Fuzzing for Bug Bounty Hunting

Manish Basnet
Oct 9, 2022

Testing for vulnerabilities by feeding inputs manually, one at a time, can be tedious. When time and patience are short, manually feeding input to a target to find bugs/vulnerabilities can be overwhelming. Fuzzing helps with this and saves time. Fuzzing is an automated process in which the hard work is handled by a fuzzing tool. All an analyst has to do is look at the responses, timing, and status codes after the process is done. Consider a site with many input fields to test for XSS. In a manual approach, we feed each input field XSS payloads one by one, which is far too tedious. With an automated approach, all you need to do is provide the XSS payload list to the fuzzer, and the fuzzer handles all the input testing.


Fuzzing is the technique of sending a number of requests to the target website within a certain interval of time. In that respect it is similar to brute forcing. Fuzzing is done with tools like Wfuzz, ffuf, and so on. You provide the tool with the target URL, parameter, endpoint, etc. and a set of inputs. The fuzzing tool then crafts requests and sends them to the target one after another. After the fuzzing has finished, the responses, timing, and status codes need to be analyzed for vulnerabilities.
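The analysis step described above, as an added example that is not part of the original article: it takes per-request results as (wordlist value, status code, body length, response time) tuples, treats the most common response as the baseline, and flags whatever differs. The sample results, the `triage` function name and its thresholds are constructed for illustration; a real run would load the results from the fuzzer's saved output.

```python
from collections import Counter
from statistics import median

# Constructed sample: (wordlist value, HTTP status, body length in bytes, seconds).
RESULTS = [
    ("1000", 404, 162, 0.10), ("1001", 404, 162, 0.11),
    ("1002", 200, 5310, 0.14), ("1003", 404, 162, 0.09),
    ("1004", 500, 298, 0.12), ("1005", 404, 162, 0.10),
    ("1006", 404, 162, 2.40), ("1007", 404, 1840, 0.11),
    ("1008", 404, 162, 0.10), ("1009", 429, 0, 0.02),
]


def triage(results, length_slack=16, time_factor=5.0):
    """Map each wordlist value whose response deviates from the baseline to its reasons."""
    # Most fuzzed requests get the same "nothing here" answer, so the most
    # common (status, length) pair is the baseline to compare against.
    (base_status, base_length), _ = Counter(
        (status, length) for _, status, length, _ in results
    ).most_common(1)[0]
    typical_time = median(elapsed for *_, elapsed in results)

    flagged = {}
    for value, status, length, elapsed in results:
        reasons = []
        if status == 429:
            # Throttled: the target is rate limiting, so this answer says
            # nothing about the value itself and later ones may not either.
            reasons.append("rate limited")
        elif status != base_status:
            reasons.append(f"status {status}, baseline {base_status}")
        elif abs(length - base_length) > length_slack:
            reasons.append(f"length {length}, baseline {base_length}")
        if elapsed > time_factor * typical_time:
            reasons.append(f"slow ({elapsed:.2f}s, median {typical_time:.2f}s)")
        if reasons:
            flagged[value] = reasons
    return flagged


if __name__ == "__main__":
    for value, reasons in triage(RESULTS).items():
        print(value, "->", "; ".join(reasons))
```

Only the flagged values need a manual look; everything that matches the baseline in status, length and timing can be skipped.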

Tools to Use for Fuzzing

There are hundreds of fuzzing tools available in the industry. Some of the top-rated, popular ones are listed below.


Wfuzz works by replacing the placeholder `FUZZ` with wordlist values. To understand this more clearly let’s consider an example:

$ wfuzz -w userIDs.txt "https://example.com/view_photo?userId=FUZZ"

In the above command, `userIDs.txt` is a wordlist file containing numeric ID values. Here, we are telling wfuzz to fuzz the request to the example URL. Note the word `FUZZ` in the URL: it acts as a placeholder that wfuzz replaces with values from the wordlist. Each numeric ID in `userIDs.txt` is inserted in place of the `FUZZ` keyword.


Ffuf is a web fuzzing tool written in the Go language which is very fast and recursive in nature. It works similarly to Wfuzz, but in contrast it is recursive. Ffuf also works by replacing the placeholder `FUZZ` with wordlist values. For example:

$ ffuf -w userIDs.txt -u "https://example.com/view_photo?userId=FUZZ"

Here `-w` is the flag for the wordlist and `-u` is the flag for the target URL. The rest of the working mechanism is the same as Wfuzz: it replaces the `FUZZ` placeholder with the values from `userIDs.txt`.


GoBuster is another fuzzer written in the Go language. It is mostly used for fuzzing URIs, directories/paths, DNS subdomains, AWS S3 buckets, and vhost names, and it supports concurrency. For example:

$ gobuster dir -w endpoints.txt -u https://example.com

In the above command, `dir` specifies that we are fuzzing directories, `-u` is the flag for the URL, and `-w` is the flag for the wordlist, where `endpoints.txt` is the wordlist file the payloads are taken from. The command sends concurrent requests to the target to find available directories.

Wordlists and References

In the examples above we have seen why we need a wordlist. Having a wordlist is not enough, though: the wordlist must be a good fit for your fuzzing scenario. If you can't find a wordlist that matches your scenario, consider generating your own. Some popular wordlists and references are provided below.

- Cross-site scripting (XSS) cheat sheet
- AwesomeXSS
- Payloads All The Things
- Big List of Naughty Strings
- Bo0oM Fuzz List
- FuzzDB
- bl4de Dictionaries
- Open Redirect Payloads
- EdOverflow Bug Bounty Cheat Sheet
- Daniel Miessler — SecLists
- XssPayloads Twitter Feed
- XssPayloads List

Note ☠️

I want to state clearly that not everyone uses fuzzing tools. Everyone has different tastes, and using fuzzing tools isn't mandatory. Depending on your conditions and circumstances, you may use a fuzzing tool to save time.
Sending too many fuzzing requests may get your IP address blocked. Some prefer to do everything manually rather than use fuzzing tools. So it's up to you whether to test for vulnerabilities manually or let fuzzing tools do it for you automatically.

Wanna Connect with me 👋

LinkedIn: https://www.linkedin.com/in/manish-basnet-200526213/

GitHub: https://github.com/maheshbasnet089