🩸
Pentesting Checklist
  • 👀General Checklist
    • 👁️Recon & Scanning
      • Nmap Scan
    • 🌡️Services
      • SSH
      • FTP
      • Samba
      • Git
      • SNMP
    • ⚙️Reverse Engineering
      • General
      • Android apks
      • Windows Exe or .net binaries
  • 🐞Web Application Checklist
    • 🧠Web App Attack Techniques
      • Password Smuggling Attack
    • 😍Fuzzing with ffuf
    • 💄Directory Fuzzing
      • Using the tools
      • Wordlists to use
    • 👾Subdomain Fuzzing
      • Normal fuzzing
      • Finding through DNS
    • 🎯LFI/RCE
      • LFI
        • What to do once obtained
      • RCE
      • Misc
  • ☕Linux Checklist
    • Page 2
  • 🪟Windows Checklist
    • 💀Windows Connection Methods
  • 🖇️Tips & Tricks
    • Transferring Files
      • 🐧Linux
      • 📸Windows
    • Pivoting / Lateral Movement Techniques
      • proxychains
      • chisel
      • sshuttle
      • ligolo-ng
    • 🧩Fuzzing
    • 🙃Credential Brute-Forcing
  • 🍒Other useful resources:
    • Page 7
Powered by GitBook
On this page
  1. Web Application Checklist

Fuzzing with ffuf

ffuf is a cool tool

  • Directory Fuzzing

    • ffuf -w /path/to/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://server_ip:port/FUZZ -c -t 5000 -o ffuf_dirs.out

  • Extension Fuzzing

    • ffuf -w /path/to/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://server_ip:port/indexFUZZ -c

  • Page Fuzzing

    • ffuf -w /path/to/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://server_ip:port/blog/FUZZ.php -c

  • Recursive Fuzzing

    • ffuf -w /path/to/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://server_ip:port/FUZZ -recursion -recursion-depth 1 -e .php -v -c

  • Subdomain Fuzzing

    • ffuf -w /path/to/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://FUZZ.domain/ -t 5000 -c

  • VHOST Fuzzing

    • ffuf -w /path/to/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://domain:PORT/ -H 'Host: FUZZ.domain' -c -o ffuf_subdomains.out -t 5000 -mc all -ac

  • Parameter Fuzzing

    • GET: ffuf -w /path/to/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://domain:PORT/admin/admin.php?FUZZ=key -c -fs xxx

    • POST: ffuf -w /path/to/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://domain:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -c -fs xxx

  • Value Fuzzing

    • ffuf -w ids.txt:FUZZ -u http://domain:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -c -fs xxx

Other tips:

  • Might be able to fuzz new information when having some authentication in:

    • Ex: Having a access/login cookie

      • ffuf -w /path/to/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://server_ip:port/FUZZ -H "Cookie: access=blahblah" -c -t 5000 -o ffuf_dirs.out

    • Ex: Having a X-Token Header

      • ffuf -w /path/to/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://server_ip:port/FUZZ -H "X-Token: blahblah" -c -t 5000 -o ffuf_dirs.out

  • IDORs are dead

    • No need for burpsuite intruder, creating wordlists anymore when trying to FUZZ IDOR

    • ffuf -w <(seq start_num end_num) -u http://site:port/FUZZ

    • Ex: ffuf -w <(seq 0 100) -u http://bruh.com/path/to/idor/FUZZ

PreviousPassword Smuggling AttackNextDirectory Fuzzing

Last updated 1 year ago

🐞
😍