Web discovery/fuzzing

Compilation of all the tools I have worked and experimented with for web fuzzing.

ffuf

Basic command with common flags:

$ ffuf -w <path_to_wordlist> -u <http_url_with_fuzz_keyword> -X <http_method>

# eg.
$ ffuf -w ~/wordlists/wordlist.txt -u http://domain.com/FUZZ -X POST

Flags

-w: Path to word-list

• Multiple word-list values:

# eg. with multiple -w flags
$ ffuf -w <path_to_wordlist_1>:FUZZ1 -w <path_to_wordlist_2>:FUZZ2 -H "content-type:application/x-www-form-urlencoded" -d "key1=FUZZ1&key2=FUZZ2"

# eg. with a single -w flag
$ ffuf -w <path_to_wordlist_1>:FUZZ1,<path_to_wordlist_2>:FUZZ2 -H "content-type:application/x-www-form-urlencoded" -d "key1=FUZZ1&key2=FUZZ2"

Note: The placeholder values for the identifier for each of the word-list must be capital letters (eg. FUZZ1, FUZZ2).

-u: HTTP URL

-X: HTTP method, default value is GET

The FUZZ keyword will be inserted with values from the word-list during the fuzzing process (refer to basic command example above).

There are multiple other use cases where theFUZZ keyword can be utilized to fuzz different input values such as headers, request data, etc. Refer to the various sub-sections under the WEB APPLICATION PENETRATION TESTING section for more examples.

Other useful flags

• -mr: Match regexp

• -d: Specifies the data to send

• -H: Specifies the headers to send

• -fw,-fr, -fl, ... : Filter options

• -r: To follow redirects

• -recursion: Scan recursively

• -recursion-depth: Recursion depth

Example

Given a target http://<target>.com ,where we want to discover directories starting with a rand_ prefix. We can use the following command:

$ ffuf -u http://<target>.com/rand_FUZZ -w <wordlist>.txt
$ ffuf -u http://<target>.com/rand_FUZZ -w <wordlist>.txt

Note that by default ffuf matches the following status codes:

200-299,301,302,307,401,403,405,500

For a more streamlined output, we can use the -mc or -fc options to select the status code to output:

$ ffuf ... -mc 200,301,302 # only display the listed codes
$ ffuf .. -fc 403,404 # do not display the listed codes

GitHub - ffuf/ffuf: Fast web fuzzer written in GoGitHub

gobuster

Gobuster provides a vast amount of available commands as follows:

• completion Generate the autocompletion script for the specified shell

• dir Uses directory/file enumeration mode

• dns Uses DNS subdomain enumeration mode

• fuzz Uses fuzzing mode. Replaces the keyword FUZZ in the URL, Headers and the request body

• gcs Uses gcs bucket enumeration mode

• help Help about any command

• s3 Uses aws bucket enumeration mode

• tftp Uses TFTP enumeration mode

• version shows the current version

• s3 Uses aws bucket enumeration mode tftp Uses TFTP enumeration mode version shows the current version

Usage

To view the help menu for each of the command, simply enter the command name with the --help flag. Eg. fuzz command:

$ gobuster fuzz --help 

Flags:
  ...

NOTE: Gobuster will prefix each item in the word list with a slash (/). Thus, it can't be used for certain kinds of fuzzing. Refer below for examples.

Example

Given that we have a target http://<target>.com that we wish to fuzz the directory for. We can run the following gobuster commands (using directory/file enumeration mode with dir):

# (1) Without trailing slash after the target URL
$ gobuster dir -u http://<target>.com -w <wordlist>.txt -v

# (2) With a trailing slash after the target URL
$ gobuster dir -u http://<target>.com/ -w <wordlist>.txt -v

Notice that the first command does not include the trailing slash after the URL. This works since gobuster automatically prefix a slash to each item. However, the command works to if we decide to insert a slash (command 2).

Now, imagine we wish to discover directories with the pattern /rand_xxxx, such as /rand_images, /rand_js, etc. We can try the following gobuster command:

$ gobuster dir -u http://<target>.com/rand_ -w <wordlist>.txt -v

However, it will not work since a leading slash will be inserted. For example, even if the path /rand_js exists, and the value js is present in the word list, gobuster will not catch it since the closest match will only be /rand_/js.

To perform this, we can use ffuf or wfuzz instead.

GitHub - OJ/gobuster: Directory/File, DNS and VHost busting tool written in GoGitHub

wfuzz

wfuzz is a web fuzzer that works similarly to ffuf in that it uses theFUZZ keyword to replace with the payload.

Below shows an example of wfuzz looking for common directories:

$ wfuzz -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ

Specifying range of values for the FUZZ keyword

# FUZZ keyword will be replaced with the values from 1 to 100
# -c for colored output
$ wfuzz ... -c -z range,1-100 

Useful flags

--filter : For various kinds of filter

Eg. Filter responses with content-length more than 100 (refer to the usage example: https://jarrettgxz-sec.gitbook.io/penetration-testing-ethical-hacking/write-ups/tryhackme/silver-platter)

$ wfuzz ... --filter "h>100"

--hc/hl/hw/hh : Hide responses with the specified code/lines/words/chars

--sc/sl/sw/sh :Show responses with the specified code/lines/words/chars

Basic Usage — Wfuzz 2.1.4 documentationwfuzz.readthedocs.io

wfuzz documentation

Useful wordlist

wfuzz comes with a bunch of useful wordlist for various types of testing. This can be found from the /usr/share/wfuzz/wordlist directory on Kali Linux.

GitHub - xmendez/wfuzz: Web application fuzzerGitHub