Web Directories Fuzzing

Sometimes, we don't see some directories or files of a website directly, in which case we use web directory fuzzing - a quick enumeration of directories using automated tools to identify useful endpoints and pages.

To begin with, most built-in WAFs block a large number of requests, so fuzzing will often yield very little benefit unless you strictly configure fuzzing, changing parameters such as the maximum number of requests per second, directory changes, and stop intervals.

But, we'll talk in general terms.

There are quite a few good tools available for fuzzing web directories:

Tool Name

Description

FFUF

The most versatile web fuzzer, can be considered the best of all.

GoBuster

One of the best web fuzzers, very fast.

Dirsearch

Very easy to use directory scanner.

FeroxBuster

A very fast and powerful web fuzzer.

Wfuzz

An alternative to FFUF, but slower.

It is worth noting that some web servers are configured differently, and accordingly, requests to a particular endpoint or directory may be different.

Let's say we have the same website but different web servers, or the same web server but with different configurations;

The following difference is often observed:

A request to https://example.com/secret will return a 302 to https://example.com/secret/
A request to https://example.com/secret will return a 404, while a request to https://example.com/secret/ will return a 200.

This is said in order to avoid fuzzing unnecessary things, and to set everything up in advance for clean fuzzing and less noise.

You should also always filter out files or directories that return 200 but weigh 0 bytes in advance; these are either empty files or access to them is restricted.

Although several tools were mentioned above, it would be best to use ffuf, since it is the most flexible, fairly fast and optimized (although you choose the tools according to your taste).

Basic directory fuzzing can be done with a simple command:

ffuf -u "https://example.com/FUZZ" -w /usr/share/dirb/wordlists/common.txt -t 50 -fs 0

Each line from the dictionary is inserted instead of FUZZ;

With -t 50 we specified the fuzzing speed (fairly fast), with -fs 0 we filter out everything that weighs 0 bytes;

If you encounter a situation where almost everything returns the same response size, it's probably some kind of stub; you can safely filter it out using -fs :

┌──(hacker@attack-machine)-[~]
└─$ ffuf -u "https://example.com/FUZZ" -w /usr/share/dirb/wordlists/common.txt -t 50 -fs 0

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : https://example.com/FUZZ
 :: Wordlist         : FUZZ: /usr/share/dirb/wordlists/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 50
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 0
________________________________________________
page                    [Status: 200, Size: 513, Words: 25, Lines: 2, Duration: 92ms]
error                   [Status: 200, Size: 513, Words: 25, Lines: 2, Duration: 92ms]
test                    [Status: 200, Size: 513, Words: 25, Lines: 2, Duration: 92ms]
                        [Status: 200, Size: 513, Words: 25, Lines: 2, Duration: 92ms]

┌──(hacker@attack-machine)-[~]
└─$ ffuf -u "https://example.com/FUZZ" -w /usr/share/dirb/wordlists/common.txt -t 50 -fs 0,513

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : https://example.com/FUZZ
 :: Wordlist         : FUZZ: /usr/share/dirb/wordlists/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 50
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 0
________________________________________________
secret                   [Status: 200, Size: 678, Words: 54, Lines: 5, Duration: 95ms]
admin                    [Status: 200, Size: 136, Words: 15, Lines: 2, Duration: 91ms]

In fact, it all depends on the situation, and you can filter by different parameters.

The best dictionaries for directory fuzzing:

You can use cheatsheet if you forgot the commands.

PreviousFuzzing NextUsername Enumeration

Last updated 1 month ago