---
name: directory-fuzzing
description: Discover hidden directories, files, and endpoints on a web server
origin: RedteamOpencode
---

# Directory Fuzzing

## When to Activate

- Web server identified, need hidden content discovery
- Looking for admin panels, backups, configs, API endpoints
- After identifying web technology (for targeted wordlists)

## Tools

- `run_tool ffuf` (primary)
- `run_tool gobuster` (fallback)
- `run_tool curl` (verification)

## Methodology
### 1. Baseline Response

Record how the server answers a path that cannot exist; every later filter is tuned against this response (a "soft 404" site answers 200 with a fixed size, so status alone is not enough).

```bash
run_tool curl -s -o /dev/null -w "Code: %{http_code}, Size: %{size_download}" https://TARGET/nonexistent12345
```
### 2. Common Path Discovery

```bash
run_tool ffuf -u https://TARGET/FUZZ -w /usr/share/wordlists/dirb/common.txt -fc 404
run_tool ffuf -u https://TARGET/FUZZ -w /usr/share/wordlists/dirb/common.txt -ac   # Auto-calibrate filters from baseline responses
run_tool gobuster dir -u https://TARGET -w /usr/share/wordlists/dirb/common.txt -t 50   # Fallback
```
### 3. Extension Fuzzing

```bash
run_tool ffuf -u https://TARGET/FUZZ -w /usr/share/wordlists/dirb/common.txt \
  -e .php,.html,.js,.txt,.bak,.old,.conf,.xml,.json,.yml,.env,.log,.sql,.zip,.tar.gz
# Tech-specific: PHP (.phps, .phtml, .inc); ASP (.aspx, .config); Java (.jsp, .do, .action)
```
### 4. Filter Tuning

```bash
-fc 404,403,301        # Filter out responses with these status codes
-fs 1234               # Filter out responses of this size (e.g. the baseline size)
-fw 42 / -fl 10        # Filter by word count / line count
-mc 200,301,302,403    # Match only these status codes
```
### 5. Recursive Discovery

```bash
run_tool ffuf -u https://TARGET/FUZZ -w /usr/share/wordlists/dirb/common.txt -ac -recursion -recursion-depth 2
run_tool ffuf -u https://TARGET/admin/FUZZ -w /usr/share/wordlists/dirb/common.txt -ac   # Re-fuzz a discovered directory
```
### 6. Wordlist Escalation

```bash
# L1: /usr/share/wordlists/dirb/common.txt (~4,600 entries)
# L2: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt (~20,000 entries)
# L3: /usr/share/wordlists/dirbuster/directory-list-2.3-big.txt (~220,000 entries)
# Specialized: /usr/share/seclists/Discovery/Web-Content/raft-medium-{directories,files}.txt
# API: /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt
```
### 7. Backup and Sensitive Files

```bash
run_tool ffuf -u https://TARGET/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt \
  -e .bak,.old,.orig,.save,.swp,.tmp,~,.copy

# Probe well-known sensitive files directly; report anything that is not a plain 404
for f in .env .git/config .htaccess web.config wp-config.php .DS_Store; do
  code=$(run_tool curl -s -o /dev/null -w "%{http_code}" "https://TARGET/$f")
  [ "$code" != "404" ] && echo "$f -> $code"
done

# Exposed version-control metadata
run_tool curl -s https://TARGET/.git/HEAD
run_tool curl -s https://TARGET/.svn/entries | head -5
```
### 8. Virtual Host / Subdomain

```bash
run_tool ffuf -u https://TARGET -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  -H "Host: FUZZ.TARGET" -ac
```
### 9. Output

```bash
run_tool ffuf -u https://TARGET/FUZZ -w wordlist.txt -ac -o $DIR/scans/dir_fuzz_results.json -of json
run_tool curl -sI https://TARGET/discovered_path   # Verify a hit by hand
```
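Added example (not part of the original playbook or of ffuf): an offline triage of the JSON written in step 9 that applies the step 1 baseline and the step 4 filters, so a reviewer can see which hits survive without re-running the scan. The result layout (a top-level `results` list with `input`, `status`, `length`, `words`, `lines`, `url`) and the sample data are assumed/constructed here.

```python
"""Triage ffuf JSON output: replay the soft-404 baseline check and the -fc / -mc filters."""
import json
from collections import defaultdict

# Constructed sample in the assumed shape of `ffuf -of json` output, trimmed to the keys used.
# "zzzqq" plays the role of the nonexistent probe path from step 1 (a soft 404: 200, fixed size).
SAMPLE_FFUF_JSON = json.dumps({
    "results": [
        {"input": {"FUZZ": "admin"},   "status": 301, "length": 169,  "words": 9,   "lines": 2,  "url": "https://target.example/admin"},
        {"input": {"FUZZ": "backup"},  "status": 200, "length": 5120, "words": 300, "lines": 60, "url": "https://target.example/backup"},
        {"input": {"FUZZ": "zzzqq"},   "status": 200, "length": 1234, "words": 42,  "lines": 10, "url": "https://target.example/zzzqq"},
        {"input": {"FUZZ": "old"},     "status": 200, "length": 1234, "words": 42,  "lines": 10, "url": "https://target.example/old"},
        {"input": {"FUZZ": "config"},  "status": 403, "length": 277,  "words": 20,  "lines": 7,  "url": "https://target.example/config"},
        {"input": {"FUZZ": "nothere"}, "status": 404, "length": 153,  "words": 8,   "lines": 4,  "url": "https://target.example/nothere"},
    ]
})


def response_signature(result):
    """The tuple ffuf's filters work on: status, byte length, word count, line count."""
    return (result["status"], result["length"], result["words"], result["lines"])


def soft404_baseline(results, probe):
    """Signature of the nonexistent probe path (step 1), or None if it is not in the results."""
    for r in results:
        if r["input"]["FUZZ"] == probe:
            return response_signature(r)
    return None


def triage(raw_json, probe="zzzqq", filter_codes=(404,), match_codes=None):
    """Return {status: [paths]} after dropping baseline look-alikes and applying -fc / -mc.

    Anything whose full signature equals the baseline is a soft 404 and is discarded,
    which is what makes a 200-with-fixed-size site usable at all.
    """
    results = json.loads(raw_json)["results"]
    baseline = soft404_baseline(results, probe)
    kept = defaultdict(list)
    for r in results:
        if response_signature(r) == baseline:            # identical to the nonexistent path
            continue
        if r["status"] in filter_codes:                  # -fc: filtered status codes
            continue
        if match_codes and r["status"] not in match_codes:  # -mc: keep only these codes
            continue
        kept[r["status"]].append(r["input"]["FUZZ"])
    return dict(kept)
```

Run `triage(SAMPLE_FFUF_JSON)` to see that `old` (same signature as the probe) and `nothere` (404) are dropped while `admin`, `backup` and `config` remain; pass `match_codes=(200,)` to mimic `-mc 200`.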