Fuzzing an HTTP request URL using Wfuzz (GET parameter + value)

Wfuzz has built-in functionality to fuzz multiple payload locations by adding the FUZZ, FUZ2Z, FUZ3Z... keywords. Let's say we want to fuzz both the GET parameter name and its value on the web application server. As we cannot use the same wordlist in both fuzz vectors, we will use the FUZZ and FUZ2Z keywords to perform fuzzing. Let's execute the following command in Wfuzz:

wfuzz -c -z list,<parameter_wordlist> -z list,<value_wordlist> http://<target>:<port>/?FUZZ=FUZ2Z

As we can see in the preceding command, we have fed Wfuzz two wordlists, parameter_wordlist and value_wordlist, using the -z option (yes, we can use the -z, -H, and -b options repeatedly), and the [parameter]=[value] pair is written in the /?FUZZ=FUZ2Z format. Upon executing this command, the fuzzer will take the first entry in parameter_wordlist, substitute it for the FUZZ keyword, and then loop through all the value_wordlist entries via FUZ2Z. It then moves on to the next parameter entry, and in this way the fuzzer works through both wordlists. Let's now see how we can achieve the same thing using Intruder.
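
What the two-keyword run described above looks like from the server side, as an added example that is not part of the original text: a small detector that flags a client whose single-parameter GET requests pair every parameter name with the same set of values. The log format, thresholds, function name and log lines are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict
from itertools import product
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in an assumed combined-log-style format.
# 203.0.113.7 requests every name in NAMES with every value in VALUES,
# which is the request pattern /?FUZZ=FUZ2Z produces; 198.51.100.4 is ordinary traffic.
NAMES, VALUES = ("id", "user", "debug"), ("1", "admin", "true")
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Jan/2024:10:00:{i:02d} +0000] "GET /?{n}={v} HTTP/1.1" 200 512'
    for i, (n, v) in enumerate(product(NAMES, VALUES))
] + [
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /?page=2 HTTP/1.1" 200 900',
    '198.51.100.4 - - [01/Jan/2024:10:01:05 +0000] "GET /?page=3&sort=asc HTTP/1.1" 200 900',
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+"')

def grid_clients(lines, min_names=3, min_values=3):
    """Return {client_ip: (n_names, n_values)} for clients whose requests
    form a full parameter-name x value grid."""
    seen = defaultdict(lambda: defaultdict(set))  # ip -> name -> {values}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a GET line in the assumed format
        ip, target = m.groups()
        pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
        if len(pairs) != 1:  # the template carries exactly one name=value pair
            continue
        name, value = pairs[0]
        seen[ip][name].add(value)
    flagged = {}
    for ip, by_name in seen.items():
        value_sets = {frozenset(v) for v in by_name.values()}
        # One shared value set across many names means the same list was cycled per name.
        if len(by_name) >= min_names and len(value_sets) == 1:
            values = next(iter(value_sets))
            if len(values) >= min_values:
                flagged[ip] = (len(by_name), len(values))
    return flagged

if __name__ == "__main__":
    for ip, (n, v) in grid_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} parameter names x {v} values = {n * v} requests")
```

A run that is interrupted partway leaves unequal value sets per name, so this exact-match check would miss it; a production rule would tolerate partial grids.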