Fuzzing is an automated testing technique: you feed a program, or a web site, a large volume of generated input and watch how it reacts.
Software developers use fuzzing to harden their own code. A fuzzer sends strings of characters (usually malformed or otherwise unexpected ones) into a program’s input streams to see whether any of them trigger memory-safety bugs, unhandled errors or crashes.
A hacker will use fuzzing differently. In web reconnaissance, fuzzing (also called content discovery or directory brute-forcing) helps to discover pages or directories in a web application that no link points to. The pages discovered this way may belong to a new version of the site still under development, or to parts of an older site that have been largely forgotten but never taken offline. Both may contain useful information, such as developer credentials or hints about where else on the site other useful data can be found.
Fuzzing typically helps penetration testers or bug bounty hunters widen the attack surface they can work with, by mapping out the target web site beyond what can be found by simply navigating it.
Fuzzing tools like Dirb, FFUF or Gobuster take a list of commonly used words (a wordlist), append each word to the target URL, and report which candidates respond, usually with the HTTP status code and the response size of each hit. A 404 means nothing is there; a 200, 301, 401 or 403 means something is, even if you cannot read it yet. One caveat: some sites answer 200 to every path (a catch-all or “soft 404” page), and then the whole wordlist lights up. Filter on response size, or use FFUF’s -ac auto-calibration option, so that responses identical to the catch-all page are dropped.
Fuzzing can also be used for subdomain enumeration (guessing which subdomains of the target domain exist beyond the ones you already know), either by resolving candidate names in DNS or by sending them in the Host header of requests to the web server.
Fuzzing can also be used to try to gain access to restricted sections of a web site by guessing user name and password combinations. This can be done using Burp Suite’s Intruder module, or even FFUF: both can iterate over two wordlists at once, one of user names and one of passwords.
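To make concrete what Dirb, FFUF and Gobuster do under the hood, here is a minimal content-discovery fuzzer, added as an example for this post (it is not code from the post or from any of those tools). It walks a wordlist, keeps the interesting status codes, calibrates against a random path so a catch-all site does not flood you with false hits, and throttles the request stream as the advice further down recommends. The target, its paths and the wordlist are constructed in-process so the script runs offline; the ffuf flags named in the comments are the real ones, the rest is hypothetical.

```python
"""Minimal content-discovery fuzzer (added example, not from the original post
or from Dirb/FFUF/Gobuster). Target and wordlist are constructed in-process."""
import http.client
import http.server
import random
import string
import threading
import time

# Constructed target: a couple of "forgotten" paths, one restricted path,
# everything else 404. Stands in for a real web site.
KNOWN_PATHS = {
    "/": (200, b"<html>home</html>", {}),
    "/backup": (200, b"index of /backup\nconfig.php.bak\n", {}),
    "/admin": (403, b"Forbidden", {}),
    "/v2": (301, b"", {"Location": "/v2/"}),
}

# Constructed wordlist; real ones (SecLists, dirb's common.txt) have thousands of entries.
WORDLIST = ["admin", "backup", "v2", "images", "old", "login"]


class TargetHandler(http.server.BaseHTTPRequestHandler):
    catch_all = False  # True simulates a site that answers 200 to every path

    def do_GET(self):
        status, body, headers = KNOWN_PATHS.get(self.path, (404, b"Not Found", {}))
        if status == 404 and self.catch_all:
            status, body = 200, b"<html>soft 404 page</html>"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet
        pass


def start_target(catch_all):
    """Start the constructed target on an ephemeral port; return (server, host, port)."""
    TargetHandler.catch_all = catch_all
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), TargetHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[0], srv.server_address[1]


def fetch(host, port, path):
    """GET one path and return (status, body size). http.client does not follow
    redirects, which matches ffuf's default (it needs -r to follow them)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"User-Agent": "mini-fuzzer"})
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()


def fuzz(host, port, wordlist, delay=0.0,
         match_codes=(200, 204, 301, 302, 307, 401, 403)):
    """Request every candidate path; return {path: (status, size)} for the hits.

    Mirrors the tools' defaults: keep responses whose status is in match_codes,
    drop 404s, and suppress anything that looks like the catch-all baseline."""
    # Auto-calibration (what ffuf -ac does): probe a path that cannot exist. If the
    # server still answers with a "match" status, remember that response's shape
    # and treat every identical response as noise rather than a finding.
    junk = "/" + "".join(random.choices(string.ascii_lowercase, k=24))
    base_status, base_size = fetch(host, port, junk)
    baseline = (base_status, base_size) if base_status in match_codes else None

    hits = {}
    for word in wordlist:
        path = "/" + word.strip("/")
        status, size = fetch(host, port, path)
        if status in match_codes and (status, size) != baseline:
            hits[path] = (status, size)
        time.sleep(delay)  # throttle: ffuf -p/-rate, gobuster --delay, dirb -z
    return hits


def demo(catch_all):
    """Run the fuzzer against a fresh constructed target and return its hits."""
    srv, host, port = start_target(catch_all)
    try:
        return fuzz(host, port, WORDLIST, delay=0.02)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for mode in (False, True):
        print("catch-all site:" if mode else "normal site:")
        for path, (status, size) in demo(mode).items():
            print(f"  {status} {size:>6}  {path}")
```

Run it and both modes report the same three findings (/backup, /admin and the /v2 redirect), even though the catch-all site answers 200 to /images, /old and /login as well: the calibration probe measured the soft-404 page once and filtered it out. Drop the baseline check and the second run lists every word in the list, which is exactly the false-positive flood you get from ffuf without -ac or an -fs size filter on such a site. The sleep between requests is the crude form of the throttling described below; the real tools implement it as a requests-per-second cap.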
Ready to get your hands dirty? Install and try out Dirb or – my personal favourite – FFUF.
One important word of advice, however:
Fuzzing sends a massive stream of requests to the target web site, often hundreds per second. That is why fuzzing tools include throttling options (a delay between requests, or a cap on requests per second) that let you slow the stream down. Fuzzing with no control over the request rate may trip a web application firewall or rate limiter and get your IP address blocked, or, in the worst case, overload and damage the application itself.
So make sure you stay inside a practice environment or within the scope of a pentest or bug bounty engagement, and please don’t go on a rampage fuzzing random web sites on the Internet, okay?