Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter III - Web / Fuzzing

Cheatsheet

Use this as a quick reference while doing web discovery.


Baseline

curl -i http://127.0.0.1:5000/
curl -i http://127.0.0.1:5000/ootw-random-missing-path
curl -i "http://127.0.0.1:5000/search?ootw_missing=1"

Record status, size, words, lines, title, redirects, and content type.


Directory

ffuf -u http://127.0.0.1:5000/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/common.txt
ffuf -u http://127.0.0.1:5000/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
  -mc 200,204,301,302,307,401,403 \
  -fs 1234
gobuster dir -u http://127.0.0.1:5000/ \
  -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
  -s 200,204,301,302,307,401,403

Extensions

ffuf -u http://127.0.0.1:5000/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
  -e .php,.txt,.bak,.old,.zip,.json,.conf
gobuster dir -u http://127.0.0.1:5000/ \
  -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
  -x php,txt,bak,old,zip,json,conf

Recursive

ffuf -u http://127.0.0.1:5000/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt \
  -recursion -recursion-depth 2 \
  -e .php,.txt,.bak,.json
feroxbuster -u http://127.0.0.1:5000/ \
  -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
  -x php,txt,bak,old,zip,json

Virtual Hosts

ffuf -u http://10.10.10.10/ \
  -H "Host: FUZZ.example.local" \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  -fs 116
gobuster vhost -u http://example.local \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  --append-domain

API

printf "api\napi/v1\napi/v2\ngraphql\nswagger\nswagger.json\nopenapi.json\ndocs\nredoc\nactuator\n" > api-roots.txt

ffuf -u http://127.0.0.1:5000/FUZZ \
  -w api-roots.txt \
  -mc 200,204,301,302,307,401,403
ffuf -u http://127.0.0.1:5000/api/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/api/objects.txt \
  -mc 200,204,301,302,307,401,403 \
  -fs 1234
for m in GET POST PUT PATCH DELETE OPTIONS; do
  echo "== $m =="
  curl -i -X "$m" http://127.0.0.1:5000/api/users
done

Parameters

ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ \
  -u "http://127.0.0.1:5000/search?FUZZ=ootw" \
  -mc all \
  -fs 1234
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ \
  -u http://127.0.0.1:5000/api/profile \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{"FUZZ":"ootw"}' \
  -mc all \
  -fs 1234
arjun -u http://127.0.0.1:5000/search

Filters

ffuf match:  -mc -ml -mr -ms -mw
ffuf filter: -fc -fl -fr -fs -fw
wfuzz hide:  --hc --hl --hw --hh --hs
wfuzz show:  --sc --sl --sw --sh --ss
gobuster show status: -s
gobuster hide status: -b

Wordlists

/usr/share/seclists/Discovery/Web-Content/common.txt
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt
/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
/usr/share/seclists/Discovery/Web-Content/api/objects.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt

Verification

curl -i http://127.0.0.1:5000/HIT
curl -i -X OPTIONS http://127.0.0.1:5000/api/HIT

Confirm:

The route exists.
The response differs from the fake baseline.
The hit is reachable with the expected method.
The route requires authentication or not.
The route maps to a later vulnerability test.