FUZZING

  • Fuzzing for directories

  • Fuzzing for files and extensions

  • Identifying hidden vhosts

  • Fuzzing for PHP parameters

  • Fuzzing for parameter values

Some of the most commonly used wordlists can be found under the GitHub SecLists repository, which categorizes wordlists under various types of fuzzing.

The specific wordlist we will be utilizing for page and directory fuzzing is another commonly used wordlist called directory-list-2.3.

l1nuxkid@oscp[/home]$ locate directory-list-2.3-small.txt
/opt/useful/seclists/Discovery/Web-Content/directory-list-2.3-small.tx

Directory Fuzzing

Next, as we want to be fuzzing for web directories, we can place the FUZZ keyword where the directory would be within our URL, with:

L1nuxKid@htb[/home]$ ffuf -w /opt/useful/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ
1nuxKid@htb[/home]$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -u http://workaholic.offsec -x php,txt -t 60 --exclude-length 0

Extension Fuzzing

  • Utilize web fuzzing to see if the directory contains any hidden pages

  • We must find out what types of pages the website uses, like .html, .aspx, .php, or something else.


One common way to identify that is by finding the server type through the HTTP response headers and guessing the extension.

For example, if the server is Apache, then it may be .php, or if it is IIS, then it could be .asp or .aspx, and so on.

Note: The wordlist we chose already contains a dot (.), so we will not have to add the dot after "index" in our fuzzing.

  • Below is chatgpt one

Page Fuzzing

  • Place the FUZZ keyword where the filename should be.

Recursive Fuzzing

So far, we have been fuzzing for directories, then going under these directories, and then fuzzing for files. However, if we had dozens of directories, each with their own subdirectories and files, this would take a very long time to complete. To be able to automate this, we will utilize what is known as recursive fuzzing.
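As an added example (not code from these notes or from ffuf), the following Python sketch reproduces the logic of the sections above: it substitutes the FUZZ keyword from a wordlist for directories, then fuzzes index + extension under each hit (the extension list already carries the dot, so no extra dot is added), and recurses into every discovered directory. The `probe` function and the `FAKE_SITE` map are constructed stand-ins for a live server so the script runs offline.

```python
from __future__ import annotations
from typing import Callable, Iterable

def expand(template: str, words: Iterable[str]) -> list[str]:
    """Replace the FUZZ keyword in `template` with every entry of the wordlist."""
    if "FUZZ" not in template:
        raise ValueError("template must contain the FUZZ keyword")
    return [template.replace("FUZZ", w) for w in words]

def fuzz_recursive(base: str, dirs: list[str], pages: list[str], exts: list[str],
                   probe: Callable[[str], int], max_depth: int = 3) -> dict[str, int]:
    """Directory fuzz -> page+extension fuzz under each hit -> recurse into hits.
    `probe` returns the HTTP status for a URL; here it is injected so no network is used."""
    found: dict[str, int] = {}

    def walk(prefix: str, depth: int) -> None:
        if depth > max_depth:          # bound recursion, like ffuf's -recursion-depth
            return
        for url in expand(f"{prefix}/FUZZ", dirs):
            status = probe(url)
            if status in (200, 301, 302, 403):   # directory exists (redirect/forbidden count)
                found[url] = status
                walk(url, depth + 1)
        for page in pages:
            # extension wordlist already contains the dot: "index" + ".php", not "index." + ".php"
            for url in expand(f"{prefix}/{page}FUZZ", exts):
                status = probe(url)
                if status == 200:
                    found[url] = status

    walk(base.rstrip("/"), 0)
    return found

# Constructed fake site map standing in for a real target (assumption, not a live host).
FAKE_SITE = {
    "http://SERVER_IP:PORT/blog": 301,
    "http://SERVER_IP:PORT/blog/index.php": 200,
    "http://SERVER_IP:PORT/blog/admin": 403,
    "http://SERVER_IP:PORT/blog/admin/index.php": 200,
    "http://SERVER_IP:PORT/index.php": 200,
}

def fake_probe(url: str) -> int:
    """Offline stand-in for an HTTP request: anything not in the map is a 404."""
    return FAKE_SITE.get(url, 404)

if __name__ == "__main__":
    hits = fuzz_recursive("http://SERVER_IP:PORT", ["blog", "admin", "images"],
                          ["index"], [".php", ".html", ".aspx"], fake_probe)
    for url, status in sorted(hits.items()):
        print(status, url)
```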

Subdomain Fuzzing
