{"id":24702357,"url":"https://github.com/mheidari98/web-fuzzer","last_synced_at":"2025-07-31T08:37:24.784Z","repository":{"id":40955587,"uuid":"381476183","full_name":"mheidari98/Web-Fuzzer","owner":"mheidari98","description":"simple Web Fuzzer for detect XSSi, SQLi, Blind SQLi, OSi and Blind OSi","archived":false,"fork":false,"pushed_at":"2022-12-09T05:26:22.000Z","size":156,"stargazers_count":4,"open_issues_count":3,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-27T05:41:31.981Z","etag":null,"topics":["fuzzing","penetration-testing","python","sql-injection","vulnerability-scanner","xss"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mheidari98.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-06-29T19:30:47.000Z","updated_at":"2024-10-18T19:06:38.000Z","dependencies_parsed_at":"2023-01-25T18:01:49.042Z","dependency_job_id":null,"html_url":"https://github.com/mheidari98/Web-Fuzzer","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mheidari98%2FWeb-Fuzzer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mheidari98%2FWeb-Fuzzer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mheidari98%2FWeb-Fuzzer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mheidari98%2FWeb-Fuzzer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mheidari98","download_url":"https://codeload.github.com/mheidari98/Web-Fuzzer/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244904882,"owners_count":20529502,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["fuzzing","penetration-testing","python","sql-injection","vulnerability-scanner","xss"],"created_at":"2025-01-27T05:40:28.659Z","updated_at":"2025-03-22T04:24:02.723Z","avatar_url":"https://github.com/mheidari98.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Web-Fuzzer\n\n## General info\n\u003e simple Web Fuzzer\n  1. **crawling** : colect all internal url ( [Crawler.py](https://github.com/mheidari98/Web-Fuzzer/blob/main/Wuzzer/Crawler.py) )\n  2. use **selenium** and **BeautifulSoup** to detect form \u0026 input params for fuzzing\n  3. inject payload\n  4. Check responses to detect vulnerabilities\n---\n\n## Requirements\n- python3\n- use virtual environments \u0026 install requirements packages ([gist](https://gist.github.com/mheidari98/8ae29b88bd98f8f59828b0ec112811e7)) \n- Chrome web driver : Download it from the address below and put it in the **Wuzzer** folder\n  ```\n  Chrome:    https://sites.google.com/a/chromium.org/chromedriver/downloads\n  ```\n\n ---\n\n## Usage\n  for test on DVWA :\n  ```bash\n  cd Wuzzer\n  python Wuzzer.py --test --XSSi --SQLi --BSQLi --CMDi --BCMDi \n  ```\n  for more options :\n  ```bash\n  python Wuzzer.py -h\n  ```\n\n---\n\n## Test on [DVWA Docker](https://hub.docker.com/r/vulnerables/web-dvwa/)  \n  + Run image\n    ```bash\n    docker run --rm -it -p 80:80 vulnerables/web-dvwa\n    ```\n  + Database Setup\n    \u003e http://127.0.0.1/setup.php\n  + Login with default credentials\n    - Username: **admin**\n    - Password: **password**\n\n---\n\n## Task-Lists\n- [x] Xss Injecyion attack\n- [x] SQL Injecyion attack\n- [x] Blind SQL Injecyion attack\n- [x] Cmd Injecyion attack\n- [x] Blind Cmd Injecyion attack\n- [ ] complete Document\n- [ ] threading support\n- [ ] use proxy\n\n---\n\n## Related Link \n### Vulnerable Web Applications\n* OWASP Vulnerable Web Applications Directory ([github](https://github.com/OWASP/OWASP-VWAD)) ([owasp](https://owasp.org/www-project-vulnerable-web-applications-directory/))\n* Web vulnerability collection ([github](https://github.com/lotusirous/vulnwebcollection)) \n\n### Payloads\n* Cheatsheet_XSS_Vectors.txt ([Cheatsheet-God github](https://github.com/OlivierLaflamme/Cheatsheet-God/blob/master/Cheatsheet_XSS_Vectors.txt))\n* xss_alert.txt ([PayloadsAllTheThings github](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/Intruders/xss_alert.txt))\n* SQL.txt ([wfuzz github](https://github.com/xmendez/wfuzz/blob/master/wordlist/Injections/SQL.txt))\n* BlindSqli.txt ([sql-injection-payload-list github](https://github.com/payloadbox/sql-injection-payload-list/blob/master/Intruder/detect/Generic_TimeBased.txt))\n* xss-payload-list.txt ([xss-payload-list github](https://github.com/payloadbox/xss-payload-list/blob/master/Intruder/xss-payload-list.txt))\n\n### XSS\n* Cross-site scripting (XSS) cheat sheet ([portswigger](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet))\n* XSS Injection ([PayloadsAllTheThings github](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection))\n* Cross-Site Scripting (XSS) ([Resources-for-Beginner-Bug-Bounty-Hunters github](https://github.com/nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters/blob/master/assets/vulns.md#cross-site-scripting-xss))\n\n### Related work\n* Most advanced XSS scanner ([XSStrike](https://github.com/s0md3v/XSStrike)) \n* Automatic SQL injection and database takeover tool ([sqlmap](https://github.com/sqlmapproject/sqlmap)) \n* Web fuzzers review ([pentestbook](https://pentestbook.six2dez.com/others/web-fuzzers-comparision))\n\n### security game\n* XSS Game By Google ([xss-game](https://xss-game.appspot.com))\n* [xssgame](https://www.xssgame.com/)\n* alert(1) to win ([alf.nu](https://alf.nu/alert1))\n* prompt(1) to win ([prompt.ml](http://prompt.ml/0))\n* prompt(\"sibears\") to win ([xss school](http://xss.school.sibears.ru/easy/0))\n* [xssgame by pwnfunction](https://xss.pwnfunction.com/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmheidari98%2Fweb-fuzzer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmheidari98%2Fweb-fuzzer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmheidari98%2Fweb-fuzzer/lists"}