Parameter fuzzing discovers hidden input names and interesting values. This matters because many vulnerabilities are hidden behind parameters that the frontend does not expose directly: id, file, url, next, debug, role, admin, template, path, callback, sort, and filter.
Parameter fuzzing answers two separate questions:
Which parameter names does the backend read?
Which values change behavior or reach a dangerous sink?
GET parameter name discovery:
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ \
-u "http://127.0.0.1:5000/search?FUZZ=ootw" \
-mc all \
-fs 1234
POST form parameter discovery:
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ \
-u http://127.0.0.1:5000/profile \
-X POST \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "FUZZ=ootw" \
-mc all \
-fs 1234
JSON field discovery:
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ \
-u http://127.0.0.1:5000/api/profile \
-X POST \
-H "Content-Type: application/json" \
-d '{"FUZZ":"ootw"}' \
-mc all \
-fs 1234
Value fuzzing for IDs:
seq 1 1000 > ids.txt
ffuf -w ids.txt:FUZZ \
-u "http://127.0.0.1:5000/api/orders/FUZZ" \
-mc 200,403 \
-fs 1234
Value fuzzing for LFI:
ffuf -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ \
-u "http://127.0.0.1:5000/view?file=FUZZ" \
-mc 200,500 \
-fs 1234
Value fuzzing for redirects:
cat > redirect-values.txt <<'EOF'
https://example.com
//example.com
/admin
http://127.0.0.1:8000
javascript:alert(1)
EOF
ffuf -w redirect-values.txt:FUZZ \
-u "http://127.0.0.1:5000/login?next=FUZZ" \
-mc all
Arjun parameter discovery:
arjun -u http://127.0.0.1:5000/search
arjun -u http://127.0.0.1:5000/api/profile -m POST -d '{"test":"value"}' -H "Content-Type: application/json"
ParamSpider from historical URLs:
paramspider -d example.com
Use wfuzz for parameter names:
wfuzz -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \
--hc 404 \
"http://127.0.0.1:5000/search?FUZZ=ootw"
Useful parameter names:
id
user
uid
account
order
file
path
page
template
view
url
uri
next
redirect
callback
debug
admin
role
is_admin
sort
filter
q
search
cmd
host
ip
Notes
Do not stop when a parameter name is found. Immediately fuzz its values with payloads relevant to the suspected sink.
Parameter fuzzing works best after spidering. Real application URLs give better targets than guessing every route from /.