Fuzzing is a testing technique that sends different types of input to an interface to observe its behavior. In web fuzzing, predefined wordlists are used to discover hidden directories or pages on a web server.

Gobuster

Gobuster is a directory/file, DNS and vhost busting tool written in Go.

# Directory/File enumeration mode
gobuster dir -u http://$IP -w /wordlists/wordlists.txt
 
# File extension(s) to search for
gobuster dir -u http://$IP -w /wordlists/wordlists.txt -x php,txt
 
# Skip TLS certificate verification (only relevant for HTTPS targets)
gobuster dir -u https://$IP -w /wordlists/wordlists.txt -k
 
# Also search for backup files (--discover-backup)
gobuster dir -u http://$IP -w /wordlists/wordlists.txt -d

Ffuf

Ffuf is a fast web fuzzer written in Go.

# Directory/File fuzzing
ffuf -u http://$IP/FUZZ -w /wordlists/wordlists.txt
 
# Extension fuzzing
ffuf -u http://$IP/index.FUZZ -w /wordlists/extensions.txt
 
# Page fuzzing with pre-defined extension
ffuf -u http://$IP/FUZZ.php -w /wordlists/wordlists.txt
 
# Multiple parameter fuzzing (URL quoted so the shell does not treat ? as a glob)
ffuf -u "http://$IP/file?PARAM=KEY" -w /wordlists/parameters.txt:PARAM -w /wordlists/keys.txt:KEY
 
# GET - parameter fuzzing
ffuf -u "http://$IP/file?FUZZ=key" -w /wordlists/parameters.txt
 
# POST - parameter fuzzing
ffuf -X POST -u http://$IP/file -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -w /wordlists/parameters.txt
 
# POST - parameter fuzzing (JSON)
ffuf -X POST -u http://$IP/file -d '{"FUZZ":"key"}' -H 'Content-Type: application/json' -w /wordlists/parameters.txt
 
# Recursion fuzzing
ffuf -u http://$IP/FUZZ -w /wordlists/wordlists.txt -recursion -recursion-depth 3

Ffuf: ignore comments in the wordlist

Sometimes the wordlist we use begins with copyright comments. The -ic flag tells ffuf to ignore these comment lines, so we do not have to edit the wordlist manually.

Feroxbuster

Feroxbuster is a simple, fast, recursive content discovery tool written in Rust.

# Directory/File fuzzing (wordlist=default,recursive=default)
feroxbuster -u http://$IP
 
# Extension fuzzing
feroxbuster -u http://$IP -x php,txt
 
# Do not scan recursively
feroxbuster -u http://$IP -n
 
# Path of the wordlist
feroxbuster -u http://$IP -w /wordlists/wordlists.txt

Feroxbuster config file

By default, Feroxbuster already defines the wordlist to be used, but you can change it as needed in the config file. The global config file is located at /etc/feroxbuster/ferox-config.toml.
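
Seen from the server, the wordlist-driven scans on this page show up in access logs as many distinct paths answered with 404 from one client, often carrying the tool's default User-Agent. The following is an added example, not part of the original page: it flags such clients in combined-format log lines. The thresholds, the function names, the User-Agent markers (assumed tool defaults, which a user can override) and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Default User-Agent substrings of the tools on this page (assumed defaults; easily overridden).
TOOL_UA_MARKERS = ("gobuster/", "fuzz faster u fool", "feroxbuster/")

def find_fuzzing_clients(lines, min_paths=5, min_404_ratio=0.8):
    """Return {ip: [reasons]} for clients whose traffic looks like wordlist fuzzing."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0, "paths": set(), "tool_ua": False})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        s = stats[m["ip"]]
        s["total"] += 1
        s["paths"].add(m["path"])
        s["not_found"] += m["status"] == "404"
        s["tool_ua"] |= any(t in m["ua"].lower() for t in TOOL_UA_MARKERS)
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if s["tool_ua"]:
            reasons.append("default fuzzer User-Agent")
        # Many distinct paths, almost all missing: the signature of a wordlist run.
        if len(s["paths"]) >= min_paths and s["not_found"] / s["total"] >= min_404_ratio:
            reasons.append("high 404 ratio over many distinct paths")
        if reasons:
            flagged[ip] = reasons
    return flagged

# Constructed sample log lines (not real traffic).
def log_line(ip, path, status, ua):
    return f'{ip} - - [10/Oct/2024:13:55:36 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'

SAMPLE = (
    [log_line("198.51.100.7", f"/{w}", 404, "Mozilla/5.0") for w in ("admin", "backup", "old", "test", "dev")]
    + [log_line("198.51.100.7", "/login", 200, "Mozilla/5.0")]
    + [log_line("203.0.113.9", "/index.php", 200, "feroxbuster/2.10.0")]
    + [log_line("192.0.2.44", "/", 200, "Mozilla/5.0"), log_line("192.0.2.44", "/favicon.ico", 404, "Mozilla/5.0")]
)

if __name__ == "__main__":
    for ip, reasons in find_fuzzing_clients(SAMPLE).items():
        print(ip, "->", "; ".join(reasons))
```

The User-Agent check only catches unmodified defaults; the 404-ratio check is the one that still fires when the header is changed.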