☑️Fuzzing - Parameters

GET

ffuf -w /opt/useful/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php?FUZZ=key -fs xxx

POST

The main difference between POST requests and GET requests is that POST requests are not passed with the URL and cannot simply be appended after a ? symbol. POST requests are passed in the data field within the HTTP request.

So, let us repeat what we did earlier, but place our FUZZ keyword after the -d flag:

ffuf -w /opt/useful/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx

For example, lets say id is a valid parameter. And if so then we will get something like 'Invalid ID' to tell us that the id parameter works.

With that we can do Value Fuzzing

ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx

PreviousFuzzing - Domain NextIntroduction

Last updated 1 year ago

hashtagGET

hashtagPOST

GET

POST