Climbing Mount WebAppSec – Discovering Directories & Files with Wfuzz

This is the second part of my mini-series on “Domain Discovery”. The first part is here.

Following Jason Haddix’s Bug Hunters Methodology, I’m at phase three: Mapping.

Discovering the domain falls into two parts. The first is to the left of the domain (subdomains) and the second is to the right of the domain (directories/files).

In this post I will cover directories/files.

As with subdomains the premise in discovering directories/files is to firstly enlarge the attack surface and in the process find some easier wins. Directories and files may be forgotten in the mists of time, or may be part of the website admin/functionality the webmaster assumed would never be publicly accessed, as they are not directly linkable from within the website.

There are a number of tools available to us for brute-forcing website directories and files – sometimes known as “Forced-Browsing” – but I have settled on two: Wfuzz & ZAP.

I will be covering ZAP in the next post.

As a quick aside, GoBuster comes highly recommended for this task, but I simply struggled with installation of the Go programming language. Note however, GoBuster is successfully utilised for subdomain brute-forcing within the brutesubs Docker container which I talk about here.

Right, Wfuzz.

I found this command-line tool great fun to work with and very easy to use.

Wfuzz comes pre-installed in TrustedSec’s Penetration Testers Framework (PTF) – I have blogged about this framework and would heartily encourage you to install and have a play. Wfuzz can be found in the Vulnerability-Analysis module.

Before I move on to Wfuzz usage – a quick reminder from the discovering subdomains post:

A VERY important aspect of this job is the wordlists fed to the tools.

My advice at this stage is to go and grab all of the wordlists inside SecLists on Github (courtesy of Jason Haddix (again) and Daniel Miessler).

The wordlists of particular interest to us can be found in the “Web Content” folder within “Discovery”.

As you can see there’s a huge number of lists to choose from. My favourites so far:

– SVNDigger – You can read about these here.

– Top1000-RobotsDisallowed – Wordlists compiled from URLs webmasters *did not* want spidered for one reason or another.

– Raft Lists – Because Jason Haddix said so!

Anyway, there are enough wordlists to play around with for weeks.

Now to Wfuzz – from the website:

Wfuzz was created to facilitate the task in web applications assessments and it is based on a simple concept: it replaces any reference to the keyword FUZZ by the value of a given payload. A payload in Wfuzz is a source of data.

And here’s an example:

wfuzz -c -w /pentest/seclists/Discovery/Web_Content/Top100-RobotsDisallowed.txt --hc 404 https://stuartwintertear.net/FUZZ

Note the position of “FUZZ” – you place this wherever you want Wfuzz to insert the keywords from the wordlists.

-c is for output with colours (which I like) | -w is for the wordlist | --hc 404 removes all HTTP 404 results from the output, which is needed as we get a lot!

There are many more configurations you can employ: -h for all options.
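
The 404s that --hc 404 hides on the client side are still written to the target's access log, and that is what a defender sees. The following is an added example, not code from the original post or from Wfuzz: a Python check that flags clients requesting many distinct paths that mostly return 404. The Common Log Format input, the thresholds, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Common Log Format: ip ident user [time] "METHOD path PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def find_forced_browsing(lines, min_requests=5, min_404_ratio=0.8):
    """Return {client_ip: (distinct_paths, ratio_404)} for clients whose
    traffic looks like wordlist-driven directory/file guessing."""
    paths = defaultdict(set)    # ip -> distinct paths requested
    misses = defaultdict(set)   # ip -> distinct paths that returned 404
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue            # skip malformed lines rather than crash
        ip, _method, path, status = m.groups()
        path = path.split("?", 1)[0]   # ignore query strings when counting
        paths[ip].add(path)
        if status == "404":
            misses[ip].add(path)
    flagged = {}
    for ip, seen in paths.items():
        ratio = len(misses[ip]) / len(seen)
        if len(seen) >= min_requests and ratio >= min_404_ratio:
            flagged[ip] = (len(seen), round(ratio, 2))
    return flagged

def log_line(ip, path, status):
    return f'{ip} - - [10/Oct/2023:13:55:36 +0000] "GET {path} HTTP/1.1" {status} 153'

# Constructed sample: 203.0.113.7 walks a wordlist, 198.51.100.4 browses normally.
SAMPLE_LOG = (
    [log_line("203.0.113.7", p, 404) for p in ("/backup/", "/old/", "/tmp/", "/private/", "/cgi-bin/")]
    + [log_line("203.0.113.7", "/admin/", 200)]
    + [log_line("198.51.100.4", p, 200) for p in ("/", "/about/", "/blog/", "/contact/")]
    + [log_line("198.51.100.4", "/favicon.ico", 404)]
)

if __name__ == "__main__":
    print(find_forced_browsing(SAMPLE_LOG))
```

The thresholds need tuning per site: a single missing favicon or broken link produces the occasional 404 for ordinary visitors, which is why the check uses a ratio over distinct paths rather than a raw 404 count.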

One issue I did have with Wfuzz was my inability to output results to file, but the author of the tool (Xavi Mendez) put me right on that score:

This is a superb tool. Very fast, very simple and great fun.