Cloudflare: This can be rather easy or rather hard to bypass. The easy way is to find the origin IPv4 behind the Cloudflare proxy. I personally prefer the Censys certificate-matching method, although there are quite a few other ways to identify it. For example, a common method is to make the target send an email to you, identify the origin MX (i.e. SMTP) server infrastructure subnet, and match it against the subnet of the webapp/service hosted behind Cloudflare: simply use Burp Collaborator and supply a Collaborator address as the email during the registration/login/2FA process, or sometimes even in the newsletter sign-up form, e.g. <some-rand-example-email>@burpcollaborator.server.com; note the use of an email alias on the burpcollaborator.server.com host, which should result in an SMTP delivery whose in-between queries (DNS, MX+NS, etc.) show up in the Collaborator's request/response table and details. Trace any IPv4 address and/or hostname surfacing in these protocol transactions.
It is possible to test whether an identified candidate origin IPv4 is hosting the tested webapp/service using this command:
$ curl [-k] "https://23.215.0.136:443" -H "Host: example.com"
Of course, the IPv4 must be replaced with the correct candidate origin address, while passing the Host: [example.com] header via the -H flag supplies the hostname/subdomain that is sitting behind the Cloudflare WAF. Note that curl still sends the bare IP as the TLS SNI; an origin that selects its certificate or virtual host by SNI may only answer correctly with `--resolve example.com:443:<origin-ipv4>` (which pins the IP while keeping both Host and SNI set to the domain) instead of a plain -H Host header.
In this case, the tested domain https://example.com resolves to Cloudflare when queried:
$ host example.com
example.com has address 104.18.5.13
$ whois 104.18.5.13 | grep cloudflare
# Comment: All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse
But when using ping and curl against the identified origin IPv4 address, i.e. the one sitting behind the CF/WAF, the HTML output corresponds to that of an unblocked request for the hostname via the Cloudflare proxy.
$ ping 161.xx.xx.135 # potential origin ipv4 behind example.com domain
# PING 161.xx.xx.135 (161.xx.xx.135): 56 data bytes
# 64 bytes from 161.xx.xx.135: icmp_seq=0 ttl=250 time=77.719 ms
#
# --- 161.xx.xx.135 ping statistics ---
# 3 packets transmitted, 3 packets received, 0.0% packet loss
# The 'curl' must target the origin IPv4 identified above,
# alongside a fixed `-H "Host: example.com"` header, forcing the
# virtual host for the corresponding hostname, as shown below:
#
$ curl "https://161.xx.xx.135:443" \
--silent --show-headers -k \
-H "Host: example.com" | \
grep -A0 -B20 "Content-Length:"
# <use [-k] to bypass ssl errors [if any]>
# <use [--silent] to silence the http req progress bar>
# <use [--show-headers] to show resp headers; it is the long form of -i, so use -i on older curl>
#
# HTTP/1.1 200 OK
# Content-Type: text/html
# Date: Sun, xx Mon 2030 xx:55:58 GMT
# Connection: close
# Content-Length: <...>
#
# [BODY]
If the HTTP response body of the above curl request matches the body returned when requesting the URL through the Cloudflare proxy/WAF IPv4 identified initially, the origin IPv4 is correct and you may continue the fuzzing process directly against it. Also check that the candidate's response carries no `cf-ray` or `Server: cloudflare` headers: if it does, you are still talking to a Cloudflare edge, not the origin.
Cloudflare (v2): in these cases it might be required to bypass the Cloudflare WAF directly against the Cloudflare subnet IPv4. Opt for a rotating VPN or an automated proxy-rotation service, which provides "a new IPv4 address" with every 2nd~3rd ... n-th request, eventually bypassing bot detection or rate limiting by presenting a unique source address with each fuzz query.
Maximising Results: Once you are sure the origin IPv4 has been identified, or the fuzzed web app has no other means of rate limiting or WAF protection, use ffuf with additional flags, extending and maxing out the results of the fuzz process.
One such example is shown below, fuzzing the targeted URL or hostname with numerous additional options and flags, which can be edited or changed depending on the scope and/or target being fuzzed:
$ ffuf -w ~/SecLists/Discovery/Web-Content/raft-large-directories.txt \
-u https://161.xx.xx.135/FUZZ \
-fc 400,401,402,403,404,429,500,501,502,503 \
-recursion -recursion-depth 2 \
-e .html,.php,.txt,.pdf,.js,.css,.zip,.bak,.old,.log,.json,.xml,.config,.env,.asp,.aspx,.jsp,.gz,.tar,.sql,.db \
-ac -c -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0" \
-H "X-Forwarded-For: 127.0.0.1" \
-H "X-Originating-IP: 127.0.0.1" \
-H "X-Forwarded-Host: localhost" \
-H "Host: example.com" \
-t 100 \
-r \
-o ~/Projects/[NAME]/ffuf_[x].[example.com]_-results.json
Order of operation for the above ffuf snippet is explained below:
* -fc [status_code, ...] - Filter noise by common status codes (400s, 429, 500s) to reduce false positives; -ac additionally auto-calibrates filters from a few random requests. Be aware that filtering 401/403 also hides protected paths that may deserve a bypass attempt, so drop those two codes from the list when that matters.
* -e [file-ext, ...] - Force various file extensions commonly found on web app services, perfect for catching leaks/configs/backups/dumps/logs etc.
* -recursion -recursion-depth 2 - Digs deeper into discovered directories, multiplying the fuzz coverage.
* -t 100 - Highly aggressive threading, maxing out speed against the target; -r follows redirects so the final response, not the 30x, is what gets matched and filtered.
* -H [header_name: header_value] - Force specific headers individually or as a requirement; might help bypass errors, as shown via the X-[...] headers.
* -w - Use a different wordlist as input.
* -e - Modify extensions based on the target web app stack (i.e. .py for Django et al.).
* -H [Host: example.com] - Force the Host header with the given domain when fuzzing the origin IPv4 behind a WAF, the IPv4 being set via the -u [origin-ipv4]/FUZZ flag.
* -H [X-Forwarded-For: 127.0.0.1] - Adjust headers based on a potential bypass method when accessing /server/admin/, /api/, /uploads/, /internal.
If the target URL or directory isn't found during typical dir/file scans, explore subdomains using ffuf, forcing *.example.com to uncover hidden functionalities or pages otherwise not shown in passive scan results.
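The -o flag above leaves a JSON report that is rarely read by hand once recursion and -e multiply the hits. The script below is an added example, not part of the original notes and not ffuf's own code: it loads such a report, clusters hits that share the same (status, words, lines) shape as a catch-all page, and tags the remaining paths by why they deserve a manual look. It assumes ffuf's JSON layout (a top-level "results" list whose entries carry "input", "status", "length", "words", "lines", "url" and "redirectlocation"); SAMPLE_REPORT is constructed, not a real scan.

```python
"""Triage an ffuf JSON report: drop soft-404 clusters, tag the rest.

Added example (not ffuf code, not from the original notes). Assumes ffuf's
'-of json' layout; SAMPLE_REPORT is constructed data for offline use.
"""
import json
from collections import Counter

# Suffixes from the -e list above that usually mean a leak when they answer.
LEAK_SUFFIXES = (".bak", ".old", ".sql", ".db", ".env", ".log", ".config",
                 ".zip", ".tar", ".gz", ".xml")
SENSITIVE_PREFIXES = ("/.git", "/.svn", "/.env", "/admin", "/phpmyadmin",
                      "/api", "/uploads", "/internal")

# Constructed report: three paths sharing one (status, words, lines) shape
# are the catch-all page; the rest are distinct and worth a look.
SAMPLE_REPORT = json.dumps({"results": [
    {"input": {"FUZZ": "admin"}, "status": 403, "length": 162, "words": 5,
     "lines": 7, "url": "https://161.0.0.1/admin", "redirectlocation": ""},
    {"input": {"FUZZ": "backup.sql"}, "status": 200, "length": 5301,
     "words": 400, "lines": 90, "url": "https://161.0.0.1/backup.sql",
     "redirectlocation": ""},
    {"input": {"FUZZ": "foo"}, "status": 200, "length": 1180, "words": 120,
     "lines": 31, "url": "https://161.0.0.1/foo", "redirectlocation": ""},
    {"input": {"FUZZ": "bar"}, "status": 200, "length": 1181, "words": 120,
     "lines": 31, "url": "https://161.0.0.1/bar", "redirectlocation": ""},
    {"input": {"FUZZ": "baz"}, "status": 200, "length": 1180, "words": 120,
     "lines": 31, "url": "https://161.0.0.1/baz", "redirectlocation": ""},
    {"input": {"FUZZ": "login"}, "status": 302, "length": 0, "words": 1,
     "lines": 1, "url": "https://161.0.0.1/login", "redirectlocation": "/auth"},
]})


def load_results(text):
    """Return the result entries of an ffuf JSON report."""
    return json.loads(text)["results"]


def signature(r):
    """Shape of a response. Length is left out on purpose: catch-all pages
    often echo the requested path, so only words/lines stay stable."""
    return (r["status"], r["words"], r["lines"])


def soft404_signatures(results, min_cluster=3):
    """Signatures shared by at least min_cluster hits: a server answering
    every unknown path with the same page produces exactly such a cluster."""
    counts = Counter(signature(r) for r in results)
    return {sig for sig, n in counts.items() if n >= min_cluster}


def tags_for(r):
    """Why a hit deserves attention, as a list of short labels."""
    path = "/" + r["input"]["FUZZ"]
    tags = []
    if r["status"] in (401, 403):
        tags.append("protected")      # candidate for the X-Forwarded-For tricks
    if path.lower().endswith(LEAK_SUFFIXES):
        tags.append("possible-leak")
    if path.lower().startswith(SENSITIVE_PREFIXES):
        tags.append("sensitive-path")
    if r.get("redirectlocation"):
        tags.append("redirect")
    return tags


def triage(results):
    """Split a report into (interesting, noise), preserving ffuf's order.
    Each interesting entry gets a 'tags' key added."""
    noise_sigs = soft404_signatures(results)
    interesting, noise = [], []
    for r in results:
        if signature(r) in noise_sigs:
            noise.append(r)
        else:
            interesting.append({**r, "tags": tags_for(r)})
    return interesting, noise


if __name__ == "__main__":
    import sys
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    hits, dropped = triage(load_results(report))
    print(f"{len(dropped)} hits dropped as soft-404 noise")
    for h in hits:
        print(f"{h['status']} {h['length']:>7} {h['url']} {','.join(h['tags'])}")
```

Run it as `python triage.py ~/Projects/[NAME]/ffuf_[x].[example.com]_-results.json`; with no argument it triages the constructed sample. The cluster threshold of three is deliberately low so that a second pass with -recursion, where every new directory repeats the same catch-all, still gets caught.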
To fuzz subdomains, a target and a wordlist must be provided. An example command line would look like this:
$ ffuf -w ~/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.example.com/
Another way is to use ffuf for vhost fuzzing, which also surfaces subdomains that have no public DNS record. Such "private" subdomains cannot be resolved or queried publicly; the web server only knows them as virtual hosts, so the check is whether the server answers differently for a given Host header. Normally you would have to point each name at the server from your host OS /etc/hosts file, which can speed up reaching hard-to-find subdomains during recon, but obviously we can't fill /etc/hosts with every potential target hostname. Instead we use ffuf's -H header:value option to pass the subdomain under test in the Host header, while the URL stays pointed at the server (domain or origin IP), for the alive checks.
$ ffuf -w ~/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.example.com/
# Usually you won't get valid results for names without a
# DNS record using this method, since FUZZ.example.com has
# to resolve first. Instead, a 'vhost' fuzz must be used:
# keep the URL fixed and pass the candidate name in the Host
# header via the '-H [header_name:value]' flag, for example:
$ ffuf -w ~/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://example.com:443/ -H 'Host: FUZZ.example.com'
# Request a random Host first and filter its size/words
# with -fs/-fw (or use -ac), otherwise the default vhost's
# answer shows up as a hit for every wordlist entry.
Therefore, a real example combining several wordlists with auto-calibrated filtering may be used like this:
$ cat ~/SecLists/Discovery/DNS/*.txt | ffuf -w -:FUZZ -u https://example.com:443/ -H 'Host: FUZZ.example.com' -ac
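Both the origin check from the Cloudflare section above (curl the candidate IP with a forced Host header and compare bodies) and the vhost probe just shown rest on one primitive: an HTTPS request where the IP you connect to, the TLS SNI and the Host header are chosen independently. The script below is an added example, not part of the original notes and not curl/ffuf code, that implements that primitive and uses it both ways. It assumes HTTPS on 443 with HTTP/1.1 and, like curl -k, skips certificate validation; the two HTTP responses embedded at the bottom are constructed so the parsing and comparison logic runs offline.

```python
"""Raw HTTPS probe with independent IP / SNI / Host, used to confirm a
Cloudflare origin and to brute-force virtual hosts.

Added example, not from the original notes. Network helpers assume HTTPS
on 443 and HTTP/1.1; EDGE_RESPONSE and ORIGIN_RESPONSE are constructed.
"""
import difflib
import re
import secrets
import socket
import ssl


def https_get(ip, host, path="/", port=443, sni=None, timeout=8):
    """GET `path` from `ip`, sending `sni` (default: host) in the TLS
    ClientHello and `host` in the Host header; return the raw response."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # origin certs rarely match the bare IP
    ctx.verify_mode = ssl.CERT_NONE
    req = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: Mozilla/5.0\r\n"
           "Connection: close\r\n\r\n").encode()
    chunks = []
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
            tls.sendall(req)
            while chunk := tls.recv(65536):
                chunks.append(chunk)
    return b"".join(chunks)


def dechunk(body):
    """Undo chunked framing (Cloudflare usually chunks, origins often send
    Content-Length) so bodies from both sides compare like for like."""
    out = []
    while True:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            return b"".join(out)
        out.append(body[:size])
        body = body[size + 2:]          # skip the CRLF closing the chunk


def parse_response(raw):
    """Split a raw response into (status, {lowercase-header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    return status, headers, body


def fronted_by_cloudflare(headers):
    """True when the answer still carries Cloudflare edge headers, i.e. the
    'origin' you hit is just another Cloudflare address."""
    return (headers.get("server", "").lower() == "cloudflare"
            or "cf-ray" in headers or "cf-cache-status" in headers)


def body_similarity(a, b):
    """Token-level ratio in [0, 1]. Nonces, CSRF tokens and timestamps keep
    identical pages from being byte-equal, so compare against a threshold."""
    tok = lambda s: [t for t in re.split(rb"[\s<>\"'=]+", s) if t]
    return difflib.SequenceMatcher(None, tok(a), tok(b), autojunk=False).ratio()


def confirm_origin(candidate_ip, host, edge_ip, path="/", threshold=0.9):
    """Fetch `path` from the candidate origin and from the Cloudflare edge
    with the same Host header and return a verdict string."""
    o_status, o_headers, o_body = parse_response(https_get(candidate_ip, host, path))
    if fronted_by_cloudflare(o_headers):
        return "still-cloudflare"
    e_status, _, e_body = parse_response(https_get(edge_ip, host, path))
    if o_status != e_status:
        return f"status-mismatch:{o_status}!={e_status}"
    sim = body_similarity(o_body, e_body)
    return "origin-confirmed" if sim >= threshold else f"body-mismatch:{sim:.2f}"


def differs_from_baseline(observed, baseline, size_tolerance=0):
    """The -fs idea as a pure function: a (status, size) pair is a hit only
    if it differs from what the wildcard/default vhost returned."""
    return (observed[0] != baseline[0]
            or abs(observed[1] - baseline[1]) > size_tolerance)


def vhost_probe(ip, base_domain, candidates, size_tolerance=0):
    """Brute-force virtual hosts on a fixed IP: learn the default vhost from
    a random name, then keep candidates that answer differently."""
    junk = f"{secrets.token_hex(6)}.{base_domain}"
    status, _, body = parse_response(https_get(ip, junk))
    baseline = (status, len(body))
    found = []
    for name in candidates:
        fqdn = f"{name}.{base_domain}"
        status, _, body = parse_response(https_get(ip, fqdn))
        if differs_from_baseline((status, len(body)), baseline, size_tolerance):
            found.append((fqdn, status, len(body)))
    return found


# Constructed responses: what the Cloudflare edge and a real origin might
# return for the same page (chunked vs. Content-Length framing).
EDGE_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: cloudflare\r\nCF-RAY: 0000-FRA\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\n"
                 b"1c\r\n<html><body>hi</body></html>\r\n0\r\n\r\n")
ORIGIN_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 28\r\n\r\n"
                   b"<html><body>hi</body></html>")
```

Usage: `confirm_origin("161.xx.xx.135", "example.com", "104.18.5.13")` reproduces the curl comparison and returns `origin-confirmed`, `still-cloudflare`, or a mismatch reason; `vhost_probe("161.xx.xx.135", "example.com", ["dev", "staging", "admin"])` returns the names whose answer differs from the random-Host baseline. Comparing by a similarity ratio rather than exact bytes is what keeps per-request nonces from producing a false "mismatch"; raise `size_tolerance` in the vhost probe when the default page embeds the requested hostname and its length therefore drifts by a few bytes.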
## Webfuzz Seed Lists
Combined wordlists to use:
* Use *SecList* seed fuzz
* Use *FuzzDB* seed fuzz
**Note:** You don't have to clone `SecLists` into your `$HOME` directory. Just create a symlink from your preferred directory; the command below should do the trick.
$ ln -s ~/util/SecLists ~/SecLists
**gofuzz** fuzzing (fuzz javascript files to extract URLs and secrets):
Installing [gofuzz](https://github.com/nullenc0de/gofuzz) is simple via Python's `venv`:
$ git clone git@github.com:nullenc0de/gofuzz.git
$ cd gofuzz
$ python3 -m venv path/to/venv
$ source path/to/venv/bin/activate
$ python3 -m pip install aiohttp
To use `gofuzz` once you have `venv` ready, simply do the following:
$ echo "https://example.com/script.js" | python gofuzz.py -m both # fuzz a single javascript file
$ cat js_urls.txt | python gofuzz.py -m both # fuzz multiple javascript files
**gobuster** fuzzing (fuzz directories & subdomains):
$ cat ~/SecLists/Discovery/Web-Content/Common-DB-Backups.txt \
~/SecLists/Discovery/Web-Content/Common-PHP-Filenames.txt \
~/SecLists/Discovery/Web-Content/PHP.fuzz.txt \
~/SecLists/Discovery/Web-Content/common.txt | gobuster fuzz -u https://www.utic.ba/FUZZ -b 404 -w - -k -t 30
You may *extend* **gobuster** with *POSIX-compliant* commands. One trick is the POSIX `seq` command: to exclude specific response lengths from the output, `gobuster` takes `--exclude-length <len>,<len>`, which means a lot of typing when you need many lengths with only small byte differences between them. Use `seq` to generate such sequences, as in the command below, and hand its output to `--exclude-length` through shell command substitution:
$ seq -s "," 1500 1510
**ffuf** fuzzing (fuzz directories & files):
$ cat ~/SecLists/Discovery/Web-Content/apache.txt \
~/SecLists/Discovery/Web-Content/ApacheTomcat.fuzz.txt \
~/SecLists/Discovery/Web-Content/Common-DB-Backups.txt \
~/SecLists/Discovery/Web-Content/Common-PHP-Filenames.txt \
~/SecLists/Discovery/Web-Content/common.txt \
~/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt \
~/SecLists/Discovery/Web-Content/dirsearch.txt \
~/SecLists/Discovery/Web-Content/frontpage.txt \
~/SecLists/Discovery/Web-Content/golang.txt \
~/SecLists/Discovery/Web-Content/graphql.txt \
~/SecLists/Discovery/Web-Content/IIS.fuzz.txt \
~/SecLists/Discovery/Web-Content/Jenkins-Hudson.txt \
~/SecLists/Discovery/Web-Content/Logins.fuzz.txt \
~/SecLists/Discovery/Web-Content/nginx.txt \
~/SecLists/Discovery/Web-Content/PHP.fuzz.txt \
~/SecLists/Discovery/Web-Content/quickhits.txt \
~/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt \
~/SecLists/Discovery/Web-Content/raft-small-files-lowercase.txt \
~/SecLists/Discovery/Web-Content/spring-boot.txt \
~/SecLists/Discovery/Web-Content/RobotsDisallowed-Top1000.txt \
~/SecLists/Discovery/Web-Content/swagger.txt \
~/SecLists/Discovery/Web-Content/CMS/Django.txt \
~/SecLists/Discovery/Web-Content/CMS/joomla-plugins.fuzz.txt \
~/SecLists/Discovery/Web-Content/CMS/symfony-315-demo.txt | ffuf -w - -u https://utic.ba/FUZZ -mc 200,204,301,302,307,401,405 -fs 0
**ffufai** fuzzing (fuzz directories via AI):
The [ffufai](https://github.com/jthack/ffufai) is an AI-powered wrapper for the popular web fuzzer ffuf. It automatically suggests file extensions for fuzzing based on the target URL and its headers, using either OpenAI or Anthropic's Claude models. You need to install and configure `ffufai` first, via the commands below:
$ git clone git@github.com:jthack/ffufai.git
$ cd ffufai
$ python3 -m venv path/to/venv
$ source path/to/venv/bin/activate
$ python3 -m pip install requests openai anthropic
$ export OPENAI_API_KEY='your-api-key-here'
$ export ANTHROPIC_API_KEY='your-api-key-here'
To use `ffufai`, type the commands you usually use with `ffuf`, but make sure to replace the name (use `ffufai`):
$ python3 ffufai.py -u https://example.com/FUZZ -w /path/to/wordlist.txt
**ffuf** fuzzing for *.svn/.git/[common_php]*:
$ cat ~/SecLists/Discovery/Web-Content/CMS/symphony-267-xslt-cms.txt \
~/SecLists/Discovery/Web-Content/CMS/symfony-315-demo.txt \
~/SecLists/Discovery/Web-Content/SVNDigger/symfony.txt \
~/SecLists/Discovery/Web-Content/SVNDigger/all.txt \
~/SecLists/Discovery/Web-Content/SVNDigger/all-dirs.txt \
~/SecLists/Discovery/Web-Content/SVNDigger/context/error.txt \
~/SecLists/Discovery/Web-Content/SVNDigger/context/index.txt \
~/SecLists/Discovery/Web-Content/SVNDigger/context/install.txt \
~/SecLists/Discovery/Web-Content/SVNDigger/context/readme.txt \
~/SecLists/Discovery/Web-Content/SVNDigger/context/root.txt \
~/SecLists/Discovery/Web-Content/SVNDigger/context/setup.txt \
~/SecLists/Discovery/Web-Content/SVNDigger/context/test.txt \
~/SecLists/Discovery/Web-Content/SVNDigger/context/debug.txt \
~/SecLists/Discovery/Web-Content/SVNDigger/context/admin.txt \
~/SecLists/Discovery/Web-Content/SVNDigger/cat/Conf/conf.txt \
~/SecLists/Discovery/Web-Content/SVNDigger/cat/Conf/config.txt \
~/SecLists/Discovery/Web-Content/SVNDigger/cat/Conf/htaccess.txt \
~/SecLists/Discovery/Web-Content/SVNDigger/cat/Database/inc.txt \
~/SecLists/Discovery/Web-Content/SVNDigger/cat/Database/ini.txt \
~/SecLists/Discovery/Web-Content/SVNDigger/cat/Database/sql.txt \
~/SecLists/Discovery/Web-Content/SVNDigger/cat/Database/xml.txt \
~/SecLists/Discovery/Web-Content/SVNDigger/cat/Language/php.txt \
~/SecLists/Discovery/Web-Content/SVNDigger/cat/Language/js.txt \
~/SecLists/Discovery/Web-Content/SVNDigger/cat/Language/html.txt \
~/SecLists/Discovery/Web-Content/SVNDigger/cat/Language/jar.txt \
~/SecLists/Discovery/Web-Content/api/actions-lowercase.txt \
~/SecLists/Discovery/Web-Content/Common-DB-Backups.txt \
~/SecLists/Discovery/Web-Content/Common-PHP-Filenames.txt \
~/SecLists/Discovery/Web-Content/PHP.fuzz.txt \
~/SecLists/Discovery/Web-Content/common.txt | ffuf -w - -u https://utic.ba/FUZZ -mc 200,204,301,302,307,401,403,405 -fs 0
### Fuzz List
Discovery/Web-Content/CMS/symphony-267-xslt-cms.txt
Discovery/Web-Content/CMS/symfony-315-demo.txt
Discovery/Web-Content/SVNDigger/symfony.txt
Discovery/Web-Content/SVNDigger/all.txt
Discovery/Web-Content/SVNDigger/all-dirs.txt
Discovery/Web-Content/SVNDigger/context/error.txt
Discovery/Web-Content/SVNDigger/context/index.txt
Discovery/Web-Content/SVNDigger/context/install.txt
Discovery/Web-Content/SVNDigger/context/readme.txt
Discovery/Web-Content/SVNDigger/context/root.txt
Discovery/Web-Content/SVNDigger/context/setup.txt
Discovery/Web-Content/SVNDigger/context/test.txt
Discovery/Web-Content/SVNDigger/context/debug.txt
Discovery/Web-Content/SVNDigger/context/admin.txt
Discovery/Web-Content/SVNDigger/cat/Conf/conf.txt
Discovery/Web-Content/SVNDigger/cat/Conf/config.txt
Discovery/Web-Content/SVNDigger/cat/Conf/htaccess.txt
Discovery/Web-Content/SVNDigger/cat/Database/inc.txt
Discovery/Web-Content/SVNDigger/cat/Database/ini.txt
Discovery/Web-Content/SVNDigger/cat/Database/sql.txt
Discovery/Web-Content/SVNDigger/cat/Database/xml.txt
Discovery/Web-Content/SVNDigger/cat/Language/php.txt
Discovery/Web-Content/SVNDigger/cat/Language/js.txt
Discovery/Web-Content/SVNDigger/cat/Language/html.txt
Discovery/Web-Content/SVNDigger/cat/Language/jar.txt
Discovery/Web-Content/api/actions-lowercase.txt
Discovery/Web-Content/Common-DB-Backups.txt # => good stuff
Discovery/Web-Content/Common-PHP-Filenames.txt # => good stuff
Discovery/Web-Content/PHP.fuzz.txt # => good for phpmyadmins
Discovery/Web-Content/common.txt # => usual stuff like .git/.rc-s/dotfiles
https://raw.githubusercontent.com/xajkep/wordlists/master/discovery/php_files_only.txt # => more php
Discovery/Web-Content/swagger.txt # => find swagger location
Discovery/Web-Content/api/api_endpoints.txt # => api endpoints
Discovery/Web-Content/web-extensions.txt
https://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/discovery/predictable-filepaths/filename-dirname-bruteforce/CommonWebExtensions.txt
https://raw.githubusercontent.com/xajkep/wordlists/master/discovery/backup_files_only.txt
https://raw.githubusercontent.com/xajkep/wordlists/master/discovery/log_files_only.txt
https://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/discovery/predictable-filepaths/login-file-locations/Logins.txt
https://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/discovery/predictable-filepaths/login-file-locations/cfm.txt
https://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/discovery/predictable-filepaths/login-file-locations/html.txt
https://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/discovery/predictable-filepaths/login-file-locations/jsp.txt
https://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/discovery/predictable-filepaths/login-file-locations/php.txt
https://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/discovery/predictable-filepaths/webservers-appservers/Apache.txt
https://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/discovery/predictable-filepaths/webservers-appservers/ApacheTomcat.txt
## Other Resources & Tools
* [ffuf cheatsheet](https://netwerklabs.com/fuff-cheat-sheet/)
* [kiterunner](https://github.com/assetnote/kiterunner)
* [w9w/JSA](https://github.com/w9w/JSA)
* [ShuffleDNS Fuzzing](https://github.com/projectdiscovery/shuffledns)
* [Keyhacks](https://github.com/streaak/keyhacks)
* [SubEnum](https://github.com/bing0o/SubEnum)
* [s3scanner](https://github.com/sa7mon/S3Scanner)
* [sqlmap](https://github.com/sqlmapproject/sqlmap)
* [commix - OS CMD Injection Exploitation tool](https://github.com/commixproject/commix)
* [jsrecon-buddy](https://github.com/TheArqsz/JSRecon-Buddy) - Chrome Extension
* [scanner-box](https://github.com/We5ter/Scanners-Box)
## Automated
* [cariddi](https://github.com/edoardottt/cariddi)
* [axiom](https://github.com/pry0cc/axiom)
* [hakrawler](https://github.com/hakluke/hakrawler), also [katana](https://github.com/projectdiscovery/katana) for crawling
* [subjs](https://github.com/lc/subjs)
* [Findomain](https://github.com/Findomain/Findomain)
* [osmedeus](https://github.com/j3ssie/osmedeus)
* **bbrf** (Bug Bounty Recon Framework) - A recon coordination framework for workflows across multiple devices
- [bbrf-server](https://github.com/honoki/bbrf-server)
- [bbrf-dashboard](https://github.com/honoki/bbrf-dashboard)