Fuzzing

Web Enumeration

URL Fuzzer - online hidden file & directory finderPentest-Tools.com

Try /usr/share/wordlists/seclists/Discovery/Web-Content/quickhits.txt first

Need to fuzz with user agent becaus they block ffuf UA ffuf -u https://test/.com/FUZZ -w wordlist .txt -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

When running content discovery scans, try to also change your request method (for example, from GET to POST or PUT)! Some API endpoints or app routes are only programmed to return a valid response when a specific HTTP method is sent in the request!

Directory Fuzzing

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ

Page Fuzzing

Extension Fuzzing

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://SERVER_IP:PORT/blog/indexFUZZ

Pages

If a path with .git/ = 403, then /.git/config might be 200!

ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.php

Fuzz for specific exetensions

For example, php files

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://10.10.235.70/dev/ -x php -k

Recursive Fuzzing

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v

Sub-domain Fuzzing

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://FUZZ.academy.htb/

Virtual Host

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb'

 # -fs : Filter by size
 
 ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs 900

Parameter Fuzzing

GET

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://admin.academy.htb:50855/admin/admin.php?FUZZ=key' -fs xxx

POST

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx

curl http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded'

<div class='center'><p>Invalid id!</p></div>
<...SNIP...>

Value Fuzzing

for i in $(seq 1 1000); do echo $i >> ids.txt; done

ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx

XSS, LFI, SQLi URL Fuzzing

GitHub - freelancermijan/urlfuzzerGitHub