fuzzuli v1.1.4 releases: find critical backup files
fuzzuli is a url fuzzing tool that aims to find critical backup files by creating a dynamic wordlist based on the domain.
In my application security testing journey that I have been doing for years, I found a lot of critical backup files kept in externally accessible directories. While naming these files, common preferred words were used. (such as backup.zip, db.rar, conf.tar.gz, etc). However, most of these files were named using the domain name where the application was located. Let’s suppose we have a domain address fuzzuli.musana.net. If the developer keeps critical backup files in the accessible directory, the possible file names will be like this.
It is not possible to find these files in the traditional wordlist approach.
When naming these files, the domain name is often taken as a reference. I’ve encountered scenarios when naming these files where the dots in the domain are deleted, vowel letters are deleted, or the domain name is used as-is. I took this into account when developing this tool. Therefore, when creating a domain-based wordlist, I took the variants without dots, without vowels, both without dots and without vowels. Then the domain passes from the following function after removing dots, vowel letters both dot and vowel letters.
It goes through the below function after a domain is reversed in the reverse method.
mixed-method changes the position of each subdomain. The results go through the below function.
A mathematical equation is like this.
shuffle method just shuffles subdomains and removes dots, vowel letters both dots and vowel letters. It does not iterate over each char in the domain string.
fuzzuli consists of two main parts. One of them creates a wordlist dynamically. The other sends the HTTP request and checks the response for backup/sensitive files.
The flow chart of fuzzuli is the following.
fuzzuli is using 7 different methods for creating wordlists. Let’s see the results for fuzzuli.musana.net
concurrency issue fixed
Copyright (c) 2022 musana