Web Fuzzing
Find What's Hidden

0x74shelby · Web Security · Intermediate

01

Directory and Endpoint Discovery

Fuzzing is how you find what a web application doesn't want you to find. The site's sitemap and linked pages reveal what the developer intended you to see. Fuzzing reveals everything else — admin panels, API endpoints, backup files, configuration exports, debug interfaces, and forgotten functionality.

Directory fuzzing works by requesting a list of candidate paths and observing the response. Status 200 means found. Status 301/302 means found and redirected. Status 403 means the path exists but access is forbidden (still interesting). Status 404 means not found. The logic is simple. The value is entirely in the quality of your wordlist and your ability to filter out noise: a custom "not found" page that answers 200 for every unknown path, or a WAF that answers 403 for everything, turns a raw status-code scan into a wall of false positives.

directory fuzzing
# Flat scan with a small generic list; every response is reported, 404s included
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET/FUZZ

# Drop 404 and 403 responses (-fc) and auto-calibrate (-ac): ffuf requests random
# names that cannot exist and filters anything that looks like those responses,
# which removes custom "not found" pages served as 200
ffuf -w wordlist.txt -u http://TARGET/FUZZ -fc 404,403 -ac

# Two wordlists with named keywords; in the default clusterbomb mode every PATH is
# tried with every EXT (e.g. backup.EXT -> backup.zip, backup.bak, ...)
ffuf -w ext.txt:EXT -w paths.txt:PATH \
     -u http://TARGET/PATH.EXT \
     -fc 404

Recursive Discovery

Once you find a directory, fuzz inside it. /admin/ might lead to /admin/panel/, /admin/config/, /admin/users/. Recursive fuzzing with a reduced wordlist on discovered directories often reveals more than the initial flat scan.

02

Parameter Fuzzing

An endpoint you've found might accept parameters you don't know about. GET parameters can often be discovered by fuzzing parameter names and watching for behavioural differences in the response. A parameter that changes the response length, status code, or content is a parameter worth investigating for injection vulnerabilities.

parameter discovery
# First note the size of the normal response, then filter it out (-fs 1234 is a
# placeholder for that size) so only parameter names that change the page remain
ffuf -w params.txt -u "http://TARGET/page.php?FUZZ=value" \
     -fs 1234

# Same idea for POST bodies: FUZZ is the form field name, -d the body, -H the content type
ffuf -w params.txt -u "http://TARGET/api/v1" \
     -X POST -d "FUZZ=test" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -fs 1234
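The filtering behind -fc, -fs/-fw and -ac is the same idea in both the directory scan above and the parameter discovery run in this section: reduce every response to a fingerprint, learn what "nothing here" looks like from names that cannot exist, and keep only what differs. The following Python example is added here to make that logic concrete; it is not code from the original page or from ffuf, every response is constructed in memory, and the Response and Fingerprint types and helper names are this example's own.

```python
"""Baseline filtering for fuzzing output (added example, not ffuf code).

Every response is reduced to the fingerprint ffuf prints (status, size,
words, lines). Responses to random names that cannot exist teach us what
"nothing here" looks like on this server; anything matching that fingerprint
is noise, even when it arrives as a 200. All responses below are constructed.
"""
from collections import namedtuple

# candidate: the FUZZ value; headers: dict of response headers (constructed)
Response = namedtuple("Response", "candidate status body headers")
Fingerprint = namedtuple("Fingerprint", "status size words lines")


def fingerprint(resp):
    """Summarise a response the way ffuf reports it."""
    body = resp.body
    return Fingerprint(resp.status, len(body.encode()), len(body.split()), body.count("\n"))


def calibrate(calibration_responses):
    """Learn the server's 'not found' fingerprints from responses to random
    names (the idea behind -ac). Soft 404s, catch-all 403s and default vhost
    pages all end up in this set."""
    return {fingerprint(r) for r in calibration_responses}


def is_noise(fp, baseline, filter_codes=frozenset({404})):
    """Hard status filter (-fc) plus the learnt baseline (-ac)."""
    if fp.status in filter_codes:
        return True
    # Status, byte size and word count are enough to recognise a template page.
    return any(fp.status == b.status and fp.size == b.size and fp.words == b.words
               for b in baseline)


def filter_hits(responses, baseline, filter_codes=frozenset({404})):
    """Return (candidate, fingerprint) for every response that is not noise."""
    hits = []
    for r in responses:
        fp = fingerprint(r)
        if not is_noise(fp, baseline, filter_codes):
            hits.append((r.candidate, fp))
    return hits


def recursion_candidates(responses, hits):
    """Directories to fuzz inside next: a hit answered with 301/302 and a
    Location ending in '/' is the server telling you it is a directory."""
    hit_names = {candidate for candidate, _ in hits}
    dirs = []
    for r in responses:
        location = r.headers.get("Location", "")
        if r.candidate in hit_names and r.status in (301, 302) and location.endswith("/"):
            dirs.append(location)
    return dirs


# --- constructed sample data -------------------------------------------------
SOFT_404 = "<html><body><h1>Not found</h1><p>No such page.</p></body></html>\n"
PAGE = "<html><body><h1>Welcome</h1></body></html>\n"

# Random names that cannot exist: what -ac requests behind the scenes.
DIR_CALIBRATION = [Response("/zq8v1x3", 200, SOFT_404, {}),
                   Response("/k0lp2mq", 200, SOFT_404, {})]

DIRECTORY_RUN = [
    Response("/images", 200, SOFT_404, {}),                 # soft 404 served as 200 -> noise
    Response("/admin", 301, "", {"Location": "/admin/"}),  # directory, redirected
    Response("/backup.zip", 403, "<h1>Forbidden</h1>\n", {}),
    Response("/robots.txt", 200, "User-agent: *\nDisallow: /admin/\n", {}),
    Response("/missing", 404, "", {}),
]

# Parameter discovery against page.php?NAME=value: only "debug" changes the page.
PARAM_CALIBRATION = [Response("zzqx_random", 200, PAGE, {})]
PARAM_RUN = [
    Response("id", 200, PAGE, {}),
    Response("page", 200, PAGE, {}),
    Response("debug", 200, PAGE + "<!-- query: 2 rows, 3 ms -->\n", {}),
]


def demo():
    """Run both constructed scans; returns (directory hits, dirs to recurse into, parameter hits)."""
    dir_hits = filter_hits(DIRECTORY_RUN, calibrate(DIR_CALIBRATION))
    param_hits = filter_hits(PARAM_RUN, calibrate(PARAM_CALIBRATION))
    return dir_hits, recursion_candidates(DIRECTORY_RUN, dir_hits), param_hits


if __name__ == "__main__":
    for label, result in zip(("hits", "recurse into", "parameters"), demo()):
        print(f"{label}: {result}")
```

The calibration set is what makes the 200 for /images disappear while /robots.txt, /admin and the 403 on /backup.zip survive; the same baseline trick is why the `-fs 1234` in the parameter commands works: the size is just a one-entry baseline chosen by hand.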

03

Virtual Host Enumeration

A single IP address can serve multiple websites through virtual hosting. The server reads the HTTP Host header to decide which site to serve. Fuzzing the Host header lets you discover internal or hidden subdomains that resolve to the same IP but serve different content.

This is particularly valuable in CTF environments where the box IP serves a public site on one vhost and an internal admin application on another. Vhost brute-forcing often reveals those internal applications that never appear in DNS.

vhost fuzzing
# Every request goes to the same IP; only the Host header changes. -fs 0 drops
# empty responses (a placeholder: use the size of the default vhost's page instead)
ffuf -w vhosts.txt \
     -u http://TARGET_IP \
     -H "Host: FUZZ.target.htb" \
     -fs 0

# Filtering by word count (-fw) is steadier when the default page echoes the
# requested hostname, which changes the byte size on every request; 18 is a placeholder
ffuf -w vhosts.txt \
     -u http://TARGET_IP \
     -H "Host: FUZZ.target.htb" \
     -fw 18
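Seen from the server, both the path scans earlier and the Host-header sweep in this section are loud: every response that ffuf filters away on the client still lands in the access log. The following Python example is added here (it is not from the page or from ffuf) to flag both patterns from a constructed log sample. It assumes a custom log format that records the raw Host header rather than the vhost that served the request, and KNOWN_VHOSTS and the thresholds are assumptions to tune per environment.

```python
"""Access-log detection for path and virtual-host brute-forcing (added example).

Assumed log format (constructed for this example; in Apache terms
    LogFormat "%h %t \"%r\" %>s %b \"%{Host}i\"" hostlog
) so that the raw Host header, not the name of the vhost that answered, is recorded.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<host>[^"]*)"$'
)

# Names this server is actually configured to serve (assumption for the example).
KNOWN_VHOSTS = {"target.htb", "www.target.htb"}

# Constructed sample: one Host-header sweep, one path scan, one normal visitor.
SAMPLE_LOG = """\
10.0.0.5 [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 1234 "admin.target.htb"
10.0.0.5 [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 1234 "dev.target.htb"
10.0.0.5 [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 1234 "staging.target.htb"
10.0.0.5 [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 1234 "mail.target.htb"
10.0.0.9 [10/Oct/2023:14:02:01 +0000] "GET / HTTP/1.1" 200 1234 "target.htb"
10.0.0.9 [10/Oct/2023:14:02:01 +0000] "GET /backup HTTP/1.1" 404 - "target.htb"
10.0.0.9 [10/Oct/2023:14:02:01 +0000] "GET /old HTTP/1.1" 404 - "target.htb"
10.0.0.9 [10/Oct/2023:14:02:02 +0000] "GET /test HTTP/1.1" 404 - "target.htb"
10.0.0.9 [10/Oct/2023:14:02:02 +0000] "GET /.git/HEAD HTTP/1.1" 404 - "target.htb"
10.0.0.9 [10/Oct/2023:14:02:02 +0000] "GET /config.bak HTTP/1.1" 404 - "target.htb"
192.168.1.20 [10/Oct/2023:14:10:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "www.target.htb"
192.168.1.20 [10/Oct/2023:14:10:01 +0000] "GET /style.css HTTP/1.1" 200 880 "www.target.htb"
192.168.1.20 [10/Oct/2023:14:10:05 +0000] "GET /about.html HTTP/1.1" 404 - "www.target.htb"
"""


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def analyse(lines, known_vhosts=KNOWN_VHOSTS, min_requests=5,
            notfound_ratio=0.8, min_unknown_hosts=3):
    """Return {client_ip: set(flags)} for clients that look like a fuzzer.

    path-bruteforce : enough requests and most of them 404 (the filtered noise
                      ffuf hides client-side is all still here)
    vhost-bruteforce: several distinct Host values this server never serves
    """
    per_ip = defaultdict(lambda: {"requests": 0, "notfound": 0, "unknown_hosts": set()})
    for rec in parse(lines):
        stats = per_ip[rec["ip"]]
        stats["requests"] += 1
        if rec["status"] == "404":
            stats["notfound"] += 1
        host = rec["host"].split(":")[0].lower()   # strip an optional :port
        if host not in known_vhosts:
            stats["unknown_hosts"].add(host)

    findings = {}
    for ip, stats in per_ip.items():
        flags = set()
        if stats["requests"] >= min_requests and \
                stats["notfound"] / stats["requests"] >= notfound_ratio:
            flags.add("path-bruteforce")
        if len(stats["unknown_hosts"]) >= min_unknown_hosts:
            flags.add("vhost-bruteforce")
        if flags:
            findings[ip] = flags
    return findings


if __name__ == "__main__":
    for ip, flags in analyse(SAMPLE_LOG.splitlines()).items():
        print(ip, sorted(flags))
```

The vhost rule depends on logging the Host header itself; with the stock vhost_combined format an unknown name is logged under whichever default vhost answered it, and the sweep is invisible. Pairing this with a catch-all default vhost that returns one fixed, minimal response also removes the size and word-count differences the -fs/-fw filters rely on.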

04

Wordlist Selection

Your wordlist determines your coverage. Generic wordlists miss technology-specific paths. If you know the target is running a specific CMS or framework, use a technology-specific wordlist. Backup file extensions (.bak, .old, .orig, ~, .swp) are worth a separate pass. Files like .git, .env, web.config, robots.txt, sitemap.xml should be tried explicitly. The best wordlists are built from real-world data — patterns found across thousands of actual applications.
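The defender's counterpart to this wordlist is to check your own document root for exactly these artifacts before anything ships. The Python example below is added here and is not from the page: it walks a constructed throwaway web root, flags backup and editor leftovers by the suffixes listed above, version-control metadata and sensitive config files, and lists what robots.txt advertises. The reason labels, the sample files and the helper names are this example's own.

```python
"""Pre-deploy check for files a fuzzer's wordlist is built to find (added example)."""
import shutil
import tempfile
from pathlib import Path

# Suffixes from the wordlist-selection notes: editor and backup leftovers.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", "~", ".swp")
# Files that must never be reachable from the document root.
SENSITIVE_NAMES = {".env", "web.config"}


def classify(rel_path):
    """Return a reason if rel_path is something to pull out of the web root, else None."""
    name = rel_path.name
    if ".git" in rel_path.parts:
        return "vcs-metadata"           # .git/HEAD, .git/config, objects: the whole repo leaks
    if name.endswith(BACKUP_SUFFIXES):
        return "backup-or-editor-file"  # config.php.bak, index.php~, .config.php.swp (vim)
    if name in SENSITIVE_NAMES:
        return "sensitive-config"
    return None


def find_exposed_artifacts(webroot):
    """Walk the web root and return sorted (relative_path, reason) pairs."""
    root = Path(webroot)
    findings = []
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root)
            reason = classify(rel)
            if reason:
                findings.append((rel.as_posix(), reason))
    return sorted(findings)


def robots_disallows(webroot):
    """Paths robots.txt advertises; a fuzzer reads these first, so review them."""
    robots = Path(webroot) / "robots.txt"
    if not robots.is_file():
        return []
    entries = []
    for line in robots.read_text().splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            entries.append(value.strip())
    return entries


def build_sample_webroot():
    """Construct a throwaway web root that mimics a careless deployment."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.php").write_text("<?php echo 'hi'; ?>\n")
    (root / "config.php").write_text("<?php $db_pass = 'example'; ?>\n")
    (root / "config.php.bak").write_text("<?php $db_pass = 'example'; ?>\n")
    (root / ".config.php.swp").write_bytes(b"b0VIM")   # vim swap file naming: .name.swp
    (root / "index.php~").write_text("")                # emacs/sed-style backup: name~
    (root / ".env").write_text("DB_PASSWORD=example\n")
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (root / "robots.txt").write_text("User-agent: *\nDisallow: /admin/\nDisallow: /old/\n")
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    try:
        for rel, reason in find_exposed_artifacts(root):
            print(f"{reason:22} {rel}")
        print("robots.txt disallows:", robots_disallows(root))
    finally:
        shutil.rmtree(root)
```

Note the vim swap convention: the file for config.php is .config.php.swp, a dotfile, so a check that only looks at name.swp or a web server rule that only blocks *.swp misses it. Run the walk against the built artifact in CI and fail the build on any finding.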