# GET Request Fuzzing

![[images/Pasted image 20251116191922.png]]

- `GET` parameters are usually passed right after the URL, following a `?` symbol
- For example, `http://admin.academy.htb:PORT/admin/admin.php?param1=key`
- To fuzz the parameter name, we place the `FUZZ` keyword where the name would go (`-fs xxx` filters out responses whose size matches the default "invalid parameter" response, so `xxx` is replaced with that size)

```shell
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php?FUZZ=key -fs xxx -c -ic
```

![[images/Pasted image 20251116192140.png]]
![[images/Pasted image 20251116192230.png]]

# POST Request Fuzzing

- The main difference between `POST` and `GET` requests is that `POST` parameters are not passed in the URL, so they cannot simply be appended after a `?` symbol
- Instead, `POST` parameters are passed in the `data` field (the request body) of the HTTP request
- To fuzz the data field with `ffuf` we use the `-d` flag
- We also have to use the `-X POST` flag so that `ffuf` sends `POST` requests, and set the `Content-Type` header that form data is sent with

```bash
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx -c -ic
```

![[images/Pasted image 20251116192437.png]]

- After fuzzing, we can send a `POST` request with the identified parameter using `curl`

```bash
curl http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded'
```

![[images/Pasted image 20251116192503.png]]
![[images/Pasted image 20251116192527.png]]

# Value Fuzzing

- After finding a working parameter, we now have to fuzz for the correct value
- When it comes to fuzzing parameter values, we may not always find a pre-made wordlist that works for us, as each parameter expects a certain type of value
- For some parameters, like usernames, we can find a pre-made wordlist of potential usernames, or we may create our own based on users that may be using the website
- In other cases, like custom parameters, we may have to develop our own wordlist
- In this case, we can guess that the `id` parameter accepts a numeric input of some sort

## Custom Wordlist

- This `for` loop creates monotonically increasing id values from 1 to 1000

```bash
for i in $(seq 1 1000); do echo $i >> ids.txt; done
```

![[images/Pasted image 20251116192640.png]]

## Value Fuzzing with Custom Wordlist

- Now we can use the custom wordlist generated above, `ids.txt`, to fuzz the `id` parameter value

```bash
ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx -c -ic
```

![[images/Pasted image 20251116192733.png]]

- After fuzzing, we can send a `POST` request with the identified value using `curl`

```bash
curl http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded'
```

![[images/Pasted image 20251116192828.png]]
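A defender-side counterpart to the parameter and value fuzzing above, as an added example that is not part of the original note: a small Python detector that reads constructed web-server access log lines and flags the pattern this kind of fuzzing leaves behind (a burst from one client to one path with many distinct query-parameter names, or with near-identical response sizes, or carrying ffuf's default User-Agent). The log format, thresholds, sample lines and helper names are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Assumed combined log format: client, timestamp, request line, status, size, referer, user-agent
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
                    r'\d{3} (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    return {"ip": m["ip"], "method": m["method"], "path": url.path, "ua": m["ua"],
            "params": {k for k, _ in parse_qsl(url.query, keep_blank_values=True)},
            "size": 0 if m["size"] == "-" else int(m["size"])}

def detect_param_fuzzing(lines, min_requests=20, min_param_names=10, same_size_ratio=0.9):
    """Flag (client, method, path) groups with many distinct parameter names (GET name fuzzing)
    or almost all responses the same size (the invalid-parameter page that -fs filters out;
    POST bodies are not logged, so size is the signal there), or ffuf's default User-Agent."""
    groups = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        groups[(rec["ip"], rec["method"], rec["path"])].append(rec)
    findings = []
    for (ip, method, path), recs in groups.items():
        names = set().union(*(r["params"] for r in recs))
        top_size, top_count = Counter(r["size"] for r in recs).most_common(1)[0]
        reasons = []
        if any("Fuzz Faster U Fool" in r["ua"] for r in recs):  # ffuf default unless changed with -H
            reasons.append("ffuf default User-Agent")
        if len(recs) >= min_requests and len(names) >= min_param_names:
            reasons.append(f"{len(names)} distinct parameter names")
        if len(recs) >= min_requests and top_count / len(recs) >= same_size_ratio:
            reasons.append(f"{top_count}/{len(recs)} responses of size {top_size}")
        if reasons:
            findings.append({"ip": ip, "method": method, "path": path, "count": len(recs), "reasons": reasons})
    return findings

# Constructed sample log (not real traffic): 25 GET probes with different parameter names,
# 25 POSTs that all get the same-size response, and two ordinary browser requests.
PARAM_NAMES = ("id user page q token debug admin key lang file name action view cmd dir "
               "type sort order limit offset format mode ref next redirect").split()

def _line(ip, method, target, size, ua):
    return f'{ip} - - [16/Nov/2025:19:19:22 +0000] "{method} {target} HTTP/1.1" 200 {size} "-" "{ua}"'

SAMPLE_LOG = ([_line("10.0.0.5", "GET", f"/admin/admin.php?{p}=key", 1235, "curl/8.4.0") for p in PARAM_NAMES]
              + [_line("10.0.0.5", "POST", "/admin/admin.php", 1235, "curl/8.4.0") for _ in range(25)]
              + [_line("10.0.0.9", "GET", "/index.php", 5120, "Mozilla/5.0"),
                 _line("10.0.0.9", "GET", "/admin/admin.php?id=73", 2048, "Mozilla/5.0")])
```

Running `detect_param_fuzzing(SAMPLE_LOG)` reports the two bursts from `10.0.0.5` and nothing for the browsing client; in production the groups would additionally be bounded by a time window.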