Hey folks, in this tutorial we are going to talk about an advanced fuzzer tool for web application penetration testing called “vaf”. Fuzzing is the art of automatic bug finding; its role is to find software implementation faults and identify them where possible. vaf is a fast web fuzzer that helps to find bugs in web applications.
Let’s take a look
Vaf Tool Installation
Let’s try to find the easiest way to use this tool. Ok
git clone https://github.com/d4rckh/vaf.git
cd vaf/
ls -l
Good
./vaf_linux_amd64 -h
Example
The tool does not ship with its own wordlist, so we need to provide one along with the target. We use the “-u” parameter to set the target URL and the “-w” parameter to supply our own wordlist; the later examples follow the same procedure. Make sure you put the “[]” marker in the URL at the position where you want the wordlist entries to be inserted. As soon as we execute the command, we get some sensitive files or directories which we cannot normally see by browsing the website.
Usage
./vaf_linux_amd64 -u 'http://testphp.vulnweb.com/[]' -w /usr/share/wordlists/dirb/common.txt
Specific Response Code
As we know, the first of the three digits of the Status-Code defines the class of the response sent by the server. By default the tool only shows results with a “200” response code, but we can change this with the “-sc” parameter. We have added “any” to the command below, which means that it will catch all results, whatever the response code is.
Usage
./vaf_linux_amd64 -u 'http://testphp.vulnweb.com/[]' -sc any -w /usr/share/wordlists/dirb/common.txt
Likewise, you can specify any particular response code to get just the results you want.
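Seen from the server, a wordlist run like the ones above is a burst of requests from one client to many distinct paths, most of them answered with 404, whichever codes the client chooses to display. The following added example (not part of the original post or of vaf) flags that pattern in an access log; the combined log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common/combined log format: ip - - [time] "METHOD path HTTP/x" status size ...
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(?:\S+) (\S+) [^"]*" (\d{3}) ')

def parse(lines):
    """Yield (ip, timestamp, path, status) for each parseable log line."""
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group(1), ts, m.group(3), int(m.group(4))

# Thresholds are illustrative assumptions; tune them against real traffic.
def find_scanners(lines, window=timedelta(seconds=10), min_paths=20, min_404_ratio=0.8):
    """Return {ip: (distinct_paths, ratio_404)} for clients whose traffic in
    some sliding window looks like wordlist-driven content discovery."""
    by_ip = defaultdict(list)
    for ip, ts, path, status in parse(lines):
        by_ip[ip].append((ts, path, status))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda h: h[0])
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            burst = hits[start:end + 1]
            paths = {p for _, p, _ in burst}
            ratio = sum(s == 404 for _, _, s in burst) / len(burst)
            if len(paths) >= min_paths and ratio >= min_404_ratio:
                flagged[ip] = (len(paths), round(ratio, 2))
                break
    return flagged

def sample_log():
    """Constructed log: 203.0.113.7 walks a wordlist, 198.51.100.4 browses normally."""
    fmt = '{ip} - - [10/Oct/2023:13:55:{s:02d} +0000] "GET /{p} HTTP/1.1" {c} 512 "-" "-"'
    words = [f"word{i}" for i in range(28)] + ["admin", "index.php"]
    scan = [fmt.format(ip="203.0.113.7", s=i // 5, p=w, c=200 if w in ("admin", "index.php") else 404)
            for i, w in enumerate(words)]
    user = [fmt.format(ip="198.51.100.4", s=i * 9, p=p, c=c)
            for i, (p, c) in enumerate([("index.php", 200), ("login.php", 200), ("favicon.ico", 404)])]
    return scan + user

if __name__ == "__main__":
    print(find_scanners(sample_log()))
```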
Specific Extension Files
Sometimes we only need to grab files with specific extensions, like .php or .xml. For that we can use the “-sf” parameter, which gives us results according to the extensions we supply. In this run it enumerated only those files whose extension is .php or .html.
Usage
./vaf_linux_amd64 -u 'http://testphp.vulnweb.com/[]' -w /usr/share/wordlists/dirb/common.txt -sf .php,.html
Print URL
With this option (“-pu” in the command below) the tool prints the URL alongside each result in the terminal; it is disabled by default.
./vaf_linux_amd64 -u 'http://testphp.vulnweb.com/[]' -w /usr/share/wordlists/dirb/common.txt -sf .php,.html -pu
Good