Vhost & Parameter Fuzzing with Wfuzz
enumerationtool
Summary
Uses Wfuzz for virtual host discovery (FUZZ in the Host header) and parameter fuzzing (FUZZ in the query string), hiding noise responses by character count with --hh.
Walkthrough
Use wfuzz to brute-force virtual hosts via the Host header and to discover hidden GET parameters.
Steps
- For vhosts, place
FUZZin theHost:header with a DNS wordlist; hide the default response by character count using--hh. - For parameter discovery, place
FUZZin the query string (e.g.?FUZZ=) with a parameter-names wordlist. - Pass authenticated session cookies with
-H "Cookie: ..."when needed.
Commands
bash
wfuzz -u http://<IP> -H "Host: FUZZ.<TARGET>" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hh 1131
bash
wfuzz -u http://<IP> -H "Host: FUZZ.<TARGET>" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
bash
wfuzz -u https://<TARGET>/admin/?FUZZ= -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -H "Cookie: PHPSESSID=jtde06u71uq4t7pvs59b8iis1o" --hh 1678