Fuzzing

URL Fuzzer - online hidden file & directory finderPentest-Tools.com

Try /usr/share/wordlists/seclists/Discovery/Web-Content/quickhits.txt first

Need to fuzz with user agent becaus they block ffuf UA ffuf -u https://test/.com/FUZZ -w wordlist .txt -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

When running content discovery scans, try to also change your request method (for example, from GET to POST or PUT)! Some API endpoints or app routes are only programmed to return a valid response when a specific HTTP method is sent in the request!

Wordlists

Assetnote Wordlists

https://raw.githubusercontent.com/six2dez/OneListForAll/refs/heads/main/onelistforallshort.txt

Ffuf

FFUF Mastery: The Ultimate Web Fuzzing GuideOSINT Team

Directory Fuzzing

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ

Page Fuzzing

Extension Fuzzing

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://SERVER_IP:PORT/blog/indexFUZZ

Pages

If a path with .git/ = 403, then /.git/config might be 200!

ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.php

Fuzz for specific exetensions

For example, php files

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://10.10.235.70/dev/ -x php -k

Recursive Fuzzing

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v

Sub-domain Fuzzing

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://FUZZ.academy.htb/

Virtual Host

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb'

 # -fs : Filter by size
 
 ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs 900

Parameter Fuzzing

GET

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://admin.academy.htb:50855/admin/admin.php?FUZZ=key' -fs xxx

POST

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx

curl http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded'

<div class='center'><p>Invalid id!</p></div>
<...SNIP...>

Value Fuzzing

for i in $(seq 1 1000); do echo $i >> ids.txt; done

ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx

XSS, LFI, SQLi URL Fuzzing

GitHub - freelancermijan/urlfuzzerGitHub

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more
Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them
Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

PreviousWeb Enumeration NextBypass 403 / 401

Last updated 1 month ago