fuzz
Fuzzing Workflow
Run web fuzzing and enumeration against the target URL.
Target
Target: $ARGUMENTS
Fuzzing targets are typically URLs (e.g., http://localhost:8080). If no target was provided, ask the user for a target URL. Verify the host portion is in .pentest/scope.json (run cat .pentest/scope.json to check). If not in scope, ask the user to add it with /scope add <target>.
Environment Detection
- Wrapper scripts available: !`test -f scripts/gobuster/discover-directories.sh && echo "YES" || echo "NO"`
Steps
1. Directory Discovery
Brute-force discover hidden directories and files on the web server. Hidden admin panels, backup files, and configuration endpoints are high-value findings.
If wrapper scripts are available (YES above):
bash scripts/gobuster/discover-directories.sh $ARGUMENTS -j -x
If standalone (NO above), use direct gobuster commands:
```bash
gobuster dir -u $ARGUMENTS -w wordlist.txt                   # Basic directory brute-force
gobuster dir -u $ARGUMENTS -w wordlist.txt -x php,html,txt   # Also try the listed file extensions
gobuster dir -u $ARGUMENTS -w wordlist.txt -t 20             # 20 concurrent threads
```
Review the results. Note all discovered paths, status codes, and content lengths.
2. Parameter Fuzzing
Fuzz URL parameters, headers, and request bodies for hidden inputs. Parameters that trigger different responses may indicate injection points or hidden functionality.
If wrapper scripts are available (YES above):
bash scripts/ffuf/fuzz-parameters.sh $ARGUMENTS -j -x
If standalone (NO above), use direct ffuf commands:
```bash
ffuf -u "$ARGUMENTS?FUZZ=test" -w params.txt                 # Fuzz GET parameter names
ffuf -u "$ARGUMENTS/FUZZ" -w wordlist.txt -fc 404            # Directory fuzzing, filtering 404s
ffuf -u "$ARGUMENTS" -w wordlist.txt -H "X-Custom: FUZZ"     # Header value fuzzing
```
Look for parameters that trigger different responses -- these may indicate injection points, hidden functionality, or access control bypasses.
3. Web Vulnerability Scan
Scan for known web server vulnerabilities, misconfigurations, and dangerous files. Nikto covers a broad range of checks including outdated software, default credentials, dangerous HTTP methods, and sensitive file exposure.
If wrapper scripts are available (YES above):
bash scripts/nikto/scan-specific-vulnerabilities.sh $ARGUMENTS -j -x
If standalone (NO above), use direct nikto commands:
```bash
nikto -h $ARGUMENTS               # Default vulnerability scan
nikto -h $ARGUMENTS -Tuning 123   # Tuning 1,2,3: interesting files, misconfiguration/default files, information disclosure
```
After Each Step
If wrapper scripts are available: Review the JSON output summary from the PostToolUse hook.
If standalone: Review the command output directly for key findings.
- Note discovered paths, parameters, and vulnerabilities
- If a tool is not installed, skip that step and note it in the summary
- Adapt subsequent steps based on findings (e.g., fuzz newly discovered paths in Step 2)
- If Step 1 reveals an admin panel, prioritize it in Step 3
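The scope check in the Target section and the "skip a tool that is not installed" rule above are the two gates every step depends on, so here is a small POSIX shell script, added as an illustration and not part of the skill's own scripts, that implements both before any fuzzing command runs. It assumes that .pentest/scope.json is a flat JSON array of host strings (a nested layout would need jq rather than the fixed-string grep used here); the function names, the temp scope file written by make_demo_scope, and the hostnames in it are constructed for the example. The wordlist names and tool flags are the ones shown in the steps above.

```shell
#!/bin/sh
# Added example (not the skill's own code): scope gate + missing-tool skip,
# applied before the gobuster / ffuf / nikto steps.
# ASSUMPTION: .pentest/scope.json is a JSON array of host strings, e.g.
#   ["localhost", "app.example.test"]
# A nested scope file would need jq instead of the fixed-string grep below.

# url_host URL -> prints the bare host (no scheme, userinfo, port, path).
url_host() {
  h=${1#*://}            # drop scheme
  h=${h%%/*}             # drop path
  h=${h%%\?*}            # drop query (when there is no path)
  h=${h%%#*}             # drop fragment
  h=${h##*@}             # drop userinfo
  case "$h" in
    \[*) h=${h%%]*}; h=${h#\[} ;;   # IPv6 literal: [::1]:8080 -> ::1
    *)   h=${h%%:*} ;;              # drop port
  esac
  printf '%s\n' "$h"
}

# in_scope HOST SCOPEFILE -> 0 if "HOST" appears as a quoted string in the file.
in_scope() {
  [ -f "$2" ] || return 1
  grep -Fq "\"$1\"" "$2"
}

# make_demo_scope -> writes a CONSTRUCTED scope file to a temp path and prints the path.
make_demo_scope() {
  f=$(mktemp)
  printf '["localhost", "app.example.test"]\n' > "$f"
  printf '%s\n' "$f"
}

# fuzz_gate URL [SCOPEFILE] -> 0 if the host is in scope; 2 plus a hint otherwise.
fuzz_gate() {
  scope=${2:-.pentest/scope.json}
  host=$(url_host "$1")
  if in_scope "$host" "$scope"; then
    return 0
  fi
  printf 'REFUSED: %s is not in %s; add it with: /scope add %s\n' "$host" "$scope" "$host" >&2
  return 2
}

# run_step NAME TOOL CMD... -> runs CMD, or notes a skip (status 0) if TOOL is missing.
run_step() {
  name=$1; tool=$2; shift 2
  if command -v "$tool" >/dev/null 2>&1; then
    "$@"
  else
    printf 'SKIP %s: %s is not installed\n' "$name" "$tool" >&2
    return 0
  fi
}

# Stand-alone use: sh fuzz-gate.sh http://localhost:8080 [.pentest/scope.json]
if [ $# -ge 1 ]; then
  fuzz_gate "$1" "${2:-.pentest/scope.json}" || exit $?
  url=$1
  run_step "directory discovery" gobuster gobuster dir -u "$url" -w wordlist.txt -x php,html,txt -t 20
  run_step "parameter fuzzing"   ffuf     ffuf -u "$url?FUZZ=test" -w params.txt
  run_step "vulnerability scan"  nikto    nikto -h "$url" -Tuning 123
fi
```

The host is compared as a quoted JSON string, so an in-scope entry of "app.example.test" does not also admit "example.test" or "app.example.test.attacker"; the refusal prints the exact /scope add command the Target section asks the user to run.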
Summary
After all steps complete, provide a structured fuzzing summary:
- Discovered Paths: Hidden directories, files, and admin endpoints found
- Parameters Found: URL parameters, headers, or body fields revealing hidden inputs
- Vulnerabilities: CVEs, misconfigurations, dangerous files, and outdated components identified
- Next Steps: High-priority targets for deeper exploitation based on findings