Tags: Gobuster, ffuf, Fuzzing, Directories, Subdomains, Reconnaissance
Level: Basic

Gobuster & ffuf: Web & Subdomain Fuzzing

Jun 10, 2024

Gobuster and ffuf are two of the most popular fuzzing tools in web penetration testing. They discover hidden directories, files, parameters, and subdomains through dictionary-based attacks.

1. Installation & Wordlists

# Gobuster (Go):
apt install gobuster

# ffuf (Go — faster and more flexible):
apt install ffuf

# Recommended wordlists (SecLists):
apt install seclists

2. Key HTTP Codes in Fuzzing

3. Gobuster — Directory Enumeration

# Directory enumeration, also trying each word with the .php, .txt and .bak extensions (-x):
gobuster dir -u http://target.com -w common.txt -x php,txt,bak

# Hide responses with the blacklisted status codes (-b) instead of showing them:
gobuster dir -u http://target.com -w wordlist.txt -b 404,403

4. ffuf — Advanced Fuzzing (The Modern King)

ffuf uses the FUZZ keyword to inject the wordlist anywhere in the request.

# Directory fuzzing:
ffuf -u http://target.com/FUZZ -w dict.txt

# GET parameter name fuzzing:
ffuf -u "http://target.com/page.php?FUZZ=test" -w params.txt

# POST fuzzing:
ffuf -u http://target.com/login \
  -w rockyou.txt \
  -X POST -d "username=admin&password=FUZZ" \
  -H "Content-Type: application/x-www-form-urlencoded"

5. The "Catch-all" Problem (Filtering)

Sometimes servers return 200 OK for everything, flooding our results with false positives. We measure the size of the default (catch-all) page, for example by requesting a path that certainly does not exist, and tell ffuf to filter out every response of that size.

# Filter by size in Bytes (-fs):
ffuf -u http://target.com/FUZZ -w dict.txt -fs 512

# Filter by word count (-fw) or line count (-fl), useful when the catch-all page's size varies:
ffuf -u http://target.com/FUZZ -w dict.txt -fw 10 -fl 25
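How the three filters separate a catch-all server's default page from a real hit, as an added Python example that is not part of the original page and not ffuf's own code. The HTTP responses are constructed, and the counting rules (body bytes, tokens split on single spaces, lines split on newlines) are an approximation of ffuf's that is assumed here. It goes slightly beyond the commands above by also covering the case the -fw/-fl options exist for: a catch-all page that reflects the requested path, so its size varies from path to path while its word and line counts do not.

```python
"""Added example: what ffuf's -fs / -fw / -fl filters measure and why a
catch-all page is easy to remove. Responses below are constructed; the
counting rules approximate ffuf's and are an assumption of this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Metrics:
    size: int   # -fs: response body length in bytes
    words: int  # -fw: number of space-separated tokens
    lines: int  # -fl: number of newline-separated lines


def measure(body: bytes) -> Metrics:
    """Compute the three quantities the size/word/line filters act on."""
    text = body.decode("utf-8", errors="replace")
    return Metrics(size=len(body), words=len(text.split(" ")), lines=len(text.split("\n")))


def baseline(responses: Dict[str, bytes], probe: str) -> Metrics:
    """Measure the catch-all page via a path that certainly does not exist."""
    return measure(responses[probe])


def filter_responses(responses: Dict[str, bytes], fs: Optional[int] = None,
                     fw: Optional[int] = None, fl: Optional[int] = None) -> List[str]:
    """Return the paths whose response survives every active filter.
    As with ffuf, a filter drops a response whose metric equals the filtered value."""
    kept = []
    for path, body in responses.items():
        m = measure(body)
        if fs is not None and m.size == fs:
            continue
        if fw is not None and m.words == fw:
            continue
        if fl is not None and m.lines == fl:
            continue
        kept.append(path)
    return kept


# Constructed responses (not captured from any server).
CATCHALL = b"<html>\n<body>\n<h1>Welcome</h1>\n<p>Nothing to see here</p>\n</body>\n</html>\n"
ADMIN_PANEL = (b"<html>\n<body>\n<form action=/admin/login>\n<input name=user>\n"
               b"<input name=pass>\n</form>\n</body>\n</html>\n")
PROBE = "/thisdoesnotexist-9f3a"  # a path no real site would have

# Case 1: static catch-all, identical body for every unknown path.
STATIC_SERVER = {PROBE: CATCHALL, "/images": CATCHALL, "/backup": CATCHALL, "/admin": ADMIN_PANEL}


def reflecting_catchall(path: str) -> bytes:
    """Case 2: the catch-all page echoes the requested path, so -fs alone is unreliable."""
    return b"<html>\n<body>\n<h1>Not found:" + path.encode() + b"</h1>\n</body>\n</html>\n"


REFLECTING_SERVER = {p: reflecting_catchall(p) for p in (PROBE, "/images", "/backup")}
REFLECTING_SERVER["/admin"] = ADMIN_PANEL

if __name__ == "__main__":
    b = baseline(STATIC_SERVER, PROBE)
    print("static, -fs", b.size, "->", filter_responses(STATIC_SERVER, fs=b.size))
    b = baseline(REFLECTING_SERVER, PROBE)
    print("reflecting, -fs", b.size, "->", filter_responses(REFLECTING_SERVER, fs=b.size))
    print("reflecting, -fw/-fl ->", filter_responses(REFLECTING_SERVER, fw=b.words, fl=b.lines))
```

Against the static server, filtering on the baseline size leaves only /admin. Against the reflecting server the baseline size matches only paths of the same length, so -fs lets /images and /backup through, while -fw and -fl remove every echoed page. The static server also shows the caveat: the constructed admin page happens to have the same four-token word count as the catch-all page, so filtering on words alone hides it. A filter value that a genuine page shares silently discards it, which is why an empty result is worth re-checking with a different metric.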

6. Subdomains & VHosts

# VHost fuzzing via Host header (-fs removes responses the size of the default vhost's page):
ffuf -u http://SERVER_IP -H "Host: FUZZ.target.com" -w subdomains.txt -fs 4242
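The other side of the same activity: what the directory, catch-all and VHost fuzzing runs on this page look like in a web server's access log, and how a defender can flag them. This is an added Python example, not part of the original page or of either tool. The log lines are constructed, their layout is a simplified combined format with the Host header appended (an assumption of this example, not any server's default), and the thresholds are illustrative values rather than tuned ones.

```python
"""Added example: detecting directory, catch-all and vhost fuzzing in access
logs. Log lines are constructed; the layout
    client_ip host "METHOD path HTTP/x.y" status bytes
and the thresholds are assumptions of this example."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<host>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)


def log_line(ip: str, host: str, path: str, status: int, size: int) -> str:
    """Build one constructed log line in the assumed layout."""
    return f'{ip} {host} "GET {path} HTTP/1.1" {status} {size}'


def build_sample_log() -> List[str]:
    """Constructed traffic: one normal visitor plus the three fuzzing patterns."""
    lines = [
        log_line("203.0.113.7", "www.example.test", "/index.html", 200, 5120),
        log_line("203.0.113.7", "www.example.test", "/about", 200, 3400),
        log_line("203.0.113.7", "www.example.test", "/favicon.ico", 404, 512),
    ]
    # Directory fuzzing against a normal server: many distinct paths, almost all 404.
    lines += [log_line("198.51.100.9", "www.example.test", f"/guess{i}", 404, 512) for i in range(29)]
    lines.append(log_line("198.51.100.9", "www.example.test", "/robots.txt", 200, 30))
    # The same run against a catch-all server: every miss is a 200 with an identical body size.
    lines += [log_line("192.0.2.88", "www.example.test", f"/guess{i}", 200, 74) for i in range(25)]
    # VHost fuzzing: one client cycling through Host headers toward the same server.
    lines += [log_line("192.0.2.44", f"sub{i}.example.test", "/", 200, 4242) for i in range(15)]
    return lines


def detect_fuzzing(lines: Iterable[str], min_requests: int = 20,
                   miss_ratio: float = 0.8, min_hosts: int = 10) -> Dict[str, List[str]]:
    """Return {client_ip: [indicators]} for clients whose traffic looks like fuzzing.
    Thresholds are illustrative assumptions; tune them against a real baseline."""
    stats = defaultdict(lambda: {"requests": 0, "misses": 0,
                                 "paths": set(), "hosts": set(), "sizes": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not fit the assumed layout; skip it
        s = stats[m["ip"]]
        s["requests"] += 1
        s["paths"].add(m["path"])
        s["hosts"].add(m["host"])
        s["sizes"].add(int(m["size"]))
        if m["status"] in ("404", "403"):
            s["misses"] += 1

    findings: Dict[str, List[str]] = {}
    for ip, s in stats.items():
        reasons = []
        if s["requests"] >= min_requests and s["misses"] / s["requests"] >= miss_ratio:
            reasons.append("directory-fuzzing")  # the 404 flood a normal server produces
        if len(s["paths"]) >= min_requests and len(s["sizes"]) == 1 and s["misses"] == 0:
            reasons.append("catch-all-fuzzing")  # many distinct paths, one identical answer
        if len(s["hosts"]) >= min_hosts:
            reasons.append("vhost-fuzzing")      # one client, many Host header values
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in detect_fuzzing(build_sample_log()).items():
        print(ip, ", ".join(reasons))
```

The catch-all rule is the defender's counterpart of section 5: answering every request with 200 hides nothing from the log, because a wordlist still shows up as dozens of distinct paths collapsing to a single response size. The VHost rule keys on the Host header rather than the path, so it only works if the log format records the host (the constructed layout here does; the default combined format does not).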