
Web Recon & Fuzzing

Directory, file, vhost, subdomain and parameter fuzzing with ffuf / gobuster / feroxbuster, plus recon (whatweb, crt.sh, Google dorks) and the key files to always check. From the CWES path.

The progression: start small, escalate

The rule for every kind of fuzzing: run a small list first (seconds, catches the obvious), and only escalate to a bigger one if it comes back thin. Bigger lists cost time and noise — earn them.

Wordlists per fuzz type: ① Small (first pass) / ② Medium (escalate) / ③ Large (last resort)

Directories
  ① Discovery/Web-Content/common.txt
  ② Discovery/Web-Content/directory-list-2.3-medium.txt
  ③ Discovery/Web-Content/directory-list-2.3-big.txt

Files
  ① Discovery/Web-Content/raft-small-files.txt
  ② Discovery/Web-Content/raft-medium-files.txt
  ③ Discovery/Web-Content/raft-large-files.txt

Parameters
  ① Discovery/Web-Content/burp-parameter-names.txt
  ② Discovery/Web-Content/raft-medium-words.txt
  ③ Discovery/Web-Content/raft-large-words.txt

Subdomains / VHosts
  ① Discovery/DNS/subdomains-top1million-5000.txt
  ② Discovery/DNS/subdomains-top1million-110000.txt
  ③ Discovery/DNS/bitquark-subdomains-top100000.txt

All paths are under /usr/share/seclists/. Then: extensions on directory hits → recursion on interesting dirs.

Directory & file fuzzing

① Small — quick first pass to find the obvious folders:

ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://IP:PORT/FUZZ -fc 404

② Medium — escalate when the small list is thin:

ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://IP:PORT/FUZZ -fc 404

③ Large — last resort, slow and loud:

ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://IP:PORT/FUZZ -fc 404 -rate 500

File fuzzing with multiple extensions (start small, same escalation):

ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-small-files.txt -u http://IP:PORT/FUZZ -e .php,.html,.txt,.bak,.js -v

Recursive fuzzing (go deep into found dirs):

ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -ic -u http://IP:PORT/FUZZ -e .html -recursion -recursion-depth 2 -rate 500

Recursive fuzzing with feroxbuster:

feroxbuster -u http://TARGET -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt --depth 3

Filter out false positives by size:

ffuf -w wordlist.txt -u http://TARGET/FUZZ -fc 404,403 -fs 0

Parameter fuzzing

① Small — GET parameter discovery with the curated Burp list:

ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u "http://IP:PORT/get.php?FUZZ=value" -mc all -fc 404

② Escalate — bigger word list when nothing lands:

ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -u "http://IP:PORT/get.php?FUZZ=value" -mc all -fc 404

POST parameter discovery:

ffuf -u http://IP:PORT/post.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "FUZZ=value" -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -mc 200 -v

VHost & subdomain fuzzing

① Small — VHost fuzzing with the top-5k DNS list (every name returns the default vhost at first; once you see its size or word count, add -fs or -fw with that value to filter it out):

ffuf -u http://inlanefreight.htb:81 -H "Host: FUZZ.inlanefreight.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

② Escalate — jump to the top-110k list if the small one is empty:

ffuf -u http://inlanefreight.htb:81 -H "Host: FUZZ.inlanefreight.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

VHost fuzzing with gobuster:

gobuster vhost -u http://inlanefreight.htb:31062 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain --xs 400 -t 50

DNS subdomain brute force (ffuf can’t do DNS):

gobuster dns --domain inlanefreight.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --resolver 1.1.1.1

API discovery

API endpoints:

ffuf -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt -u http://TARGET/FUZZ -mc 200,201,204,301,302,401,403

HTTP method enumeration:

for method in GET POST PUT DELETE PATCH HEAD OPTIONS; do curl -s -o /dev/null -w "$method: %{http_code}\n" -X $method http://TARGET/api/endpoint; done

Recon

Tech fingerprint:

whatweb http://TARGET

Response headers (Server, X-Powered-By, Set-Cookie):

curl -I http://TARGET

WAF detection:

wafw00f inlanefreight.com

Certificate transparency subdomains:

curl -s "https://crt.sh/?q=target.com&output=json" | jq -r '.[].name_value' | sort -u

Google dork for login pages:

site:example.com inurl:login

Key files to always check

/robots.txt        /sitemap.xml        /.well-known/security.txt
/.git/config       /.svn/entries       /.env
/config.php.bak    /wp-config.php.bak
/backup/  /old/  /archive/
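Seen from the defender's side, as an added example that is not part of the original cheat sheet: the fuzzing above leaves a distinctive trail in the web server's access log, namely a burst of 404s from one source and direct probes for the key files listed above. The Python below parses constructed combined-format log lines (sample data, not from any real server) and flags sources matching either pattern; the thresholds and the set of sensitive paths are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample access log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /admin HTTP/1.1" 404 0 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /backup HTTP/1.1" 404 0 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /.env HTTP/1.1" 404 0 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /.git/config HTTP/1.1" 200 92 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /robots.txt HTTP/1.1" 200 30 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths from the "key files to always check" list that a normal visitor never requests.
# robots.txt, sitemap.xml and security.txt are legitimate and deliberately left out.
SENSITIVE_PATHS = {"/.git/config", "/.svn/entries", "/.env",
                   "/config.php.bak", "/wp-config.php.bak"}
SENSITIVE_DIRS = {"/backup", "/old", "/archive"}  # assumed backup-dir names

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec

def analyze(log_text, not_found_threshold=3, min_ratio=0.5):
    """Return {ip: stats} for sources that look like they are fuzzing.
    A source is flagged on a 404 burst (>= threshold and >= ratio of its requests,
    typical of wordlist enumeration) or on any hit against a sensitive path.
    A real deployment would bucket the counts per time window."""
    per_ip = defaultdict(lambda: {"total": 0, "not_found": 0, "sensitive": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["total"] += 1
        if rec["status"] == 404:
            s["not_found"] += 1
        if rec["path"] in SENSITIVE_PATHS or rec["path"].rstrip("/") in SENSITIVE_DIRS:
            s["sensitive"].append(rec["path"])
    return {ip: s for ip, s in per_ip.items()
            if s["sensitive"] or (s["not_found"] >= not_found_threshold
                                  and s["not_found"] / s["total"] >= min_ratio)}

if __name__ == "__main__":
    for ip, stats in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {stats['not_found']}/{stats['total']} 404s, probes {stats['sensitive']}")
```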