
Enumeration - Web - Fuzz

ffuf for POST requests

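# Send the same JSON body as a POST to every candidate path under /api/:
# ffuf replaces FUZZ with each line of the -w wordlist, and -fw 2 filters out
# responses whose body contains exactly two words.
# "target" is a shell variable holding the host. Writing $(target) would make
# the shell run a command named "target" (command substitution), so the
# variable form is used here. ":?" aborts with a message when it is unset or
# empty, instead of sending requests to a malformed URL.
# NOTE(review): the wordlist is a password list although FUZZ sits in the URL
# path; confirm that this is the intended list.
ffuf -w /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt \
  -X POST -d '{"key":"value"}' \
  -u "http://${target:?set target to the host under test}:8081/api/FUZZ" \
  -fw 2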

wfuzz

# wfuzz replaces the FUZZ keyword in the URL with each line of the wordlist.
#   -c       coloured output
#   -w FILE  wordlist payload (shorthand for -z file,FILE)
#   --hc     hide responses with the listed HTTP status codes
# URL must already hold the base address of the application under test.

# --- directory names
wfuzz -c --hc 404 \
  -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt \
  "${URL}/FUZZ"

# --- file names
wfuzz -c --hc 404 \
  -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-words.txt \
  "${URL}/FUZZ"

# --- query-string parameter names (redirects are hidden as well as 404s)
wfuzz -c --hc 302,404 \
  -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt \
  "${URL}?FUZZ"

# --- values of the "user" parameter (403 responses are hidden as well as 404s)
wfuzz -c --hc 404,403 \
  -w /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt \
  "${URL}?user=FUZZ"

Fix for the wfuzz warning "Pycurl is not compiled against Openssl"

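# Replace the distro pycurl package with one installed through pip, to address
# the wfuzz warning that pycurl is not compiled against OpenSSL.

# 1. Remove the packaged pycurl together with its configuration files.
sudo apt --purge remove python3-pycurl

# 2. Install the OpenSSL flavour of the libcurl headers and the OpenSSL headers.
#    Presumably pip compiles pycurl from source against these; confirm that no
#    prebuilt wheel is picked up instead.
sudo apt install libcurl4-openssl-dev libssl-dev

# 3. Install into the current user's site-packages rather than with sudo.
#    Running pip as root executes third-party package build code with root
#    privileges and can overwrite files owned by apt. The wfuzz launcher is
#    placed in ~/.local/bin, which must be on PATH.
pip3 install --user pycurl wfuzz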