A Summary of Fuzzing Tools and Dictionaries For Bug Bounty Hunters


Introduction

Testing for vulnerabilities by entering input by hand quickly becomes unmanageable. In an age where time and patience are short, the prospect of manually supplying input after input to find bugs in a target can be overwhelming.

Fuzzing cuts this workload and saves time. It is an automated process in which the fuzzing tool does the heavy lifting; the analyst only has to review the responses, response times, and status codes once the run completes.

Consider a site with many input fields to test for XSS. Manually, we would have to feed each XSS payload into each input field one by one, which does not scale.

Fuzzing is the technique of sending many requests to a target website within a given time interval, each carrying a different input. In that sense it is similar to brute force.

Fuzzing can be carried out with tools such as Wfuzz and ffuf. You give the tool a target URL, the parameters or endpoints to vary, and a list of inputs.

The fuzzing tool then builds one request per input and sends them to the target one by one. After the run completes, the responses, timings, and status codes are analyzed for signs of vulnerabilities.

Tools for Fuzzing

There are hundreds of fuzzing tools in the industry. Some of the most popular are listed below.

Wfuzz

Wfuzz works by replacing the FUZZ placeholder with values from a wordlist. To see this more clearly, consider an example:

    wfuzz -w userIDs.txt https://example.com/view_photo?userId=FUZZ

In the above command, userIDs.txt is a wordlist file containing numeric ID values, and we tell wfuzz to fuzz a request to the example URL. Note the word FUZZ in the URL: it is the placeholder that wfuzz replaces with each value from the wordlist. Every numeric ID in userIDs.txt is inserted in turn in place of the FUZZ keyword.

Ffuf

Ffuf is a fast web fuzzer written in Go that supports recursion. It works like Wfuzz, with recursion as the main difference. Ffuf also replaces the FUZZ placeholder with wordlist values. For example:

    ffuf -w userIDs.txt -u https://example.com/view_photo?userId=FUZZ

Here -w is the wordlist flag and -u is the target URL flag. The rest of the mechanism is the same as Wfuzz: the values in userIDs.txt replace the FUZZ placeholder.

GoBuster

GoBuster is another fuzzer written in Go, most commonly used to fuzz URIs (directories and paths), DNS subdomains, AWS S3 buckets, and virtual hostnames; it also supports concurrency. For example:

    gobuster dir -w endpoints.txt -u https://example.com

In the above command, dir specifies that we are fuzzing directories, -u is the flag for the URL, and -w is the flag for the wordlist, where endpoints.txt is the wordlist file from which the payloads are taken. The command runs concurrent requests against the target to find available directories.
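The following is an added example, not code from the original post nor from Wfuzz, ffuf or GoBuster. It implements in Python the process described in the introduction and in the three tool sections above: each wordlist entry is substituted for the FUZZ placeholder in a URL template, the requests are sent through a small thread pool, and the status code, response size and timing of every response are collected and then filtered so the rows worth a look stand out. To run offline it starts a throw-away local HTTP server; its /view_photo endpoint, the userId values it knows and its slow 500 path are all constructed for this demo. The delay parameter is there because, as the summary notes, firing many requests at once is what gets a source IP banned; the real tools expose the same knob (ffuf -p and -rate, wfuzz -s, gobuster --delay).

```python
"""Minimal FUZZ-placeholder fuzzer with a local, constructed target.

Added example: not wfuzz, ffuf or gobuster code. The target endpoint,
its known ids and its slow error path are all made up for this demo.
"""
import threading
import time
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed sample data: photo ids the fake target knows about.
KNOWN_IDS = {"1001": b"<img src=/p/1001.jpg>", "1003": b"<img src=/p/1003.jpg>"}


class _TargetHandler(BaseHTTPRequestHandler):
    """/view_photo?userId=N -> 200 for a known id, 404 for an unknown one,
    and a slow 500 for a non-numeric id (the kind of outlier fuzzing surfaces)."""

    def do_GET(self):
        url = urlparse(self.path)
        user_id = parse_qs(url.query).get("userId", [""])[0]
        if url.path != "/view_photo":
            code, body = 404, b"not found"
        elif not user_id.isdigit():
            time.sleep(0.2)  # slow error path: shows up in the timing column
            code, body = 500, b"internal error"
        elif user_id in KNOWN_IDS:
            code, body = 200, KNOWN_IDS[user_id]
        else:
            code, body = 404, b"no such photo"
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request server logging
        pass


def start_target():
    """Start the constructed target on a free localhost port; return (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _TargetHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def fetch(url):
    """Send one request; return (status, body_size, seconds) like a fuzzer result row."""
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a status and body
        status, body = err.code, err.read()
    return status, len(body), time.monotonic() - start


def fuzz(template, wordlist, threads=4, delay=0.0):
    """Replace FUZZ in template with every wordlist entry and collect the results.

    threads caps concurrency and delay pauses before each request: bursts of
    requests are what gets a source IP banned, so real tools expose both knobs.
    """
    if "FUZZ" not in template:
        raise ValueError("template has no FUZZ placeholder")

    def one(word):
        time.sleep(delay)
        status, size, secs = fetch(template.replace("FUZZ", word))
        return {"word": word, "status": status, "size": size, "time": secs}

    with ThreadPoolExecutor(max_workers=threads) as pool:
        return list(pool.map(one, wordlist))  # results keep wordlist order


def interesting(results, hide_status=(404,)):
    """Analysis step: drop the noise (404 by default), keep rows worth a look."""
    return [r for r in results if r["status"] not in hide_status]


if __name__ == "__main__":
    server, base = start_target()
    words = [str(n) for n in range(1000, 1006)] + ["abc"]  # stand-in for userIDs.txt
    rows = fuzz(base + "/view_photo?userId=FUZZ", words, threads=4, delay=0.01)
    for r in interesting(rows):
        print(f"{r['word']:>5}  status={r['status']}  size={r['size']:>3}  time={r['time']:.3f}s")
    server.shutdown()
```

Running it prints only the 200 rows for the two known ids and the slow 500 row for "abc"; the 404 rows are hidden by the filter, which is the same kind of status-based filtering the real tools offer. The size and time columns are what you compare by hand afterwards: a response that is the same status but a different size, or noticeably slower, is the one to look at.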

Fuzz Dictionaries and References

In the examples above we have seen why a dictionary is needed. A dictionary alone is not enough: it must fit your fuzzing scenario. If no existing wordlist fits the scenario, consider generating your own. Some popular dictionaries and references are listed below.
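As an added example (not part of the original post or of any project listed below), here is one way to generate your own dictionary in Python when the published lists do not fit the scenario. It merges and normalises several source lists (dropping comments, blanks and duplicates while keeping order), derives numeric-id and file-extension variants, and extracts target-specific words, path segments and query parameter names, from an HTML page. The two source lists and the page snippet are constructed for the demo.

```python
"""Build a custom fuzzing dictionary from several sources.

Added example, not part of the original post or of any listed project.
It merges and normalises source lists, derives numeric-id and file-extension
variants, and pulls target-specific words (path segments and parameter names)
out of an HTML page. Every sample input is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


def normalise(lines):
    """Strip whitespace, skip blank lines and '#' comments, preserve order."""
    for line in lines:
        entry = line.strip()
        if entry and not entry.startswith("#"):
            yield entry


def merge(*sources):
    """Merge iterables of entries into one de-duplicated list (first occurrence wins)."""
    seen, out = set(), []
    for source in sources:
        for entry in normalise(source):
            if entry not in seen:
                seen.add(entry)
                out.append(entry)
    return out


def numeric_ids(start, stop, pad=0):
    """Numeric dictionary for something like userId=FUZZ; pad=4 yields 0001-style ids."""
    return [str(n).zfill(pad) for n in range(start, stop + 1)]


def with_extensions(names, extensions=(".php", ".bak", ".txt")):
    """Directory/file fuzzing variants: each name, then name + each extension
    it does not already end with (so config.php also yields config.php.bak)."""
    out = []
    for name in names:
        out.append(name)
        out.extend(name + ext for ext in extensions if not name.endswith(ext))
    return out


class _LinkCollector(HTMLParser):
    """Collect path segments and query parameter names from href/src/action attributes."""
    URL_ATTRS = {"href", "src", "action"}

    def __init__(self):
        super().__init__()
        self.paths, self.params = [], []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value:
                url = urlparse(value)
                self.paths.extend(seg for seg in url.path.split("/") if seg)
                self.params.extend(parse_qs(url.query, keep_blank_values=True))


def words_from_html(html):
    """Target-specific wordlist: (path segments, parameter names) seen in a page."""
    collector = _LinkCollector()
    collector.feed(html)
    return merge(collector.paths), merge(collector.params)


if __name__ == "__main__":
    # Constructed stand-ins for two downloaded lists and one crawled page
    list_a = ["# common dirs", "admin", "login", "", "api"]
    list_b = ["api", "backup", "config.php"]
    page = ('<a href="/view_photo?userId=1001&amp;size=large">photo</a>'
            '<img src="/static/img/logo.png">'
            '<form action="/api/v2/login?next=/">')
    paths, params = words_from_html(page)
    directory_list = with_extensions(merge(list_a, list_b, paths))
    print("directories/files:", directory_list)
    print("parameter names:  ", params)
    print("user ids:         ", numeric_ids(998, 1003))
```

The resulting lists are what you would write out as endpoints.txt or userIDs.txt and hand to the -w flag of the tools above. Words taken from the target's own pages usually hit far more than a generic list does, because they reflect the application's actual naming scheme.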

XSS Cheat Sheet - https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

AwesomeXSS - https://github.com/s0md3v/AwesomeXSS

PayloadsAllTheThings - https://github.com/swisskyrepo/PayloadsAllTheThings

big-list-of-naughty-strings - https://github.com/minimaxir/big-list-of-naughty-strings

fuzz.txt - https://github.com/Bo0oM/fuzz.txt

FuzzDB - https://github.com/fuzzdb-project/fuzzdb

bl4de dictionaries - https://github.com/bl4de/dictionaries

Open-Redirect-Payloads - https://github.com/cujanovic/Open-Redirect-Payloads

EdOverflow bugbounty-cheatsheet - https://github.com/EdOverflow/bugbounty-cheatsheet

SecLists - https://github.com/danielmiessler/SecLists

XssPayloads (Twitter) - https://twitter.com/XssPayloads

xss-payload-list - https://github.com/payloadbox/xss-payload-list

Wordlists

https://github.com/orwagodfather/WordList

https://github.com/Karanxa/Bug-Bounty-Wordlists

https://wordlists.assetnote.io/

https://github.com/six2dez/OneListForAll

Summary

Just to be clear, not everyone uses fuzzing tools. Everyone has different habits and methods.

Using a fuzzing tool is not mandatory. Depending on your conditions and situation, you can use fuzzing tools that will help you save time.

Fuzzing with a large number of requests can get your IP address banned by the target, and some people choose to do all the work manually instead of using a fuzzing tool. So it is up to you whether to test for vulnerabilities manually or let a fuzzing tool do it for you automatically.

Varma Kollu

@tutorialboy24