Home

Awesome

header-fuzz

Version Language License

Build Status

header-fuzz allows you to fuzz any HTTP header with a wordlist and evaluate success or failure based on the returning HTTP status code.

:tada: Install

sudo make install

:no_entry_sign: Uninstall

sudo make uninstall

:computer: Usage

$ header-fuzz -h

Usage: header-fuzz [-H <header>] [-i <code>] [-p <proxy>] [-f <FUZZ>] -w </path/wordlist> -u <url>
       header-fuzz -h
       header-fuzz -v

Description:
    header-fuzz allows you to fuzz any HTTP header with a wordlist and evaluate
    success or failure based on the returning HTTP status code.

Required arguments::
    -w     Path to wordlist
    -u     URL to test against.

Optional arguments:
    -f     Fuzz string. Insert, prepend or apped %FUZZ% into your string.
           Default: %FUZZ%
    -H     Header name to fuzz.
           Default: Host
    -i     Comma separated string HTTP status codes to ignore.
           Default: 403
    -p     Use proxy for all requests.

Misc arguments:
    -h     Print this help.
    -v     Print version.

:bulb: Examples

Find virtual hosts

The following examples are trying to find various domains and subdomains based on a HTTP status different than 403:

# Try to guess the domain
header-fuzz -H Host -f '%FUZZ%.tld'            -w /path/to/domains.txt -u 'http://10.0.0.1'

# Try to guess a subdomain
header-fuzz -H Host -f '%FUZZ%.domain.tld'     -w /path/to/domains.txt -u 'http://10.0.0.1'

# Try to guess part of a subdomain
header-fuzz -H Host -f 'pre-%FUZZ%.domain.tld' -w /path/to/domains.txt -u 'http://10.0.0.1'
header-fuzz -H Host -f '%FUZZ%-suf.domain.tld' -w /path/to/domains.txt -u 'http://10.0.0.1'

Find protected robots.txt or sitemap.xml

Some sites only server the robots.txt or sitemap.xml if requested by specifc bot useragent, such as google bot and others. If none of these files exist, you can try to check them with different user agents.

header-fuzz -H User-Agent -w /path/to/useragents.txt -u 'http://10.0.0.1/robots.txt'
header-fuzz -H User-Agent -w /path/to/useragents.txt -u 'http://10.0.0.1/sitemap.xml'

IP blacklisting

Sometimes IP blacklisting is poorly implemented base on the X-FOrwarded-For header. Try to fuzz this.

header-fuzz -H X-Forwarded-For -w /path/to/ip-addresses.txt -u 'http://10.0.0.1'

Proxy through Burpsuite

Send all your requests through Burp to later also quickly check the returned file sizes or status codes and triage further based on this

header-fuzz -p http://localhost:8080 -w /path/to/wordlist.txt -u 'http://10.0.0.1'

:lock: cytopia sec tools

Below is a list of sec tools and docs I am maintaining.

NameCategoryLanguageDescription
offsecDocumentationMarkdownOffsec checklist, tools and examples
header-fuzzEnumerationBashFuzz HTTP headers
smtp-user-enumEnumerationPython 2+3SMTP users enumerator
urlbusterEnumerationPython 2+3Mutable web directory fuzzer
netcatPivotingPython 2+3Cross-platform netcat
badcharsReverse EngineeringPython 2+3Badchar generator
fuzzaReverse EngineeringPython 2+3TCP fuzzing tool

:octocat: Contributing

See Contributing guidelines to help to improve this project.

:exclamation: Disclaimer

This tool may be used for legal purposes only. Users take full responsibility for any actions performed using this tool. The author accepts no liability for damage caused by this tool. If these terms are not acceptable to you, then do not use this tool.

:page_facing_up: License

MIT License

Copyright (c) 2020 cytopia