Web discovery/fuzzing
Compilation of all the tools I have worked and experimented with for web fuzzing.
ffuf
Basic command with common flags:
Flags
-w
: Path to word-list
Multiple word-list values:
Note: The placeholder values for the identifier for each of the word-list must be capital letters (eg. FUZZ1
, FUZZ2
).
-u
: HTTP URL
-X
: HTTP method, default value is GET
The FUZZ
keyword will be inserted with values from the word-list during the fuzzing process (refer to basic command example above).
Other useful flags
-mr
: Match regexp-d
: Specifies the data to send-H
: Specifies the headers to send-fw
,-fr
,-fl
, ... : Filter options-r
: To follow redirects-recursion
: Scan recursively-recursion-depth
: Recursion depth
Example
Given a target http://<target>.com where we can to discover directories starting with a rand_
prefix. We can use the following command:
Note that by default ffuf matches the following status codes:
For a more streamlined output, we can use the -mc
or -fc
options to select the status code to output:
gobuster
Gobuster provides a vast amount of available commands as follows:
completion
Generate the autocompletion script for the specified shelldir
Uses directory/file enumeration modedns
Uses DNS subdomain enumeration modefuzz
Uses fuzzing mode. Replaces the keyword FUZZ in the URL, Headers and the request bodygcs
Uses gcs bucket enumeration modehelp
Help about any commands3
Uses aws bucket enumeration modetftp
Uses TFTP enumeration modeversion
shows the current versions3
Uses aws bucket enumeration mode tftp Uses TFTP enumeration mode version shows the current version
Usage
To view the help menu for each of the command, simply enter the command name with the --help
flag. Eg. fuzz
command:
NOTE: Gobuster will prefix each item in the word list with a slash (
/
). Thus, it can't be used for certain kinds of fuzzing. Refer below for examples.
Example
Given that we have a target http://<target>.com that we wish to fuzz the directory for. We can run the following gobuster commands (using directory/file enumeration mode with dir
):
Notice that the first command does not include the trailing slash after the URL. This works since gobuster automatically prefix a slash to each item. However, the command works to if we decide to insert a slash (command 2).
Now, imagine we wish to discover directories with the pattern /rand_xxxx
, such as /rand_images
, /rand_js
, etc. We can try the following gobuster command:
However, it will not work since a leading slash will be inserted. For example, even if the path /rand_js
exists, and the value js
is present in the word list, gobuster will not catch it since the closest match will only be /rand_/js
.
To perform this, we can use ffuf or wfuzz instead.
wfuzz
wfuzz is a web fuzzer that works similarly to ffuf in that it uses theFUZZ
keyword to replace with the payload.
Below shows an example of wfuzz looking for common directories:
Specifying range of values for the FUZZ keyword
Useful flags
--filter
: For various kinds of filter
--hc/hl/hw/hh
: Hide responses with the specified code/lines/words/chars
--sc/sl/sw/sh
:Show responses with the specified code/lines/words/chars
Useful wordlist
wfuzz comes with a bunch of useful wordlist for various types of testing. This can be found from the /usr/share/wfuzz/wordlist
directory on Kali Linux.
Last updated