Web Fuzzing
#discovery
#web
#red
ffuf (Fuzz Faster U Fool)
Basic fuzzing
ffuf -u http://example.com/FUZZ -w wordlist.txt
Subdomain fuzzing
ffuf -u https://FUZZ.example.com/ -w wordlist.txt
VHost fuzzing
ffuf -u http://academy.htb:PORT/ -w wordlist.txt -H 'Host: FUZZ.example.com'
Parameter fuzzing
ffuf -u http://admin.academy.htb:PORT/admin/admin.php -w wordlist.txt -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded'
Value fuzzing
ffuf -u http://admin.academy.htb:PORT/admin/admin.php -w ids.txt -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded'
Useful flags
-ic - ignore comment lines in the wordlist
-e - add extensions (e.g. -e .php,.html) to each wordlist entry
-c - colorize the output
-mc - match (show only) responses with the given status codes
-mr - match (show only) responses whose body matches a regex pattern
-t - set the number of threads for faster fuzzing
-x - send requests through a proxy
-recursion -recursion-depth 1 - recurse into discovered directories, down to the given depth
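Added example (not code from ffuf or from the original note): the script below reproduces the mechanics behind the commands above in Python so they can be run and inspected offline. It starts a throwaway HTTP server on 127.0.0.1, substitutes the FUZZ keyword into the URL, POST body and headers, and applies the -ic, -e, -mc and -mr semantics. The wordlist, the served paths and the valid record id 42 are all constructed for the example; it also goes one step beyond the note by showing why value fuzzing needs -mr when every id answers 200.

```python
import re
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

KEYWORD = "FUZZ"  # placeholder replaced by each wordlist entry, as ffuf does

# Constructed sample wordlist; the first line is a comment that -ic would drop.
WORDLIST = """# common paths (constructed for this example)
admin
index
robots
backup
"""


class DemoHandler(BaseHTTPRequestHandler):
    # Throwaway local target: three known files plus a POST form on /admin.php.
    known = {"/admin.php": b"admin login", "/index.html": b"home", "/robots.txt": b"User-agent: *"}

    def log_message(self, *args):  # keep the demo server quiet
        pass

    def do_GET(self):
        body = self.known.get(self.path)
        self._reply(200 if body else 404, body or b"not found")

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        # Every id answers 200, so only the body reveals the valid record:
        # this is where -mr (regex match) does what -mc (status match) cannot.
        if self.path == "/admin.php" and form.get("id") == ["42"]:
            self._reply(200, b"record 42 found")
        else:
            self._reply(200, b"no such record")

    def _reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def load_wordlist(text, ignore_comments=True):
    # Mimics -ic: drop blank lines and '#' comment lines from the wordlist.
    words = []
    for line in text.splitlines():
        line = line.strip()
        if not line or (ignore_comments and line.startswith("#")):
            continue
        words.append(line)
    return words


# No proxy for the loopback target (ffuf's -x would route through one instead).
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fuzz(url, words, method="GET", data=None, headers=None,
         extensions=("",), match_codes=(200,), match_regex=None):
    # Substitute KEYWORD in URL, body and headers; keep responses that match.
    # extensions mimics -e ("" means the bare word), match_codes mimics -mc,
    # match_regex mimics -mr. Returns a list of (payload, status) hits.
    pattern = re.compile(match_regex) if match_regex else None
    hits = []
    for word in words:
        for ext in extensions:
            payload = word + ext
            target = url.replace(KEYWORD, payload)
            body = data.replace(KEYWORD, payload).encode() if data else None
            hdrs = {k: v.replace(KEYWORD, payload) for k, v in (headers or {}).items()}
            req = urllib.request.Request(target, data=body, headers=hdrs, method=method)
            try:
                with OPENER.open(req, timeout=5) as resp:
                    status, text = resp.status, resp.read().decode(errors="replace")
            except urllib.error.HTTPError as err:  # 4xx/5xx still count as responses
                status, text = err.code, err.read().decode(errors="replace")
            if status in match_codes and (pattern is None or pattern.search(text)):
                hits.append((payload, status))
    return hits


def run_demo():
    # Start the local target on an ephemeral port, fuzz it, return the hits.
    server = ThreadingHTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        words = load_wordlist(WORDLIST)
        # ffuf -u http://target/FUZZ -w wordlist.txt -ic -e .php,.html,.txt -mc 200
        paths = fuzz(f"{base}/{KEYWORD}", words, extensions=("", ".php", ".html", ".txt"))
        # ffuf -u http://target/admin.php -w ids.txt -X POST -d 'id=FUZZ' -mr 'found'
        ids = fuzz(f"{base}/admin.php", [str(n) for n in range(40, 45)], method="POST",
                   data=f"id={KEYWORD}",
                   headers={"Content-Type": "application/x-www-form-urlencoded"},
                   match_regex=r"found")
    finally:
        server.shutdown()
        server.server_close()
    return {"words": words, "paths": paths, "ids": ids}


if __name__ == "__main__":
    print(run_demo())
```

Running it prints the three discovered files (admin.php, index.html, robots.txt) and the single id that matches the regex; dropping match_regex from the second call would report all five ids as 200 hits, which is the trap the -mr flag exists for.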
gobuster
Basic fuzzing
gobuster dir -u http://example.com -w wordlist.txt
Useful flags
-x .php,.html Fuzz with specific extensions.
-s 200 Show only results with the given status code (e.g., 200).
-t 50 Set the number of concurrent threads (e.g., 50).
-o results.txt Output results to a file.
Subdomain fuzzing
gobuster dns -d example.com -w subdomains.txt
Useful flags
-i Show IP addresses of discovered subdomains.
-z Silent mode; suppress output except for results.
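From the defending side, ffuf and gobuster leave the same footprint in web server access logs: a burst of requests from one client, most of them answered 404. Added example (not from either project): the Python below parses combined-format log lines and flags any client whose 404 count inside a sliding window reaches a threshold, reporting the distinct paths and User-Agent strings as corroboration. The log lines, the timestamps and the client addresses (documentation ranges) are constructed for the example; the rate is the primary signal because the User-Agent can be set to anything with -H.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" format: client, timestamp, request line, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, ts, path, status, ua):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample log: one client walks a wordlist within a few seconds (mostly 404s,
# ffuf's default User-Agent), another browses normally over a few minutes.
WORDS = ["admin", "backup", "config", "login", "old", "test", "tmp",
         "upload", "api", "dev", "robots.txt", "index.html"]
SAMPLE_LOG = [
    _line("203.0.113.7", f"10/Mar/2024:12:00:{i // 3:02d} +0000", "/" + w,
          200 if w.endswith((".txt", ".html")) else 404, "Fuzz Faster U Fool v2.1.0")
    for i, w in enumerate(WORDS)
] + [
    _line("198.51.100.4", "10/Mar/2024:11:58:00 +0000", "/index.html", 200, "Mozilla/5.0"),
    _line("198.51.100.4", "10/Mar/2024:12:00:01 +0000", "/robots.txt", 200, "Mozilla/5.0"),
    _line("198.51.100.4", "10/Mar/2024:12:03:00 +0000", "/favicon.ico", 404, "Mozilla/5.0"),
]


def parse_line(line):
    # Returns a dict with parsed status (int) and timestamp (datetime), or None.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def max_in_window(times, window_seconds):
    # Largest number of events falling inside any window of window_seconds.
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_fuzzing(lines, window_seconds=60, threshold=10):
    # Flag clients whose 404 count in any window reaches the threshold.
    per_ip = defaultdict(lambda: {"404s": [], "paths": set(), "uas": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_ip[rec["ip"]]
        entry["paths"].add(rec["path"])
        entry["uas"].add(rec["ua"])
        if rec["status"] == 404:
            entry["404s"].append(rec["ts"])
    flagged = []
    for ip, entry in per_ip.items():
        peak = max_in_window(entry["404s"], window_seconds)
        if peak >= threshold:
            flagged.append({"ip": ip, "max_404_per_window": peak,
                            "distinct_paths": len(entry["paths"]),
                            "user_agents": sorted(entry["uas"])})
    return flagged


if __name__ == "__main__":
    for hit in detect_fuzzing(SAMPLE_LOG):
        print(hit)
```

Tune window_seconds and threshold to the site's normal 404 rate; a -t 50 run produces far more than ten misses per minute, while a human rarely produces more than a handful, and a fuzzer that slows itself down to stay under the threshold still shows up through the distinct-path count.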