URL Fuzz testing or URL Fuzzing is a technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion. Also URL Fuzzing is a technique to find hidden files and directories on a web server, discover activities which allows you to discover resources that were not meant to be publicly accessible. For example the backups, index.php.old, archive.tgz, source_code.zip, etc.
By using this URL Fuzzing online tool, attacker will allow to categories mutual servers, content management system installed on the web server and domains extensions that the attacker want to check over to discover hidden files, folders and backups that might contain valuable information.
- Base URL: This is the URL on the target server that will be fuzzed. All the requests will be done by using this value as base URL
- Search for directories: If selected, the tool will search for directories located at the base URL
- Search for files: If selected, the tool will search for files located at the base URL. You can specify the file extension that you want to search, including double extensions (ex. .php.old, .jsp.bak, .tgz, etc)
How it works
The URL Fuzzing Tool uses a customize built-in dictionary file for finding files and directories. The dictionary file that contains more than 100000 common names of known files and directories. For each WORD in the dictionary-file, it will make HTTP request to: Base_URL/WORD/ or to Base_URL/WORD.EXT in case you chose to fuzz a certain EXTension.
Hidden files and directories that are found, are returned together with their HTTP response code.