Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/vulnpire/wayfuzz
Generate concise and targeted wordlists from Wayback Machine URLs
https://github.com/vulnpire/wayfuzz
fuzzing waybackurls wordlist-generation
Last synced: 1 day ago
JSON representation
Generate concise and targeted wordlists from Wayback Machine URLs
- Host: GitHub
- URL: https://github.com/vulnpire/wayfuzz
- Owner: Vulnpire
- Created: 2024-08-15T16:20:34.000Z (5 months ago)
- Default Branch: main
- Last Pushed: 2024-08-15T18:35:40.000Z (5 months ago)
- Last Synced: 2024-08-16T18:34:18.538Z (5 months ago)
- Topics: fuzzing, waybackurls, wordlist-generation
- Language: Go
- Homepage:
- Size: 13.7 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# wayfuzz
is a fast and efficient tool for creating wordlists from historical URLs fetched via the Wayback Machine. You can use it with tools like ffuf for web fuzzing and other security testing tasks.
## Features
Concurrency: Make multiple requests simultaneously for faster processing.
URL Filtering: Exclude specific URL patterns using regex.
Path Separation: Optionally split URL paths into distinct components.
Status Code: specify a comma-separated list of status codes (e.g., -mc 200,403).
## Installation
`go install -v github.com/Vulnpire/wayfuzz@latest`
## Or build from the source
Clone the repo
`git clone https://github.com/Vulnpire/wayfuzz`
And build
`go build -o wayfuzz wayfuzz.go`
This will create an executable named `wayfuzz`.
## Usage
You can use wayfuzz by piping in a list of domains via `stdin`:
`cat domains.txt | wayfuzz [options]`
## Options
-c : Set the number of concurrent requests (default: 10).
-x : Exclude URLs matching the regex pattern (e.g., .jpg|.png).
-sed: Split the URL paths by / and output each component separately.
-mc : Filter URLs by status codes (comma-separated list, e.g., 200,403).
## Example Commands
### Basic Usage
Exclude URLs that end in .jpg or .png:
`cat domains.txt | wayfuzz -c 50`
Exclude Specific URL Patterns:
`cat domains.txt | wayfuzz -c 50 -x ".jpg|.png"`
Separate URL Paths by `/`
`cat domains.txt | wayfuzz -c 50 -sed`
Filter by Status Codes
`cat domains.txt | wayfuzz -c 50 -mc 200,403`
## Using with `ffuf`
`ffuf` is a web fuzzing tool that can be combined with `wayfuzz` for discovering hidden files, directories, and parameters on a web server.
`cat domains.txt | wayfuzz -c 50 | ffuf -u https://target.com/FUZZ -w -`
If you want to fuzz URL parameters, you can generate a wordlist of all unique URL components:
`cat domains.txt | wayfuzz -c 50 -sed | ffuf -u https://target.com/path?FUZZ=value -w -`
## IP fuzzing
Creating the wordlist:
`echo "hackerone.com" | wayfuzz -c 300 -mc 200 -sed -x ".jpg|.png|.jpeg|..." | anew wordlist.txt`
Getting the IP addresses from Shodan:
`echo "hackerone.com" | `[sXtract](http://github.com:443/Vulnpire/sXtract)` | anew ips.txt`
Fuzzing the IPs:
`cat ips.txt | xargs -I@ sh -c 'ffuf -w ./wordlist.txt -u @/FUZZ -mc 200 -c -recursion -recursion-depth 5 -ac -t 300'` Or just use Axiom to fuzz quickly.