Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter III - Web / Fuzzing / Techniques

Directory

Directory and file fuzzing discovers hidden paths, backups, admin panels, upload directories, debug routes, static files, and server-specific endpoints. We use it early because most web vulnerabilities require a real route before we can test the vulnerability class.

Start with a nonsense baseline:

curl -i http://127.0.0.1:5000/ootw-this-should-not-exist

Record the fake response. If missing paths return 200 OK, filter by size, words, lines, or body pattern instead of status alone.

Basic ffuf path fuzzing:

ffuf -u http://127.0.0.1:5000/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/common.txt

Filter a fake response by size:

ffuf -u http://127.0.0.1:5000/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/common.txt \
  -fs 1234

Match common useful status codes:

ffuf -u http://127.0.0.1:5000/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
  -mc 200,204,301,302,307,401,403

Extension fuzzing:

ffuf -u http://127.0.0.1:5000/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
  -e .php,.txt,.bak,.old,.zip,.json,.conf

Recursive fuzzing:

ffuf -u http://127.0.0.1:5000/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt \
  -recursion -recursion-depth 2 \
  -e .php,.txt,.bak,.json

gobuster directory mode:

gobuster dir -u http://127.0.0.1:5000/ \
  -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
  -s 200,204,301,302,307,401,403

gobuster with extensions:

gobuster dir -u http://127.0.0.1:5000/ \
  -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
  -x php,txt,bak,old,zip,json,conf \
  -s 200,204,301,302,307,401,403

feroxbuster recursive discovery:

feroxbuster -u http://127.0.0.1:5000/ \
  -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
  -x php,txt,bak,old,zip,json \
  -k

Virtual host fuzzing with ffuf:

ffuf -u http://10.10.10.10/ \
  -H "Host: FUZZ.example.local" \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  -fs 116

Virtual host fuzzing with gobuster:

gobuster vhost -u http://example.local \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  --append-domain

Interesting directory findings:

/admin
/debug
/api
/uploads
/backup
/backups
/old
/dev
/staging
/.git
/.env
/server-status
/actuator
/swagger
/openapi.json

Verification:

curl -i http://127.0.0.1:5000/admin
curl -i http://127.0.0.1:5000/api
curl -i http://127.0.0.1:5000/openapi.json

Notes

Do not trust status code alone. A 403 can be more interesting than a 200 because it proves the path exists.

Run small lists first, then expand. Recursive fuzzing with large lists can bury the signal.