Use this as a quick reference while doing web discovery.
Baseline
curl -i http://127.0.0.1:5000/
curl -i http://127.0.0.1:5000/ootw-random-missing-path
curl -i "http://127.0.0.1:5000/search?ootw_missing=1"
Record status, size, words, lines, title, redirects, and content type.
Directory
ffuf -u http://127.0.0.1:5000/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/common.txt
ffuf -u http://127.0.0.1:5000/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
-mc 200,204,301,302,307,401,403 \
-fs 1234
gobuster dir -u http://127.0.0.1:5000/ \
-w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
-s 200,204,301,302,307,401,403
Extensions
ffuf -u http://127.0.0.1:5000/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
-e .php,.txt,.bak,.old,.zip,.json,.conf
gobuster dir -u http://127.0.0.1:5000/ \
-w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
-x php,txt,bak,old,zip,json,conf
Recursive
ffuf -u http://127.0.0.1:5000/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt \
-recursion -recursion-depth 2 \
-e .php,.txt,.bak,.json
feroxbuster -u http://127.0.0.1:5000/ \
-w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
-x php,txt,bak,old,zip,json
Virtual Hosts
ffuf -u http://10.10.10.10/ \
-H "Host: FUZZ.example.local" \
-w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
-fs 116
gobuster vhost -u http://example.local \
-w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
--append-domain
API
printf "api\napi/v1\napi/v2\ngraphql\nswagger\nswagger.json\nopenapi.json\ndocs\nredoc\nactuator\n" > api-roots.txt
ffuf -u http://127.0.0.1:5000/FUZZ \
-w api-roots.txt \
-mc 200,204,301,302,307,401,403
ffuf -u http://127.0.0.1:5000/api/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/api/objects.txt \
-mc 200,204,301,302,307,401,403 \
-fs 1234
for m in GET POST PUT PATCH DELETE OPTIONS; do
echo "== $m =="
curl -i -X "$m" http://127.0.0.1:5000/api/users
done
Parameters
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ \
-u "http://127.0.0.1:5000/search?FUZZ=ootw" \
-mc all \
-fs 1234
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ \
-u http://127.0.0.1:5000/api/profile \
-X POST \
-H "Content-Type: application/json" \
-d '{"FUZZ":"ootw"}' \
-mc all \
-fs 1234
arjun -u http://127.0.0.1:5000/search
Filters
ffuf match: -mc -ml -mr -ms -mw
ffuf filter: -fc -fl -fr -fs -fw
wfuzz hide: --hc --hl --hw --hh --hs
wfuzz show: --sc --sl --sw --sh --ss
gobuster show status: -s
gobuster hide status: -b
Wordlists
/usr/share/seclists/Discovery/Web-Content/common.txt
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt
/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
/usr/share/seclists/Discovery/Web-Content/api/objects.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt
Verification
curl -i http://127.0.0.1:5000/HIT
curl -i -X OPTIONS http://127.0.0.1:5000/api/HIT
Confirm:
The route exists.
The response differs from the fake baseline.
The hit is reachable with the expected method.
The route requires authentication or not.
The route maps to a later vulnerability test.