Web-Fuzzing-Box
→ View on GitHubAI Summary: Web-Fuzzing-Box is a tool designed for web application security testing, offering a diverse collection of dictionaries and payloads for conducting fuzzing attacks, including brute force, directory and file enumeration, and exploitation of web vulnerabilities. Notable features include a comprehensive suite of dictionaries tailored for specific vulnerabilities such as SQL injection, XSS, and authentication bypass, as well as case studies demonstrating the practical application of these resources in real-world scenarios. This tool is particularly valuable for penetration testers and security researchers seeking to enhance their web application assessments.
README
Web-Fuzzing-Box
Web Fuzzing Box - A collection of web fuzzing dictionaries and payloads, including: brute force attacks, directory and file enumeration, web vulnerabilities…
Real-world case studies using these dictionaries: https://gh0st.cn/archives/2019-11-11/1 https://gh0st.cn/archives/2018-07-25/1
Some parameters, directories, filenames and related data are sourced from the CaA project: https://github.com/gh0stkey/CaA
❯ tree -L 2
.
├── Brute [Brute Force]
│ ├── Application [Service & Application Dictionary]
│ ├── Basic_401_Login.txt [401 Authentication Dictionary]
│ ├── Full_Name [Name Pinyin Dictionary]
│ ├── Password [Password Dictionary]
│ ├── Ports [Port Dictionary]
│ ├── Security_Product [Security Products]
│ ├── Subdomain [Subdomain]
│ ├── Top_Password [Top Ranked Passwords]
│ ├── Test_Chinese_Mobilephonenumber.txt [Test Mobile Numbers]
│ └── Username [Username Dictionary]
├── Dir [Directory, Filename, API]
│ ├── Others [Other Dictionaries]
│ ├── Burpsuite [Dictionaries for BurpSuite]
│ ├── Wooyun [Wooyun Historical Vulnerability Directories & Files]
│ └── Yujian [Chinese Yujian Dictionary]
├── Vuln [Vulnerability Related Dictionaries]
│ ├── Api_Bypass [API Vulnerabilities: 403 Bypass, Auth Bypass]
│ ├── File_Upload [File Upload Vulnerabilities]
│ ├── Logic [Logic Vulnerabilities]
│ ├── File_Include [File Inclusion Dictionary]
│ ├── Image_Dos [Image Resource DoS Vulnerability Dictionary]
│ ├── JWT_Attack [JWT Attack Dictionary]
│ ├── Jsonp [JSONP Cross-Domain Hijacking Dictionary]
│ ├── Open_Redirect [URL Redirect Vulnerability Dictionary]
│ ├── Sql_Injection [SQL Injection Dictionary]
│ ├── Traversal_Directory [Directory Traversal Vulnerability Dictionary]
│ ├── Xml_Bomb [XML Bomb Payloads]
│ └── Xss [XSS Dictionary & Payloads]
├── Other [Other Dictionaries]
│ ├── 2W_Words.txt
│ └── Chinese Province Mobile Number Segments
└── Web [Web Testing Dictionary]
├── File_Path [Some Files and Paths]
├── Funcation_Name.txt [Function Names]
├── HTML [HTML Related]
├── Headers [HTTP Headers]
├── Http_Methods.txt [HTTP Request Methods]
├── Integer_Overflows.txt [Integer Overflow]
├── Javascript_Filename.txt [JavaScript Filenames]
├── Lcoalhost.txt [Localhost Addresses]
├── Dict [Verb/Noun Dictionary, Request Parameters]
├── URL [URL Related Protocols and Types]
└── ViewState_Key.txt [For ViewState Deserialization]
Acknowledgements
yuanhaiGreg: Contributed file upload parameters, ViewState_Key
wallarm: jwt-secrets author