Fuzzing

Fuzz everywhere - directories, files, parameters, payloads

ko-fi

Web Enumeration
LogoURL Fuzzer - ML-powered scanner for web recon & fuzz testingPentest-Tools.com

Try /usr/share/wordlists/seclists/Discovery/Web-Content/quickhits.txt first

Need to fuzz with user agent becaus they block ffuf UA ffuf -u https://test/.com/FUZZ -w wordlist .txt -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

When running content discovery scans, try to also change your request method (for example, from GET to POST or PUT)! Some API endpoints or app routes are only programmed to return a valid response when a specific HTTP method is sent in the request!

Wordlists

LogoAssetnote Wordlistswordlists.assetnote.io
https://raw.githubusercontent.com/six2dez/OneListForAll/refs/heads/main/onelistforallshort.txtraw.githubusercontent.com

Ffuf

LogoFFUF Mastery: The Ultimate Web Fuzzing GuideMedium

Burp - Copy as FFUF Command

LogoCopy as FFUF Commandportswigger.net

  • Modify the request - place the "FUZZ" keyword in the request

  • Right-click and choose the "Copy as FFUF Command" from Context Menu

  • The command is copied to your clipboard to be used in other tools

Directory Fuzzing

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ

Page Fuzzing

Extension Fuzzing

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://SERVER_IP:PORT/blog/indexFUZZ

Pages

If a path with .git/ = 403, then /.git/config might be 200!

ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.php

Fuzz for specific exetensions

For example, php files

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://10.10.235.70/dev/ -x php -k

Recursive Fuzzing

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v

Sub-domain Fuzzing

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://FUZZ.academy.htb/

Virtual Host

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb'
 # -fs : Filter by size
 
 ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs 900

Parameter Fuzzing

GET

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://admin.academy.htb:50855/admin/admin.php?FUZZ=key' -fs xxx

POST

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx
curl http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded'

<div class='center'><p>Invalid id!</p></div>
<...SNIP...>

Value Fuzzing

for i in $(seq 1 1000); do echo $i >> ids.txt; done
ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx

Black Box Fuzzer

LogoGitHub - Brum3ns/firefly: Black box fuzzer for web applicationsGitHub
firefly -u 'http://target.com/?query=FUZZ' --timeout 7000

XSS, LFI, SQLi URL Fuzzing

LogoGitHub - freelancermijan/urlfuzzer: URL FuzzerGitHub

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

ko-fi

buymeacoffee

PreviousWeb EnumerationNextBypass 403 / 401

Last updated