Directory and File Fuzzing
Overview
Directory and file fuzzing is a technique used in web application security testing to uncover hidden directories and files which may not be directly accessible through the main user interface. These hidden resources can contain:
- Sensitive Data: Backups, configurations, logs with credentials.
- Outdated Content: Old versions of files/scripts vulnerable to exploits.
- Development Resources: Test/staging environments, admin panels.
- Hidden Functionalities: Undocumented features/endpoints.
Importance
- Security Posture Assessment: Helps security researchers understand the attack surface.
- Proactive Defense: Finding hidden assets can prevent potential exploits.
- Useful Intel: Even if not directly exploitable, can aid in later penetration testing stages.
Methodology
Directory and file fuzzing involves:
- Systematically probing web applications using potential directory/file names.
- Analyzing server responses to identify valid paths.
Wordlists
Role of Wordlists
- Central to fuzzing – they define the names to test against the server.
- Effective wordlists enhance the success rate of discovering hidden assets.
Sources
- Web scraping for common names.
- Public data breaches.
- Known vulnerability disclosures.
Tools & Compatibility
- Tools like ffuf and wfuzz require external wordlists.
- Flexibility to use or customize lists per target/scenario.
Key Wordlists from SecLists
- Discovery/Web-Content/common.txt: This general-purpose wordlist contains a broad range of common directory and file names on web servers. It's an excellent starting point for fuzzing and often yields valuable results.
- Discovery/Web-Content/directory-list-2.3-medium.txt: This is a more extensive wordlist specifically focused on directory names. It's a good choice when you need a deeper dive into potential directories.
- Discovery/Web-Content/raft-large-directories.txt: This wordlist boasts a massive collection of directory names compiled from various sources. It's a valuable resource for thorough fuzzing campaigns.
- Discovery/Web-Content/big.txt: As the name suggests, this is a massive wordlist containing both directory and file names. It's useful when you want to cast a wide net and explore all possibilities.
SecLists GitHub Repository
https://github.com/danielmiessler/SecLists
Actually Fuzzing
We'll use ffuf, a powerful and flexible fuzzing tool, to uncover hidden directories and files on our target web application.
ffuf
Here's how ffuf generally works:
- Wordlist: You provide ffuf with a wordlist containing potential directory or file names.
- URL with FUZZ keyword: You construct a URL with the FUZZ keyword as a placeholder where the wordlist entries will be inserted.
- Requests: ffuf iterates through the wordlist, replacing the FUZZ keyword in the URL with each entry and sending HTTP requests to the target web server.
- Response Analysis: ffuf analyzes the server's responses (status codes, content length, etc.) and filters the results based on your criteria.
For example, if you want to fuzz for directories, you might use a URL like this:
http://localhost/FUZZ
- ffuf will replace FUZZ with words like "admin", "backup", "uploads", etc., from your chosen wordlist and then send requests to http://localhost/admin, http://localhost/backup, and so on.
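To make the four steps above concrete, here is an added illustration (my own code, not ffuf's) of the same loop: expand the wordlist with -e style extensions, substitute FUZZ, and apply a -mc status matcher and a -fs size filter. It runs against a constructed in-memory site (the URLs, bodies and the soft-404 page are assumptions) so the Status/Size/Words/Lines columns in the ffuf output below can be reproduced offline.

```python
# Added illustration, not ffuf's own code: model how ffuf expands a wordlist,
# substitutes FUZZ, and matches/filters responses, run against a constructed
# in-memory site so the Status/Size/Words/Lines columns can be reproduced.
from itertools import chain

def expand_words(words, extensions=()):
    """-e: every wordlist entry is tried bare and with each extension appended."""
    return [w + e for w in words for e in chain([""], extensions)]

def build_urls(template, words, extensions=()):
    """Replace FUZZ in the template (FUZZ.html with -e .php also yields word.php.html)."""
    return [template.replace("FUZZ", w) for w in expand_words(words, extensions)]

def parse_status_matcher(spec):
    """-mc syntax: '200-299,301,302' -> set of status codes to keep."""
    codes = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        codes.update(range(int(lo), int(hi or lo) + 1))
    return codes

def measure(body):
    """Size/Words/Lines as ffuf reports them: splitting an empty body still gives
    Words: 1, Lines: 1, which is why a bare 301 shows Size: 0, Words: 1, Lines: 1."""
    return {"Size": len(body.encode()), "Words": len(body.split(" ")),
            "Lines": len(body.split("\n"))}

SOFT_404 = "<html>Page not found</html>\n"  # constructed: unknown paths answer 200
FAKE_SITE = {  # constructed stand-in for the target: url -> (status, body)
    "http://target/w2ksvrus": (301, ""),
    "http://target/w2ksvrus/index.html": (200, "<html><body>index</body></html>\n"),
    "http://target/w2ksvrus/dblclk.html": (200, "<html>dbl clk</html>\n"),
}

def fuzz(site, template, words, extensions=(),
         matcher="200-299,301,302,307,401,403,405,500", filter_size=None):
    """Return (url, status, metrics) for responses kept by -mc and not dropped by -fs.
    Against a soft-404 site, filter_size=None lets every candidate through."""
    wanted = parse_status_matcher(matcher)
    hits = []
    for url in build_urls(template, words, extensions):
        status, body = site.get(url, (200, SOFT_404))
        m = measure(body)
        if status in wanted and m["Size"] != filter_size:
            hits.append((url, status, m))
    return hits

def calibrate(site, template):
    """What -ac automates: request a random name and learn the baseline size to filter."""
    return measure(site.get(template.replace("FUZZ", "zq7x9calib"), (200, SOFT_404))[1])["Size"]
```

Calling fuzz() on the fake site without filter_size returns every candidate (the site answers 200 for everything); passing filter_size=calibrate(...) leaves only index.html and dblclk.html.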
Directory Fuzzing
The first step is to perform directory fuzzing, which helps us discover hidden directories on the web server. For example:
m4cc18@htb[/htb]$ ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://IP:PORT/FUZZ
- -w (wordlist): Specifies the path to the wordlist we want to use. In this case, we're using a medium-sized directory list from SecLists.
- -u (URL): Specifies the base URL to fuzz. The FUZZ keyword acts as a placeholder where the fuzzer will insert words from the wordlist.
Output:
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://IP:PORT/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-399
________________________________________________
[...]
w2ksvrus [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 0ms]
:: Progress: [220559/220559] :: Job [1/1] :: 100000 req/sec :: Duration: [0:00:03] :: Errors: 0 ::
- The output above shows that ffuf has discovered a directory called w2ksvrus on the target web server, as indicated by the 301 (Moved Permanently) status code. A 301 with an empty body (Size: 0) is the usual response when a directory is requested without its trailing slash: the server redirects to /w2ksvrus/. This could be a potential entry point for further investigation.
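The run above sent 220559 requests in three seconds, and that is exactly what makes it visible to the defender. As an added example (not part of the page), here is detection logic that parses combined-format access log lines and flags a client that requests mostly distinct paths answered mostly with 404 inside a short window; the IP addresses, thresholds and the log lines are constructed, and the ffuf User-Agent string is an assumed form.

```python
# Added example (not from the page): the defender's view of a directory fuzz.
# A wordlist run shows up in the access log as one client requesting many
# distinct paths per second, nearly all answered 404. All values are constructed.
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
                    r' [^"]*" (?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e

def detect_fuzzing(lines, window_s=10, min_requests=50, min_404_ratio=0.9):
    """Bucket per (client, fixed window); flag bursts of mostly-404, mostly-distinct paths."""
    buckets = defaultdict(lambda: {"n": 0, "nf": 0, "paths": set(), "ua": set()})
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        b = buckets[(e["ip"], int(e["ts"].timestamp()) // window_s)]
        b["n"] += 1
        b["nf"] += e["status"] == 404
        b["paths"].add(e["path"])
        b["ua"].add(e["ua"])
    alerts = []
    for (ip, win), b in buckets.items():
        if (b["n"] >= min_requests and b["nf"] / b["n"] >= min_404_ratio
                and len(b["paths"]) >= 0.9 * b["n"]):
            alerts.append({"ip": ip, "window": win, "requests": b["n"], "not_found": b["nf"],
                           "distinct_paths": len(b["paths"]), "user_agents": sorted(b["ua"])})
    return alerts

def sample_log():
    """Constructed log: a fuzz burst from 203.0.113.5 carrying an assumed ffuf-style
    User-Agent (trivially changed with -H, so a bonus signal only) plus a normal visitor."""
    ts, ua = "12/Mar/2024:10:15:01 +0000", "Fuzz Faster U Fool v2.1.0-dev"
    burst = [f'203.0.113.5 - - [{ts}] "GET /word{i} HTTP/1.1" 404 196 "-" "{ua}"' for i in range(120)]
    burst.append(f'203.0.113.5 - - [{ts}] "GET /w2ksvrus HTTP/1.1" 301 0 "-" "{ua}"')
    normal = [f'198.51.100.7 - - [{ts}] "GET /index.html HTTP/1.1" 200 112 "-" "Mozilla/5.0"'] * 3
    return burst + normal
```

The burst trips the rule on request count and 404 ratio alone; the User-Agent is reported only as supporting context, since a real run can set any header.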
File Fuzzing
While directory fuzzing focuses on finding folders, file fuzzing dives deeper into discovering specific files within those directories or even in the root of the web application. Web applications use various file types to serve content and perform different functions. Some common file extensions include:
- .php: Files containing PHP code, a popular server-side scripting language.
- .html: Files that define the structure and content of web pages.
- .txt: Plain text files, often storing simple information or logs.
- .bak: Backup files created to preserve previous versions of files in case of errors or modifications.
- .js: Files containing JavaScript code that adds interactivity and dynamic functionality to web pages.
By fuzzing for these common extensions with a wordlist of common file names, we increase our chances of discovering files that might be unintentionally exposed or misconfigured, potentially leading to information disclosure or other vulnerabilities.
For example, if the website uses PHP, discovering a backup file like config.php.bak could reveal sensitive information such as database credentials or API keys. Similarly, finding an old or unused script like test.php might expose vulnerabilities that attackers could exploit.
Here is how you can utilize ffuf and a wordlist of common file names to search for hidden files with specific extensions. Note that -e appends each extension to the wordlist entry itself, so with a URL template ending in FUZZ.html the extra candidates become name.php.html, name.txt.html and so on; to request name.php, name.txt, etc. directly, end the URL with the bare FUZZ keyword instead.
m4cc18@htb[/htb]$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://IP:PORT/w2ksvrus/FUZZ.html -e .php,.html,.txt,.bak,.js -v
Output:
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://IP:PORT/w2ksvrus/FUZZ.html
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
:: Extensions : .php .html .txt .bak .js
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
[Status: 200, Size: 111, Words: 2, Lines: 2, Duration: 0ms]
| URL | http://IP:PORT/w2ksvrus/dblclk.html
* FUZZ: dblclk
[Status: 200, Size: 112, Words: 6, Lines: 2, Duration: 0ms]
| URL | http://IP:PORT/w2ksvrus/index.html
* FUZZ: index
:: Progress: [28362/28362] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
The ffuf output shows that it discovered two files within the /w2ksvrus directory:
- dblclk.html: This file is 111 bytes in size and consists of 2 words and 2 lines. Its purpose might not be immediately apparent, but it's a potential point of interest for further investigation. Perhaps it contains hidden content or functionality.
- index.html: This file is slightly larger at 112 bytes and contains 6 words and 2 lines. It's likely the default index page for the w2ksvrus directory.
Exercise
TARGET: 94.237.122.57:59531
Challenge 1
Within the "webfuzzing_hidden_path" path on the target system (i.e. http://IP:PORT/webfuzzing_hidden_path/), fuzz for folders and then files to find the flag.
1. Directory fuzzing
First perform directory fuzzing using ffuf under the "webfuzzing_hidden_path":
┌──(macc㉿kaliLab)-[~]
└─$ ffuf -w ~/SecLists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -u http://94.237.122.57:59531/webfuzzing_hidden_path/FUZZ
- This will take some time, so be patient.
- Note the wordlist used here: it is equivalent to the directory-list-2.3-medium.txt wordlist from SecLists.
Output:
...
flag [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 76ms]
...
- We have found the directory webfuzzing_hidden_path/flag. It responds with a 301, but that at least tells us where we can start.
2. File fuzzing
Secondly, perform file fuzzing using ffuf under the directory we just discovered during our previous directory fuzz:
┌──(macc㉿kaliLab)-[~]
└─$ ffuf -w ~/SecLists/Discovery/Web-Content/common.txt -u http://94.237.122.57:59531/webfuzzing_hidden_path/flag/FUZZ.html -e .php,.html,.txt,.bak,.js -v
Output:
...
[Status: 200, Size: 100, Words: 2, Lines: 2, Duration: 77ms]
| URL | http://94.237.122.57:59531/webfuzzing_hidden_path/flag/flag.html
* FUZZ: flag
...
[Status: 200, Size: 104, Words: 6, Lines: 2, Duration: 77ms]
| URL | http://94.237.122.57:59531/webfuzzing_hidden_path/flag/index.html
* FUZZ: index
...
- We have found two files, flag.html and index.html; the next step is to examine them.
3. Look for the flag
Examine both the flag.html and index.html files to look for any flag-like content. For this, we can use a simple curl command.
┌──(macc㉿kaliLab)-[~]
└─$ curl http://94.237.122.57:59531/webfuzzing_hidden_path/flag/flag.html
Output:
<html><head><title>Index page</title></head><body><h1>HTB{w3b_f1l3_fuzz1ng_fl4g}</h1></body></html>
- There is our flag!
flag: HTB