Parameter Fuzzing

First of all, edit the /etc/hosts file and add the admin.academy.htb VHost. Otherwise you'll get stuck forever in this exercise.

Let's make sure we add the option -fs 798at the end to avoid an output like this:

Let's gather what we learn in this lesson and use the following command:

ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:31472/admin/admin.php?FUZZ=key -fs 798

And the application responded with the user parameter!

Last updated 1 year ago