← Back to search

Vhost & Parameter Fuzzing with Wfuzz

enumerationtool

Summary

Uses Wfuzz for virtual host discovery (FUZZ in the Host header) and parameter fuzzing (FUZZ in the query string), hiding noise responses by character count with --hh.

Walkthrough

Use wfuzz to brute-force virtual hosts via the Host header and to discover hidden GET parameters.

Steps

  • For vhosts, place FUZZ in the Host: header with a DNS wordlist; hide the default response by character count using --hh.
  • For parameter discovery, place FUZZ in the query string (e.g. ?FUZZ=) with a parameter-names wordlist.
  • Pass authenticated session cookies with -H "Cookie: ..." when needed.

Commands

bash

wfuzz -u http://<IP> -H "Host: FUZZ.<TARGET>" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hh 1131

bash

wfuzz -u http://<IP> -H "Host: FUZZ.<TARGET>" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

bash

wfuzz -u https://<TARGET>/admin/?FUZZ= -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -H "Cookie: PHPSESSID=jtde06u71uq4t7pvs59b8iis1o" --hh 1678