🛡️ Methodology Checklist
- Directory brute-force: ffuf -u http://[TARGET]/FUZZ -w [WORDLIST] -mc 200,301,302
- Filter noise: -fs [SIZE] drops every response of that body size (the catch-all page); -fw / -fl do the same on word and line count, and -ac lets ffuf calibrate the filter itself from random requests
- Recursive: -recursion -recursion-depth 2
- File extension fuzzing: ffuf -u http://[TARGET]/FUZZ -w [WORDLIST] -e .php,.txt,.html,.bak
- Output to file: -o results.json -of json
- Review all 2xx/3xx responses for interesting content; treat 403 as "exists, but guarded", not as empty
- Follow redirects: -r (ffuf does not follow them by default)
- Filter by body regex: -fr "Redirecting" removes responses whose body matches the pattern (note: -fr is a filter, not the follow-redirects flag)
🎯 Operational Context
Use when: Mapping web application directory structure — fuzz for hidden directories, files, and endpoints before active vulnerability scanning.
Think Dumber First: ffuf -u http://[TARGET]/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -mc 200,301,302,403 — run with medium wordlist first, then escalate. Filter by response size to remove false positives.
Skip when: the site returns 200 for every path (catch-all) and you have not yet established a baseline. Detect it first by requesting a random path, note the response size, then rerun with -fs [baseline_size]; if the size varies because the path is echoed into the page, use -ac or filter on -fw/-fl/-fr instead.
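The baseline check above, as an added shell example (not part of the original page): three random-path probes decide whether the target is a catch-all and which ffuf filter to append. It assumes curl is installed; the target URL is whatever you pass as the first argument, and the probe/filter logic is my own, not an ffuf feature.

```shell
#!/bin/sh
# Added example, not from the original page: probe a target with random paths
# before fuzzing, decide whether it is a catch-all (wildcard) site, and derive the
# ffuf filter to append. Assumes curl is installed; the target URL is whatever you
# pass as $1 (hypothetical, e.g. http://10.10.10.10:8080).

# Probe one random path and emit "status:body_size" (network, not run offline).
probe() {
  rnd=$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 16)
  curl -s -o /dev/null -w '%{http_code}:%{size_download}' "$1/$rnd"
}

# Pure decision logic over three "status:size" probe results:
#   all 404                        -> no wildcard, print nothing
#   same status and same size      -> catch-all, print "-fs <size>"
#   same status, sizes vary        -> body echoes the path; -fs is useless, print "-ac"
#   anything else (inconsistent)   -> print nothing and let the operator look
choose_filter() {
  s1=${1%%:*}; z1=${1#*:}
  s2=${2%%:*}; z2=${2#*:}
  s3=${3%%:*}; z3=${3#*:}
  if [ "$s1" = 404 ] && [ "$s2" = 404 ] && [ "$s3" = 404 ]; then
    return 0
  fi
  if [ "$s1" = "$s2" ] && [ "$s2" = "$s3" ]; then
    if [ "$z1" = "$z2" ] && [ "$z2" = "$z3" ]; then
      printf '%s %s' -fs "$z1"
    else
      printf '%s' -ac
    fi
  fi
  return 0
}

# Usage: sh wildcard.sh http://[TARGET_IP]:[PORT]
# Prints the filter to add, e.g. "-fs 4821", so the fuzz becomes:
#   ffuf -w [WORDLIST]:FUZZ -u http://[TARGET_IP]:[PORT]/FUZZ -ic -fs 4821
if [ -n "$1" ]; then
  filter=$(choose_filter "$(probe "$1")" "$(probe "$1")" "$(probe "$1")")
  if [ -n "$filter" ]; then
    echo "catch-all detected, append: $filter"
  else
    echo "no catch-all detected (or inconsistent probes), fuzz without a size filter"
  fi
fi
```

Three probes rather than one because a single random request cannot distinguish a fixed-size catch-all page from one that embeds the requested path; only the second case needs -ac or a word/line/regex filter.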
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| ffuf -w [WORDLIST]:FUZZ -u http://[TARGET_IP]:[PORT]/FUZZ -ic | Basic directory fuzz; -ic ignores the wordlist's comment lines (the copyright header at the top of the dirbuster lists) so they are not requested as paths |
| ffuf -w [WORDLIST]:FUZZ -u http://[TARGET_IP]:[PORT]/FUZZ -t 200 | Increase threads (local lab only; DoS risk over VPN) |
| ffuf -w web-extensions.txt:FUZZ -u http://[TARGET_IP]:[PORT]/blog/indexFUZZ | Extension discovery; no dot before FUZZ because the list entries already carry one |
| ffuf -w [WORDLIST]:FUZZ -u http://[TARGET_IP]:[PORT]/blog/FUZZ.php | Page fuzz with a known extension |
| ffuf -w [WORDLIST]:FUZZ -u http://[TARGET_IP]:[PORT]/FUZZ -recursion -recursion-depth 1 -e .php -v | Recursive fuzz; auto-queues discovered subdirectories; -v prints the full URL of each hit |
| locate directory-list-2.3-small.txt | Find wordlist path on PwnBox/Kali |
| locate subdomains-top1million-5000.txt | Find DNS subdomain wordlist |
| locate web-extensions.txt | Find extension wordlist |
🔬 Deep Dive & Workflow
Key Paths (SecLists on PwnBox)
/opt/useful/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
/opt/useful/seclists/Discovery/Web-Content/web-extensions.txt
/opt/useful/seclists/Discovery/DNS/subdomains-top1million-5000.txt
/opt/useful/seclists/Discovery/Web-Content/burp-parameter-names.txt
Directory Fuzzing
```bash
ffuf -w /opt/useful/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ \
     -u http://[TARGET_IP]:[PORT]/FUZZ -ic
```
A 200 OK or 301 = directory exists. A blank page on that directory = directory listing disabled; the directory is still there, so fuzz inside it for files.
Extension Discovery (The Dot Trap)
```bash
# web-extensions.txt already contains dots (.php, .html, .aspx)
# URL must be: indexFUZZ NOT index.FUZZ (double dot = fail)
ffuf -w web-extensions.txt:FUZZ -u http://[TARGET_IP]:[PORT]/blog/indexFUZZ
```
Apache usually means .php; IIS usually means .asp/.aspx. Check the Server: header for the hint, but confirm by fuzzing, since the header can be removed or rewritten by a proxy.
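The dot trap, as an added shell example (not from the page): the script inspects the extension wordlist before building the command, so FUZZ is glued to the filename when the list carries its own dots and a dot is added in the URL when it does not; it also produces a clean -e value from either kind of list. It assumes a SecLists-style list (one extension per line, optional # comments), and the sample wordlist it writes is constructed, not the real web-extensions.txt.

```shell
#!/bin/sh
# Added example, not from the original page: inspect the extension wordlist before
# building the ffuf command, so the FUZZ keyword is placed correctly (indexFUZZ when
# the list carries its own dots, index.FUZZ when it does not) and a clean -e value
# can be produced from any list. Assumes a SecLists-style list: one extension per
# line, '#' comments allowed, entries with or without a leading dot.

# Entries without their leading dot, comments and blanks dropped, duplicates removed.
normalise_exts() {
  sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^\.*//' "$1" \
    | grep -v '^$' | awk '!seen[$0]++'
}

# Comma-separated value for ffuf's -e flag, which expects the dots (".php,.html").
e_flag_value() {
  normalise_exts "$1" | sed 's/^/./' | paste -sd, -
}

# URL template for extension discovery against a known filename: glue FUZZ to the
# name when the list supplies the dot, otherwise put the dot in the URL.
fuzz_url() {
  base=$1; list=$2
  if grep -v '^#' "$list" | grep -v '^$' | head -n 1 | grep -q '^\.'; then
    printf '%s/indexFUZZ' "$base"
  else
    printf '%s/index.FUZZ' "$base"
  fi
}

# Write a small constructed wordlist (stand-in for web-extensions.txt) to $1.
write_sample_list() {
  printf '# constructed sample, not the SecLists file\n.php\n.html\n.aspx\n\n.php\n' > "$1"
}

# Usage: sh exts.sh http://[TARGET_IP]:[PORT]/blog [EXTENSION_WORDLIST]
# With no arguments it prints the commands for the constructed sample list.
base=${1:-http://[TARGET_IP]:[PORT]/blog}
list=${2:-}
if [ -z "$list" ]; then list=$(mktemp); write_sample_list "$list"; fi
echo "ffuf -w $list:FUZZ -u $(fuzz_url "$base" "$list")"
echo "ffuf -w [WORDLIST]:FUZZ -u $base/FUZZ -e $(e_flag_value "$list")"
[ -n "${2:-}" ] || rm -f "$list"
```

The check looks only at the first real entry, which is enough for the SecLists files (they are consistent); a mixed list would need normalising through e_flag_value and the -e route instead of a FUZZ-in-URL run.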
Page Fuzzing
```bash
# After confirming extension .php:
ffuf -w directory-list-2.3-small.txt:FUZZ \
     -u http://[TARGET_IP]:[PORT]/blog/FUZZ.php
```
Size 0 = the file exists but returns an empty body. Look for size > 0 for actual content; if the empty hits are numerous, drop them with -fs 0.
Recursive Fuzzing
```bash
ffuf -w directory-list-2.3-small.txt:FUZZ \
     -u http://[TARGET_IP]:[PORT]/FUZZ \
     -recursion -recursion-depth 1 \
     -e .php -v
```
- -e .php doubles the request count: each word is tested both as a directory and as a .php file
- -v is mandatory here: without it the output shows admin.php but not the full path /blog/admin.php
- Use depth 1 on exams; run targeted scans against interesting nested dirs manually
- Default threads = 40. The default -t is fine over VPN; -t 200 only on a local lab. Reduce to -t 4 if the service starts crashing.
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| All paths return 200 | Wildcard/catch-all response | Baseline: curl -s -o /dev/null -w '%{size_download}' http://[TARGET]/randomstring123 to get the size; filter with -fs [size], or let ffuf calibrate with -ac. If the size varies per path, filter on -fw/-fl or -fr "<string from the error page>" |
| ffuf too slow | Large wordlist + slow target | Use -t 50 threads; also try -rate 200 to limit requests/sec on rate-limited targets |
| 403 responses not investigated | Forbidden assumed = empty | 403 can mean resource exists but auth required — try bypass techniques on 403 paths |
| Extension fuzzing finds nothing | Wrong extensions for tech stack | Match extensions to tech: PHP → .php, Java → .jsp, .NET → .aspx; use raft-medium-extensions.txt |
| Recursive flag causing too many requests | -recursion too deep | Limit depth: -recursion-depth 2; or manually fuzz interesting 403/301 directories found |
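Reviewing the output rather than the terminal scroll, as an added shell example (not from the page): it reads ffuf's CSV (-o results.csv -of csv) by header name, lists the 2xx/3xx hits, pulls the 403 paths out for manual follow-up, and counts distinct body sizes per status, which flags the catch-all case from the table above. The only assumption about ffuf is that its CSV header contains status_code, content_length and url; the sample rows written by write_sample_csv are constructed, not real scan output.

```shell
#!/bin/sh
# Added example, not from the original page: triage ffuf CSV output
# (ffuf ... -o results.csv -of csv) by header name rather than column position.
# Assumption: the header carries the columns status_code, content_length and url,
# which is what ffuf's CSV writer emits; the sample rows below are constructed.

# Print "status<TAB>size<TAB>url" for rows whose status is in a comma list, e.g. 200,301,302.
rows_with_status() {
  awk -F, -v want="$2" '
    NR == 1 {
      for (i = 1; i <= NF; i++) col[$i] = i
      n = split(want, w, ","); for (j = 1; j <= n; j++) ok[w[j]] = 1
      next
    }
    ok[$(col["status_code"])] {
      print $(col["status_code"]) "\t" $(col["content_length"]) "\t" $(col["url"])
    }' "$1"
}

# Number of distinct body sizes seen for one status code. Many hits of one status
# that all share a single size is the catch-all signature: rerun with -fs <size>
# instead of reading through them.
distinct_sizes() {
  awk -F, -v st="$2" '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    $(col["status_code"]) == st { seen[$(col["content_length"])] = 1 }
    END { n = 0; for (k in seen) n++; print n }' "$1"
}

# 403 is not "nothing there": the path exists and is guarded. List these for manual work.
forbidden_paths() {
  rows_with_status "$1" 403 | cut -f3
}

# Constructed sample in ffuf's CSV shape (not real scan output), written to $1.
write_sample_csv() {
  cat > "$1" <<'EOF'
FUZZ,url,redirectlocation,position,status_code,content_length,content_words,content_lines,content_type,duration,resultfile
admin,http://target/admin,http://target/admin/,1,301,169,5,10,text/html,3ms,
backup,http://target/backup,,2,403,277,20,10,text/html,2ms,
index.php,http://target/index.php,,3,200,4821,300,90,text/html,4ms,
config.bak,http://target/config.bak,,4,200,4821,300,90,text/html,4ms,
login,http://target/login,,5,200,612,40,15,text/html,3ms,
EOF
}

# Usage: sh triage.sh results.csv   (no argument: runs against the constructed sample)
csv=${1:-}
if [ -z "$csv" ]; then csv=$(mktemp); write_sample_csv "$csv"; fi
echo "== 2xx/3xx hits to review =="; rows_with_status "$csv" 200,201,204,301,302,307
echo "== 403 paths to attack =="; forbidden_paths "$csv"
echo "== distinct sizes among 200s: $(distinct_sizes "$csv" 200) (1 means catch-all, filter with -fs) =="
[ -n "${1:-}" ] || rm -f "$csv"
```

Resolving columns from the header row is what keeps this working across ffuf versions that add or reorder CSV fields; if you prefer the JSON output from the checklist, the same three fields are present there and jq can do the equivalent selection.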
📝 Reporting Trigger
Finding Title: Hidden Web Directories and Files Enumerated
Impact: Directory and file enumeration reveals hidden administration panels, backup files, configuration files, and development endpoints not linked from the main application, exposing additional attack surface.
Root Cause: Web server serves files by default without access control. Development artifacts and backup files left in web root. No endpoint inventory or access control enforcement on unlisted paths.
Recommendation: Configure web server to return 404 for all unlisted paths (no directory listing). Remove backup files, .git, and development artifacts from web root. Implement access control on all administrative endpoints regardless of obscurity.