Best Free Fuzz Testing Tools

Awesome Fuzzing is a list of fuzzing resources including books, courses, both free and paid, videos, tools, tutorials, and vulnerable applications to practice in order to learn fuzzing and initial phases of exploit development like root cause analysis. Courses/training videos on fuzzing, videos talking about fuzzing techniques, tools, and best practices. Conference talks and tutorials, blogs, tools that help in fuzzing applications, and fuzzers that help in fuzzing applications that use network-based protocols like HTTP, SSH, SMTP, etc. Search and pick the exploits, that have respective apps available for download, and reproduce the exploit by using the fuzzer of your choice. Set of tests for fuzzing engines. Includes different well-known bugs. A corpus, including various file formats for fuzzing multiple targets in the fuzzing literature.

Ffuf is a fast web fuzzer written in Go. You can also practice your Ffuf scans against a live host with different lessons and use cases either locally by using the Docker container or against the live-hosted version. Provides virtual host discovery (without DNS records). In order to tell Ffuf about different inputs to test out, a wordlist is needed. You can supply one or more wordlists on the command line, and in case you wish (or are using multiple wordlists) you can choose a custom keyword for them. You can supply Ffuf with multiple wordlists (remember to configure a custom keyword for them though). The first word of the first wordlist is tested against all the words from the second wordlist before moving along to test the second word in the first wordlist against all the words in the second wordlist. In short, all of the different combinations are tried out. There are quite a few different ways to customize the request.

Wfuzz provides a framework to automate web application security assessments and could help you secure your web applications by finding and exploiting web application vulnerabilities. You can also run Wfuzz from the official Docker image. Wfuzz is based on the simple concept that it replaces any reference to the fuzz keyword with the value of a given payload. A payload in Wfuzz is a source of data. This simple concept allows any input to be injected in any field of an HTTP request, allowing it to perform complex web security attacks in different web application components such as parameters, authentication, forms, directories/files, headers, etc. Wfuzz’s web application vulnerability scanner is supported by plugins. Wfuzz is a completely modular framework and makes it easy for even the newest Python developers to contribute. Building plugins is simple and takes little more than a few minutes.

Wapiti is a web application vulnerability scanner. Wapiti allows you to audit the security of your websites or web applications. It performs "black-box" scans (it does not study the source code) of the web application by crawling the webpages of the deployed web app, looking for scripts and forms where it can inject data. Once it gets the list of URLs, forms, and their inputs, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable. Search for potentially dangerous files on the server. Wapiti supports both GET and POST HTTP methods for attacks. It also supports multipart forms and can inject payloads in filenames (upload). Warnings are raised when an anomaly is found (for example 500 errors and timeouts). Wapiti is able to make the difference between permanent and reflected XSS vulnerabilities. Generates vulnerability reports in various formats (HTML, XML, JSON, TXT, CSV).