Web fuzzing

Compilation of all the tools I have worked and experimented with for web fuzzing.

ffuf

Basic command with common flags:

$ ffuf -w <path_to_wordlist> -u <http_url_with_fuzz_keyword> -X <http_method>

# eg.
$ ffuf -w ~/wordlists/wordlist.txt -u http://domain.com/FUZZ -X POST

Flags

-w: Path to word-list

  • Multiple word-list values:

# eg. with multiple -w flags
$ ffuf -w <path_to_wordlist_1>:FUZZ1 -w <path_to_wordlist_2>:FUZZ2 -d "key1=FUZZ1&key2=FUZZ2"

# eg. with a single -w flag
$ ffuf -w <path_to_wordlist_1>:FUZZ1,<path_to_wordlist_2>:FUZZ2 -d "key1=FUZZ1&key2=FUZZ2"

Note: The placeholder keyword names (FUZZ, FUZZ1, FUZZ2, ...) must be written in capital letters.

-u: HTTP URL

-X: HTTP method, default value is GET

The FUZZ keyword is replaced with values from the word-list during the fuzzing process (refer to the basic command example above).

There are multiple other use cases where the FUZZ keyword can be used to fuzz different input values such as headers, request data, etc. Refer to the various sub-sections under the WEB EXPLOITATION section for more examples.

Other useful flags

  • -mr: Match regexp

  • -d: Specifies the data to send

  • -H: Specifies the headers to send

  • -fw, -fr, -fl, ...: Filter options

  • -r: To follow redirects

  • -recursion: Scan recursively

  • -recursion-depth: Recursion depth

gobuster

Gobuster provides the following commands:

  • completion Generate the autocompletion script for the specified shell

  • dir Uses directory/file enumeration mode

  • dns Uses DNS subdomain enumeration mode

  • fuzz Uses fuzzing mode. Replaces the keyword FUZZ in the URL, Headers and the request body

  • gcs Uses gcs bucket enumeration mode

  • help Help about any command

  • s3 Uses aws bucket enumeration mode

  • tftp Uses TFTP enumeration mode

  • version shows the current version


Usage

To view the help menu for a command, enter the command name with the --help flag, e.g. for the fuzz command:

$ gobuster fuzz --help 

Flags:
  ...

wfuzz

wfuzz is a web fuzzer that works similarly to ffuf: it replaces the FUZZ keyword with each payload from the word-list.

Below is an example of wfuzz looking for common directories:

$ wfuzz -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ

Useful wordlist

wfuzz comes with a number of useful wordlists for various types of testing. On Kali Linux they can be found in the /usr/share/wfuzz/wordlist directory.
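All three tools above leave the same server-side footprint: one client requesting many word-list-derived paths in quick succession, most of them answered with 404, usually with the tool's default User-Agent. As an added example that is not part of these notes, a small Python detector run over constructed combined-format access-log lines; the default User-Agent prefixes are assumed values, and every tool lets the tester override them (e.g. ffuf's -H flag), so the path/404 burst is the more reliable signal:

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format; we keep ip, timestamp, path, status and user-agent.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Default User-Agent prefixes ffuf, wfuzz and gobuster send unless overridden (assumed values).
FUZZER_UA_PREFIXES = ("Fuzz Faster U Fool", "Wfuzz/", "gobuster/")

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def detect_fuzzing(lines, window_s=60, min_paths=20, min_404_ratio=0.8):
    """Map client IP -> reasons, for clients whose traffic looks like word-list fuzzing."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        uas = {r["ua"] for r in recs if r["ua"].startswith(FUZZER_UA_PREFIXES)}
        reasons = [f"fuzzer user-agent: {ua}" for ua in sorted(uas)]
        recs.sort(key=lambda r: r["ts"])
        lo = 0  # sliding window: many distinct paths, mostly 404, within window_s seconds
        for hi, cur in enumerate(recs):
            while (cur["ts"] - recs[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            win = recs[lo:hi + 1]
            paths = {r["path"] for r in win}
            ratio = sum(r["status"] == "404" for r in win) / len(win)
            if len(paths) >= min_paths and ratio >= min_404_ratio:
                reasons.append(f"{len(paths)} distinct paths, {ratio:.0%} 404s within {window_s}s")
                break
        if reasons:
            findings[ip] = reasons
    return findings

# Constructed sample: 25 word-list entries tried by one client in 25 s, plus normal browsing from another.
WORDS = ("admin backup config login old test dev api uploads tmp private db logs secret "
         "static images js css data files include lib src vendor wp-admin").split()
SAMPLE_LOG = [f'203.0.113.7 - - [10/Mar/2024:12:00:{i:02d} +0000] "GET /{w} HTTP/1.1" '
              f'{200 if w == "login" else 404} 153 "-" "Fuzz Faster U Fool v2.1.0-dev"'
              for i, w in enumerate(WORDS)] + [
    '198.51.100.4 - - [10/Mar/2024:12:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

Calling detect_fuzzing(SAMPLE_LOG) flags only 203.0.113.7, once for its User-Agent and once for the burst of 20 distinct paths with 95% 404s, while the browsing client is not reported.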
