Web fuzzing tools such as ffuf and Wfuzz automate the discovery of hidden directories, parameters, virtual hosts, API endpoints, files, and injection points by sending large numbers of requests with substituted payloads. These tools reveal attack surface that developers did not intend to expose. Web fuzzing is essential for mapping the real footprint of an application before deeper testing.
Understanding Web Fuzzing
Web fuzzing brute-forces web application surfaces using wordlists. It replaces placeholders inside URLs, headers, POST bodies, or cookies to identify:
• hidden directories
• hidden files
• backup files
• misconfigured endpoints
• admin panels
• SSRF endpoints
• unused parameters
• vulnerable parameters
• brute-forcible GET/POST inputs
Fuzzing shows entry points that scanners and crawlers often miss.
Why Web Fuzzing Tools Matter
Web fuzzers detect:
• endpoint exposure
• forgotten dev routes
• backup files such as .old or .bak
• hidden API versions
• misconfigurations in routing
• file disclosure vectors
• unlinked admin pages
• potential injection parameters
They reveal the true structure of the application.
ffuf and Wfuzz are the two most widely used command-line fuzzers for modern web testing.
ffuf Overview
ffuf (Fast Web Fuzzer):
• extremely fast
• supports recursion
• fuzzing in URL, headers, cookies, POST bodies
• flexible match/ignore filters
• used for web enumeration, API discovery, parameter mining
Example placeholders:
FUZZ
FUZ2Z
Wfuzz Overview
Wfuzz:
• advanced filtering
• multiple wordlist injection points
• complex payload structures
• supports authentication
• flexible encoders
• fuzzing multiple parameters simultaneously
Wfuzz is ideal for scenarios where multiple inputs need fuzzing at once.
ffuf Features
• directory fuzzing
• vhost fuzzing
• parameter discovery
• POST body fuzzing
• recursion
• filtering by status code, size, words
• proxy support
• raw request fuzzing
ffuf is optimized for speed and large-scale fuzzing.
Wfuzz Features
• multiple payload injection
• fuzzing via POST, GET, headers, cookies
• authentication support
• encoded payloads
• recursive fuzzing
• JSON and XML injection support
Wfuzz is more flexible, especially for heavy customization.
Practical Section (Full-Length)
Extensive hands-on tasks using ffuf and Wfuzz.
Practical 1: Directory Fuzzing With ffuf
ffuf -u https://target.com/FUZZ -w wordlist.txt
Discover hidden directories and files.
Practical 2: Filter by Status Code
ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404
Hide 404 responses.
Practical 3: Filter by Response Size
ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 0
Exclude zero-length responses.
Practical 4: Recursion in ffuf
ffuf -u https://target.com/FUZZ -w wordlist.txt -recursion
Automatically fuzz discovered directories.
Practical 5: Parameter Discovery With ffuf
ffuf -u "https://target.com/page.php?FUZZ=test" -w params.txt
Find hidden GET parameters.
Practical 6: POST Parameter Fuzzing
ffuf -u https://target.com/login -w params.txt -X POST -d "FUZZ=test"
Detect valid POST parameter names.
Practical 7: Header Fuzzing
ffuf -u https://target.com/ -w headers.txt -H "FUZZ: test"
Find sensitive or internal headers.
Practical 8: Cookie Fuzzing
ffuf -u https://target.com/profile -w cookies.txt -b "FUZZ=1"
Find cookie-based injection points.
Practical 9: API Version Discovery
ffuf -u https://api.target.com/vFUZZ/ -w versions.txt
Identify hidden API versions.
Practical 10: Virtual Host Discovery
ffuf -u http://target.com -H "Host: FUZZ.target.com" -w subdomains.txt -fc 404
Find vhosts.
Practical 11: File Extension Fuzzing
ffuf -u https://target.com/admin/FUZZ -w extensions.txt
Test for .php, .old, .bak, .zip.
Practical 12: Using Raw Request Files
Save the request (with the FUZZ keyword at the injection point) to raw.txt, then run:
ffuf -request raw.txt -w wordlist.txt -request-proto http
Useful when fuzzing complex applications.
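The status, size and word filters in Practicals 2 and 3 work on individual fields, and `-fs 0` only removes empty bodies; a catch-all page that returns the same non-empty body for every unknown path still floods the output. The following triage script is an added example, not ffuf's own code: it reads an ffuf JSON report (assumed to be produced with `-o results.json -of json`, and assumed to carry `results` entries with `input`, `status`, `length`, `words` and `url` keys; check those names against the ffuf version in use), clusters responses on the same three fields ffuf's `-fc`/`-fs`/`-fw` filters act on, treats any signature shared by several hits as a catch-all template, and prints the filter flags that would suppress it on a rerun. The report data is constructed, not from a real scan.

```python
"""Triage an ffuf JSON report by clustering on (status, length, words).

Added example, not part of ffuf. Field names in the report are assumed to
match ffuf's JSON writer; all data below is constructed.
"""
import json
from collections import Counter

# Constructed report in the shape of ffuf's JSON output (not a real scan).
SAMPLE_FFUF_JSON = json.dumps({
    "commandline": "ffuf -u https://target.example/FUZZ -w wordlist.txt -o results.json -of json",
    "results": [
        {"input": {"FUZZ": "admin"},    "status": 200, "length": 5120, "words": 410, "url": "https://target.example/admin"},
        {"input": {"FUZZ": "backup"},   "status": 200, "length": 1337, "words": 120, "url": "https://target.example/backup"},
        {"input": {"FUZZ": "zzz1"},     "status": 200, "length": 1337, "words": 120, "url": "https://target.example/zzz1"},
        {"input": {"FUZZ": "images"},   "status": 301, "length": 0,    "words": 1,   "url": "https://target.example/images"},
        {"input": {"FUZZ": "qwerty"},   "status": 200, "length": 1337, "words": 120, "url": "https://target.example/qwerty"},
        {"input": {"FUZZ": "api"},      "status": 403, "length": 162,  "words": 12,  "url": "https://target.example/api"},
        {"input": {"FUZZ": "notexist"}, "status": 200, "length": 1337, "words": 120, "url": "https://target.example/notexist"},
    ],
})


def load_results(raw_json: str) -> list:
    """Return the result entries from an ffuf JSON report (assumed key: "results")."""
    return json.loads(raw_json)["results"]


def signature(result: dict) -> tuple:
    """Response fingerprint built from the same fields ffuf's -fc/-fs/-fw filters use."""
    return (result["status"], result["length"], result["words"])


def catchall_signatures(results: list, min_hits: int = 3) -> set:
    """Signatures shared by at least min_hits results are treated as a catch-all
    template (soft 404, generic error page, WAF block page), not distinct content."""
    counts = Counter(signature(r) for r in results)
    return {sig for sig, n in counts.items() if n >= min_hits}


def suggested_filters(signatures: set) -> list:
    """ffuf flags that would drop each catch-all signature on a rerun.
    Size alone is usually enough; -fw <words> or -fl <lines> are alternatives
    when the catch-all body varies slightly in length (e.g. echoes the path)."""
    return [f"-fs {length}" for _status, length, _words in sorted(signatures)]


def triage(results: list, min_hits: int = 3) -> dict:
    """Split results into distinct content and catch-all noise, plus filter hints."""
    noise = catchall_signatures(results, min_hits)
    return {
        "interesting": [r for r in results if signature(r) not in noise],
        "suppressed": [r for r in results if signature(r) in noise],
        "filters": suggested_filters(noise),
    }


if __name__ == "__main__":
    report = triage(load_results(SAMPLE_FFUF_JSON))
    for r in report["interesting"]:
        print(f'{r["status"]} {r["length"]:>6} {r["url"]}')
    print("suppressed:", len(report["suppressed"]), "rerun with:", " ".join(report["filters"]))
```

Note the 301 entry with a zero-length body: redirects to a directory listing or login page commonly carry no body at all, so `-fs 0` from Practical 3 would hide exactly the kind of result that confirms a path exists. Check the status codes of the zero-length responses before applying that filter.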
Wfuzz Practical Section
Practical 13: Basic Directory Fuzzing With Wfuzz
wfuzz -c -w wordlist.txt https://target.com/FUZZ
Practical 14: Filter by Status Code
wfuzz -w wordlist.txt -c --hc 404 https://target.com/FUZZ
Practical 15: Multiple Injection Points
wfuzz -w users.txt -w passwords.txt \
"https://target.com/login?user=FUZZ&pass=FUZ2Z"
Performs double-fuzzing.
Practical 16: Header-Based Fuzzing (Wfuzz)
wfuzz -w headers.txt -H "FUZZ: test" https://target.com
Practical 17: POST Body Fuzzing (JSON)
wfuzz -w data.txt -d '{"user":"FUZZ"}' https://target.com/api/login
Practical 18: Authenticated Fuzzing
wfuzz -w wordlist.txt -b "sessionid=abcd" https://target.com/FUZZ
Practical 19: GraphQL Fuzzing
wfuzz -w graphql.txt -d '{"query":"FUZZ"}' https://target.com/graphql
Tests GraphQL query structures.
Practical 20: Full Fuzzing Architecture
Build a complete fuzzing workflow:
• ffuf for directory scans
• ffuf for parameter discovery
• ffuf for vhost enumeration
• Wfuzz for multi-parameter fuzzing
• fuzz JSON, XML, and GraphQL
• use raw request files
• run ffuf nightly in CI
• export fuzz results to DevSecOps dashboards
• use findings to feed DAST and API fuzzers
• recursively fuzz API responses
• monitor server logs for unusual behavior
This creates a complete web fuzzing capability inside your DevSecOps pipeline.
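The last item in the workflow, monitoring server logs for unusual behavior, is also how a defender notices a fuzzer that is not the one you scheduled in CI. The detector below is an added example, not part of either tool: it parses Apache/nginx combined-format access log lines (the log lines are constructed), and flags a source address either when a sliding window shows a burst of requests dominated by 404s across many distinct paths, or when the User-Agent carries the default string shipped by ffuf ("Fuzz Faster U Fool") or Wfuzz ("Wfuzz/"). The user-agent check is a weak signal because the string is trivially overridden; the rate-based check is the one that holds up. The thresholds are assumptions to tune per site.

```python
"""Flag web-fuzzing activity in combined-format access logs.

Added example, not part of ffuf or Wfuzz. Log lines are constructed;
thresholds are assumptions to tune per application.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Default User-Agent values the two tools ship with; easily changed, so weak signal.
TOOL_UA_MARKERS = ("Fuzz Faster U Fool", "Wfuzz/")


def parse_line(line: str):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_fuzzing(lines, window_seconds=10, min_requests=10, min_404_ratio=0.8) -> dict:
    """Return {ip: {"ua_marker": bool, "burst": stats-or-None}} for suspicious sources."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        ua_marker = any(mk in r["ua"] for r in recs for mk in TOOL_UA_MARKERS)
        burst = None
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):  # sliding window over this source's requests
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            if len(window) < min_requests:
                continue
            not_found = sum(1 for r in window if r["status"] == 404)
            if not_found / len(window) >= min_404_ratio:
                burst = {"requests": len(window), "not_found": not_found,
                         "distinct_paths": len({r["path"] for r in window})}
                break
        if ua_marker or burst:
            findings[ip] = {"ua_marker": ua_marker, "burst": burst}
    return findings


def build_sample_log() -> list:
    """Constructed log: one wordlist burst, one normal visitor, one tool user-agent."""
    base = datetime(2023, 10, 10, 13, 55, 36, tzinfo=timezone.utc)

    def line(ip, secs, path, status, ua):
        ts = (base + timedelta(seconds=secs)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'

    wordlist = ["admin", "backup", "old", "test", "dev", "api", "config", "tmp",
                "uploads", "private", "login", "robots.txt"]
    lines = []
    # 12 requests in ~4 s from one source, browser-like UA; first 10 paths are 404.
    for i, word in enumerate(wordlist):
        status = 200 if word in ("login", "robots.txt") else 404
        lines.append(line("203.0.113.7", i // 3, f"/{word}", status, "Mozilla/5.0"))
    # Ordinary visitor: a few successful requests spread over a minute.
    for secs, path in ((0, "/"), (20, "/login"), (55, "/robots.txt")):
        lines.append(line("198.51.100.4", secs, path, 200, "Mozilla/5.0"))
    # Low-rate probe that still carries Wfuzz's default User-Agent.
    lines.append(line("192.0.2.55", 3, "/backup", 404, "Wfuzz/3.1.0"))
    lines.append(line("192.0.2.55", 90, "/old", 404, "Wfuzz/3.1.0"))
    lines.append("this line is not in combined format and is skipped")
    return lines


if __name__ == "__main__":
    for ip, info in detect_fuzzing(build_sample_log()).items():
        print(ip, info)
```

For a scheduled run of your own fuzzer, set a distinctive User-Agent (ffuf and Wfuzz both accept `-H "User-Agent: ..."`) and allow-list the CI runner's address in the detector, so the nightly scan is attributed correctly and anything else that trips the burst rule stands out.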
Intel Dump
• ffuf and Wfuzz enumerate hidden directories, parameters, APIs, vhosts, and injection points
• ffuf is optimized for speed
• Wfuzz is optimized for complex payload injection
• Fuzzing reveals real attack surfaces missed by crawlers
• Practicals include directory fuzzing, parameter fuzzing, header fuzzing, vhost fuzzing, JSON fuzzing, recursion, raw request fuzzing, and multi-parameter fuzzing
• A full fuzzing architecture uses both tools for complete coverage