xmendez / wfuzz

Web application fuzzer
http://wfuzz.io
GNU General Public License v2.0

WFUZZ dropping query string parameters when fuzzing a single parameter on a GET request #348

Open ZackInMA opened 1 year ago

ZackInMA commented 1 year ago

Issue template

WFUZZ drops query string parameters sometimes when multiple parameters are used but only 1 is fuzzed. May depend on the payload (a guess?).

Please describe your local environment: Kali Linux, up to date and latest build as of 2/17/2023

Wfuzz version (output of wfuzz --version): 3.1.0

Python version (output of python --version): 3.11.1

OS: Kali Linux

What is the current behavior?

When using WFUZZ with a query string that contains multiple query string parameters, but when fuzzing only one of those parameters, sometimes (not all requests) WFUZZ will drop the other parameters from the GET request.

What is the expected or desired behavior?

WFUZZ should not be altering the query string outside of the fuzzed parameter

Please provide steps to reproduce, including exact wfuzz command executed and output:

Configure a proxy to observe WFUZZ's behavior and each of the requests (BurpSuite for example). Send the following command:

wfuzz -c -w /usr/share/seclists/Fuzzing/SQLi/Generic-SQLi.txt --sc 200,500 -X GET -H "User-Agent: Googlebot-News" -u 'http://www.site.com/patha/pathb?PreviewKey=FUZZ&Theme=3fc3f82483d14ec485ef92e206116d49&ThemeContextId=00000000-0000-0000-0000-000000000000&ThemeTypeId=0c647246-6735-42f9-875d-c8b991fe739b' -p localhost:8080

Observe the HTTP history in BurpSuite. Observe that some of the requests have the complete query string, for example:

/patha/pathb?PreviewKey=hi%20or%201=1%20--"&Theme=3fc3f82483d14ec485ef92e206116d49&ThemeContextId=00000000-0000-0000-0000-000000000000&ThemeTypeId=0c647246-6735-42f9-875d-c8b991fe739b

...and others do not. Example:

/patha/pathb?PreviewKey=1%20or%20sleep(TIME)

Other relevant information:

Because WFUZZ is dropping the query strings in some instances and not others, the results are not accurate. If there are mandatory values in the query string that are not passed, such as session keys, etc., then the results would not be accurate and the web app would behave entirely differently.

The consequence of this is that the tool would seem to be unusable and untrustworthy in this specific use case.
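A check for the behaviour described above, added here as an example that is not part of the issue or of the wfuzz code base: given the template URL with FUZZ and the request targets observed in the proxy history (the two from the report plus one constructed case with an altered value), it reports every non-fuzzed parameter that went missing or changed. It assumes the targets are copied from the proxy as plain strings.

```python
from urllib.parse import urlsplit, parse_qs

# Template URL from the issue; FUZZ marks the only parameter that should change.
TEMPLATE = ("http://www.site.com/patha/pathb?PreviewKey=FUZZ"
            "&Theme=3fc3f82483d14ec485ef92e206116d49"
            "&ThemeContextId=00000000-0000-0000-0000-000000000000"
            "&ThemeTypeId=0c647246-6735-42f9-875d-c8b991fe739b")

# Constructed sample of request targets as they appear in the proxy's HTTP history:
# the complete and the truncated request quoted in the issue, plus one made-up
# request whose Theme value was changed (hypothetical, to exercise that branch).
OBSERVED = [
    '/patha/pathb?PreviewKey=hi%20or%201=1%20--"&Theme=3fc3f82483d14ec485ef92e206116d49'
    '&ThemeContextId=00000000-0000-0000-0000-000000000000'
    '&ThemeTypeId=0c647246-6735-42f9-875d-c8b991fe739b',
    '/patha/pathb?PreviewKey=1%20or%20sleep(TIME)',
    '/patha/pathb?PreviewKey=test&Theme=deadbeef'
    '&ThemeContextId=00000000-0000-0000-0000-000000000000'
    '&ThemeTypeId=0c647246-6735-42f9-875d-c8b991fe739b',
]


def fixed_params(template):
    """Return {name: [values]} for every parameter whose value does not contain FUZZ."""
    params = parse_qs(urlsplit(template).query, keep_blank_values=True)
    return {k: v for k, v in params.items() if not any("FUZZ" in x for x in v)}


def check_request(template, target):
    """List the problems in one observed request: changed path, missing or altered fixed parameters."""
    expected = fixed_params(template)
    parts = urlsplit(target)
    # parse_qs splits each pair on the first '=', so '1=1' inside a value is kept intact.
    seen = parse_qs(parts.query, keep_blank_values=True)
    problems = []
    if parts.path != urlsplit(template).path:
        problems.append(f"path changed: {parts.path}")
    for name, values in expected.items():
        if name not in seen:
            problems.append(f"missing {name}")
        elif seen[name] != values:
            problems.append(f"altered {name}: {', '.join(seen[name])}")
    return problems


def audit(template, targets):
    """Map each observed target to its list of problems (empty list means the request was intact)."""
    return {t: check_request(template, t) for t in targets}


if __name__ == "__main__":
    for target, problems in audit(TEMPLATE, OBSERVED).items():
        print("OK " if not problems else "BAD", target, problems)
```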