Skip to content
/ wayfuzz Public

Generate concise and targeted wordlists from Wayback Machine URLs

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Vulnpire/wayfuzz

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
README.md
README.md
 
 
go.mod
go.mod
 
 
wayfuzz.go
wayfuzz.go
 
 

Repository files navigation

wayfuzz

is a fast and efficient tool for creating wordlists from historical URLs fetched via the Wayback Machine. You can use it with tools like ffuf for web fuzzing and other security testing tasks.

Features

Concurrency: Make multiple requests simultaneously for faster processing.
URL Filtering: Exclude specific URL patterns using regex.
Path Separation: Optionally split URL paths into distinct components.
Status Code: specify a comma-separated list of status codes (e.g., -mc 200,403).

Installation

go install -v github.com/Vulnpire/wayfuzz@latest

Or build from the source

Clone the repo

git clone https://github.com/Vulnpire/wayfuzz

And build

go build -o wayfuzz wayfuzz.go

This will create an executable named wayfuzz.

Usage

You can use wayfuzz by piping in a list of domains via stdin:

cat domains.txt | wayfuzz [options]

Options

-c <int>: Set the number of concurrent requests (default: 10).
-x <regex>: Exclude URLs matching the regex pattern (e.g., .jpg|.png).
-sed: Split the URL paths by / and output each component separately.
-mc <codes>: Filter URLs by status codes (comma-separated list, e.g., 200,403).

Example Commands

Basic Usage

Exclude URLs that end in .jpg or .png:

cat domains.txt | wayfuzz -c 50

Exclude Specific URL Patterns:

cat domains.txt | wayfuzz -c 50 -x ".jpg|.png"

Separate URL Paths by /

cat domains.txt | wayfuzz -c 50 -sed

Filter by Status Codes

cat domains.txt | wayfuzz -c 50 -mc 200,403

Using with ffuf

ffuf is a web fuzzing tool that can be combined with wayfuzz for discovering hidden files, directories, and parameters on a web server.

cat domains.txt | wayfuzz -c 50 | ffuf -u https://target.com/FUZZ -w -

If you want to fuzz URL parameters, you can generate a wordlist of all unique URL components:

cat domains.txt | wayfuzz -c 50 -sed | ffuf -u https://target.com/path?FUZZ=value -w -

IP fuzzing

Creating the wordlist:

echo "hackerone.com" | wayfuzz -c 300 -mc 200 -sed -x ".jpg|.png|.jpeg|..." | anew wordlist.txt

Getting the IP addresses from Shodan:

echo "hackerone.com" | sXtract | anew ips.txt

Fuzzing the IPs:

cat ips.txt | xargs -I@ sh -c 'ffuf -w ./wordlist.txt -u @/FUZZ -mc 200 -c -recursion -recursion-depth 5 -ac -t 300' Or just use Axiom to fuzz quickly.

About

Generate concise and targeted wordlists from Wayback Machine URLs

Topics

fuzzing wordlist-generation waybackurls

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages