# Fuzzing

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

{% content-ref url="web-enumeration" %}
[web-enumeration](https://0xss0rz.gitbook.io/0xss0rz/pentest/web-attacks/web-enumeration)
{% endcontent-ref %}

{% embed url="<https://pentest-tools.com/website-vulnerability-scanning/discover-hidden-directories-and-files>" %}

{% hint style="success" %}
*Try `/usr/share/wordlists/seclists/Discovery/Web-Content/quickhits.txt` first*
{% endhint %}

{% hint style="info" %}
*Fuzz with a browser User-Agent when the target blocks ffuf's default UA: `ffuf -u https://test.com/FUZZ -w wordlist.txt -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)"`*
{% endhint %}

{% hint style="warning" %}
*When running content discovery scans, try to also change your request method (for example, from `GET` to `POST` or `PUT`)! Some API endpoints or app routes are only programmed to return a valid response when a specific HTTP method is sent in the request!*
{% endhint %}

## Wordlists

{% embed url="<https://wordlists.assetnote.io/>" %}

{% embed url="<https://raw.githubusercontent.com/six2dez/OneListForAll/refs/heads/main/onelistforallshort.txt>" %}

{% embed url="<https://github.com/hack2gather/MINE-Wordlist/>" %}

## Ffuf

{% embed url="<https://osintteam.blog/ffuf-mastery-the-ultimate-web-fuzzing-guide-f7755c396b92>" %}

## Burp - Copy as FFUF Command

{% embed url="<https://portswigger.net/bappstore/b578b99348ba458ea65dddacc6d404d6>" %}

* Modify the request: place the `FUZZ` keyword where the payload should go
* Right-click and choose "Copy as FFUF Command" from the context menu
* The ffuf command line is copied to your clipboard, ready to run in a terminal

## Directory Fuzzing

```shell-session
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ
```

## Page Fuzzing

### Extension Fuzzing

```shell-session
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://SERVER_IP:PORT/blog/indexFUZZ
```

### Pages

{% hint style="success" %}
If `/.git/` returns 403, `/.git/config` may still return 200!
{% endhint %}

```shell-session
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.php
```

### Fuzz for specific extensions

For example, PHP files (`-x php`; `-k` skips TLS certificate verification):

```shell-session
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://10.10.235.70/dev/ -x php -k
```

## Recursive Fuzzing

```shell-session
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v
```
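The defender's view of the directory, extension and recursive fuzzing above: an added Python example (not code from this page or from ffuf/gobuster) that flags content-discovery scans in web server access logs. The log lines are constructed sample data. It assumes ffuf's default User-Agent starts with `Fuzz Faster U Fool` (the UA the hint at the top says gets blocked) and gobuster's with `gobuster/`; a scanner that spoofs a browser UA is caught by the second rule, a burst of 404s from one client.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed combined-log-format lines (sample data, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [12/Mar/2024:10:00:02 +0000] "GET /admin HTTP/1.1" 404 280 "-" "Fuzz Faster U Fool v2.1.0"
10.0.0.9 - - [12/Mar/2024:10:00:02 +0000] "GET /backup HTTP/1.1" 404 280 "-" "Fuzz Faster U Fool v2.1.0"
10.0.0.9 - - [12/Mar/2024:10:00:03 +0000] "GET /.git/config HTTP/1.1" 200 120 "-" "Fuzz Faster U Fool v2.1.0"
10.0.0.5 - - [12/Mar/2024:10:00:04 +0000] "GET /blog/index.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.7 - - [12/Mar/2024:10:00:05 +0000] "GET /old HTTP/1.1" 404 280 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.7 - - [12/Mar/2024:10:00:05 +0000] "GET /test HTTP/1.1" 404 280 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.7 - - [12/Mar/2024:10:00:05 +0000] "GET /dev HTTP/1.1" 404 280 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.7 - - [12/Mar/2024:10:00:06 +0000] "GET /api HTTP/1.1" 404 280 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.7 - - [12/Mar/2024:10:00:06 +0000] "GET /uploads HTTP/1.1" 404 280 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.7 - - [12/Mar/2024:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.5 - - [12/Mar/2024:10:00:09 +0000] "GET /missing HTTP/1.1" 404 280 "-" "Mozilla/5.0 (X11; Linux x86_64)"
garbage line that does not parse
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumption: default User-Agent prefixes of ffuf and gobuster. A scanner that
# spoofs a browser UA falls through to the 404-burst rule below.
FUZZER_UA_PREFIXES = ("Fuzz Faster U Fool", "gobuster/")


def parse_log(text):
    """Yield one dict per parsable line; unparsable lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield rec


def detect_content_discovery(text, window_seconds=60, min_404=5):
    """Return {ip: {"reasons": [...], "found": [paths that answered 200]}}
    for clients whose traffic looks like path brute-forcing."""
    by_ip = defaultdict(list)
    for rec in parse_log(text):
        by_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        if any(r["ua"].startswith(FUZZER_UA_PREFIXES) for r in recs):
            reasons.append("fuzzer user-agent")
        # Sliding window: at least min_404 "not found" responses inside window_seconds.
        misses = [r["ts"] for r in recs if r["status"] == 404]
        start = 0
        for end in range(len(misses)):
            while (misses[end] - misses[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= min_404:
                reasons.append(f"{end - start + 1} 404s within {window_seconds}s")
                break
        if reasons:
            # What the scanner actually hit: the paths a defender should review first.
            found = sorted({r["path"] for r in recs if r["status"] == 200})
            alerts[ip] = {"reasons": reasons, "found": found}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_content_discovery(SAMPLE_LOG).items():
        print(ip, info["reasons"], "found:", info["found"])
```

On the sample data, `10.0.0.9` is flagged by its ffuf User-Agent and `10.0.0.7` by five 404s in one second despite its browser UA; the `found` list shows which probed paths existed (here `/.git/config`, the case the hint above describes), which is what should drive the response.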

## Sub-domain Fuzzing

```shell-session
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://FUZZ.academy.htb/
```

## Virtual Host

```shell-session
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb'
```

```shell-session
# -fs : Filter by size

ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs 900
```

## Parameter Fuzzing

### GET

```shell-session
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://admin.academy.htb:50855/admin/admin.php?FUZZ=key' -fs xxx
```

### POST

```shell-session
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx
```

```shell-session
curl http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded'

<div class='center'><p>Invalid id!</p></div>
<...SNIP...>
```

## Value Fuzzing

```shell-session
for i in $(seq 1 1000); do echo $i >> ids.txt; done
```

```shell-session
ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx
```

## Black Box Fuzzer

{% embed url="<https://github.com/Brum3ns/firefly>" %}

```shell-session
firefly -u 'http://target.com/?query=FUZZ' --timeout 7000
```

## XSS, LFI, SQLi URL Fuzzing

{% embed url="<https://github.com/freelancermijan/urlfuzzer>" %}

{% embed url="<https://x.com/i/status/1854118272972791808>" %}


## Interesting Books

{% content-ref url="../../interesting-books" %}
[interesting-books](https://0xss0rz.gitbook.io/0xss0rz/interesting-books)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**The Web Application Hacker’s Handbook**](https://www.amazon.fr/dp/1118026470?tag=0xss0rz-21) The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more
* [**Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities**](https://www.amazon.fr/dp/1718501544?tag=0xss0rz-21) Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them
* [**Real-World Bug Hunting: A Field Guide to Web Hacking**](https://www.amazon.fr/dp/1593278616?tag=0xss0rz-21) Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)
