PRIMARY CATEGORY → WEB PENTESTING

Web Application Content

Ffuf

Only Directories
ffuf -t <THREADS> -w '<WORDLIST>' -u 'http[s]://<TARGET>/FUZZ'

Directories and Files
ffuf -t <THREADS> -w '<WORDLIST>' -e '.<EXT1>,.<EXT2>' -u 'http[s]://<TARGET>/FUZZ'

Recursion
ffuf -t <THREADS> -w '<WORDLIST>' -v -e '.<EXT>' -recursion -recursion-depth <INTEGER> -u 'http[s]://<TARGET>/FUZZ'

Gobuster
Only Directories
- Long Format
gobuster dir --add-slash --threads <INT> --output <OUTPUT_FILE> --wordlist <WORDLIST> --url <URL>

INFO
The --add-slash option makes every requested URL end with a slash. For an existing directory the Web Server then answers with a 200 Status Code directly, instead of first redirecting (3XX) to the slash-terminated URL and only then returning a 200. Because the slash is already present, no redirection takes place and the client receives the 200 on the first request.
As a summary:
Without --add-slash → 3XX Status Code followed by a 200
With --add-slash → 200 Status Code directly
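The 3XX-then-200 behaviour described above can be reproduced locally. The following script is an added example, not part of the original cheat sheet: it starts a throwaway HTTP server on a random localhost port that behaves like a typical web server (a directory requested without its trailing slash is redirected to the slash-terminated form), then requests a path both ways without following redirects and reports the first status code seen. The directory name `/admin/` and the handler are constructed for the demonstration.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed target: a single real directory "/admin/"; everything else is 404.
EXISTING_DIRS = {"/admin/"}


class DirHandler(BaseHTTPRequestHandler):
    """Mimics common web server behaviour: a directory requested without its
    trailing slash is redirected (301) to the slash-terminated URL."""

    def do_GET(self):
        if self.path in EXISTING_DIRS:
            body = b"<html>directory index</html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        elif self.path + "/" in EXISTING_DIRS:
            self.send_response(301)  # the 3XX that --add-slash avoids
            self.send_header("Location", self.path + "/")
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            self.send_response(404)
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, format, *args):  # keep the demo quiet
        pass


class NoFollow(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects, so the first status code is what we observe
    (this is what a scanner sees per request)."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def first_status(url):
    """Return the status code of the very first response for `url`."""
    opener = urllib.request.build_opener(NoFollow)
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # unfollowed 3XX and 4XX land here
        return err.code


def probe(paths):
    """Start the constructed server, request each path once and return
    {path: first_status_code}."""
    server = HTTPServer(("127.0.0.1", 0), DirHandler)
    port = server.server_address[1]
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return {p: first_status(f"http://127.0.0.1:{port}{p}") for p in paths}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # "/admin"  -> 301 (a second request to "/admin/" would then get 200)
    # "/admin/" -> 200 directly, which is what --add-slash requests
    print(probe(["/admin", "/admin/", "/nope/"]))
```

From the defender's side, that 301 for a slash-less path is itself a signal: a directory that is otherwise protected still confirms its existence through the redirect, which is why scanners get a hit on it regardless of the add-slash setting.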
- Short Format
gobuster dir -f -t <INT> -o <OUTPUT_FILE> -w <WORDLIST> -u <URL>

Directories and Files
- Long Format
gobuster dir --threads <INT> --output <OUTPUT_FILE> --extensions <EXT1,EXT2,EXTN> --wordlist <WORDLIST> --url <URL>
The --extensions option appends each of the specified extensions to every entry in the wordlist
- Short Format
gobuster dir -t <INT> -o <OUTPUT_FILE> -x <EXT1,EXT2,EXTN> -w <WORDLIST> -u <URL>

Feroxbuster
Only Directories
- Long Format
feroxbuster --add-slash --threads <INT> --output <OUTPUT_FILE> --wordlist <WORDLIST> --url <URL>
- Short Format
feroxbuster -f -t <INT> -o <OUTPUT_FILE> -w <WORDLIST> -u <URL>

Directories and Files
- Long Format
feroxbuster --threads <INT> --output <OUTPUT_FILE> --extensions <EXT1,EXT2,EXTN> --wordlist <WORDLIST> --url <URL>
- Short Format
feroxbuster -t <INT> -o <OUTPUT_FILE> -x <EXT1,EXT2,EXTN> -w <WORDLIST> -u <URL>

Wfuzz
Only Directories
wfuzz -c --hc <STATUS_CODE> -t <INT> -f <OUTPUT_FILE>,<PRINTER> -w <WORDLIST> http[s]://<TARGET>[:<PORT>]/FUZZ/
e.g.
wfuzz -c --hc 404 -t 200 -f fullWebScan.json,json -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt https://domain.com:8000/FUZZ/
To print the available output formats →
wfuzz -e printers # CSV - Field - HTML - JSON - RAW

Only Files
wfuzz -c --hc <STATUS_CODE> -t <INT> -f <OUTPUT_FILE>,<PRINTER> -w <WORDLIST> -z list,.<EXT1>-.<EXT2>-.<EXTN> http[s]://<TARGET>[:<PORT>]/FUZZFUZ2Z
The list payload separates its values with a hyphen, and every payload needs its own keyword: the wordlist (-w) fills FUZZ and the extension list fills FUZ2Z
e.g.
wfuzz -c --hc 404 -t 200 -f fullWebScan -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -z list,.php-.html-.js https://example.com/FUZZFUZ2Z
To print the payloads available for the -z option →
wfuzz -e payloads

Directories and Files
wfuzz -c --hc <STATUS_CODE> -t <INT> -f <OUTPUT_FILE>,<PRINTER> -w <WORDLIST> -z list,-.<EXT1>-.<EXT2>-.<EXTN> http[s]://<TARGET>[:<PORT>]/FUZZFUZ2Z
The leading empty list value requests each wordlist entry without any extension as well
e.g.
wfuzz -c --hc 404 -t 200 -f fullWebScan.html,html -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -z list,-.asp-.aspx-.txt https://domain.com:1234/FUZZFUZ2Z
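Every command in this section produces the same server-side footprint: one client requesting hundreds of distinct paths per second, most of which do not exist. The following script is an added example (not part of the original cheat sheet) showing how that footprint is picked up in an Apache/nginx combined-format access log: it parses each line, collects 404 timestamps per client and flags any client that exceeds a threshold of misses inside a sliding window. The log lines, the client addresses, the user-agent strings and the window/threshold values are constructed for the demonstration and should be tuned against real baseline traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format, one request per line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_bruteforce(lines, window=timedelta(seconds=60), threshold=20):
    """Flag clients that produced more than `threshold` 404 responses inside
    any `window`. Both values are assumptions to be tuned per environment."""
    misses = defaultdict(list)   # ip -> timestamps of 404 responses
    paths = defaultdict(set)     # ip -> distinct paths that returned 404
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].append(rec["ts"])
            paths[rec["ip"]].add(rec["path"])
    alerts = {}
    for ip, times in misses.items():
        peak = max_in_window(times, window)
        if peak > threshold:
            alerts[ip] = {"peak_404s": peak, "distinct_paths": len(paths[ip])}
    return alerts


def _stamp(dt):
    return dt.strftime("%d/%b/%Y:%H:%M:%S +0000")


def sample_log():
    """Constructed log: one ordinary visitor and one client walking a wordlist."""
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} {size} "-" "{ua}"'
    base = datetime(2023, 10, 10, 13, 55, 36)
    lines = []
    for i, p in enumerate(["/", "/index.html", "/about", "/missing-page"]):
        lines.append(fmt.format(ip="10.0.0.5", ts=_stamp(base + timedelta(seconds=15 * i)),
                                path=p, status=404 if p == "/missing-page" else 200,
                                size=612, ua="Mozilla/5.0"))
    for i in range(30):  # 30 misses in 15 seconds, every path different
        lines.append(fmt.format(ip="203.0.113.9", ts=_stamp(base + timedelta(seconds=i // 2)),
                                path=f"/word{i}", status=404, size=196,
                                ua="constructed-scanner/1.0"))
    return lines


if __name__ == "__main__":
    print(detect_bruteforce(sample_log()))
```

Rate-of-404 per client is deliberately used instead of matching tool user-agents, because every tool on this page lets the User-Agent header be overridden; the miss rate and the number of distinct paths survive that change. The same counters work unchanged for the virtual-host scans further down if the key is extended from the client address to the requested Host header.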
HTTP Parameters

GET
ffuf -t <THREADS> -v -w '<WORDLIST>' -u 'http[s]://<DOMAIN.TLD>/<PATH>?FUZZ=<VALUE>'
e.g.
ffuf -t 200 -v -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u 'https://domain.com/admin/admin.php?FUZZ=test'

POST
ffuf -t <THREADS> -v -w '<WORDLIST>' -X POST -d 'FUZZ=<VALUE>' -H 'Content-Type: application/x-www-form-urlencoded' -u 'http[s]://<DOMAIN.TLD>/<PATH>'
e.g.
ffuf -t 200 -v -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -X POST -d 'FUZZ=test' -H 'Content-Type: application/x-www-form-urlencoded' -u 'https://domain.com/admin/admin.php'
Virtual Hosts

Ffuf
ffuf -t <THREADS> -v -w '<WORDLIST>' -H 'Host: FUZZ.<DOMAIN.TLD>' -u 'http[s]://<TARGET>:<PORT>'

Gobuster

IP Address in URL
gobuster vhost --threads <INT> --append-domain --domain <DOMAIN> --output <OUTPUT_FILE> --wordlist <WORDLIST> --url http[s]://<IP_ADDRESS>[:<PORT>]
e.g.
gobuster vhost --threads 200 --append-domain --domain domain.com --output vhostFullScan --wordlist /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --url https://10.10.133.56:1234

Domain in URL
gobuster vhost --threads <INT> --append-domain --output <OUTPUT_FILE> --wordlist <WORDLIST> --url http[s]://<DOMAIN>[:<PORT>]
e.g.
gobuster vhost --threads 200 --append-domain --output vhostFullScan --wordlist /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --url https://domain.com

Wfuzz
IP Address in URL
If the domain does not resolve to the Server’s IP Address, e.g. CloudFlare’s Proxy Enabled ☁️
wfuzz -c --hc <STATUS_CODE> -t <INT> -f <OUTPUT_FILE> -H "Host: FUZZ.<DOMAIN>" -w <WORDLIST> http[s]://<IP_ADDRESS>[:<PORT>]
e.g.
wfuzz -c --hc 404 -t 200 -f outputFile -H "Host: FUZZ.domain.com" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt http://10.129.26.48:5555

Domain in URL
Unlike the situation above, the following applies if the domain resolves to the Server’s IP Address
wfuzz -c --hc <STATUS_CODE> -t <INT> -f <OUTPUT_FILE> -w <WORDLIST> http[s]://FUZZ.<DOMAIN>[:<PORT>]
e.g.
wfuzz -c --hc 404 -t 200 -f vhostFullScan -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt https://FUZZ.domain.com
IMPORTANT
In addition to the status code (--hc), wfuzz can hide responses by other properties of the HTTP Response, namely the number of:
--hl → Lines in the Response Body
--hw → Words in the Response Body
--hh → Characters in the Response Body
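The three counters above matter most when a server answers 200 for every unknown path with the same "not found" page, so that --hc 404 alone hides nothing. The following script is an added example (not part of the original cheat sheet) that computes the lines/words/chars metrics for a response body and applies hide sets the way --hc/--hl/--hw/--hh do. The way the counters are computed (newline count, whitespace-separated tokens, total length) is an assumption about how the tool reports them, and the scan results below are constructed.

```python
import re


def response_metrics(body):
    """Lines, words and characters of a response body (assumed to match the
    tool's own counting: newlines, \\S+ tokens, total length)."""
    return {
        "lines": body.count("\n"),
        "words": len(re.findall(r"\S+", body)),
        "chars": len(body),
    }


def apply_hide_filters(results, hc=(), hl=(), hw=(), hh=()):
    """Drop every (path, status, body) whose status is in hc, or whose line,
    word or char count is in hl/hw/hh; return the survivors with their metrics."""
    kept = []
    for path, status, body in results:
        m = response_metrics(body)
        if status in hc or m["lines"] in hl or m["words"] in hw or m["chars"] in hh:
            continue
        kept.append((path, status, m))
    return kept


# Constructed scan output: the server returns 200 with one and the same
# "soft 404" page for unknown paths, so hiding status 404 is not enough.
SOFT_404 = "<html>\n<body>\nSorry, nothing here.\n</body>\n</html>\n"
SAMPLE_RESULTS = [
    ("/admin", 200, "<html>\n<body>\nAdmin login\n<form>...</form>\n</body>\n</html>\n"),
    ("/backup", 200, SOFT_404),
    ("/test", 200, SOFT_404),
    ("/old", 404, "Not Found\n"),
]


def soft_404_baseline():
    """Metrics of a response for a path that certainly does not exist;
    its chars value is what you would pass to --hh."""
    return response_metrics(SOFT_404)


def interesting_paths(results=SAMPLE_RESULTS):
    """Paths left after hiding real 404s and the soft-404 response size."""
    hh = (soft_404_baseline()["chars"],)
    return [path for path, _, _ in apply_hide_filters(results, hc=(404,), hh=hh)]


if __name__ == "__main__":
    print(soft_404_baseline())
    print(interesting_paths())  # only the page whose size differs from the baseline
```

Establish the baseline by requesting a deliberately random path first; a server that varies the soft-404 page (for example by echoing the requested path) will shift the chars value, in which case the line or word count is usually the stabler filter.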
Subdomains
Ffuf
ffuf -v -w '<WORDLIST>' -u 'http[s]://FUZZ.<DOMAIN.TLD>'