Fuzzing

ABOUT

Fuzzing is a technique involves inputting massive amounts of random data, called fuzz, to the test subject in an attempt to make it crash, hack or behave useful for us.

Ffuf

Command

Description

ffuf -h

ffuf help

ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ

Directory Fuzzing

ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/indexFUZZ

Extension Fuzzing

ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/page/FUZZ.php

Page Fuzzing

ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v

Recursive Fuzzing

ffuf -w wordlist.txt:FUZZ -u https://FUZZ.amogus.com/

Sub-domain Fuzzing

ffuf -w wordlist.txt:FUZZ -u http://amogus.com:PORT/ -H 'Host: FUZZ.amogus.com' -fs xxx

VHost Fuzzing

ffuf -w wordlist.txt:FUZZ -u http://admin.amogus.com:PORT/admin/admin.php?FUZZ=key -fs xxx

Parameter Fuzzing - GET

ffuf -w wordlist.txt:FUZZ -u http://admin.amogus.com:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx

Parameter Fuzzing - POST

ffuf -w ids.txt:FUZZ -u http://admin.amogus.com:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx

Value Fuzzing

Wordlists

Command

Description

/opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt

Directory/Page Wordlist

/opt/useful/SecLists/Discovery/Web-Content/web-extensions.txt

Extensions Wordlist

/opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

Domain Wordlist

/opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt

Parameters Wordlist

PreviousWeb Recon NextDNS

Last updated 24 days ago

Fuzzing

ABOUT

Fuzzing is a technique involves inputting massive amounts of random data, called fuzz, to the test subject in an attempt to make it crash, hack or behave useful for us.

Ffuf

Command

Description

ffuf -h

ffuf help

ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ

Directory Fuzzing

ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/indexFUZZ

Extension Fuzzing

ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/page/FUZZ.php

Page Fuzzing

ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v

Recursive Fuzzing

ffuf -w wordlist.txt:FUZZ -u https://FUZZ.amogus.com/

Sub-domain Fuzzing

ffuf -w wordlist.txt:FUZZ -u http://amogus.com:PORT/ -H 'Host: FUZZ.amogus.com' -fs xxx

VHost Fuzzing

ffuf -w wordlist.txt:FUZZ -u http://admin.amogus.com:PORT/admin/admin.php?FUZZ=key -fs xxx

Parameter Fuzzing - GET

ffuf -w wordlist.txt:FUZZ -u http://admin.amogus.com:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx

Parameter Fuzzing - POST

ffuf -w ids.txt:FUZZ -u http://admin.amogus.com:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx

Value Fuzzing

Wordlists

Command

Description

/opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt

Directory/Page Wordlist

/opt/useful/SecLists/Discovery/Web-Content/web-extensions.txt

Extensions Wordlist

/opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

Domain Wordlist

/opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt

Parameters Wordlist

PreviousWeb Recon NextDNS

Last updated 24 days ago