Fuzzing or fuzz testing is an automated software used to test error handling of the software by providing invalid, unexpected, or random inputs.
Wordlists: Wordlists are text files containing a sequence of commonly used words. This can be lists of common user names, passwords, website directories, typical files on a website, etc.
- Common directory and file names
- Backup files
- Configuration files
- Vulnerable scripts
Fuzzer: A software tool that automates generating and sending payloads to a web application and analyzing the responses. Example- ffuf, wfuzz, Burp Suite.
The most commonly used wordlists for fuzzing web directories and files from SecLists are:
- Wordlist: You provide ffuf with a wordlist containing potential directory or file names.
- URL with FUZZ keyword: You construct a URL with the FUZZ keyword as a placeholder where the wordlist entries will be inserted.
- Requests: ffuf iterates through the wordlist, replacing the FUZZ keyword in the URL with each entry and sending HTTP requests to the target web server.
- Response Analysis: ffuf analyzes the server's responses (status codes, content length, etc.) and filters the results based on your criteria.