Fuzzing
Intro
Fuzzing is used to identify vulnerabilities such as validation errors, injections, or flaws in the handling of user-controlled input.
Workflow
- Fuzz virtual hosts
- Fuzz subdomains
- Enumerate directories
- Fuzz extensions across all subdomains/virtual hosts
- Perform recursive fuzzing
- Fuzz parameters (GET and POST)
- Test bypasses for restricted directories
- Repeat cycle: vhost -> subdomain -> dirs -> files -> params -> payloads
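Every step of this cycle is loud on the server side: each wordlist entry that does not exist is written to the access log as a 404, whatever the fuzzer hides client-side (a filter such as `-fc 404` removes noise from the tester's output, not from the log). As an added example that is not part of the original notes, a minimal detector in Python over constructed access-log lines: it flags a client that requests many distinct non-existent paths inside a short window, while a browser re-fetching one missing favicon stays below the threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Combined-log-format fields we need: client IP, timestamp, request path, status code.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def _line(ip, when, path, status):
    # Build one constructed access-log line in combined format.
    return f'{ip} - - [{when.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 153 "-" "example/1.0"'

# Constructed sample log: one client walks a small wordlist (26 misses in 26 s),
# another client refreshes a single missing favicon 25 times (noisy but benign).
BASE = datetime(2024, 3, 10, 12, 0, 0, tzinfo=timezone.utc)
WORDS = ("admin backup config login test old dev api upload images js css include "
         "tmp private data db sql log logs cgi-bin phpmyadmin wp-admin server-status .env .git").split()
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", BASE + timedelta(seconds=i), f"/{w}", 404) for i, w in enumerate(WORDS)]
    + [_line("10.0.0.9", BASE + timedelta(seconds=i), "/favicon.ico", 404) for i in range(25)]
    + [_line("10.0.0.9", BASE, "/index.html", 200)])

def detect_fuzzing(log_text, window=timedelta(seconds=60), min_distinct=20):
    """Return {ip: distinct_404_paths} for clients that requested at least
    min_distinct different non-existent paths inside any window-long span."""
    misses = defaultdict(list)                       # ip -> [(timestamp, path)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("status") == "404":
            misses[m.group("ip")].append((datetime.strptime(m.group("ts"), TS_FMT), m.group("path")))
    flagged = {}
    for ip, hits in misses.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):                 # sliding window over sorted timestamps
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {p for _, p in hits[start:end + 1]}
            if len(distinct) >= min_distinct:        # many different misses: wordlist traffic
                flagged[ip] = len(distinct)
                break
    return flagged

if __name__ == "__main__":
    for ip, n in detect_fuzzing(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct 404 paths within 60s, likely directory fuzzing")
```

Counting distinct paths rather than raw 404s is what keeps the favicon client out of the result; a rate-limit or WAF rule built on the same idea is far less prone to false positives than a plain 404 counter.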
ffuf
| Command | Description |
|---|---|
| ffuf -u https://target.hmv/FUZZ -w wordlist.txt | Directory and file fuzzing |
| ffuf -u https://target.hmv/FUZZ -w common.txt -mc 200,301,302,403 | Show only selected status codes |
| ffuf -u https://target.hmv/FUZZ -w common.txt -fc 404 | Filter 404 responses |
| ffuf -u https://target.hmv/FUZZ -w common.txt -fs 137 | Filter by response size |
| ffuf -u https://target.hmv/FUZZ -w common.txt -fw 20 | Filter by word count |
| ffuf -u https://target.hmv/FUZZ -w common.txt -e .php,.txt,.html,.bak,.zip | Extension fuzzing |
| ffuf -u https://target.hmv/FUZZ -w wordlist.txt -recursion | Recursive fuzzing |
| ffuf -u https://target.hmv/FUZZ -w wordlist.txt -recursion -recursion-depth 2 | Recursive fuzzing with depth limit |
| ffuf -u https://target.hmv/FUZZ -w wordlist.txt -t 50 | Use 50 threads |
| ffuf -u https://target.hmv/FUZZ -w wordlist.txt -rate 100 | Limit requests per second |
| ffuf -u https://target.hmv/FUZZ -w wordlist.txt -timeout 10 | Request timeout (seconds) |
| ffuf -u https://target.hmv/FUZZ -w wordlist.txt -o results.json | Save output to JSON |
| ffuf -u "https://target.hmv/index.php?FUZZ=id" -w params.txt | GET parameter name fuzzing |
| ffuf -u "https://target.hmv/page.php?id=FUZZ" -w ids.txt | GET parameter value fuzzing |
| ffuf -u https://target.hmv/login -X POST -d "username=admin&password=FUZZ" -w passwords.txt | POST password fuzzing |
| ffuf -u https://target.hmv -X POST -H "Content-Type: application/json" -d '{"FUZZ":"test"}' -w params.txt | JSON parameter fuzzing |
| ffuf -u https://target.hmv/FUZZ -w wordlist.txt -b "PHPSESSID=abc" | Directory fuzzing with a session cookie set |
| ffuf -u https://target.hmv -H "User-Agent: FUZZ" -w useragents.txt | User-Agent fuzzing |
| ffuf -u https://target.hmv -H "X-Forwarded-For: FUZZ" -w ips.txt | IP restriction bypass fuzzing |
| ffuf -u https://target.hmv -H "Authorization: Bearer FUZZ" -w tokens.txt | Auth token fuzzing |
| ffuf -u https://target.hmv -H "Host: FUZZ.target.hmv" -w vhosts.txt | Virtual host fuzzing |
| ffuf -u http://FUZZ.target.hmv -w subdomains.txt | Subdomain fuzzing |
| ffuf -u https://target.hmv/FUZZ1/FUZZ2 -w dir.txt:FUZZ1 -w file.txt:FUZZ2 | Dual wordlist fuzzing |
| ffuf -u https://target.hmv/FUZZ -w wordlist.txt -x http://127.0.0.1:8080 | Proxy forwarding |
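The `-fs 137` and `-fw 20` values in the table are not guessed: they are the size and word count of the page the server returns for paths that do not exist, and the filters remove exactly that noise. As an added example that is not from the original notes, this Python snippet reads the report written by `-o results.json`, finds the dominant response signature and returns the filter to add on the next run; the report content is constructed, and the field names assume ffuf's JSON output keys (input, status, length, words).

```python
import json
from collections import Counter

def baseline_signature(results, min_share=0.5):
    """Return the (status, length, words) triple shared by at least min_share of the
    results, or None. One signature dominating the run means the server answers every
    unknown path the same way (wildcard / soft-404), so those hits carry no information."""
    if not results:
        return None
    sigs = Counter((r["status"], r["length"], r["words"]) for r in results)
    sig, n = sigs.most_common(1)[0]
    return sig if n / len(results) >= min_share else None

def triage(ffuf_json):
    """Split an ffuf JSON report into a suggested filter and the hits worth a look."""
    results = json.loads(ffuf_json)["results"]
    base = baseline_signature(results)
    if base is None:
        return None, [r["input"]["FUZZ"] for r in results]
    suggested = f"-fs {base[1]} -fw {base[2]}"     # flags to add to the next ffuf run
    kept = [r["input"]["FUZZ"] for r in results
            if (r["status"], r["length"], r["words"]) != base]
    return suggested, kept

# Constructed stand-in for what `ffuf -o results.json` writes (only the keys used above are
# included). Six random words get the same 137-byte 200 page; two entries differ.
def _hit(word, status, length, words):
    return {"input": {"FUZZ": word}, "status": status, "length": length, "words": words,
            "url": f"https://target.hmv/{word}"}

SAMPLE_REPORT = json.dumps({"results":
    [_hit(w, 200, 137, 20) for w in ("aaa", "zzz", "test", "old", "tmp", "backup")]
    + [_hit("admin", 301, 0, 1), _hit("login", 200, 2048, 310)]})

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))   # ('-fs 137 -fw 20', ['admin', 'login'])
```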
dirsearch
| Command | Description |
|---|---|
| dirsearch.py -u http://target.hmv | Basic scan |
| -e php,txt,html,js | Search by extensions |
| -w /path/wordlist.txt | Use custom wordlist |
| -i 200,301,302,403 | Include only these status codes (long form --include-status) |
| -r | Recursive scan |
| -t 50 | Use 50 threads |
| --user-agent "Mozilla/5.0" | Custom user-agent |
| --cookie="PHPSESSID=abc" | Use cookies |
| -H "X-Forwarded-For: 127.0.0.1" | Custom headers |
| --proxy=http://127.0.0.1:8080 | Send traffic through proxy |
| --prefixes=. | Find hidden files like .git, .env |
| --exclude-sizes=1234B | Filter by size |
feroxbuster
| Command | Description |
|---|---|
| feroxbuster -u http://target.hmv -w wordlist.txt | Basic scan |
| feroxbuster -u http://target.hmv -x php,txt,html,js | Extension search |
| feroxbuster -u http://target.hmv -t 50 | Use 50 threads |
| feroxbuster -u http://target.hmv -d 2 | Recursive (on by default) with depth limit 2; -n disables recursion |
| feroxbuster -u http://target.hmv -s 200,301,302,403 | Status filter |
| feroxbuster -u http://target.hmv -a "Mozilla/5.0" | Change User-Agent |
| feroxbuster -u http://target.hmv -b "PHPSESSID=abc" | Use session cookie |
| feroxbuster -u http://target.hmv -p http://127.0.0.1:8080 | Send traffic through proxy |
| feroxbuster -u http://target.hmv --hidden | Find hidden files |
| feroxbuster -u http://target.hmv --filter-size 1234 | Filter by size |
| feroxbuster -u http://target.hmv -k | Ignore SSL errors |
wenum
| Command | Description |
|---|---|
| wenum -u http://target.hmv/FUZZ -w wordlist.txt | Enumerate directories and files |
| wenum -u http://target.hmv/FUZZ -w wordlist.txt -t 50 | Use 50 threads |
| wenum -u http://target.hmv/FUZZ -w wordlist.txt -e .php,.txt,.bak | Extension search |
| wenum -u "http://target.hmv/page.php?id=FUZZ" -w wordlist.txt | GET fuzzing |
| wenum -u http://target.hmv/login -X POST -d "user=admin&pass=FUZZ" -w passwords.txt | POST fuzzing |
| wenum -u http://target.hmv/FUZZ -w wordlist.txt --hc 404 | Hide 404 responses |
| wenum -u http://target.hmv/FUZZ -w wordlist.txt -H "User-Agent: Mozilla/5.0" | Add header |
| wenum -u http://target.hmv/FUZZ -w wordlist.txt -b "PHPSESSID=abcd1234" | Send cookies |
| wenum -u http://target.hmv/FUZZ -w wordlist.txt -p http://127.0.0.1:8080 | Send traffic through proxy |
| wenum -u http://target.hmv/FUZZ -w wordlist.txt -o result.html -f html | Save as HTML |
gobuster
| Command | Description |
|---|---|
| gobuster dir -u http://target.hmv -w wordlist.txt | Basic directory enumeration |
| gobuster dir -u http://target.hmv -w wordlist.txt -t 100 | Use 100 threads |
| gobuster dir -u http://target.hmv -w wordlist.txt -x php,txt,bak,zip | Extensions |
| gobuster dir -u http://target.hmv -w wordlist.txt -s 200,204,301,302,307,401,403 -b "" | Show only these status codes (-b "" clears the default 404 blacklist, which newer versions refuse to combine with -s) |
| gobuster dir -u http://target.hmv -w wordlist.txt -b 404 | Exclude 404 |
| gobuster dir -u http://target.hmv -w wordlist.txt --wildcard | Force scan even when a wildcard response is detected |
| gobuster dir -u http://target.hmv -w wordlist.txt -k | Ignore SSL errors |
| gobuster dir -u http://target.hmv -w wordlist.txt -r | Follow redirects |
| gobuster dir -u http://target.hmv -w wordlist.txt -o results.txt | Save output |
| gobuster dir -u http://target.hmv -w wordlist.txt -q | Quiet mode |
| gobuster fuzz -u "http://target.hmv/page.php?id=FUZZ" -w wordlist.txt | Fuzz a GET parameter value (the FUZZ keyword needs the fuzz mode, not dir) |
| gobuster dir -u http://target.hmv -w wordlist.txt -H "Authorization: Bearer TOKEN" | Add header |
| gobuster dir -u http://target.hmv -w wordlist.txt -c "PHPSESSID=abc123" | Set cookies |
| gobuster dir -u http://target.hmv -w wordlist.txt --proxy http://127.0.0.1:8080 | Send traffic through proxy |
| gobuster dir -u http://target.hmv -w wordlist.txt --delay 200ms | Set delay between requests |
| gobuster dir -u http://target.hmv -w wordlist.txt --timeout 10s | Set timeout |
| gobuster dir -u http://target.hmv -w wordlist.txt -e | Show full URL |
| gobuster dir -u http://target.hmv -w wordlist.txt --exclude-length 1234 | Filter by size |
| gobuster dir -u http://target.hmv -w wordlist.txt -a "Mozilla/5.0" | Set User-Agent |
Subdomains
| Command | Description |
|---|---|
| gobuster dns -d target.hmv -w subdomains.txt | Enumerate subdomains |
| gobuster dns -d target.hmv -w subdomains.txt -t 50 | Use 50 threads |
| gobuster dns -d target.hmv -w subdomains.txt -i | Show IP |
| gobuster dns -d target.hmv -w subdomains.txt -r 8.8.8.8 | Custom DNS resolver |
Virtualhosts
| Command | Description |
|---|---|
| gobuster vhost -u http://target.hmv -w vhosts.txt | Discover virtual hosts |
| gobuster vhost -u http://target.hmv -w vhosts.txt -t 50 | Use 50 threads |
| gobuster vhost -u http://target.hmv -w vhosts.txt --append-domain | Append the base domain to each word in the Host header (word.target.hmv) |
Note
Each discovered vhost must be added to /etc/hosts to be accessible.
Webfuzz API
To fuzz APIs you can use Webfuzz API.
| Command | Description |
|---|---|
| python3 api_fuzzer.py http://target.hmv/login | API fuzzing |