whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
killchain-compendium/exploit/web/forced_browsing/forced_browsing.md

961 B
Raw Blame History

Forced Browsing

Forced browsing is the art of using logic to find resources on the website that you would not normally be able to access. For example let's say we have a note taking site, that is structured like this. http://example.com/user1/note.txt. It stands to reason that if we did http://example.com/user2/note.txt we may be able to access user2's note.

Usage

Tools

wfuzz

  • pip install wfuzz
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/big.txt --hw 57 http://10.10.28.2/FUZZ/note.txt
Parameter Detail
-c Shows the output in color
-z Specifies what will replace FUZZ in the request. For example -z file,big.txt will read through all the lines of big.txt and replace FUZZ with
--hc Don't show certain http response codes
--hl Don't show a certain amount of lines in the response
--hh Don't show a certain amount of words
--hw Don't show word response return val of this length