"Some content on websites is seemingly hidden – that is, without knowing its address, we are not able to access it. Often these are remnants from the application development stage – the developer was supposed to remove them later, but forgot ¯\_(ツ)_/¯." – that is a mention of DIRB. A mention, because for me it has given way to a new, incredibly fast tool – FFUF. The principle of operation is the same – you enter the URL and a dictionary, and you may find some files/directories that should not be available. With any luck, you may also detect some kind of error or unusual behavior of the server.
It requires an installed Golang compiler to work. Under Linux you can install it with the command – apt-get install golang. Now we can install ffuf with the command – go get -u github.com/ffuf/ffuf.
Most often I use this tool with the -fl switch, which filters out server responses containing a given number of lines. This gets rid of false positives, in other words, the generic server responses returned when a given file/directory does not exist. The -w switch indicates the location of the dictionary, and -u the address of the tested page, with the word FUZZ inserted in the appropriate location. A ready-made sample command to run the tool looks like this:
./ffuf -w /root/starter.txt -u https://my127001.pl/FUZZ -fl 1
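To make the effect of -fl concrete, here is an added example (not from the original post and not ffuf's own code): a simplified Python model of line-count filtering run over constructed responses. It assumes lines are counted as newline-separated segments; the Response type, the paths and the bodies are made up for illustration.

```python
"""Simplified model of filtering responses by line count (the idea behind -fl).
Added illustration, not ffuf's code; every response below is constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Response:
    path: str
    status: int
    body: str


def count_lines(body):
    # Assumption: lines are newline-separated segments, so an empty body is 1 line.
    return len(body.split("\n"))


def baseline_lines(probes):
    """Most common line count among responses to paths known not to exist."""
    return Counter(count_lines(r.body) for r in probes).most_common(1)[0][0]


def apply_line_filter(responses, fl):
    """Split responses into (kept, dropped); dropped ones have exactly fl lines."""
    kept = [r for r in responses if count_lines(r.body) != fl]
    dropped = [r for r in responses if count_lines(r.body) == fl]
    return kept, dropped


# Constructed: the server answers every unknown path with 200 and a one-line page.
SOFT_404 = "<html><body>Page not found</body></html>"
PROBES = [Response("/zz-no-such-1", 200, SOFT_404),
          Response("/zz-no-such-2", 200, SOFT_404)]
SCAN = [
    Response("/admin", 200, SOFT_404),
    Response("/backup", 200, SOFT_404),
    Response("/old", 200, "<html>\n<body>\n<h1>Index of /old</h1>\n</body>\n</html>"),
    Response("/version.txt", 200, "build-1234"),  # real file, but a single line
]

if __name__ == "__main__":
    fl = baseline_lines(PROBES)
    kept, dropped = apply_line_filter(SCAN, fl)
    print("filter value:", fl)
    print("kept:", [r.path for r in kept])
    print("dropped:", [r.path for r in dropped])
```

Note that /version.txt is dropped together with the generic pages because it is also one line long, so a line-count filter can hide real findings as well as false positives.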