Gobuster
# Basic usage
gobuster dir -u https://target/FUZZ -w /usr/share/wordlists/dirb/common.txt
# Directory fuzzing, ignoring cert validation
gobuster dir -u https://target.tld -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
# Add extensions
gobuster dir -u https://target/FUZZ -w wordlist.txt -x php,txt,html -k
# Virtual host fuzzing
gobuster vhost -u http://target -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
# DNS subdomain fuzzing
gobuster dns -d domain.tld -w /usr/share/wordlists/dns/subdomains.txtffuf
https://github.com/ffuf/ffuf
# Basic directory fuzzing
ffuf -w /usr/share/wordlists/dirb/common.txt -u https://target/FUZZ
# Match all responses (for debugging)
ffuf -w /usr/share/wordlists/dirb/common.txt -u https://target/FUZZ -mc all
# Filter by status code
ffuf -w wordlist.txt -u https://target/FUZZ -fc 404
# Filter by response size
ffuf -w wordlist.txt -u https://target/FUZZ -fs 1234
# Follow redirects
ffuf -w wordlist.txt -u https://target/FUZZ -r
# Use a proxy (e.g. Burp)
ffuf -w wordlist.txt -u https://target/FUZZ -x http://127.0.0.1:8080
# POST fuzzing with injected value
ffuf -w params.txt -u https://target -X POST -d "username=FUZZ&password=test"
# Fuzz a header
ffuf -w wordlist.txt -u https://target -H "Host: FUZZ.target"
# Multiple fuzz points
ffuf -w users.txt:U -w passwords.txt:P -u https://target/login -X POST -d "user=U&pass=P"
# Recursive fuzzing
ffuf -w wordlist.txt -u https://target/FUZZ -recursion -recursion-depth 2
# Auto-calibration to detect timing-based indicators
ffuf -w wordlist.txt -u https://target/FUZZ -ac
# Rate-limit to reduce WAF noise or avoid bans
ffuf -w wordlist.txt -u https://target/FUZZ -p 0.5Wfuzz
https://github.com/xmendez/wfuzz
# Basic URL fuzzing
wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt --hc 404 https://target/FUZZ
# POST param fuzzing
wfuzz -c -z file,params.txt -d "username=FUZZ&password=test" --hh=45 https://target/login
# Cookie fuzzing
wfuzz -z file,wordlist.txt -b "session=FUZZ" https://targetNon-HTTP Fuzzing Targets
SMB / RPC
# Fuzz usernames or shares
smbclient -L //host -U 'FUZZ%'
# Use alongside tools like:
# - crackmapexec
# - rpcclient
# - impacket scriptsFTP
# Credential fuzzing using hydra
hydra -L users.txt -P passwords.txt ftp://targetDNS
# DNS enumeration with massdns
massdns -r resolvers.txt -t A -o S -w results.txt wordlist.txtGraphQL
# Use graphql-cop, InQL, or Burp plugins
# Fuzz introspection, queries, mutations
# Example: fuzzing JSON body
ffuf -X POST -H "Content-Type: application/json" -d '{"query": "{FUZZ}"}' -w gql_fuzz.txt -u https://target/graphqlJWT
# Fuzz Authorization header
authorization: Bearer FUZZ
# Use jwt_tool.py to inspect/manipulate/test:
https://github.com/ticarpi/jwt_toolFile Uploads
# Common tricks to bypass file filters
file.jpg
file.jpg.php
file.php;.jpg
# Try bypassing MIME filters and test magic bytesWordlist Generation
CeWL
# Basic crawl and wordlist output
cewl https://target -w words.txt
# Increase crawl depth to 5 levels
cewl -d 5 https://target -w deep.txt
# Only collect words with 5 or more characters
cewl -m 5 https://target -w longwords.txt
# Combine recursion + length + silent + verbose
cewl -d 4 -m 6 -n -v https://target -w stealth.txt
# Include email addresses found on pages
cewl -e https://target -w emails_words.txt
# Crawl with HTTP Basic Authentication
cewl -u admin -p 'password123' https://target -w authed.txt
# Crawl with custom user-agent header
cewl -H "User-Agent: Mozilla/5.0" https://target -w custom_ua.txt
# Crawl an HTTPS site and ignore SSL errors
cewl -k https://target -w noverify.txtCrunch
# Generate all combinations of abc123 between 6 and 8 characters
crunch 6 8 abc123 -o customlist.txt
# Fixed-length wordlist of 8 characters using lowercase only
crunch 8 8 abcdefghijklmnopqrstuvwxyz -o lowercase8.txt
# Add prefix and suffix
crunch 6 6 -t admin@@ -o adminlist.txt
# Pipe directly into tools (no output file)
crunch 4 4 0123456789 | hydra -l admin -P - ftp://target
# Mix common patterns
crunch 5 5 -t @@123 -o patterns.txtAdditional Wordlist Repos