Page Fuzzing¶
The Full Pipeline¶
At this stage you already know:
- Directories that exist (from directory fuzzing)
- File extensions the application uses (from extension fuzzing)
Page fuzzing combines these two pieces of intelligence to find actual files and pages within the discovered directories. This is where you uncover login forms, admin panels, configuration pages, upload handlers, and other attack surfaces.
Why Not Just Directory Fuzz with Extensions?¶
You could run one massive scan with -e .php,.html against the root — but that's inefficient and noisy. The targeted approach:
- Fuzz directories on the root → find
/admin/,/blog/,/api/ - Identify extensions → confirm
.php - Fuzz for pages within each directory → find
/admin/login.php,/admin/config.php,/blog/post.php
This focused methodology gives you better results faster, with less noise to filter.
Basic Page Fuzzing Command¶
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ \
-u http://SERVER_IP:PORT/blog/FUZZ.php -fc 404
This tests every word in the list as a PHP filename within the /blog/ directory:
http://SERVER_IP:PORT/blog/index.phphttp://SERVER_IP:PORT/blog/admin.phphttp://SERVER_IP:PORT/blog/config.phphttp://SERVER_IP:PORT/blog/upload.php- ...
Practical Walkthrough¶
Step 1: Confirm What You Know¶
From previous fuzzing stages:
# Directory fuzzing found:
# /blog/ [Status: 301]
# /admin/ [Status: 403]
# /forum/ [Status: 200]
# Extension fuzzing confirmed:
# .php [Status: 200] — PHP application
Step 2: Fuzz Each Directory¶
# Fuzz pages in /blog/
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ \
-u http://10.10.10.5:8080/blog/FUZZ.php -fc 404
________________________________________________
index [Status: 200, Size: 15842, Words: 3420, Lines: 312, Duration: 45ms]
post [Status: 200, Size: 4521, Words: 891, Lines: 85, Duration: 42ms]
archive [Status: 200, Size: 8932, Words: 1823, Lines: 156, Duration: 48ms]
config [Status: 403, Size: 289, Words: 21, Lines: 11, Duration: 38ms]
# Fuzz pages in /admin/
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ \
-u http://10.10.10.5:8080/admin/FUZZ.php -fc 404
________________________________________________
login [Status: 200, Size: 3245, Words: 432, Lines: 67, Duration: 41ms]
dashboard [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 39ms]
users [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 40ms]
upload [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 38ms]
Step 3: Interpret Results¶
| Finding | Meaning | Next Step |
|---|---|---|
login.php (200) |
Login page accessible | Test for default creds, SQLi |
dashboard.php (302) |
Redirects (needs auth) | Try after getting creds |
upload.php (302) |
File upload exists | High-value target post-auth |
config.php (403) |
Config file exists | Try backup extensions (.php.bak) |
Handling False Positives on Page Fuzzing¶
Custom 404 pages that return 200 are common. Measure the baseline first:
# Check what a non-existent page returns
curl -s http://10.10.10.5:8080/blog/definitelynotarealpage12345.php | wc -c
# Output: 1987
# Filter that size
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ \
-u http://10.10.10.5:8080/blog/FUZZ.php -fs 1987
Using Targeted Wordlists¶
The general directory-list works, but purpose-built wordlists often yield better results for page fuzzing:
# Common filenames (smaller, faster)
ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt:FUZZ \
-u http://10.10.10.5:8080/admin/FUZZ.php -fc 404
# Raft filenames (community-sourced)
ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt:FUZZ \
-u http://10.10.10.5:8080/admin/FUZZ -fc 404
raft-medium-files.txt
This wordlist already includes extensions in the filenames (e.g., index.php, login.html), so you don't need to append .php manually. Use it WITHOUT adding the extension in the URL.
Multi-Extension Page Fuzzing¶
When the application uses multiple technologies (e.g., PHP + static HTML):
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ \
-u http://10.10.10.5:8080/blog/FUZZ -e .php,.html,.txt -fc 404
Or use multi-keyword mode for full control:
ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt:PAGE \
-w /tmp/extensions.txt:EXT \
-u http://10.10.10.5:8080/blog/PAGE.EXT -fc 404
Where /tmp/extensions.txt contains only your confirmed extensions:
Building the Attack Surface Map¶
After page fuzzing all directories, compile your findings into a map:
http://10.10.10.5:8080/
├── blog/
│ ├── index.php (200) — Public blog
│ ├── post.php (200) — Individual posts
│ ├── archive.php (200) — Archive listing
│ └── config.php (403) — Configuration (blocked)
├── admin/
│ ├── login.php (200) — Login form ← TEST THIS
│ ├── dashboard.php (302) — Needs auth
│ ├── users.php (302) — User management
│ └── upload.php (302) — File upload ← HIGH VALUE
└── forum/
├── index.php (200) — Forum home
├── thread.php (200) — Thread viewer
└── profile.php (200) — User profiles
This map tells you exactly where to focus your exploitation efforts:
login.php→ try default creds, SQLi, brute-forceupload.php→ file upload attacks (once authenticated)config.php→ try.php.bak,.php.old,.php~post.php/thread.php→ likely take parameters (ID?) → parameter fuzzing
Quick Wins: Common Interesting Pages¶
Always check for these pages regardless of directory fuzzing results:
# Quick check for common sensitive files at root
ffuf -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt:FUZZ \
-u http://10.10.10.5:8080/FUZZ -fc 404
The quickhits.txt wordlist contains known-interesting paths like:
/.env/robots.txt/sitemap.xml/.git/HEAD/wp-config.php.bak/server-status/phpinfo.php
Revision Recap
- Page fuzzing combines directory + extension knowledge to find actual files
- The command pattern:
ffuf -w wordlist:FUZZ -u http://target/directory/FUZZ.ext - Always filter — check the baseline size of non-existent pages first
- Fuzz each discovered directory individually for focused results
- Status codes tell a story: 200 = accessible, 302 = auth-gated, 403 = exists but blocked
- Build an attack surface map from your combined results
- Don't forget
quickhits.txtfor common sensitive files at the root
➡️ Next: Recursive Fuzzing — automatically spider nested directories