# Fuzzing Deep with WFuzz

To perform this attack with Wfuzz, you will need to build out the request. I suggest using the Burp Suite save to file so that you can easily copy and paste to the terminal. Using Repeater, you can right-click on the request that you would like to target and select "copy to file".

<figure><img src="https://825333096-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrbHTUw6JmYWHWgF1IhRj%2Fuploads%2FzXjU4c6Lw5jxJQP0x0wi%2F7ac1c3-40ac-61d-7ea0-3c56a5601df5_injection20.webp?alt=media&#x26;token=bcb8df2a-e650-47b9-8a06-b3eae6dfa3e2" alt=""><figcaption></figcaption></figure>

Next, you can open a second window and use cat on the file that you saved from Burp Suite.

<figure><img src="https://825333096-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrbHTUw6JmYWHWgF1IhRj%2Fuploads%2Fh5ar5owNNbw2F7SthSpd%2F530baff-fcb2-efe2-066a-01642d68c2d5_injection21.webp?alt=media&#x26;token=2120d33d-60b5-4532-adcd-125ad622c60e" alt=""><figcaption></figcaption></figure>

You can start building out the WFuzz attack. For additional information about WFuzz, use: `$wfuzz --help`

Start by specifying the payload that you will use with **-z**. Use **-H** to add necessary headers like "Content-Type:application/json" and the authorization token. Then use **-d** to specify the post body. When you are using quotes in a post body, you will need to use backslashes (\\) for those to show up in the request. Finally, add the URL that you are targeting.

```
$ wfuzz -z file,usr/share/wordlists/nosqli  -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json" -d "{\"coupon_code\":FUZZ} http://crapi.apisec.ai/community/api/v2/coupon/validate-coupon
```

<figure><img src="https://825333096-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrbHTUw6JmYWHWgF1IhRj%2Fuploads%2F6G2uJX1rGwBXnRQNAShG%2Fd5f1c6-8c48-8755-1a3b-f1aee8bd443_injection22.webp?alt=media&#x26;token=1068fb6c-3cd6-476f-bf62-61dc6968929c" alt=""><figcaption></figcaption></figure>

Once you have a successful attack, you can add filtering options to your requests. This will help make the response very clear when there is a successful attack. In the case of this request, we know that we are looking for responses that come back with a 200 status code. Use the show code option **--sc 200** to filter out the results.

<figure><img src="https://825333096-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrbHTUw6JmYWHWgF1IhRj%2Fuploads%2FERaoOfaiwHWuxSAglz6U%2Fdfa0bbb-0d34-addd-d7c-4001e162fd0_injection23.webp?alt=media&#x26;token=a2934489-da03-4e97-adf5-edc5b3b5ff06" alt=""><figcaption></figcaption></figure>

Success! Congratulations on performing an injection attack!

Before you go, check out the following advice if you need to troubleshoot you WFuzz attacks. Since WFuzz attacks can get large and complicated, I recommend getting comfortable with proxying traffic to Burp Suite. Use the -p localhost:8080 option with Burp Suite set to Intercept Requests.

<figure><img src="https://825333096-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrbHTUw6JmYWHWgF1IhRj%2Fuploads%2FdXRya1yDWl6IcxZ6WNgr%2F36a887-6ddf-2c-a507-742417c37c0_injection24.webp?alt=media&#x26;token=b33bb5a7-1c09-42bb-8113-f15904b8f704" alt=""><figcaption></figcaption></figure>

<figure><img src="https://825333096-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrbHTUw6JmYWHWgF1IhRj%2Fuploads%2Fwu58w8obOtkrUoVl0MTA%2Fe817b5-ced6-ab-8e70-63815edfca1_injection25.webp?alt=media&#x26;token=9adc210b-547c-4cdd-bfef-24d057fab076" alt=""><figcaption></figcaption></figure>

With the request in Burp Suite, you can see exactly what is being sent by WFuzz and troubleshoot from there. For example, see what happens if you do not add backslashes to the quotes around coupon\_code.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://davidjosearaujo.gitbook.io/online-courses/api-penetration-testing-course/injection-vulnerabilities/fuzzing-deep-with-wfuzz.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.