
Web Application Fuzzing: Finding Hidden Bugs

Fuzzing is the art of throwing unexpected input at applications to discover vulnerabilities, hidden endpoints, and edge cases. This guide covers practical fuzzing techniques for web security testing and CTF competitions.

What is Web Fuzzing?

Web fuzzing automates the process of sending variations of input to web applications, analyzing responses to find:

  • Hidden directories and files
  • Injection vulnerabilities
  • Authentication bypasses
  • Parameter pollution
  • Rate limiting issues

Unlike manual testing, fuzzing scales to test thousands of payloads in minutes.

Essential Fuzzing Tools

ffuf - Fast Web Fuzzer

The modern choice for directory brute-forcing and parameter discovery:

# Directory fuzzing
ffuf -w wordlist.txt -u https://target.com/FUZZ

# Virtual host discovery
ffuf -w vhosts.txt -u https://target.com -H "Host: FUZZ.target.com"

# Parameter fuzzing (quote the URL so the shell does not treat ? and & specially)
ffuf -w params.txt -u "https://target.com/?FUZZ=test"

# POST data fuzzing
ffuf -w payloads.txt -u https://target.com/api -X POST -d "user=FUZZ"

Key features: Fast multithreading, response matching/filtering, multiple wordlist support, easy output formats.

wfuzz - Swiss Army Knife

Versatile tool for complex fuzzing:

# Multiple injection points: FUZZ takes the first wordlist, FUZ2Z the second
wfuzz -w users.txt -w passwords.txt "http://target.com/login?user=FUZZ&pass=FUZ2Z"

# Hide responses by status code (--hc hides, --sc shows only the given codes)
wfuzz -w wordlist.txt --hc 404 http://target.com/FUZZ

Practical Fuzzing Techniques

Directory and File Discovery

Start with common wordlists from SecLists or DirBuster:

# Common files
ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt \
-u https://target.com/FUZZ \
-mc 200,301,302,403

# Backup files
ffuf -w /usr/share/seclists/Discovery/Web-Content/backup-files.txt \
-u https://target.com/FUZZ \
-e .bak,.old,.backup,.swp

Pro tip: Fuzzing with extensions -e .php,.html,.txt,.zip often reveals hidden resources.

Parameter Pollution

Test how applications handle duplicate parameters:

# Test parameter priority
curl "https://target.com/api?id=1&id=2&id=3"

# Array-style parameters
curl "https://target.com/api?user[]=admin&user[]=guest"

Applications, and the proxies, WAFs and frameworks in front of them, may take the first value, the last value, or all of them joined together. When two components in the same request path disagree, a value that passes a check in one component can be the value the other acts on, which is what makes parameter pollution a bypass technique rather than a curiosity.
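The three resolution rules, and the front-end/back-end disagreement they enable, as an added example that is not code from the original page. The framework attributions in the comments are illustrative (first-wins as in Werkzeug's MultiDict, last-wins as in PHP's $_GET, comma-joined as in ASP.NET's QueryString); the functions themselves are self-contained and the allowlist in check_bypass is hypothetical.

```python
from urllib.parse import parse_qsl, urlencode

# Added example, not code from the original page. It models three ways a
# server-side stack can resolve a parameter that appears more than once,
# then shows the bypass that arises when two components in one request
# path disagree. Framework attributions in the comments are illustrative;
# nothing here calls a real framework.


def first_wins(query: str) -> dict:
    """First occurrence wins (e.g. Werkzeug/Flask request.args.get)."""
    out = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        out.setdefault(key, value)
    return out


def last_wins(query: str) -> dict:
    """Last occurrence wins (e.g. PHP's $_GET for a plain key)."""
    out = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        out[key] = value
    return out


def join_all(query: str, sep: str = ",") -> dict:
    """All occurrences concatenated (e.g. ASP.NET Request.QueryString)."""
    out = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        out[key] = f"{out[key]}{sep}{value}" if key in out else value
    return out


def php_array_style(query: str) -> dict:
    """PHP semantics for the user[]=a&user[]=b form: '[]' keys collect into a list."""
    out = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.endswith("[]"):
            out.setdefault(key[:-2], []).append(value)
        else:
            out[key] = value
    return out


def hpp_probe(param: str, values) -> str:
    """Build the duplicated-parameter query string to send to a target."""
    return urlencode([(param, v) for v in values])


def classify_echo(echoed: str, values) -> str:
    """Infer the server's rule from the value it reflected back to us."""
    values = list(values)
    if echoed == values[0]:
        return "first"
    if echoed == values[-1]:
        return "last"
    if echoed == ",".join(values):
        return "all-joined"
    return "unknown"


def check_bypass(query: str, param: str, allowed: set) -> dict:
    """Hypothetical front end validates the first value, back end acts on the
    last. If they disagree, a denied value rides through the check."""
    front = first_wins(query).get(param)
    back = last_wins(query).get(param)
    return {
        "front_end_sees": front,
        "back_end_uses": back,
        "check_passes": front in allowed,
        "bypass": front in allowed and back not in allowed,
    }


if __name__ == "__main__":
    probe = hpp_probe("id", ["1", "2", "3"])  # id=1&id=2&id=3
    for name, fn in (("first", first_wins), ("last", last_wins), ("all", join_all)):
        print(f"{name:>5}: {fn(probe)['id']}")
    print(php_array_style("user[]=admin&user[]=guest"))
    print(check_bypass("user=guest&user=admin", "user", {"guest"}))
```

Send the string from hpp_probe with distinct, recognisable values (1, 2, 3 rather than 1, 1, 1) so that whichever value the target reflects tells you its rule; classify_echo is the lookup for that answer.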

Authentication Bypass Fuzzing

Test authentication mechanisms:

# Username enumeration
ffuf -w usernames.txt -u https://target.com/login \
-X POST -d "username=FUZZ&password=test" \
-fr "Invalid username"

# SQL injection patterns
wfuzz -w /usr/share/seclists/Fuzzing/SQLi/quick-SQLi.txt \
-u https://target.com/login \
-d "username=admin&password=FUZZ"

Filter by response differences: size (-fs), lines (-fl), words (-fw) or regex (-fr); the -ms/-ml/-mw/-mr counterparts match instead of filter. Choose the filter after looking at a known failure response, because a filter that is slightly wrong silently hides the hit.

Header Fuzzing

Test HTTP headers for injection points:

# User-Agent fuzzing
ffuf -w payloads.txt -u https://target.com -H "User-Agent: FUZZ"

# X-Forwarded-For bypass
ffuf -w ips.txt -u https://admin.target.com \
-H "X-Forwarded-For: FUZZ" -mc 200

Many applications trust headers such as X-Forwarded-For, X-Real-IP or X-Original-URL for access control because a reverse proxy normally sets them. Unless that proxy strips client-supplied copies, anyone can send them, so an IP allowlist or path restriction that reads these headers can be bypassed from outside.
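The bypass the ips.txt scan above is looking for, shown as an added example rather than code from the original page: an allowlist check that believes X-Forwarded-For unconditionally next to a hardened version that only honours the header when the TCP peer is the known proxy, and then only the hop that proxy appended. The internal range, proxy address and function names are hypothetical.

```python
import ipaddress

# Added example, not code from the original page. The IP ranges, proxy address
# and function names are hypothetical. The vulnerable check believes whatever
# the client put in X-Forwarded-For; the hardened check honours the header only
# when the TCP peer is a known reverse proxy, and then uses the hop that proxy
# appended (the right-most), ignoring client-supplied entries to its left.

ADMIN_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]     # assumed internal range
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}     # assumed edge proxy


def _is_allowlisted(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_ALLOWLIST)


def vulnerable_is_admin_ip(remote_addr: str, headers: dict) -> bool:
    """Bypassable: the left-most X-Forwarded-For entry is attacker-controlled."""
    xff = headers.get("X-Forwarded-For")
    client_ip = xff.split(",")[0] if xff else remote_addr
    return _is_allowlisted(client_ip)


def hardened_is_admin_ip(remote_addr: str, headers: dict,
                         trusted_proxies=TRUSTED_PROXIES) -> bool:
    """Trust X-Forwarded-For only from the proxy, and only its own appended hop."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    xff = headers.get("X-Forwarded-For")
    if peer not in trusted_proxies or not xff:
        # Direct connection (or header absent): only the TCP peer counts.
        return _is_allowlisted(remote_addr)
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        # Proxy connection with an empty header: no client address to trust.
        return False
    # The proxy appends the address it actually saw; anything to the left
    # arrived in the client's own request and may be forged.
    return _is_allowlisted(hops[-1])


if __name__ == "__main__":
    # Constructed requests: an external attacker forging an internal address.
    forged = {"X-Forwarded-For": "10.0.0.7"}
    print("vulnerable:", vulnerable_is_admin_ip("203.0.113.5", forged))   # True
    print("hardened:  ", hardened_is_admin_ip("203.0.113.5", forged))     # False
    # Same attacker behind the real proxy, which appended their true address.
    via_proxy = {"X-Forwarded-For": "10.0.0.7, 203.0.113.5"}
    print("hardened via proxy:", hardened_is_admin_ip("192.0.2.10", via_proxy))  # False
```

With several chained trusted proxies the same idea applies: walk the list from the right, discard addresses that belong to your own proxies, and stop at the first one that does not. The left-most entry is never the answer.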

Building Effective Wordlists

Extract keywords from target site:

# Spider and extract unique words
cewl https://target.com -d 2 -m 5 -w wordlist.txt

# Combine multiple sources
cat wordlist1.txt wordlist2.txt | sort -u > combined.txt

Build wordlists based on reconnaissance:

  • Technology stack (Laravel → routes, api, admin)
  • Industry (finance → payment, transaction, account)
  • Framework patterns (Django → api/v1, admin/, static/)
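The cewl + sort -u pipeline and the recon-driven seeding above, done offline as an added example that is not code from the original page. The seed tables and the sample HTML are constructed for the demonstration; no site is spidered, and the extension expansion mirrors what ffuf's -e flag does so the list is ready for either tool.

```python
import re
from pathlib import Path
from typing import Iterable, List

# Added example, not part of the original page. It does offline what the
# cewl + sort -u pipeline does, seeds the list from recon findings, then
# expands it the way ffuf's -e flag would. All inputs are constructed.

WORD_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{2,}")

# Recon-driven seed words (hypothetical stack/industry tables for the example)
TECH_SEEDS = {
    "laravel": ["routes", "api", "admin", "storage", "artisan", "telescope"],
    "django": ["api/v1", "admin", "static", "media"],
}
INDUSTRY_SEEDS = {
    "finance": ["payment", "transaction", "account", "invoice", "ledger"],
}


def extract_words(html: str, min_len: int = 5) -> List[str]:
    """cewl-style: strip tags, keep words of at least min_len characters."""
    text = re.sub(r"<[^>]+>", " ", html)
    return [w.lower() for w in WORD_RE.findall(text) if len(w) >= min_len]


def dedupe(words: Iterable[str]) -> List[str]:
    """Order-preserving unique; sort -u would lose the 'best guesses first' order."""
    seen, out = set(), []
    for w in words:
        if w not in seen:
            seen.add(w)
            out.append(w)
    return out


def with_extensions(words: Iterable[str], exts: Iterable[str]) -> List[str]:
    """Mirror ffuf -e: emit each word bare, then once per extension."""
    exts = list(exts)
    out = []
    for w in words:
        out.append(w)
        out.extend(f"{w}{e}" for e in exts)
    return out


def build_wordlist(pages: Iterable[str], stacks: Iterable[str], industries: Iterable[str],
                   exts: Iterable[str] = (".php", ".bak", ".old")) -> List[str]:
    """Seeds first (highest-value guesses for a quick scan), spidered words after."""
    seeds = []
    for s in stacks:
        seeds += TECH_SEEDS.get(s, [])
    for i in industries:
        seeds += INDUSTRY_SEEDS.get(i, [])
    spidered = [w for page in pages for w in extract_words(page)]
    return with_extensions(dedupe(seeds + spidered), exts)


if __name__ == "__main__":
    sample_pages = [  # constructed HTML, not fetched from anywhere
        "<html><a href='/checkout'>Checkout</a> Manage your invoices and statements</html>",
        "<p>Download the quarterly report. Contact billing support.</p>",
    ]
    words = build_wordlist(sample_pages, ["laravel"], ["finance"])
    Path("combined.txt").write_text("\n".join(words) + "\n")
    print(len(words), "entries written to combined.txt")
```

Keeping the seed words at the top matters for the progressive strategy below: the first few hundred entries of the list are what the quick scan sees, so put the recon-derived guesses there rather than letting sort -u bury them alphabetically.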

Fuzzing Strategies

Progressive Fuzzing

1. Quick scan - Small wordlist (1k-5k entries)
2. Medium scan - Targeted wordlist (10k-50k)
3. Deep scan - Large comprehensive list (100k+)

Start fast, then dive deeper based on findings.

Response Analysis

Look beyond status codes (ffuf's -ac flag auto-calibrates the filters against random inputs, so the catch-all page is filtered out before you start reading):

  • Size anomalies - A response whose length, word or line count differs from the catch-all page is the one to open first
  • Timing - Responses that are consistently slower than the rest usually hit a database or heavy back-end logic, even when the body looks unremarkable
  • Error messages - Stack traces and framework error pages reveal technology details and sometimes file paths
  • Redirect chains - 302 → 200 may mean a bypass worked; 302 → /login means the path exists but is auth-gated
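A triage pass over a fuzzer's JSON output that applies the four checks above, as an added example that is not code from the original page. Field names follow the layout ffuf writes with `-o out.json -of json` (results[].input, status, length, words, lines, redirectlocation, url, duration); the duration field is assumed to be nanoseconds, as Go's time.Duration serialises. SAMPLE_SCAN is constructed, not the output of a real scan.

```python
import json
import statistics
import sys
from collections import Counter

# Added example, not code from the original page. It triages fuzzer output
# offline. Field names follow the layout ffuf writes with `-o out.json -of json`;
# "duration" is assumed to be nanoseconds, as Go's time.Duration serialises.
# SAMPLE_SCAN is constructed, not the output of a real scan.

SAMPLE_SCAN = json.dumps({"results": [
    {"input": {"FUZZ": "xyzzy"},   "status": 200, "length": 4312, "words": 611,  "lines": 97,  "redirectlocation": "",       "url": "https://target.example/xyzzy",   "duration": 38_000_000},
    {"input": {"FUZZ": "notreal"}, "status": 200, "length": 4312, "words": 611,  "lines": 97,  "redirectlocation": "",       "url": "https://target.example/notreal", "duration": 41_000_000},
    {"input": {"FUZZ": "test123"}, "status": 200, "length": 4312, "words": 611,  "lines": 97,  "redirectlocation": "",       "url": "https://target.example/test123", "duration": 36_000_000},
    {"input": {"FUZZ": "admin"},   "status": 302, "length": 0,    "words": 1,    "lines": 1,   "redirectlocation": "/login", "url": "https://target.example/admin",   "duration": 40_000_000},
    {"input": {"FUZZ": "backup"},  "status": 403, "length": 312,  "words": 22,   "lines": 9,   "redirectlocation": "",       "url": "https://target.example/backup",  "duration": 39_000_000},
    {"input": {"FUZZ": "search"},  "status": 200, "length": 9870, "words": 1502, "lines": 240, "redirectlocation": "",       "url": "https://target.example/search",  "duration": 910_000_000},
]})

REDIRECTS = {301, 302, 303, 307, 308}


def load_results(raw_json: str) -> list:
    return json.loads(raw_json)["results"]


def signature(r: dict) -> tuple:
    return (r["status"], r["length"], r["words"], r["lines"])


def baseline_signature(results: list) -> tuple:
    """The most common (status, length, words, lines) tuple is almost always the
    catch-all / soft-404 page; anything else deserves a look."""
    return Counter(signature(r) for r in results).most_common(1)[0][0]


def timing_outliers(results: list, factor: float = 5.0) -> list:
    """Names whose response took more than factor x the median duration."""
    median = statistics.median(r["duration"] for r in results)
    return [r["input"]["FUZZ"] for r in results if r["duration"] > factor * median]


def triage(results: list) -> list:
    """Return (name, reason) pairs for results that differ from the baseline."""
    baseline = baseline_signature(results)
    findings = []
    for r in results:
        name = r["input"]["FUZZ"]
        if signature(r) == baseline:
            continue
        if r["status"] in REDIRECTS and r["redirectlocation"]:
            findings.append((name, f"redirect to {r['redirectlocation']}: likely auth-gated, follow and diff"))
        elif r["status"] == 403:
            findings.append((name, "403: path exists, try case/encoding/header bypasses"))
        else:
            findings.append((name, f"size anomaly: {r['status']} len={r['length']} vs baseline len={baseline[1]}"))
    for name in timing_outliers(results):
        findings.append((name, "timing outlier: possible database query or heavy processing"))
    return findings


if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCAN
    for name, reason in triage(load_results(raw)):
        print(f"{name:<12} {reason}")
```

Run it as `python triage.py out.json` against a real scan saved with -o/-of json. The baseline is taken from the scan itself rather than a fixed size, which is what makes it survive a soft-404 page that changes length with every deploy.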

Rate Limiting Awareness

Avoid IP bans and WAF lockouts by slowing down: ffuf's -p adds a delay between requests, -t lowers the thread count and -rate caps requests per second.

# Add a delay between requests (seconds; a range such as 0.1-2.0 randomises it)
ffuf -w wordlist.txt -u https://target.com/FUZZ -p 0.5

# Route traffic through a proxy (ffuf takes a single proxy; rotation needs a rotating upstream proxy)
ffuf -w wordlist.txt -u https://target.com/FUZZ -x http://proxy:8080

Common CTF Fuzzing Patterns

Hidden admin panels - Fuzz /admin, /panel, /dashboard, /manager
Backup files - .bak, .old, .swp, .save, ~
Config files - .env, .git/config, wp-config.php, web.config
API versions - /api/v1, /api/v2, /api/internal
Debug endpoints - /debug, /test, /dev, /staging

Quick CTF Script

#!/bin/bash
set -u
TARGET=${1:?usage: $0 https://target.com}
TARGET=${TARGET%/}   # drop a trailing slash so $TARGET/FUZZ does not become //FUZZ
WL=/usr/share/seclists/Discovery/Web-Content

echo "[+] Quick directory fuzz"
ffuf -w "$WL/common.txt" \
-u "$TARGET/FUZZ" -mc 200,301,302,403 -t 50

echo "[+] Backup file check"
ffuf -w "$WL/backup-files.txt" \
-u "$TARGET/FUZZ" -mc 200 -t 50

Fuzzing Best Practices

Start with reconnaissance - Know your target before fuzzing
Filter noise - Use response size/content filters to reduce false positives
Test locally first - Understand application behavior before live testing
Respect scope - Only fuzz authorized targets
Document findings - Keep logs of successful payloads

Conclusion

Fuzzing transforms manual testing into automated discovery. Master these tools and techniques to find hidden vulnerabilities faster, whether in CTF challenges or real-world assessments.

Start with directory fuzzing, progress to parameter testing, and always analyze responses carefully. The difference between a 404 and a 403 can be the key to finding your next bug.

Happy fuzzing!