Wuff is a cool brute force tool, currently I integrate python Wuff into ZAPv2 library could do a lot of amazing job.

However, Wfuzz also contains some bugs that we should avoid

  • Couldn’t set Content-Type Header in Wfuzz when we post data

If use postdata to send HTTP Post, don’t change the http content-type. The origin source code in
src/wfuzz/externals/reqresp/Request.py

elif name == "postdata":
    if self.ContentType == "application/x-www-form-urlencoded":
            return self.__variablesPOST.urlEncoded()
    elif self.ContentType == "multipart/form-data":
            return self.__variablesPOST.multipartEncoded()
    else:
            return self.__uknPostData

If we change the ContentType to applicaton/json, then the post data will be corrupted to __uknPostData