Fuzzing ¶

Fuzzing refers to injecting data into something to study how it reacts. A keyword "FUZZ" is replaced with a word from a wordlist. It can be used to easily inject words in a URL, a form, or basically anything 💥.

• Guessing a subdomain? FUZZ.example.com
• Forced browsing? example.com/FUZZ
• Find Insecure Direct Object References? example.com?id=FUZZ
• Find Hidden Parameters? example.com?FUZZ=xxx
• Find Virtual Hosts example.com and Host: FUZZ.example.com
• ...

FUZZ will be replaced with the values in the wordlist, one by one.

⚠️ Note that example.com/FUZZ.php and example.com/FUZZ -e .php are often different. The latter will look for both FUZZ and FUZZ.php.

Common fuzzing tools are:

• ffuf
• wfuzz
• gobuster
• feroxfuzz (0.2k ⭐) for ferox buster users

• fuzzingbook (software testing)