Wfuzz

- Removed unused import (thanks daimondd33)
- Fixed FUZZ words count when using authentication

- New headers and cookiers are build by the cumulative use of the -H and -b option (thanks to epinna)

- Added setup.py for creating a windows executable using py2exe.
- Show the fuzz word plus the exception when showing an error using scan mode (-Z).
- Fixed bug when fuzzing a SSL site through a proxy (thanks to sinnur).

- Massive code rewriting, reorganisation and bug fixing
- Selection of encoders by categories
- Chaining encoders
- Improved reqresp library performance (pycurl multi)
- Enhanced exception handling and error management
- Interactive keyboard (pause, stats).
This feature has some known issues as wfuzz not responding to the first keystroke, ie. you need to press ctrl+c twice to cancel.
The need to press a key to leave the app after finishing.
- Advanced filter expression
- Filter responses by regex
- Combine regex and simple filters
- Show responses filter switches
- Alias -w for "-z file,xx". Thanks to Daniel García daniestotengoqueprobarlo.es
- Fixed reqresp bug. thanks to nicolas.gereonengco.fr
- Extended help/description for plugins (printers, scripts, payloads, iterators)
- Improved multiple proxy specification (ip:port:type)
- Scan mode ignoring connection errors.
- Configuration ini file for common settings
- Plugin support:
- Plugin: Directory listing identification
- Plugin: Response link parser
- Plugin: Robots parser
- Plugin: New cookies
- Plugin: Grep
- Plugin: SVN Extractor
- Plugin: wc.db extractor
- New payloads:
- Payload: Overflow string
- Payload: Stdin
- Payload: Bing API search

Notes:

27 Oct: A Windows executable has been added to this release, created using py2exe. It should be noted that, I don't use Windows and therefore I haven't tested Wfuzz in this environment thoroughly, so you might experience unknown issues.

Coded by:

Christian Martorella (cmartorellaedge-security.com)
Carlos del ojo (deepbitgmail.com)

- Dynamic output printers
- Dynamic payloads
- Multiple payload support (FUZZ, FUZ2Z, ... , FUZnZ)
- Combine payloads using dynamic iterators (zip, chain, product)
- Added list payload
- Added encoder_uri_double_hex
- Added encoder_first_nibble_hex
- Added encoder_second_nibble_hex
- Added encoder_none
- Multiple encodings per payload
- Fixed to FUZZ completely in the URL without hostname or IP or schema (i.e. FUZZ/FUZ2Z)
- Fixed to FUZZ mixing all payload's positions (auth, http method, URL, data)
- Added baseline request functionality
- Added fuzzdb (Attack and Discovery Pattern Database for Application Fuzz Testing)


v1.4d
Coded by:

Christian Martorella (cmartorellaedge-security.com)
Carlos del ojo (deepbitgmail.com)

Version 1.4d coded by:

Xavier Mendez (xmendezedge-security.com)

Changelog 1.4d

-Using _ in encoders names
-Added HEAD method scanning
-Added magictree support
-Fuzzing in HTTP methods
-Hide responses by regex
-Bash auto completion script (modify and then copy wfuzz_bash_completion into /etc/bash_completion.d)
-Verbose output including server header and redirect location
-Added follow HTTP redirects option (this functionality was already provided by reqresp)
-Fixed HTML output, thanks to Christophe De La Fuente
-Fixed terminal colour, thanks to opensourcetill.name