
Web Fuzzing

Web fuzzing is an essential technique for finding web vulnerabilities by sending unexpected or large sets of inputs and observing behavior.

Info: Use fuzzing only on targets you are explicitly authorized to test.

Web fuzzing

  • Helps detect hidden attack surface (paths, files, params, vhosts, subdomains)
  • Uses automated requests with varied payloads/wordlists
  • Can expose misconfigurations, weak filtering, and logic issues

Fuzzing vs Brute-forcing

Key differences

  • Fuzzing
    • Broad and exploratory
    • Sends malformed/unexpected/diverse input
    • Focuses on app behavior and anomalies
  • Brute-forcing
    • Targeted and systematic
    • Tries known candidate sets (passwords, IDs, tokens)
    • Focuses on finding one valid value

Directory Fuzzing and Recursive Fuzzing

# ffuf
ffuf -u http://rezydev.xyz/FUZZ \
-w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt

# recursive
ffuf -u http://rezydev.xyz/FUZZ \
-w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt \
-recursion -recursion-depth 1

# if target is unstable/blocking: lower the request rate and shorten the timeout
ffuf -u http://rezydev.xyz/FUZZ -w wordlist.txt -rate 50 -timeout 5

# dirsearch
dirsearch -u https://rezydev.xyz/
# feroxbuster (recursive by default)
feroxbuster -u https://rezydev.xyz/ \
-w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
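The defender's view of the directory and recursive fuzzing above: a run like the ffuf/feroxbuster commands shows up in the web server's access log as one client issuing a burst of requests to many distinct paths, almost all of them answered with 404. This added example (not part of the original page, and not code from any of the tools it lists) parses Combined Log Format lines, computes per-client request count, distinct-path count, 404 share and request rate, and flags clients whose profile matches path fuzzing. The log lines, IP addresses and thresholds are constructed for the example; the `Fuzz Faster U Fool` User-Agent string is ffuf's default, but a tester can change it, so the detection deliberately does not depend on it.

```python
"""Flag path-fuzzing clients from web server access logs (added example).

Parses Combined Log Format lines, profiles each client IP and flags the
ones that look like a wordlist run: many requests to many distinct paths,
a high 404 share, and a high request rate. All log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format: ip ident user [ts] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore query string when counting paths
    return rec


def client_stats(lines):
    """Profile every client IP: request count, distinct paths, 404 share, rate."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    stats = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        not_found = sum(1 for r in recs if r["status"] == 404)
        stats[ip] = {
            "requests": len(recs),
            "distinct_paths": len({r["path"] for r in recs}),
            "error_ratio": not_found / len(recs),
            "rate": len(recs) / max(span, 1.0),  # requests per second, floor of 1 s
        }
    return stats


def flag_fuzzers(lines, min_requests=20, min_error_ratio=0.8, min_rate=5.0):
    """Return the sorted list of client IPs whose profile matches path fuzzing.

    Thresholds are constructed starting points; tune them against real traffic.
    """
    return sorted(
        ip for ip, s in client_stats(lines).items()
        if s["requests"] >= min_requests
        and s["error_ratio"] >= min_error_ratio
        and s["rate"] >= min_rate
    )


# --- constructed sample log -------------------------------------------------
def _line(ip, second, path, status, size, ua):
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} {size} "-" "{ua}"')


# 30 typical wordlist entries (constructed) hit by the fuzzing client within 3 seconds
FUZZ_WORDS = ("admin backup config cgi-bin images js css old test dev api login "
              "logout uploads private tmp data db sql include lib src static assets "
              "docs help search users account archive").split()


def _fuzz_status(word):
    # two of the probed paths exist; everything else is a 404
    return 200 if word == "login" else 301 if word == "images" else 404


SAMPLE_LOG = [
    # an ordinary browser session: few requests, one stray 404 for the favicon
    _line("198.51.100.7", 30, "/", 200, 5120, "Mozilla/5.0"),
    _line("198.51.100.7", 31, "/static/app.css", 200, 2048, "Mozilla/5.0"),
    _line("198.51.100.7", 45, "/login", 200, 3100, "Mozilla/5.0"),
    _line("198.51.100.7", 50, "/favicon.ico", 404, 162, "Mozilla/5.0"),
] + [
    # the fuzzing client: ten requests per second, almost all 404
    _line("203.0.113.42", 36 + i // 10, f"/{w}", _fuzz_status(w), 162, "Fuzz Faster U Fool")
    for i, w in enumerate(FUZZ_WORDS)
]

if __name__ == "__main__":
    for ip, s in client_stats(SAMPLE_LOG).items():
        print(ip, s)
    print("flagged:", flag_fuzzers(SAMPLE_LOG))
```

On the sample the browser client has 4 requests and a 25 % 404 share, so it stays below every threshold; the fuzzing client has 30 requests to 30 distinct paths, a 93 % 404 share and about 15 requests per second and is flagged. Sites that answer unknown paths with a 200 "soft 404" page defeat the status-based ratio; for those, count distinct paths and repeated identical response sizes instead.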

Extension Fuzzing

# ffuf - extension on known filename pattern
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/web-extensions.txt \
-u http://rezydev.xyz/indexFUZZ

# ffuf - brute extensions on discovered paths
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/web-extensions.txt \
-u http://rezydev.xyz/FUZZ -e .xml,.html,.php,.aspx

# feroxbuster
feroxbuster -u https://rezydev.xyz \
-w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt \
-x .php,.html

Parameter Fuzzing

GET Request

# find parameter name (replace xxx with the size of the baseline response, i.e. the reply for an unknown parameter)
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt \
-u 'http://rezydev.xyz/admin.php?FUZZ=value' -fs xxx

# find parameter value
ffuf -w ids.txt -u 'http://rezydev.xyz/admin.php?id=FUZZ' -fs xxx

# wenum - find parameter name
wenum -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt \
--hc 404 -u "http://rezydev.xyz/admin.php?FUZZ=value"

# wenum - find parameter value
wenum -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt \
--hc 404 -u "http://rezydev.xyz/admin.php?id=FUZZ"

POST Request

# find parameter name
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt \
-u http://rezydev.xyz/admin.php -X POST -d 'FUZZ=value' \
-H 'Content-Type: application/x-www-form-urlencoded' -fs xxx

# find parameter value
ffuf -w ids.txt -u http://rezydev.xyz/admin.php -X POST -d 'id=FUZZ' \
-H 'Content-Type: application/x-www-form-urlencoded' -fs xxx

Virtual Host and Subdomain Fuzzing

Vhost fuzzing

# ffuf (replace xxx with the size of the default vhost's response so only differing vhosts are shown)
ffuf -u http://rezydev.xyz/ \
-H 'Host: FUZZ.rezydev.xyz' \
-w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt \
-fs xxx

# gobuster
gobuster vhost -u http://10.10.10.10/ \
-w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt \
-t 100 --append-domain

Subdomain fuzzing

# ffuf
ffuf -u http://FUZZ.rezydev.xyz/ \
-w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt \
-fs xxx

# gobuster dns
gobuster dns -d rezydev.xyz \
-w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt

For passive subdomain discovery, see External Web Reconnaissance.

Clean Output / Filtering Output

Large fuzzing runs produce noisy data. Filter aggressively.

Gobuster

-s 301,302,307
-b 404
--exclude-length 0,404

# example (-b defaults to 404, so clear it with -b '' when passing -s, otherwise gobuster refuses to run with both set)
gobuster dir -u http://rezydev.xyz/ -w wordlist.txt -s 200,301 -b '' --exclude-length 0,69

Note: -s and -b are for the dir module.

ffuf

-mc 200,301
-fc 404,301
-ms 3456
-fs 0,69
-mw 5-10
-fw 219
-ml 20
-fl 10
-mt '>500'

wenum

--hc 400
--sc 200
--hl 50
--sl 20
--hw 100
--sw 5
--hs 500
--ss 2048
--hr "Internal Server Error"
--sr "admin"
--filter "Login"
--hard-filter "Login"

feroxbuster

--dont-scan /uploads
-S 1024
-X "Access Denied"
-W 0-10
-N 50-
-C 404,500
--filter-similar-to error.html
-s 200,204,301,302
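The filter flags above all implement one idea: learn what the "nothing here" response looks like, then drop every result that matches it. This added example (not part of the original page and not code from ffuf, wenum or feroxbuster) shows that logic in Python over a constructed result set: calibrate a baseline from a few random words that cannot exist (the manual form of what ffuf's `-ac` auto-calibration does), suggest the value you would pass as `-fs`, and apply match/filter rules equivalent to `-mc`, `-fc`, `-fs`, `-fw` and `-fl`. The result values, the `Result` type and the function names are assumptions made for the example; no requests are sent.

```python
"""Baseline-calibrated filtering of fuzzing results (added example).

Models the logic behind ffuf's -fs/-fw/-fl/-mc/-fc flags and its -ac
auto-calibration. The results below are constructed, not captured.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    word: str     # the FUZZ value that was tried
    status: int   # HTTP status code
    size: int     # response body length in bytes
    words: int    # whitespace-separated words in the body
    lines: int    # newline count in the body


def signature(r):
    """The tuple the filters compare: status, size, words, lines."""
    return (r.status, r.size, r.words, r.lines)


# Constructed sample: a site that answers every unknown path with the same
# 200 "soft 404" page, so status alone cannot separate hits from misses.
SAMPLE_RESULTS = [
    Result("admin", 200, 1530, 210, 48),
    Result("backup", 200, 1312, 180, 41),
    Result("login", 200, 2210, 310, 60),
    Result("uploads", 301, 0, 0, 0),
    Result("zz8f3k1", 200, 1312, 180, 41),   # random calibration probe
    Result("q7hd2ls", 200, 1312, 180, 41),   # random calibration probe
    Result("api", 403, 290, 30, 10),
    Result("old", 200, 1312, 180, 41),
]
CALIBRATION_PROBES = {"zz8f3k1", "q7hd2ls"}


def calibrate(results, probes):
    """Return the signature shared by all calibration probes, or None.

    None means the probes disagreed, so there is no stable baseline to
    filter and you must inspect the noise by hand (or filter by regex).
    """
    sigs = {signature(r) for r in results if r.word in probes}
    return sigs.pop() if len(sigs) == 1 else None


def suggest_filter_size(results):
    """The size to put after -fs: the most common response size in the run."""
    return Counter(r.size for r in results).most_common(1)[0][0]


def filter_results(results, baseline=None, match_codes=None, filter_codes=(),
                   filter_sizes=(), filter_words=(), filter_lines=()):
    """Apply ffuf-style rules: drop baseline matches, then -fc/-fs/-fw/-fl,
    and keep only -mc status codes when match_codes is given."""
    kept = []
    for r in results:
        if baseline is not None and signature(r) == baseline:
            continue
        if match_codes is not None and r.status not in match_codes:
            continue
        if (r.status in filter_codes or r.size in filter_sizes
                or r.words in filter_words or r.lines in filter_lines):
            continue
        kept.append(r)
    return kept


if __name__ == "__main__":
    base = calibrate(SAMPLE_RESULTS, CALIBRATION_PROBES)
    print("baseline signature:", base)
    print("suggested -fs value:", suggest_filter_size(SAMPLE_RESULTS))
    for r in filter_results(SAMPLE_RESULTS, baseline=base):
        print(f"{r.status} {r.size:>6} {r.word}")
```

Run on the sample, the two probes agree on `(200, 1312, 180, 41)`, so that becomes the baseline and `backup` and `old` disappear along with the probes themselves, leaving `admin`, `login`, `uploads` and `api`. Adding `match_codes={200, 301}` (the `-mc 200,301` form) drops `api` as well. The same calibration step is why the page's `-fs xxx` placeholders have to be filled per target: the baseline size is a property of the application, not of the wordlist.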

Practical flow

  1. Directory fuzz (ffuf/feroxbuster)
  2. Extension fuzz on promising paths
  3. Parameter fuzz (GET/POST)
  4. Vhost/subdomain fuzz if DNS/app hints exist
  5. Filter output and retest high-signal findings manually