Table of Contents
BBC Ch 25: Automated Vulnerability Discovery / Fuzzing
Source: Bug Bounty Bootcamp by Vickie Li
Top bug bounty hunters automate the majority of their workflow: continuous recon, automated scanning, and immediate verification when a potential vulnerability is flagged. Fuzzing (fuzz testing) drives a large share of new CVE discoveries and is equally applicable to web applications.
What Is Fuzzing?
Fuzzing is the process of sending a wide range of invalid and unexpected data to an application and monitoring it for exceptions. The goal is to induce unexpected behavior (crashes, errors, unexpected output) and determine whether it is exploitable.
Web application fuzzing targets common injection points to expose vulnerabilities like XSS, SQL injection, IDORs, open redirects, and authentication bypass – without requiring source code access.
How a Web Fuzzer Works
A web fuzzer replaces marked injection points in requests with strings from a wordlist, fires the requests, and tracks server responses. Wfuzz uses the keyword FUZZ as the injection point marker:
wfuzz -w wordlist.txt http://example.com/FUZZ
This generates one request per wordlist entry, substituting FUZZ with each string.
The 4-Step Fuzzing Process
Step 1: Determine Data Injection Points
Identify all locations where user input enters the application: URL path segments, query parameters, POST body parameters, HTTP headers, cookies.
Classify injection points by likely vulnerability:
# IDOR candidates -- numeric IDs GET /email_inbox?user_id=FUZZ POST /delete_user (body: user_id=FUZZ) # XSS candidates -- search/display fields GET /search?q=FUZZ POST /send_email (body: title=FUZZ&body=FUZZ)
Step 2: Choose the Payload List
Match the wordlist to the vulnerability type:
- Path enumeration: directory wordlists (SecLists
Discovery/Web-Content/) - IDOR/ID fuzzing: numeric ranges (1-10000)
- XSS: XSS payload lists (SecLists
Fuzzing/XSS/) - SQLi: SQL injection wordlists (SecLists
Fuzzing/SQLi/) - Auth brute-force: credential lists (SecLists
Passwords/)
Recommended resources:
- Big List of Naughty Strings: https://github.com/minimaxir/big-list-of-naughty-strings/
Also try randomly generated payloads – extremely long strings, mixed encodings, special characters (newline, null byte, line feed) – to provoke unexpected behavior and discover new vulnerability classes.
Step 3: Fuzz
Burp Intruder (GUI, integrated with Burp proxy):
- Right-click any intercepted request → “Send to Intruder”
- Highlight injection points; click “Add”
- Configure payload list in the Payloads tab
- Note: free Burp throttles requests per minute; use Wfuzz for faster results
Wfuzz (CLI, unrestricted):
pip install wfuzz
Common Wfuzz commands:
Path enumeration (hide 404s, follow redirects):
wfuzz -w wordlist.txt -f output.txt --hc 404 --follow http://example.com/FUZZ
IDOR scanning:
wfuzz -w ids.txt http://example.com/view_inbox?user_id=FUZZ
HTTP Basic auth brute-force (single wordlist):
wfuzz -w wordlist.txt -H "Authorization: Basic FUZZ" http://example.com/admin
HTTP Basic auth brute-force (username + password lists):
wfuzz -w usernames.txt -w passwords.txt --basic FUZZ:FUZ2Z http://example.com/admin
Open redirect testing (verbose + follow to detect redirects):
wfuzz -w wordlist.txt -v --follow http://example.com?redirect=FUZZ
XSS reflection detection (filter for reflected payloads):
wfuzz -w xss.txt --filter "content~FUZZ" http://example.com/search?q=FUZZ
SQLi via POST body:
wfuzz -w sqli.txt -d "user_id=FUZZ" http://example.com/get_user
Step 4: Monitor Results
Interpret responses based on the vulnerability type being tested:
| Vulnerability | What to look for |
|---|---|
| Path enum | 200 status = valid path; 404 = not found |
| IDOR | 200 with content vs 403/404; response length differences |
| SQLi | Response time spike (time-based), length increase (data extracted), status code change |
| XSS | Payload reflected in response (use content~FUZZ filter) |
| Open redirect | Redirect to your domain (use –follow -v) |
Think of fuzzing as a metal detector – it finds suspicious spots; you inspect them manually to confirm and assess impact.
Fuzzing vs. Static Analysis
| Static Analysis | Fuzzing | |
| Source code required | Yes | No |
| Tests live behavior | No | Yes |
| Finds logic errors | Yes | Rarely |
| Finds injection bugs | Yes | Yes |
| Black-box friendly | No | Yes |
Use both: static analysis when source is available, fuzzing for black-box targets. Neither replaces manual testing for business logic errors and multi-step vulnerabilities.
Pitfalls
- Rate limiting: the server may throttle or ban your IP; use
–delayin Wfuzz when necessary; always obtain permission before heavy fuzzing - Limited impact assessment: without source code, classifying a bug's severity requires additional manual testing
- Misses logic errors: fuzzing won't catch business logic bugs or vulnerabilities requiring multiple coordinated steps
- False positives: always manually verify each anomaly before reporting
Building Your Toolkit
- Read the documentation and source code of every tool you add (Wfuzz, Sublist3r, etc.)
- Understanding how tools work teaches you how to write your own
- Modify open source tools to add features; contribute back if useful
- Automate recon and basic scanning; spend manual time on logic and chaining
4-Step Checklist
- Identify all data injection points in the target; classify each by likely vulnerability.
- Select appropriate payload wordlists (SecLists, FuzzDB) for each injection type.
- Run Wfuzz against each injection point with the matching payload list; throttle if necessary to avoid disruption.
- Analyze results for status code, response length, and response time anomalies; manually verify each candidate before reporting.