Fuzzing

Fuzz everywhere - directories, files, parameters, payloads

URL Fuzzer - ML-powered scanner for web recon & fuzz testingPentest-Tools.com

Try /usr/share/wordlists/seclists/Discovery/Web-Content/quickhits.txt first

Need to fuzz with user agent becaus they block ffuf UA ffuf -u https://test/.com/FUZZ -w wordlist .txt -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

When running content discovery scans, try to also change your request method (for example, from GET to POST or PUT)! Some API endpoints or app routes are only programmed to return a valid response when a specific HTTP method is sent in the request!

Wordlists

Assetnote Wordlistswordlists.assetnote.io

https://raw.githubusercontent.com/six2dez/OneListForAll/refs/heads/main/onelistforallshort.txtraw.githubusercontent.com

Ffuf

FFUF Mastery: The Ultimate Web Fuzzing GuideMedium

Burp - Copy as FFUF Command

Copy as FFUF Commandportswigger.net

Modify the request - place the "FUZZ" keyword in the request
Right-click and choose the "Copy as FFUF Command" from Context Menu
The command is copied to your clipboard to be used in other tools

Directory Fuzzing

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ

Page Fuzzing

Extension Fuzzing

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://SERVER_IP:PORT/blog/indexFUZZ

Pages

If a path with .git/ = 403, then /.git/config might be 200!

ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.php

Fuzz for specific exetensions

For example, php files

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://10.10.235.70/dev/ -x php -k

Recursive Fuzzing

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v

Sub-domain Fuzzing

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://FUZZ.academy.htb/

Virtual Host

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb'

 # -fs : Filter by size
 
 ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs 900

Parameter Fuzzing

GET

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://admin.academy.htb:50855/admin/admin.php?FUZZ=key' -fs xxx

POST

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx

curl http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded'

<div class='center'><p>Invalid id!</p></div>
<...SNIP...>

Value Fuzzing

for i in $(seq 1 1000); do echo $i >> ids.txt; done

ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx

Black Box Fuzzer

GitHub - Brum3ns/firefly: Black box fuzzer for web applicationsGitHub

firefly -u 'http://target.com/?query=FUZZ' --timeout 7000

XSS, LFI, SQLi URL Fuzzing

GitHub - freelancermijan/urlfuzzer: URL FuzzerGitHub

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more
Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them
Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

PreviousWeb Enumeration NextBypass 403 / 401

Last updated 5 months ago