Web Fuzzing
What is Web Fuzzing?
Web fuzzing is a technique used to discover vulnerabilities, hidden resources, and security issues in web applications by automatically injecting a large set of input data into the application and analyzing its response. The goal is to identify unexpected behaviors or errors that could indicate potential security weaknesses or misconfigurations.
Fuzzing is commonly employed in security testing to find:
Hidden directories and files
Insecure APIs and endpoints
SQL injection points
Cross-site scripting (XSS) vulnerabilities
Command injection flaws
Comparison: Brute-Forcing vs. Fuzzing
Definition
  Brute-forcing: Systematically trying all possible combinations of input data to guess a specific value.
  Fuzzing: Injecting unexpected or random data into an application to find vulnerabilities and hidden resources.
Purpose
  Brute-forcing: Crack passwords, keys, or other access credentials.
  Fuzzing: Discover application vulnerabilities, hidden files, directories, and input validation issues.
Methodology
  Brute-forcing: Exhaustive search over all possible input combinations.
  Fuzzing: Dynamic input injection to provoke unexpected application responses.
Focus
  Brute-forcing: Specific input or data, such as passwords or API keys.
  Fuzzing: General application behavior under various input conditions.
Efficiency
  Brute-forcing: Time-consuming due to its exhaustive nature; less efficient for large input spaces.
  Fuzzing: More efficient at identifying unexpected behaviors and vulnerabilities with varied input.
Tools Used
  Brute-forcing: Password crackers, key recovery tools.
  Fuzzing: Web fuzzers, vulnerability scanners.
Output
  Brute-forcing: Successful match of the correct input value.
  Fuzzing: Discovery of vulnerabilities, misconfigurations, and hidden resources.
Miscellaneous Commands
sudo sh -c 'echo "SERVER_IP academy.htb" >> /etc/hosts'
Add an entry to /etc/hosts that maps the hostname academy.htb to SERVER_IP, so the name resolves locally without DNS.
for i in $(seq 1 1000); do echo $i >> ids.txt; done
Create a wordlist containing the numbers 1 to 1000, one per line. Useful for brute-forcing numerical IDs.
curl http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded'
Send a POST request with specific data and headers using curl.
Commonly Used SecLists Wordlists
SecLists is a collection of multiple types of wordlists used by security researchers and penetration testers.
/usr/share/seclists/Discovery/Web-Content/common.txt
General-purpose wordlist for discovering directories and files.
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
Extensive directory-focused wordlist.
/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
Large directory wordlist for comprehensive fuzzing.
/usr/share/seclists/Discovery/Web-Content/big.txt
Comprehensive wordlist containing both directories and files.
Tips for Using Wordlists Effectively
Choose the Right Wordlist: Select wordlists relevant to the target environment.
Combine Wordlists: Use multiple wordlists to expand coverage.
Customize Wordlists: Modify or create custom wordlists.
Monitor Performance: Large wordlists can impact performance; monitor usage.
Leverage Community Resources: Use up-to-date wordlists from the community.
Tools for Web Fuzzing
ffuf (Fuzz Faster U Fool)
ffuf -u http://example.com/FUZZ -w wordlist.txt
Basic fuzzing of a URL path: FUZZ marks where each wordlist entry is inserted, and a wordlist (-w) is required.
ffuf -u http://example.com/FUZZ -w wordlist.txt -ic
Ignore commented lines in the wordlist.
ffuf -u http://example.com/FUZZ -w wordlist.txt -mc 200
Show only results with status code 200.
ffuf -u http://example.com/FUZZ -w wordlist.txt -mr "Welcome"
Show only responses whose body matches the regex "Welcome".
ffuf -u http://example.com/FUZZ -w wordlist.txt -t 50
Use 50 threads for faster fuzzing.
gobuster
gobuster dir -u http://example.com -w wordlist.txt
Directory fuzzing with a wordlist.
gobuster dir -u http://example.com -w wordlist.txt -x .php,.html
Add extensions to entries.
gobuster dns -d example.com -w subdomains.txt
DNS subdomain fuzzing.
wenum (Wfuzz Fork)
wenum -c -w wordlist.txt --hc 404 -u http://example.com/FUZZ
Exclude 404 responses during fuzzing.
wenum -c -w wordlist.txt -d 'username=FUZZ&password=secret' -u http://example.com/login
Fuzz POST parameters.
wenum -c -w wordlist.txt -t 50 -u http://example.com/FUZZ
Use 50 threads for faster fuzzing.
feroxbuster
feroxbuster -u http://example.com -w wordlist.txt
Basic URL fuzzing.
feroxbuster -u http://example.com -w wordlist.txt -x php,html
Append the given file extensions to each wordlist entry.
feroxbuster -u http://example.com -w wordlist.txt -t 50
Use 50 threads.
feroxbuster -u http://example.com -w wordlist.txt --depth 3
Set recursion depth to 3.
Tips for Effective Web Fuzzing
Use Comprehensive Wordlists: High-quality lists improve fuzzing effectiveness.
Filter Unwanted Responses: Focus on meaningful HTTP status codes.
Adjust Thread Count: Avoid server overload when increasing threads.
Monitor Server Responses: Watch for anomalies or errors.
Fuzz with Various HTTP Methods: Test GET, POST, PUT, DELETE for hidden flaws.
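A minimal fuzzer in Python showing the mechanics the ffuf commands above rely on (FUZZ substitution, status-code matching like -mc, body regex matching like -mr, comment skipping like -ic), as an added example that is not part of the original page or of any tool it lists. The target is a constructed in-process HTTP server with three known paths; the paths, response bodies and wordlist are assumptions.

```python
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import urlopen

# Constructed stand-in for a target: three known paths, everything else 404.
FAKE_SITE = {
    "/admin": (200, "Welcome to the admin panel"),
    "/robots.txt": (200, "User-agent: *"),
    "/backup": (403, "Forbidden"),
}

class FakeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = FAKE_SITE.get(self.path, (404, "Not Found"))
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # silence per-request logging
        pass

def start_server():
    """Serve the fake target on a free loopback port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), FakeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def fuzz(url_template, words, match_codes=(200, 301, 302, 403), match_regex=None):
    """Replace FUZZ with each word and keep responses that pass the filters.
    match_codes mirrors ffuf -mc, match_regex mirrors -mr, '#' lines mirror -ic."""
    hits = []
    for word in words:
        if word.startswith("#"):  # wordlist comment line
            continue
        try:
            with urlopen(url_template.replace("FUZZ", word), timeout=5) as resp:
                status, body = resp.status, resp.read().decode(errors="replace")
        except HTTPError as err:  # urllib raises on 4xx/5xx; the body is still readable
            status, body = err.code, err.read().decode(errors="replace")
        if status not in match_codes:
            continue
        if match_regex and not re.search(match_regex, body):
            continue
        hits.append((word, status, len(body)))  # (word, status, size), as ffuf reports
    return hits
```

Call start_server(), build the template from server.server_port, and pass the wordlist to fuzz(); narrowing match_codes or adding a regex reproduces the response filtering the tips above recommend.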
Web APIs: REST, SOAP, and GraphQL
What is a Web API?
A Web API (Application Programming Interface) enables different systems to communicate over the internet. There are three main types:
REST (Representational State Transfer)
SOAP (Simple Object Access Protocol)
GraphQL
REST
Protocol: HTTP/HTTPS
Data Format: JSON (commonly), XML
Stateless: Each request is independent.
CRUD Operations: GET, POST, PUT, DELETE
Caching: Supported for better performance.
Advantages: Simple, scalable, flexible.
Disadvantages: Can over-fetch or under-fetch data.
REST Fuzzing Tips
Test All HTTP Methods: Ensure all operations are tested.
Validate Input Fields: Fuzz for malformed or invalid inputs.
Examine Error Messages: Identify information leaks.
Test Authentication: Look for weak or missing auth.
Explore Rate Limits: Check for throttling and proper handling.
SOAP
Protocol: Usually HTTP/HTTPS
Data Format: XML
WS-Security: Built-in message security
Error Handling: Defined SOAP fault messages
Advantages: Secure, reliable, extensible
Disadvantages: Complex and verbose
SOAP Fuzzing Tips
Analyze WSDL Files: Understand structure and operations.
Validate XML Schema: Fuzz for schema validation issues.
Check for XML Injection: Test for injection vulnerabilities.
Test SOAP Headers: Identify misconfigurations.
GraphQL
Protocol: HTTP/HTTPS
Data Format: JSON
Query Flexibility: Clients define the data they need
Single Endpoint: One endpoint for all queries
Advantages: Efficient and flexible
Disadvantages: Can cause performance issues if unoptimized
GraphQL Fuzzing Tips
Test Query Depth: Prevent infinite recursion or heavy queries.
Validate Input Types: Catch type and validation errors.
Check Introspection: Avoid schema exposure.
Assess Authorization: Ensure users can't access data beyond their privileges.
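As an added, defender-side illustration of the "Test Query Depth" and "Check Introspection" tips (not code from the original page or from any GraphQL server), a pre-execution gate that rejects over-deep queries and introspection requests. The sample queries and the depth limit of 5 are assumptions, and the depth counter is a simplified brace count that does not expand fragments.

```python
import re

# Constructed sample queries (assumptions, not taken from any real schema).
INTROSPECTION = "{ __schema { types { name } } }"
DEEP = "{ user { friends { friends { friends { friends { name } } } } } }"
NORMAL = 'query { user(id: "{not a brace}") { name email } }'

def query_depth(query):
    """Maximum nesting of selection sets, measured by counting braces.
    Braces inside string literals are ignored. Simplified: fragment spreads
    are not expanded, so depth hidden behind a fragment is not counted."""
    depth = max_depth = 0
    in_string = False
    i = 0
    while i < len(query):
        ch = query[i]
        if in_string:
            if ch == "\\":       # skip the escaped character
                i += 1
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
        i += 1
    return max_depth

def uses_introspection(query):
    """True if the query touches the __schema or __type meta-fields."""
    return re.search(r"\b__(schema|type)\b", query) is not None

def gate(query, max_depth=5, allow_introspection=False):
    """Pre-execution check: returns (accepted, reason)."""
    if not allow_introspection and uses_introspection(query):
        return False, "introspection disabled"
    depth = query_depth(query)
    if depth > max_depth:
        return False, f"depth {depth} exceeds limit {max_depth}"
    return True, "ok"
```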