
Web discovery/fuzzing

A compilation of the tools I have worked and experimented with for web fuzzing.

ffuf

Basic command with common flags:

$ ffuf -w <path_to_wordlist> -u <http_url_with_fuzz_keyword> -X <http_method>

# eg.
$ ffuf -w ~/wordlists/wordlist.txt -u http://domain.com/FUZZ -X POST

Flags

-w: Path to word-list

  • Multiple word-list values:

# eg. with multiple -w flags
$ ffuf -w <path_to_wordlist_1>:FUZZ1 -w <path_to_wordlist_2>:FUZZ2 -H "content-type:application/x-www-form-urlencoded" -d "key1=FUZZ1&key2=FUZZ2"

# eg. with a single -w flag
$ ffuf -w <path_to_wordlist_1>:FUZZ1,<path_to_wordlist_2>:FUZZ2 -H "content-type:application/x-www-form-urlencoded" -d "key1=FUZZ1&key2=FUZZ2"

Note: The placeholder values for the identifier for each of the word-list must be capital letters (eg. FUZZ1, FUZZ2).
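To see what the two-wordlist form above actually generates, here is an added example (not code from the page or from the ffuf project) that emulates the expansion offline. ffuf documents two multi-wordlist modes under its -mode flag: clusterbomb, the default, which tries every combination, and pitchfork, which pairs line i of each list. The wordlists, the template and the mode names as used by the functions are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the page or from ffuf: offline emulation of how
# a request template carrying FUZZ1 and FUZZ2 placeholders is expanded from two
# wordlists. clusterbomb = every pair; pitchfork = line i with line i.
# The two wordlists and the template below are constructed.

USERS='admin
guest
test'

PASSES='admin
password'

TEMPLATE='key1=FUZZ1&key2=FUZZ2'

# substitute <template> <value1> <value2>: fill both placeholders.
# Values here are plain words; payloads containing sed metacharacters would need escaping.
substitute() {
    printf '%s\n' "$1" | sed -e "s/FUZZ1/$2/g" -e "s/FUZZ2/$3/g"
}

# clusterbomb <template> <list1> <list2>: every pair, i.e. |list1| x |list2| requests
clusterbomb() {
    tmpl=$1; l1=$2; l2=$3
    printf '%s\n' "$l1" | while IFS= read -r a; do
        printf '%s\n' "$l2" | while IFS= read -r b; do
            substitute "$tmpl" "$a" "$b"
        done
    done
}

# pitchfork <template> <list1> <list2>: line i with line i, stopping at the shorter list
pitchfork() {
    tmpl=$1; l1=$2; l2=$3
    n=$(printf '%s\n' "$l1" | wc -l | tr -d ' ')
    n2=$(printf '%s\n' "$l2" | wc -l | tr -d ' ')
    if [ "$n2" -lt "$n" ]; then n=$n2; fi
    i=1
    while [ "$i" -le "$n" ]; do
        a=$(printf '%s\n' "$l1" | sed -n "${i}p")
        b=$(printf '%s\n' "$l2" | sed -n "${i}p")
        substitute "$tmpl" "$a" "$b"
        i=$((i + 1))
    done
}

# request_count <mode>: how many requests the given mode would send for the sample lists
request_count() {
    "$1" "$TEMPLATE" "$USERS" "$PASSES" | wc -l | tr -d ' '
}

echo "clusterbomb sends $(request_count clusterbomb) requests:"   # 6
clusterbomb "$TEMPLATE" "$USERS" "$PASSES"
echo "pitchfork sends $(request_count pitchfork) requests:"       # 2
pitchfork "$TEMPLATE" "$USERS" "$PASSES"
```

The request count is the practical point: with two lists of a few thousand entries each, clusterbomb multiplies them, so a rate limit or an account lockout on the target will be hit long before the lists are exhausted, which is also why such bursts stand out in server logs.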

-u: HTTP URL

-X: HTTP method, default value is GET

The FUZZ keyword is replaced with each value from the word-list during the fuzzing process (refer to the basic command example above).

Other useful flags

  • -mr: Match regexp

  • -d: Specifies the data to send

  • -H: Specifies the headers to send

  • -fw, -fr, -fl, ...: Filter options (filter out responses by word count, regexp match, line count, ...)

  • -r: To follow redirects

  • -recursion: Scan recursively

  • -recursion-depth: Recursion depth

Example

Given a target http://<target>.com where we want to discover directories starting with a rand_ prefix, we can use the following command:

$ ffuf -u http://<target>.com/rand_FUZZ -w <wordlist>.txt

Note that by default ffuf matches the following status codes:

200-299,301,302,307,401,403,405,500

For a more streamlined output, we can use the -mc or -fc options to select which status codes to output:

$ ffuf ... -mc 200,301,302 # only display the listed codes
$ ffuf ... -fc 403,404 # do not display the listed codes
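The status-code matching above is the attacker's view; the same traffic is easy to pick out on the server side. Here is an added example (not code from the page or from any of the tools) that scans constructed access-log lines in the common combined format and reports clients producing a burst of 404 responses, the paths they probed, and clients whose User-Agent names a fuzzing tool. The log lines, IP addresses and User-Agent strings are constructed for the example; the User-Agent values only resemble the tools' defaults.

```shell
#!/bin/sh
# Added example, not code from the page: a defender's view of directory fuzzing.
# Scans constructed combined-format access-log lines (fields: ip - - [time] "req" status bytes "ref" "ua").

LOG='10.0.0.5 - - [10/May/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /admin HTTP/1.1" 404 162 "-" "Fuzz Faster U Fool v2.1.0"
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /backup HTTP/1.1" 404 162 "-" "Fuzz Faster U Fool v2.1.0"
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /config HTTP/1.1" 404 162 "-" "Fuzz Faster U Fool v2.1.0"
203.0.113.7 - - [10/May/2024:12:00:03 +0000] "GET /.git/HEAD HTTP/1.1" 404 162 "-" "Fuzz Faster U Fool v2.1.0"
203.0.113.7 - - [10/May/2024:12:00:03 +0000] "GET /uploads HTTP/1.1" 404 162 "-" "Fuzz Faster U Fool v2.1.0"
203.0.113.7 - - [10/May/2024:12:00:03 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Fuzz Faster U Fool v2.1.0"
198.51.100.9 - - [10/May/2024:12:00:04 +0000] "GET /old HTTP/1.1" 404 162 "-" "gobuster/3.6"
198.51.100.9 - - [10/May/2024:12:00:04 +0000] "GET /test HTTP/1.1" 404 162 "-" "gobuster/3.6"
10.0.0.5 - - [10/May/2024:12:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"'

# flag_fuzzers <threshold>: clients with more than <threshold> 404s in the sample,
# printed as "ip 404_count total_requests", highest 404 count first
flag_fuzzers() {
    printf '%s\n' "$LOG" | awk -v t="$1" '
        { total[$1]++ }
        $9 == 404 { nf[$1]++ }
        END { for (ip in nf) if (nf[ip] > t) print ip, nf[ip], total[ip] }
    ' | sort -k2,2nr
}

# probed_paths <ip>: distinct paths that client requested and got a 404 for
probed_paths() {
    printf '%s\n' "$LOG" | awk -v ip="$1" '$1 == ip && $9 == 404 { print $7 }' | sort -u
}

# tool_agents: clients whose User-Agent names a known web fuzzer (constructed patterns)
tool_agents() {
    printf '%s\n' "$LOG" | grep -iE 'fuzz faster|ffuf|gobuster|wfuzz' | awk '{ print $1 }' | sort -u
}

echo "clients with more than 3 404s:"
flag_fuzzers 3                      # 203.0.113.7 5 6
echo "paths probed by 203.0.113.7:"
probed_paths 203.0.113.7
echo "clients announcing a fuzzing tool:"
tool_agents
```

The 404 burst is the robust signal: the User-Agent check only catches operators who left the tool default in place, and the -H flag listed above is all it takes to replace it, whereas a client that has to miss hundreds of paths to find one cannot hide the misses from the server's own log.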

gobuster

Gobuster provides a vast amount of available commands as follows:

  • completion Generate the autocompletion script for the specified shell

  • dir Uses directory/file enumeration mode

  • dns Uses DNS subdomain enumeration mode

  • fuzz Uses fuzzing mode. Replaces the keyword FUZZ in the URL, Headers and the request body

  • gcs Uses gcs bucket enumeration mode

  • help Help about any command

  • s3 Uses aws bucket enumeration mode

  • tftp Uses TFTP enumeration mode

  • version shows the current version


Usage

To view the help menu for each command, simply enter the command name with the --help flag. Eg. the fuzz command:

$ gobuster fuzz --help 

Flags:
  ...

NOTE: Gobuster will prefix each item in the word list with a slash (/). Thus, it can't be used for certain kinds of fuzzing. Refer below for examples.

Example

Given a target http://<target>.com whose directories we wish to fuzz, we can run the following gobuster commands (using directory/file enumeration mode with dir):

# (1) Without trailing slash after the target URL
$ gobuster dir -u http://<target>.com -w <wordlist>.txt -v

# (2) With a trailing slash after the target URL
$ gobuster dir -u http://<target>.com/ -w <wordlist>.txt -v

Notice that the first command does not include the trailing slash after the URL. This works since gobuster automatically prefixes a slash to each item. However, the command works too if we decide to insert a slash (command 2).

Now, imagine we wish to discover directories with the pattern /rand_xxxx, such as /rand_images, /rand_js, etc. We can try the following gobuster command:

$ gobuster dir -u http://<target>.com/rand_ -w <wordlist>.txt -v

However, it will not work, since a leading slash will be inserted before each word. For example, even if the path /rand_js exists and the value js is present in the word list, gobuster will not catch it, since the closest candidate it requests will be /rand_/js.

To perform this, we can use ffuf or wfuzz instead.
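To make the difference concrete, here is an added example (not code from the page, gobuster or ffuf) that builds, offline, the request paths a slash-prefixing tool and a keyword-substituting tool would derive from the same wordlist, and checks them against a constructed list of paths assumed to exist on the target. The wordlist, the existing paths and the two candidate-generation functions are assumptions of this example; the functions only model the joining behaviour the text describes, not the tools themselves.

```shell
#!/bin/sh
# Added example, not code from the page, gobuster or ffuf: models how a slash-prefixing
# tool (gobuster dir) and a keyword-substituting tool (ffuf) turn one wordlist into
# request paths, and counts which candidates hit a constructed set of existing paths.

WORDLIST='js
images
css'

# Paths assumed to exist on the target (constructed)
EXISTING='/rand_js
/rand_images
/css'

# prefix_candidates <base>: <base>/<word>, the way gobuster dir joins base URL and word
prefix_candidates() {
    printf '%s\n' "$WORDLIST" | while IFS= read -r w; do
        printf '%s/%s\n' "$1" "$w"
    done
}

# keyword_candidates <template>: replace the FUZZ keyword with each word, as ffuf does
keyword_candidates() {
    printf '%s\n' "$WORDLIST" | while IFS= read -r w; do
        printf '%s\n' "$1" | sed "s/FUZZ/$w/"
    done
}

# hits <candidates>: how many candidate paths match an existing path exactly
# (-x whole line, -F fixed strings; a newline-separated -e argument is a list of patterns)
hits() {
    printf '%s\n' "$EXISTING" | grep -c -x -F -e "$1" || true
}

echo "gobuster dir -u /rand_ : $(hits "$(prefix_candidates /rand_)") hits"      # /rand_/js ...  -> 0
echo "gobuster dir -u /      : $(hits "$(prefix_candidates '')") hits"          # /js /images /css -> 1
echo "ffuf -u /rand_FUZZ     : $(hits "$(keyword_candidates /rand_FUZZ)") hits" # /rand_js ...   -> 2
```

The count for the /rand_ base is zero regardless of wordlist size, which is the trap the text describes: the scan finishes cleanly with no errors and simply reports nothing.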

wfuzz

wfuzz is a web fuzzer that works similarly to ffuf in that it uses the FUZZ keyword as the placeholder to be replaced with each payload.

Below shows an example of wfuzz looking for common directories:

$ wfuzz -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ

Specifying range of values for the FUZZ keyword

# FUZZ keyword will be replaced with the values from 1 to 100
# -c for colored output
$ wfuzz ... -c -z range,1-100 

Useful flags

--filter: Filter expression evaluated against each response; the expression uses c (status code), l (lines), w (words) and h (chars), and only responses for which it is true are shown

$ wfuzz ... --filter "h>100" # show only responses with more than 100 chars

--hc/--hl/--hw/--hh: Hide responses with the specified code/lines/words/chars

--sc/--sl/--sw/--sh: Show responses with the specified code/lines/words/chars

Useful wordlist

wfuzz comes with a bunch of useful wordlists for various types of testing. These can be found in the /usr/share/wfuzz/wordlist directory on Kali Linux.

There are multiple other use cases where the FUZZ keyword can be utilized to fuzz different input values such as headers, request data, etc. Refer to the various sub-sections under this section for more examples.

Eg. filter responses with a content length of more than 100 (refer to the usage example in the Silver Platter write-up: https://jarrettgxz-sec.gitbook.io/penetration-testing-ethical-hacking/write-ups/tryhackme/silver-platter)
