to @lprat. See #210

Wfuzz 2.4.6 - The Web fuzzer

Version 1.4d to 2.4.6 developed by:

Xavi Mendez ([email protected])

Version up to 1.4c developed by:

Christian Martorella ([email protected])
Carlos del ojo ([email protected])

Changelog 2.4.6:

• Removed python 2 Travis stalled tests.

Bugs

• New requests are added in the pycurl multi thread after perform (Fixes #180 )
• Added py3.8 test job in travis and setup.py (fixes #190 )

Wfuzz 2.4.5 - The Web fuzzer

Version 1.4d to 2.4.5 developed by:

Xavi Mendez ([email protected])

Version up to 1.4c developed by:

Christian Martorella ([email protected])
Carlos del ojo ([email protected])

Changelog 2.4.5

Bugs

• Temporarily pin pycurl version to <= 7.43.0.3 (thanks to @mitjans). Fixes #180

Wfuzz 2.4.4 - The Web fuzzer

Version 1.4d to 2.4.4 developed by:

Xavi Mendez ([email protected])

Version up to 1.4c developed by:

Christian Martorella ([email protected])
Carlos del ojo ([email protected])

Changelog 2.4.4

Bugs

• Fixed parsing HTML requests and responses when using raw strings

Wfuzz 2.4.2 - The Web fuzzer

Version 1.4d to 2.4.2 developed by:

Xavi Mendez ([email protected])

Version up to 1.4c developed by:

Christian Martorella ([email protected])
Carlos del ojo ([email protected])

Changelog 2.4.2:

New features

• burpitem payload thanks to @PaperTsar

Bugs

• Terminal width (fixes #155). Thanks to @IgorSasovets and @laozhoubuluo
• burplog payloads. Thanks to @PaperTsar