Commit c51eea5

Fixed Issue #1182 (#1183)
* Update C-Fuzzing.md

  fixed some typos

* Update .textlintrc

  Added other(s) and wordlist(s) typos

---------

Co-authored-by: Rick M <[email protected]>
1 parent 58c76af commit c51eea5

2 files changed

+14
-6
lines changed

.github/configs/.textlintrc

+8
@@ -512,6 +512,10 @@
512512
"localised",
513513
"localized"
514514
],
515+
[
516+
"otehr(s)?",
517+
"other$1"
518+
],
515519
[
516520
"pacakge(s)?",
517521
"package$1"
@@ -560,6 +564,10 @@
560564
"utilising",
561565
"utilizing"
562566
]
567+
[
568+
"worldlist(s)?",
569+
"wordlist$1"
570+
],
563571
]
564572
}
565573
}
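Review bot: The unchanged `]` that closes the `utilising`/`utilizing` pair (old line 562) has no trailing comma, so the new `worldlist(s)?` entry starts right after it with no separator, and the new entry's own `],` leaves a trailing comma before the array's closing `]`. Move the comma up: end the `utilizing` pair with `],` and the `wordlist$1` pair with `]`, then run textlint once with this config to confirm it still loads. Separately, `worldlist(s)?` does not match `worlist`, the misspelling that line 53 of C-Fuzzing.md contained before this commit, so that variant stays invisible to the linter.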

document/6-Appendix/C-Fuzzing.md

+6-6
@@ -2,7 +2,7 @@
22

33
## Introduction
44

5-
Fuzzing is the process or technique of sending a number of request to as target site in a certain interval of time. In other words, it is also similar to bruteforcing. Fuzzing is a process which can be achieved using tools like Wfuzz, ffuf, and so on. As a tester you would need to provide the tool with the target URL, parameter, endpoint, etc, and some sort of inputs. Then the fuzzing tool crafts requests and sends them to the target. After the fuzzing has finished, the responses, timing, status codes, and otehr characteristics need to be analyzed for potential vulnerabilities.
5+
Fuzzing is the process or technique of sending a number of request to as target site in a certain interval of time. In other words, it is also similar to bruteforcing. Fuzzing is a process which can be achieved using tools like Wfuzz, ffuf, and so on. As a tester you would need to provide the tool with the target URL, parameter, endpoint, etc, and some sort of inputs. Then the fuzzing tool crafts requests and sends them to the target. After the fuzzing has finished, the responses, timing, status codes, and other characteristics need to be analyzed for potential vulnerabilities.
66

77
## Why fuzzing?
88

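Review bot: The rewritten line 5 fixes `otehr` but still reads "sending a number of request to as target site"; since the line is being touched anyway, change it to "a number of requests to a target site". The "etc," later in the same line is also missing its period.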
@@ -20,11 +20,11 @@ There are hundreds of tools available in the industry for doing fuzzing. But som
2020
wfuzz -w userIDs.txt https://example.com/view_photo?userId=FUZZ
2121
```
2222

23-
In the above command, `userIds.txt` is a worldlist file containing numeric ID values. Here, we are telling wfuzz to fuzz the request to the example URL. Note that `FUZZ` word in the URL, it will act as a placeholder for wfuzz to replace with values from the wordlist. All the numeric ID values from the `userIDs.txt` file will be inserted replacing the `FUZZ` keyword.
23+
In the above command, `userIds.txt` is a wordlist file containing numeric ID values. Here, we are telling wfuzz to fuzz the request to the example URL. Note that `FUZZ` word in the URL, it will act as a placeholder for wfuzz to replace with values from the wordlist. All the numeric ID values from the `userIDs.txt` file will be inserted replacing the `FUZZ` keyword.
2424

2525
### Ffuf
2626

27-
[Ffuf](https://github.com/ffuf/ffuf) is a web fuzzing tool written in the Go language which is very fast and recursive in nature. It works similar to Wfuzz but in contrast it is recursive. Ffuf also works by replacing the placeholder `FUZZ` with worldlist values. For example:
27+
[Ffuf](https://github.com/ffuf/ffuf) is a web fuzzing tool written in the Go language which is very fast and recursive in nature. It works similar to Wfuzz but in contrast it is recursive. Ffuf also works by replacing the placeholder `FUZZ` with wordlist values. For example:
2828

2929
```bash
3030
ffuf -w userIDs.txt -u https://example.com/view_photo?userId=FUZZ
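Review bot: Line 23 still opens with the file name `userIds.txt`, while the wfuzz command on line 20 and the end of the same paragraph use `userIDs.txt`; on a case-sensitive filesystem those are different files, so the first mention should be `userIDs.txt`. On line 27, "very fast and recursive in nature" followed by "but in contrast it is recursive" states the same property twice and can be reduced to one mention.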
@@ -40,17 +40,17 @@ Here the `-w` is the flag for wordlist and `-u` is the flag for the target URL.
4040
gobuster dir -w endpoints.txt -u https://example.com
4141
```
4242

43-
In the above command `dir` specifies we are fuzzing a directory, `-u` is the flag for URL, and `-w` is the flag for wordlist where `endpoints.txt` is the worldlist file payloads will be taken from. The command runs concurrent requests to the endpoint to find available directories.
43+
In the above command `dir` specifies we are fuzzing a directory, `-u` is the flag for URL, and `-w` is the flag for wordlist where `endpoints.txt` is the wordlist file payloads will be taken from. The command runs concurrent requests to the endpoint to find available directories.
4444

4545
### ZAP
4646

47-
[ZAP](https://owasp.org/www-project-zap) is a web application security scanner that can be used to find vulnerabilities and weaknesses in web applications. It also includes a [Fuzzer](https://www.zaproxy.org/docs/desktop/addons/fuzzer/).
47+
[ZAP](https://www.zaproxy.org) is a web application security scanner that can be used to find vulnerabilities and weaknesses in web applications. It also includes a [Fuzzer](https://www.zaproxy.org/docs/desktop/addons/fuzzer/).
4848

4949
One of the key features of ZAP is its ability to perform both passive and active scans. Passive scans involve observing the traffic between the user and the web application, while active scans involve sending test payloads to the web application to identify vulnerabilities.
5050

5151
### Wordlists and References
5252

53-
In the examples above we have seen why we need a wordlist. Just wordlists are not enough, the worlist must great for your fuzzing scenario. If you don't find any wordlists that match the necessary scenario then consider generating your own wordlist. Some popular wordlists and references are provided below.
53+
In the examples above we have seen why we need a wordlist. Just wordlists are not enough, the wordlist must great for your fuzzing scenario. If you don't find any wordlists that match the necessary scenario then consider generating your own wordlist. Some popular wordlists and references are provided below.
5454

5555
- [Cross-site scripting (XSS) cheat sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
5656
- [AwesomeXSS](https://github.com/s0md3v/AwesomeXSS)
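Review bot: The ZAP link on line 47 changes from `https://owasp.org/www-project-zap` to `https://www.zaproxy.org`, which is not a typo fix and is not mentioned in the commit message; record it in the message or split it into its own commit so the link target can be reviewed on its own. Line 53 also still reads "the wordlist must great for your fuzzing scenario", which is missing a verb (for example "must be great").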
