VAF: Very Advanced (Web) Fuzzer

In VAF there will also be a vaf_linux_amd64 binary for linux users already compiled by me, but that’s not going to be always updated

  • Clone and cd into the repo
  • Install nim

Linux: Install

nim using: curl https://nim-lang.org/choosenim/init.sh -sSf | sh and adding nim to path

Windows: Download

nim from https://nim-lang.org/install_windows.html and run finish.exe (you might need to reopen a cmd window for nim to load)

  • Run

nimble build

A vaf binary file will be created in your directory ready to be used

Using VAF

Using vaf is simple, here’s the current help text:

Usage:
vaf – very advanced fuzzer [options]

Options:
-h, –help
-u, –url=URL choose url, replace area to fuzz with []
-w, –wordlist=WORDLIST choose the wordlist to use
-sc, –status=STATUS set on which status to print, set this param to ‘any’ to print on any status (default: 200)
-pr, –prefix=PREFIX prefix, e.g. set this to / for content discovery if your url doesnt have a / at the end (default: )
-sf, –suffix=SUFFIX suffix, e.g. use this for extensions if you are doing content discovery (default: )
-pd, –postdata=POSTDATA only used if ‘-m post’ is set (default: {})
-m, –method=METHOD suffix, e.g. use this for extensions if you are doing content discovery (default: get)
-pif, –printifreflexive print only if the output reflected in the page, useful for finding xss
-ue, –urlencode url encode the payloads
-pu, –printurl prints the url that has been requested

Screenshots

  • (with every status code printed, suffixes .php,.html and no prefixes)
  • (with url printed, every status code printed, suffixes .php,.html and no prefixes)
  • (post data fuzzing)

Examples

  • Fuzz post data:

vaf.exe -w example_wordlists\short.txt -u https://jsonplaceholder.typicode.com/posts -m post -sc 201 -pd “{\”title\”: \”[]\”}”

  • Fuzz GET URLs

vaf.exe -w example_wordlists\short.txt -u https://example.org/[] -sf .html

Tips

  • Add a trailing , in the suffixes or prefixes argument to try the word without any suffix/prefix like this: -pf .php, or -sf .php,
  • Use -pif with a bunch of xss payloads as the wordlist to find XSS
  • Make an issue if you want to suggest a feature
Download
R K

Share
Published by
R K
Tags: Vaf
4 years ago

Recent Posts

Starship : Revolutionizing Terminal Experiences Across Shells

Starship is a powerful, minimal, and highly customizable cross-shell prompt designed to enhance the terminal…

7 hours ago

Lemmy : A Decentralized Link Aggregator And Forum For The Fediverse

Lemmy is an innovative, open-source platform designed for link aggregation and discussion, providing a decentralized…

7 hours ago

Massive UX Improvements, Custom Disassemblers, And MSVC Support In ImHex v1.37.0

The latest release of ImHex v1.37.0 introduces a host of exciting features and improvements, enhancing…

8 hours ago

Ghauri : A Powerful SQL Injection Detection And Exploitation Tool

Ghauri is a cutting-edge, cross-platform tool designed to automate the detection and exploitation of SQL…

11 hours ago

Writing Tools : Revolutionizing The Art Of Writing

Writing tools have become indispensable for individuals looking to enhance their writing efficiency, accuracy, and…

11 hours ago

PatchWerk : A Tool For Cleaning NTDLL Syscall Stubs

PatchWerk is a proof-of-concept (PoC) tool designed to clean NTDLL syscall stubs by patching syscall…

1 day ago