Parameter Fuzzing Tools

Comprehensive collection of parameter fuzzing tools and techniques for web application security testing.

FFuF (Fuzz Faster U Fool)

Basic Parameter Fuzzing

# Basic parameter fuzzing (FUZZ goes where the parameter name goes;
# "http://TARGET_URL/FUZZ" would fuzz the path, not a parameter)
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value"

# With POST data (ffuf needs -X POST and a Content-Type for form bodies; -d alone is not enough)
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/" -X POST -d "FUZZ=value" -H "Content-Type: application/x-www-form-urlencoded"

# With GET parameters
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value"

# With multiple parameters (keep known parameters so the page renders normally and only FUZZ is new)
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value&id=1"

# With output file (ffuf writes JSON by default; -of csv, html, md, ecsv or all change the format)
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -o results.json

# With explicit JSON output file, or newline-delimited JSON on stdout for piping into jq
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -o results.json -of json
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -json

# With verbose output (full URL and redirect location per hit)
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -v

# With silent output (no banner or progress, results only)
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -s

Advanced FFuF Options

# Match only specific status codes (-mc; the ffuf default matcher is 200-299,301,302,307,401,403,405,500)
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -mc 200,204,301,302,307,401,403

# Filter out status codes (-fc; -fs is filter by response size, not by status)
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -fc 404,500

# Filter by response size or word count: the usual way to drop the "unknown parameter" response,
# since most applications answer 200 whether or not they read the parameter
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -fs 1523
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -fw 210

# Auto-calibrate: ffuf requests junk values first and filters responses that match that baseline
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -ac

# With threads (default 40)
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -t 50

# With delay between requests in seconds, fixed or a random range (-d is POST data in ffuf, not delay)
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -p 1
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -p 0.5-2.0

# With a requests-per-second cap
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -rate 10

# With cookies
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -b "PHPSESSID=abc123"

# With headers
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -H "User-Agent: CustomAgent"

# With proxy (-x, not -p; -replay-proxy sends only the matched requests through the proxy, e.g. into Burp)
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -x http://127.0.0.1:8080
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -replay-proxy http://127.0.0.1:8080

# With authentication (ffuf has no user:password option; send the Authorization header yourself)
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -H "Authorization: Basic $(printf 'admin:password' | base64)"
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -H "Authorization: Bearer TOKEN"

# HTTPS targets: ffuf does not verify server certificates, so self-signed hosts need no extra flag
ffuf -w /usr/share/wordlists/parameter-names.txt -u "https://TARGET_URL/?FUZZ=value"

# Recursion only applies to path fuzzing with FUZZ at the end of the URL; it does nothing for parameters
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/FUZZ" -recursion -recursion-depth 2

# With a second wordlist for values: name each wordlist with its own keyword, and use clusterbomb
# to try every name/value combination (request count is names x values, so keep both lists short)
ffuf -w /usr/share/wordlists/parameter-names.txt:PARAM -w /usr/share/wordlists/parameter-values.txt:VAL -u "http://TARGET_URL/?PARAM=VAL" -mode clusterbomb

# Fuzz the values of one known parameter
ffuf -w /usr/share/wordlists/parameter-values.txt -u "http://TARGET_URL/?id=FUZZ"

Wfuzz

Basic Parameter Fuzzing

# Basic parameter fuzzing (FUZZ in the query string; http://TARGET_URL/FUZZ would fuzz the path)
wfuzz -w /usr/share/wordlists/parameter-names.txt "http://TARGET_URL/?FUZZ=value"

# With POST data (-d switches the request to POST)
wfuzz -w /usr/share/wordlists/parameter-names.txt -d "FUZZ=value" http://TARGET_URL/

# With GET parameters
wfuzz -w /usr/share/wordlists/parameter-names.txt "http://TARGET_URL/?FUZZ=value"

# With multiple parameters (quote the URL, otherwise the shell treats & as a job separator)
wfuzz -w /usr/share/wordlists/parameter-names.txt "http://TARGET_URL/?FUZZ=value&id=1"

# With output file (-f file,printer; -o selects the printer for stdout, it does not take a filename)
wfuzz -w /usr/share/wordlists/parameter-names.txt -f results.txt "http://TARGET_URL/?FUZZ=value"

# With JSON output
wfuzz -w /usr/share/wordlists/parameter-names.txt -f results.json,json "http://TARGET_URL/?FUZZ=value"

# With verbose output
wfuzz -w /usr/share/wordlists/parameter-names.txt -v "http://TARGET_URL/?FUZZ=value"

# Quieter output: wfuzz has no silent flag (-s is the inter-request delay); hide the noise instead
wfuzz -w /usr/share/wordlists/parameter-names.txt --hc 404 "http://TARGET_URL/?FUZZ=value"

Advanced Wfuzz Options

# Show only specific status codes
wfuzz -w /usr/share/wordlists/parameter-names.txt --sc 200,204,301,302,307,401,403 "http://TARGET_URL/?FUZZ=value"

# Hide status codes (--hc; --ss and --hs show/hide by regex on the response, not by status)
wfuzz -w /usr/share/wordlists/parameter-names.txt --hc 404,500 "http://TARGET_URL/?FUZZ=value"

# Hide responses that look like the baseline, by chars (--hh), words (--hw) or lines (--hl)
wfuzz -w /usr/share/wordlists/parameter-names.txt --hh 1523 "http://TARGET_URL/?FUZZ=value"
wfuzz -w /usr/share/wordlists/parameter-names.txt --hw 210 "http://TARGET_URL/?FUZZ=value"

# With threads (concurrent connections, default 10)
wfuzz -w /usr/share/wordlists/parameter-names.txt -t 50 "http://TARGET_URL/?FUZZ=value"

# With delay in seconds between requests (-d is POST data in wfuzz, not delay)
wfuzz -w /usr/share/wordlists/parameter-names.txt -s 1 "http://TARGET_URL/?FUZZ=value"

# With cookies
wfuzz -w /usr/share/wordlists/parameter-names.txt -b "PHPSESSID=abc123" "http://TARGET_URL/?FUZZ=value"

# With headers
wfuzz -w /usr/share/wordlists/parameter-names.txt -H "User-Agent: CustomAgent" "http://TARGET_URL/?FUZZ=value"

# With proxy (ip:port:type, type HTTP, SOCKS4 or SOCKS5; repeat -p to spread requests over several proxies)
wfuzz -w /usr/share/wordlists/parameter-names.txt -p 127.0.0.1:8080:HTTP "http://TARGET_URL/?FUZZ=value"

# With HTTP basic authentication (--ntlm and --digest also exist; -u is not an option)
wfuzz -w /usr/share/wordlists/parameter-names.txt --basic admin:password "http://TARGET_URL/?FUZZ=value"

# HTTPS targets need no extra flag; wfuzz does not validate the server certificate
wfuzz -w /usr/share/wordlists/parameter-names.txt "https://TARGET_URL/?FUZZ=value"

# Recursion (-R depth) is for path discovery with FUZZ in the path, not for parameters
wfuzz -w /usr/share/wordlists/parameter-names.txt -R 2 http://TARGET_URL/FUZZ

# With a wordlist for values: the second payload keyword is FUZ2Z (not FUZZ2);
# the default iterator "product" tries every name/value combination
wfuzz -w /usr/share/wordlists/parameter-names.txt -w /usr/share/wordlists/parameter-values.txt "http://TARGET_URL/?FUZZ=FUZ2Z"

# Pair the two lists line by line instead of taking the full product
wfuzz -m zip -w /usr/share/wordlists/parameter-names.txt -w /usr/share/wordlists/parameter-values.txt "http://TARGET_URL/?FUZZ=FUZ2Z"

Burp Suite

Burp Suite has no command-line fuzzer of the ffuf/wfuzz kind; a "burp -u ... -w ..." invocation does not exist. Parameter fuzzing in Burp is done with Intruder from the GUI. The Pro REST API and headless mode drive the scanner, not Intruder.

Basic Parameter Fuzzing (Intruder)

  • Capture a request to the target in Proxy, right-click it and choose Send to Intruder.
  • In the Positions tab, clear the default markers and wrap the parameter name: GET /?§name§=value HTTP/1.1 for a query parameter, or §name§=value in the body for POST.
  • Attack type Sniper, one payload set: load the parameter-name wordlist under Payloads (Simple list, Load).
  • Start the attack and sort the results table by Status and Length; rows that differ from the bulk of the table are the candidates, because most applications return the same 200 page whether or not they read the parameter.

Advanced Intruder Options

  • Name and value at once: mark both positions (§name§=§value§), choose Cluster bomb and assign one wordlist per position. The request count is names x values, so keep both lists short.
  • Headers and cookies: put the marker in the header line (§X-Header§: value) or inside the Cookie header (Cookie: §name§=value; PHPSESSID=abc123).
  • Encoding: payload processing rules (URL-encode, Base64, hashing) transform every payload before it is sent.
  • Throttling: the Resource pool tab sets concurrent requests and a fixed or random delay between them; Intruder in Community edition is rate-limited regardless.
  • Grep - Match and Grep - Extract in the Options tab flag responses containing the reflected value or an error string, which is a stronger signal than the status code alone.
  • Proxy and TLS: Intruder reuses Burp's upstream proxy and TLS settings (Settings > Network), so self-signed certificates need no extra configuration.
  • Results: Save > Results table in the attack window exports the table for offline filtering.

Custom Scripts

Python Parameter Fuzzer

import queue
import random
import string
import threading
import time

import requests


def random_token(n=12):
    return "".join(random.choices(string.ascii_lowercase, k=n))


def baseline(url):
    """Fetch reference responses for a parameter name the application cannot know.

    A candidate parameter is only interesting if its response differs from this;
    checking for status 200 alone reports every entry in the wordlist on most sites.
    """
    junk = random_token()
    get = requests.get(url, params={junk: "test"}, timeout=5, allow_redirects=False)
    post = requests.post(url, data={junk: "test"}, timeout=5, allow_redirects=False)
    return {"GET": (get.status_code, len(get.content)),
            "POST": (post.status_code, len(post.content))}


def parameter_fuzzer(url, wordlist_file, threads=10, delay=0):
    ref = baseline(url)
    work = queue.Queue()

    def report(method, parameter, response):
        signature = (response.status_code, len(response.content))
        if signature != ref[method]:
            location = response.headers.get("Location", "")
            extra = f" -> {location}" if location else ""
            print(f"[{method}] {parameter} - {signature[0]} len={signature[1]}{extra}")

    def worker():
        while True:
            parameter = work.get()
            if parameter is None:          # shutdown sentinel
                work.task_done()
                break
            try:
                r = requests.get(url, params={parameter: "test"}, timeout=5, allow_redirects=False)
                report("GET", parameter, r)
                r = requests.post(url, data={parameter: "test"}, timeout=5, allow_redirects=False)
                report("POST", parameter, r)
                time.sleep(delay)
            except requests.RequestException as e:
                print(f"[ERR] {parameter}: {e}")
            finally:
                work.task_done()

    workers = [threading.Thread(target=worker, daemon=True) for _ in range(threads)]
    for t in workers:
        t.start()

    # Queue the wordlist, skipping blank lines
    with open(wordlist_file) as f:
        for line in f:
            parameter = line.strip()
            if parameter:
                work.put(parameter)

    # One sentinel per worker, then wait for the queue to drain
    for _ in workers:
        work.put(None)
    work.join()


# Usage
if __name__ == "__main__":
    parameter_fuzzer("http://TARGET_URL", "/usr/share/wordlists/parameter-names.txt", threads=20, delay=0.1)

Bash Parameter Fuzzer

#!/bin/bash

TARGET_URL="http://TARGET_URL"
WORDLIST="/usr/share/wordlists/parameter-names.txt"
THREADS=10

# Baseline: status code and body size for a parameter name the application cannot know.
# A candidate is only reported when its response differs from this, because
# most applications answer 200 for every unknown parameter.
JUNK="zz${RANDOM}${RANDOM}"
BASE_GET=$(curl -s -o /dev/null -w "%{http_code}:%{size_download}" "${TARGET_URL}?${JUNK}=test")
BASE_POST=$(curl -s -o /dev/null -w "%{http_code}:%{size_download}" -d "${JUNK}=test" "$TARGET_URL")

# Function to check one parameter name via GET and POST
check_parameter() {
    local parameter=$1
    local test_url="${TARGET_URL}?${parameter}=test"
    local response

    # Test GET parameter
    response=$(curl -s -o /dev/null -w "%{http_code}:%{size_download}" "$test_url")
    [ "$response" != "$BASE_GET" ] && echo "[GET] $parameter - $response (baseline $BASE_GET)"

    # Test POST parameter
    response=$(curl -s -o /dev/null -w "%{http_code}:%{size_download}" -d "${parameter}=test" "$TARGET_URL")
    [ "$response" != "$BASE_POST" ] && echo "[POST] $parameter - $response (baseline $BASE_POST)"
    return 0
}

# Export function and variables for parallel
export -f check_parameter
export TARGET_URL BASE_GET BASE_POST

# Run parallel parameter check, skipping blank lines
grep -v '^$' "$WORDLIST" | parallel -j "$THREADS" check_parameter {}

Wordlists

Common Parameter Wordlists

# SecLists parameter wordlist (Kali package path; adjust if SecLists is cloned elsewhere)
/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt

# Custom parameter wordlists (placeholder paths used throughout this page; build them from the target itself)
/usr/share/wordlists/custom/parameter-names.txt
/usr/share/wordlists/custom/parameter-values.txt
/usr/share/wordlists/custom/api-parameters.txt

# Generate a small custom wordlist
echo "id,user,admin,test,debug,dev,prod,staging" | tr ',' '\n' > custom_parameters.txt

Creating Custom Wordlists

# Extract parameter names from JavaScript: query-string keys inside string literals,
# plus names passed to searchParams.get() and FormData/URLSearchParams .append()
grep -ohP '[?&]\K[A-Za-z0-9_\-]+(?==)' *.js | sort -u > js_parameters.txt
grep -ohP '(?:searchParams\.get|\.append)\(\s*["\x27]\K[A-Za-z0-9_\-]+' *.js | sort -u >> js_parameters.txt

# Extract parameter names from HTML forms (name= attributes)
grep -ohP '\bname="\K[^"]+' *.html | sort -u > form_parameters.txt

# Extract keys from JSON (API documentation, example requests)
grep -ohP '"\K[A-Za-z0-9_\-]+(?="\s*:)' *.json | sort -u > api_parameters.txt

# Combine multiple wordlists
cat wordlist1.txt wordlist2.txt wordlist3.txt | sort -u > combined_wordlist.txt

# Remove empty lines and duplicates
grep -v '^$' wordlist.txt | sort -u > clean_wordlist.txt
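The grep one-liners above each catch one pattern. The following is an added example, not code from the original page, that does the same extraction in Python over several source types at once (query strings and searchParams/FormData calls in JavaScript, name= attributes in HTML forms, object keys in JSON) and de-duplicates the result into a wordlist. The sample sources are constructed for the example; the regexes are a starting set to extend with the target's own framework idioms.

```python
import json
import re

# Where parameter names usually surface in client-side code (constructed starting set)
PATTERNS = [
    # ?foo=1&bar=2 inside string literals
    re.compile(r'[?&]([A-Za-z_][A-Za-z0-9_\-\[\]]*)='),
    # new URL(...).searchParams.get('name')
    re.compile(r'searchParams\.get\(\s*["\']([A-Za-z_][A-Za-z0-9_\-]*)["\']'),
    # <input name="name"> in HTML
    re.compile(r'\bname\s*=\s*["\']([A-Za-z_][A-Za-z0-9_\-\[\]]*)["\']'),
    # FormData / URLSearchParams .append('name', ...)
    re.compile(r'\.append\(\s*["\']([A-Za-z_][A-Za-z0-9_\-]*)["\']'),
]
IDENT = re.compile(r'^[A-Za-z_][A-Za-z0-9_\-]*$')


def json_keys(text):
    """Recursively collect identifier-shaped object keys from a JSON document."""
    keys = set()

    def walk(node):
        if isinstance(node, dict):
            for k, v in node.items():
                if IDENT.match(k):
                    keys.add(k)
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)

    try:
        walk(json.loads(text))
    except ValueError:
        pass  # not JSON; the regex patterns still run over it
    return keys


def extract_parameters(sources):
    """sources: iterable of (filename, text). Returns a sorted, de-duplicated wordlist."""
    found = set()
    for name, text in sources:
        if name.endswith(".json"):
            found |= json_keys(text)
        for pat in PATTERNS:
            found.update(pat.findall(text))
    return sorted(found)


# Constructed sample inputs standing in for files pulled from the target
SAMPLE_SOURCES = [
    ("app.js", """
        fetch('/api/search?q=' + term + '&page=' + p + '&debug=1');
        const uid = new URL(location).searchParams.get('user_id');
        const fd = new FormData(); fd.append('csrf_token', tok);
    """),
    ("login.html", """
        <input type="text" name="username"><input type="password" name="password">
        <input type="hidden" name="redirect_url" value="/">
    """),
    ("api.json", '{"user": {"id": 1, "email": "a@example.test"}, "include_deleted": false, "@meta": {}}'),
]

if __name__ == "__main__":
    # Redirect stdout to a file to get a wordlist usable with ffuf -w
    print("\n".join(extract_parameters(SAMPLE_SOURCES)))
```

Run it over the real files with a small loop that reads each file into the (filename, text) tuples; feeding the JavaScript of the target's own front end usually yields a wordlist far smaller and more relevant than a generic one.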

Fuzzing Techniques

GET Parameter Fuzzing

# Basic GET parameter fuzzing
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value"

# With multiple parameters (keep the known ones so the page renders normally and only FUZZ is new)
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value&id=1&name=test"

# With a specific value the application is likely to act on (a username, an id, a boolean)
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=admin"
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=1"

# With URL-encoded values (%61%64%6d%69%6e is "admin"; a different response from the plain value
# shows the backend decodes the input a second time)
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=%61%64%6d%69%6e"

POST Parameter Fuzzing

# Basic POST parameter fuzzing (form body: -X POST plus the Content-Type header)
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/" -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "FUZZ=value"

# With multiple parameters
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/" -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "FUZZ=value&id=1&name=test"

# With specific values
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/" -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "FUZZ=admin"

# With encoded values
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/" -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "FUZZ=%61%64%6d%69%6e"

# JSON bodies for APIs: FUZZ works inside the body string as well
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/api/v1/users" -X POST -H "Content-Type: application/json" -d '{"FUZZ": "value"}'

Header Fuzzing

# Basic header fuzzing
ffuf -w /usr/share/wordlists/header-names.txt -u "http://TARGET_URL/" -H "FUZZ: value"

# With multiple headers
ffuf -w /usr/share/wordlists/header-names.txt -u "http://TARGET_URL/" -H "FUZZ: value" -H "X-Custom: test"

# With specific values (e.g. an internal hostname or IP for X-Forwarded-For style headers)
ffuf -w /usr/share/wordlists/header-names.txt -u "http://TARGET_URL/" -H "FUZZ: 127.0.0.1"

# Percent-encoded values in headers are sent literally; servers do not URL-decode header values,
# so this only tests how the application handles the raw %xx sequence
ffuf -w /usr/share/wordlists/header-names.txt -u "http://TARGET_URL/" -H "FUZZ: %61%64%6d%69%6e"

Cookie Fuzzing

# Basic cookie fuzzing
ffuf -w /usr/share/wordlists/cookie-names.txt -u "http://TARGET_URL/" -b "FUZZ=value"

# With multiple cookies (keep the real session cookie so the authenticated page is the baseline)
ffuf -w /usr/share/wordlists/cookie-names.txt -u "http://TARGET_URL/" -b "FUZZ=value; PHPSESSID=abc123"

# With specific values
ffuf -w /usr/share/wordlists/cookie-names.txt -u "http://TARGET_URL/" -b "FUZZ=admin"

# With encoded values (cookie values are usually URL-decoded by the framework, unlike headers)
ffuf -w /usr/share/wordlists/cookie-names.txt -u "http://TARGET_URL/" -b "FUZZ=%61%64%6d%69%6e"
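Every technique in this section relies on the same judgement: a parameter is only "found" when the response differs from what the application returns for a name it does not know, or when the value is reflected. The following is an added example, not part of the original page, that shows that differential check end to end against a constructed target: a tiny local HTTP app (standard library only, served on an ephemeral loopback port) that reads exactly two query parameters, and a discovery routine that detects them from a baseline comparison and a reflection check. The app, the parameter names and the canary value are all invented for the example.

```python
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class DemoApp(BaseHTTPRequestHandler):
    """Constructed target: reads 'q' (reflected) and 'debug' (extra output), ignores the rest."""

    def do_GET(self):
        qs = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        body = "<html><body><h1>Catalogue</h1><p>Items: 3</p>"
        if "q" in qs:
            body += f"<p>Results for {qs['q'][0]}</p>"       # reflected search term
        if "debug" in qs:
            body += "<pre>SQL: SELECT * FROM items</pre>"    # hidden debug switch
        body += "</body></html>"
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the demo quiet


def fetch(url):
    with urllib.request.urlopen(url, timeout=5) as r:
        return r.status, r.read().decode()


def discover_parameters(base_url, names, canary="zq7pxw"):
    """Differential discovery: compare each candidate to a baseline request made with a
    name the application cannot know. Returns {parameter: reason} for the ones that matter."""
    base_status, base_body = fetch(f"{base_url}?nosuchparam_{canary}={canary}")
    findings = {}
    for name in names:
        status, body = fetch(f"{base_url}?{urllib.parse.quote(name)}={canary}")
        if canary in body and canary not in base_body:
            findings[name] = "reflected"            # value echoed: injection candidate
        elif status != base_status:
            findings[name] = f"status {base_status}->{status}"
        elif len(body) != len(base_body):
            findings[name] = f"length {len(base_body)}->{len(body)}"
        # identical status and length: the application ignored the parameter
    return findings


def run_demo(names=("foo", "debug", "q", "bar")):
    """Start the constructed target on a free loopback port, run discovery, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), DemoApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return discover_parameters(f"http://127.0.0.1:{server.server_port}/", list(names))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, why in run_demo().items():
        print(f"{name}: {why}")
```

Against a real target, replace the wordlist tuple with the file contents and drop the demo server; the length comparison should get a small tolerance on pages that embed timestamps or CSRF tokens, which is exactly what ffuf's -ac and the -fs/-fw filters approximate.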

Best Practices

Rate Limiting

# Add delay between requests (seconds, fixed or random range)
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -p 1

# Cap requests per second
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -rate 10

# Use fewer threads
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -t 10

# Route through a proxy (-x; ffuf takes one proxy and does not rotate, so rotation has to happen in the proxy itself)
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -x http://proxy1:8080

Stealth Mode

# Use a realistic User-Agent (ffuf has no -a flag; set it as a header)
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# Use realistic, jittered delays
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -p 1-3

# Use smaller, target-specific wordlists (names harvested from the target's own JavaScript and forms
# produce far fewer requests than a generic list)
ffuf -w js_parameters.txt -u "http://TARGET_URL/?FUZZ=value"

Output Analysis

# Save results to file (JSON by default; plain grep on the file matches numbers anywhere in the record)
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -o results.json -of json

# Filter by status code with jq
jq -r '.results[] | select(.status==200) | .input.FUZZ' results.json
jq -r '.results[] | select(.status==403) | .input.FUZZ' results.json
jq -r '.results[] | select(.status==301 or .status==302) | "\(.input.FUZZ) -> \(.redirectlocation)"' results.json

# Sort by response size; the sizes that differ from the bulk belong to parameters the application reads
jq -r '.results[] | "\(.length)\t\(.status)\t\(.input.FUZZ)"' results.json | sort -n

# Or let ffuf baseline for you: -ac filters responses that match the auto-calibrated default response
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -ac
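When a scan was run without -ac and saved with -o, the baseline can still be recovered afterwards: the response signature shared by most entries is what the application returns for unknown parameters, and everything else is worth a look. The following is an added example, not code from the original page, that reads ffuf's JSON output, takes the modal (status, words) signature and modal length as the baseline, and lists the outliers with an optional byte tolerance for pages that vary slightly between requests. The sample results are constructed to look like ffuf's format; the field names (results, input, status, length, words) are ffuf's, the values are invented.

```python
import json
import sys
from collections import Counter


def find_outliers(ffuf_json_text, tolerance=0):
    """Return [(parameter, status, length), ...] for results that differ from the baseline.

    Baseline = the most common (status, words) pair across all results, plus the most
    common length among results with that status. A result is an outlier if its status
    or word count differs, or its length is further than `tolerance` bytes from baseline.
    """
    results = json.loads(ffuf_json_text).get("results", [])
    if not results:
        return []
    modal_status, modal_words = Counter(
        (r["status"], r["words"]) for r in results).most_common(1)[0][0]
    modal_length = Counter(
        r["length"] for r in results if r["status"] == modal_status).most_common(1)[0][0]

    outliers = []
    for r in results:
        name = next(iter(r["input"].values()))        # {"FUZZ": "debug"} -> "debug"
        if (r["status"], r["words"]) != (modal_status, modal_words) \
                or abs(r["length"] - modal_length) > tolerance:
            outliers.append((name, r["status"], r["length"]))
    return sorted(outliers)


# Constructed sample in ffuf's -o JSON layout (values invented for the example)
SAMPLE_FFUF_OUTPUT = json.dumps({
    "commandline": "ffuf -w names.txt -u http://TARGET_URL/?FUZZ=1 -o results.json",
    "results": [
        {"input": {"FUZZ": "foo"},   "status": 200, "length": 1523, "words": 210, "lines": 40},
        {"input": {"FUZZ": "bar"},   "status": 200, "length": 1523, "words": 210, "lines": 40},
        {"input": {"FUZZ": "id"},    "status": 200, "length": 1611, "words": 225, "lines": 42},
        {"input": {"FUZZ": "debug"}, "status": 200, "length": 4890, "words": 600, "lines": 97},
        {"input": {"FUZZ": "admin"}, "status": 403, "length": 162,  "words": 20,  "lines": 5},
        {"input": {"FUZZ": "baz"},   "status": 200, "length": 1523, "words": 210, "lines": 40},
    ],
})

if __name__ == "__main__":
    # Usage: python3 analyse_ffuf.py results.json [tolerance]; with no file, runs on the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FFUF_OUTPUT
    tol = int(sys.argv[2]) if len(sys.argv) > 2 else 0
    for name, status, length in find_outliers(text, tol):
        print(f"{name}\t{status}\t{length}")
```

A tolerance of a few dozen bytes is usually enough to absorb a timestamp or per-request token in the page; anything larger than that hides real findings, so it is better to filter by words (-fw in ffuf) than to widen the length window.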

Troubleshooting

Common Issues

# Connection timeouts: raise the per-request timeout (seconds) and lower concurrency
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -timeout 15 -t 5

# Too many requests (429 or WAF blocks): slow down
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -p 2 -rate 5

# Invalid or self-signed certificate: no flag needed, ffuf does not verify server certificates
ffuf -w /usr/share/wordlists/parameter-names.txt -u "https://TARGET_URL/?FUZZ=value"

# Authentication required: send the session cookie or an Authorization header (there is no user:password option)
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -b "PHPSESSID=abc123"
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -H "Authorization: Basic $(printf 'admin:password' | base64)"

Performance Optimization

# Use an appropriate thread count (default 40; more is rarely faster against a rate-limited target)
ffuf -w /usr/share/wordlists/parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -t 20

# Use a smaller wordlist for the initial scan, and let ffuf drop the baseline response
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u "http://TARGET_URL/?FUZZ=value" -ac

# Use wordlists specific to the target type (API, framework) or harvested from the target itself
ffuf -w /usr/share/wordlists/api-parameter-names.txt -u "http://TARGET_URL/api/v1/users?FUZZ=value"

Ethical Considerations

  • Always obtain proper authorization before testing
  • Respect rate limits and server resources
  • Use appropriate wordlists for the target
  • Document findings properly
  • Follow responsible disclosure practices