
Web Application Fuzzing & Enumeration

This cheatsheet covers heavy directory brute-forcing, Virtual Host (VHost) discovery, and parameter mapping. This is where you map out the attack surface of the custom application logic (PHP, Laravel, Spring Boot, etc.) running on top of the web server.

VHost Fuzzing

Often, a single IP address hosts multiple web applications. If the web server doesn't receive a recognized Host header, it serves a default page. We must fuzz the Host header to find hidden administrative or development portals.

Fuzz the Host header while pointing the request at the target IP.
Use -fs (filter size) to hide every response whose body matches the size of the default fallback page.

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://10.10.10.10/ -H "Host: FUZZ.target.thm" -fs 2450 

Gobuster's dedicated vhost mode

gobuster vhost -u http://target.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain 

Rabbit Hole

If every single VHost fuzzing request returns a 200 OK or 302 Redirect, you are hitting a wildcard DNS record or a default server catch-all. You must actively filter these out using -fs (filter size), -fw (filter words), or -fc (filter status code) in ffuf to spot the true anomalies.


Directory & File Fuzzing

Map the application's structure. Tailor your wordlists and file extensions to the backend technology discovered during infrastructure recon.

Fuzzing with specific extensions (e.g., PHP and Laravel-heavy environments)

ffuf -u http://target.thm/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -e .php,.txt,.env,.bak -t 50 -mc 200,204,301,302,403 

Recursive fuzzing. Excellent for deeply nested API endpoints or CMS structures.

feroxbuster -u http://target.thm -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 --depth 3 -x php,txt 

Efficiency

Always check for framework-specific files. If you suspect Laravel, prioritize .env and phpunit.xml. If you suspect Spring Boot, fuzz for /actuator/env and /heapdump.


Parameter Fuzzing

If you find an endpoint that behaves differently or returns a blank page (e.g., index.php), it might be waiting for a hidden GET or POST parameter to trigger a function (LFI, SSRF, Command Injection).

Fuzzing for hidden GET parameters (e.g., ?page=, ?cmd=, ?url=)

ffuf -u "http://target.thm/index.php?FUZZ=id" -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fs 1024
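Detection counterpart to the three techniques on this page, added here as an example and not part of the original cheatsheet: it parses constructed access-log lines (an assumed nginx log_format with the Host header appended as the last quoted field) and flags clients whose traffic pattern matches directory brute-forcing, VHost fuzzing, or parameter fuzzing. The thresholds are illustrative assumptions, not tuned values.

```python
import re
from collections import defaultdict

# Constructed access-log sample (not from the page): combined format with the
# Host header appended as a final quoted field, an assumed custom log_format.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 1024 "target.thm"
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /backup.bak HTTP/1.1" 404 1024 "target.thm"
10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET /.env HTTP/1.1" 404 1024 "target.thm"
10.10.14.9 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 2450 "admin.target.thm"
10.10.14.9 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 2450 "dev.target.thm"
10.10.14.9 - - [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 2450 "staging.target.thm"
10.10.14.12 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=id HTTP/1.1" 200 1024 "target.thm"
10.10.14.12 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?cmd=id HTTP/1.1" 200 1024 "target.thm"
10.10.14.12 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?url=id HTTP/1.1" 200 1024 "target.thm"
192.168.1.20 - - [01/Jan/2024:10:00:07 +0000] "GET /about HTTP/1.1" 200 3100 "target.thm"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<host>[^"]*)"$')

def parse_log(text):
    # Lines that do not match the assumed format are skipped rather than raising.
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

def detect_enumeration(events, min_requests=3, notfound_ratio=0.6, min_hosts=3, min_params=3):
    """Return {client_ip: [reason, ...]} for clients whose traffic looks like fuzzing."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        if len(evs) < min_requests:
            continue  # too little traffic to judge
        reasons = []
        # Directory brute force: mostly 404s spread across many distinct paths.
        paths = {e["path"].split("?", 1)[0] for e in evs}
        not_found = sum(e["status"] == "404" for e in evs) / len(evs)
        if not_found >= notfound_ratio and len(paths) >= min_requests:
            reasons.append("dir-bruteforce")
        # VHost fuzzing: one client cycling through many Host values. Status is
        # deliberately ignored, since a catch-all vhost answers 200 to all of them.
        if len({e["host"] for e in evs}) >= min_hosts:
            reasons.append("vhost-fuzzing")
        # Parameter fuzzing: many distinct query parameter names from one client.
        params = {kv.split("=", 1)[0] for e in evs if "?" in e["path"]
                  for kv in e["path"].split("?", 1)[1].split("&")}
        if len(params) >= min_params:
            reasons.append("param-fuzzing")
        if reasons:
            findings[ip] = reasons
    return findings
```

Feeding this real logs requires matching LOG_RE to the server's actual log_format and raising the thresholds to fit normal traffic volume.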