Recently I found myself thinking about how performant my wordlists are. I have custom lists with all sorts of information, but here I'm talking about fuzzing with general lists – not technology-focused stuff, which makes the need for multiple lists obvious.
What's the difference between your subdomain, parameter or path lists? I've been thinking about it, and the conclusion I ended up with is: none! One list contains more words than the other, and that's it.
I constantly end up using my subdomain list for path fuzzing or my parameter list for subdomain discovery, and at the end of the day they usually uncover stuff that was not found before, because there's nothing binding the words in a parameter list to parameters! It is way better to have a general list with every word out there, call it all.txt – just like jhaddix did back then – and fuzz from there.
Of course there are exceptions: subdomain lists should comma values, paths should have specific dirs, etc. But the point is, if you are trying to uncover something with a targeted list that you found on GitHub saying it's specific to certain research, you are probably missing something.
The same goes for file-extension-focused stuff.
What's your opinion?

May 5, 2022 at 2:33 am #5251
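The post's argument is that per-category lists are mostly the same words under different names, so you might as well merge them into one all.txt. The script below is an added example, not code from the post or from any of the tools it mentions: it normalises and deduplicates several lists into one merged list, and it computes the Jaccard overlap between each pair so you can measure on your own lists how "specific" they really are before deciding to merge. The three sample lists are constructed for the example and stand in for real wordlist files; `load_list` is the only part that touches disk.

```python
"""
Merge several fuzzing wordlists into one general list (the "all.txt" idea) and
measure how much the per-category lists actually overlap.
The sample lists below are constructed for this example.
"""
from __future__ import annotations

from itertools import combinations
from pathlib import Path

# Constructed sample lists standing in for subdomain / parameter / path wordlists.
# They deliberately contain duplicates, mixed case, whitespace, blanks and a
# comment line so that normalisation has something to do.
SAMPLE_LISTS: dict[str, list[str]] = {
    "subdomains": ["www", "api", "dev", "staging", "admin", "API", "mail"],
    "parameters": ["id", "user", "admin", "debug", "api", "token", " id "],
    "paths": ["admin", "login", "api", "backup", "dev", "", "#comment"],
}


def normalise(word: str) -> str | None:
    """Lower-case and strip a word; return None for blanks and comment lines."""
    w = word.strip().lower()
    if not w or w.startswith("#"):
        return None
    return w


def load_list(path: Path) -> list[str]:
    """Read one wordlist file, one entry per line (bad bytes are replaced, not fatal)."""
    return path.read_text(encoding="utf-8", errors="replace").splitlines()


def merge_lists(lists: dict[str, list[str]]) -> list[str]:
    """Union of every list after normalisation, deduplicated and sorted."""
    merged: set[str] = set()
    for words in lists.values():
        for w in words:
            n = normalise(w)
            if n is not None:
                merged.add(n)
    return sorted(merged)


def overlap_report(lists: dict[str, list[str]]) -> dict[tuple[str, str], float]:
    """Jaccard similarity (|A & B| / |A | B|) for each pair of lists.

    A high score means the two "specific" lists are largely the same words.
    """
    cleaned = {
        name: {n for w in words if (n := normalise(w)) is not None}
        for name, words in lists.items()
    }
    report: dict[tuple[str, str], float] = {}
    for a, b in combinations(sorted(cleaned), 2):
        inter = len(cleaned[a] & cleaned[b])
        union = len(cleaned[a] | cleaned[b])
        report[(a, b)] = inter / union if union else 0.0
    return report


def write_all_txt(lists: dict[str, list[str]], out_path: Path) -> int:
    """Write the merged list to out_path and return the number of unique words."""
    merged = merge_lists(lists)
    out_path.write_text("\n".join(merged) + "\n", encoding="utf-8")
    return len(merged)


if __name__ == "__main__":
    # With real files: lists = {p.stem: load_list(p) for p in Path("lists").glob("*.txt")}
    for (a, b), score in overlap_report(SAMPLE_LISTS).items():
        print(f"{a:>10} vs {b:<10} Jaccard={score:.2f}")
    print(len(merge_lists(SAMPLE_LISTS)), "unique words in the merged list")
```

On the constructed sample the three lists share only a handful of words, so the Jaccard scores are low; on real lists pulled from GitHub the numbers are usually what tells you whether a "parameter" list is anything more than a subset of your subdomain list. Normalisation is done once at merge time so the merged file contains no case or whitespace duplicates that would waste requests.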
Agree that they can be noisy. But from an "I need to get paths that no one found" perspective, it does not make any sense to use smaller lists – yeah, you should have a quick list to fire at every target to see what's the deal – but apart from that, if you have concerns about WAFs, it is way better to use a distributed scanner (axiom/fleet/custom k8 with rabbit).

May 5, 2022 at 12:06 pm #5256