WEB

Introduction

Nowadays, websites are built with many technologies: databases, web development frameworks, programming languages, APIs, data formats, protocols and browsers. Each of them has specific vulnerabilities that the developer should be aware of, which is not always the case, as the OWASP Top Ten shows.
This section covers several vulnerabilities worth checking during a web pentest.

Form fuzzing

During a web vulnerability assessment, the web page will most likely have one or several POST forms asking for user data.
Fuzzing the forms might allow you to brute force credentials or discover vulnerabilities like SSTI, SQLi, XSS, etc.
ffuf -w "./usuarios.txt:USERS" -w "./wordlist.txt:PASSWDS" -t 60 -u http://<URL>/login -H "Content-Type: application/json;charset=utf-8" -X POST -d '{"username":"USERS","password":"PASSWDS"}'
You may also need to encode the data (URL encoding, base64, etc.) before sending it to the server. To do so, you need to use wfuzz because ffuf doesn't support it.
wfuzz -u http://<URL>/search -H 'Content-Type: application/x-www-form-urlencoded' -X POST -d 'name=FUZZ' -z file,/usr/share/wordlists/SecLists/Fuzzing/special-chars.txt,urlencode
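
From the defender's side, both runs above show up in access logs as a burst of POSTs from one client to one form path. The following is an added example, not part of the original page: it flags such bursts with a sliding window, assuming combined-format logs in time order; the function names, the thresholds and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip - - [timestamp] "METHOD path PROTO" status size
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(line):
    """Return (ip, timestamp, method, path, status), or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def find_form_fuzzing(lines, threshold=20, window=timedelta(seconds=10)):
    """Flag (ip, path) pairs that send >= threshold POSTs inside the window."""
    recent = defaultdict(deque)  # (ip, path) -> timestamps still in the window
    errors = defaultdict(int)    # (ip, path) -> POSTs answered with 4xx/5xx
    flagged = {}
    for ip, ts, method, path, status in filter(None, map(parse, lines)):
        if method != "POST":
            continue
        key = (ip, path)
        errors[key] += status >= 400
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that left the window
            q.popleft()
        if len(q) >= threshold:
            peak = max(flagged.get(key, {"peak": 0})["peak"], len(q))
            flagged[key] = {"peak": peak, "errors": errors[key]}
    return flagged

def sample_log():
    """Constructed sample: one noisy client and one normal user."""
    fmt = '{ip} - - [10/Mar/2024:12:00:{s:02d} +0000] "POST /login HTTP/1.1" {c} 512'
    burst = [fmt.format(ip="203.0.113.7", s=i // 12, c=401) for i in range(60)]
    normal = [fmt.format(ip="198.51.100.4", s=s, c=c) for s, c in [(3, 401), (40, 200)]]
    return sorted(burst + normal, key=lambda line: parse(line)[1])

if __name__ == "__main__":
    for (ip, path), hit in find_form_fuzzing(sample_log()).items():
        print(f"{ip} -> {path}: {hit['peak']} POSTs in 10s, {hit['errors']} errors")
```

Access logs do not record POST bodies, so the check relies on request rate and response status only; tune the threshold and window to the form's normal traffic.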