Attacking Web Applications with Ffuf Easy
This module covers the fundamental enumeration skills of web fuzzing and directory brute forcing using the Ffuf tool. The techniques learned in this module will help us in locating hidden pages, directories, and parameters when targeting web applications.
Created by 21y4d
Summary
Web enumeration is one of the most important skills any Penetration Tester must possess. While manually navigating websites and clicking all the available links may reveal some data, most of the links and pages may not be published to the public, and hence are prone to be less secure.
In the Attacking Web Applications with Ffuf module, you will learn how to locate hidden pages, directories, and parameters within web applications and leverage these to attack the target web applications.
In this module, we will cover:
- Finding various web application pages and directories
- Identifying hidden vhosts and subdomains
- Fuzzing for PHP parameters
- Fuzzing for parameter values
This module is broken down into sections with accompanying hands-on exercises to practice each of the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.
As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to reinforce further the concepts introduced in each section. You can do this in the target host provided in the interactive sections or your own virtual machine.
You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.
The module is classified as "Easy" but assumes a working knowledge of the Linux command line and an understanding of information security fundamentals.
A firm grasp of the following modules can be considered prerequisites for successful completion of this module:
- Introduction to Networking
- Linux Fundamentals
- Web Requests
Sections
- Introduction
- Web Fuzzing
- Directory Fuzzing
- Page Fuzzing
- Recursive Fuzzing
- DNS Records
- Sub-domain Fuzzing
- Vhost Fuzzing
- Filtering Results
- Parameter Fuzzing - GET
- Parameter Fuzzing - POST
- Value Fuzzing
- Skills Assessment - Web Fuzzing
Relevant Paths
This module progresses you towards the following Paths
Medium 76 Sections
Cubes Required: 370
In this path, modules cover the basic tools needed to be successful in network and web application penetration testing. This is not an exhaustive listing of all tools (both open source and commercial) available to us as security practitioners but covers tried and true tools that we find ourselves using on every technical assessment that we perform. Learning how to use the basic toolset is essential, as many different tools are used in penetration testing. We need to understand which of them to use for the various situations we will come across.