Fuzzing in Cybersecurity: A Practical Guide with GooFuzz and httpx

Fuzzing is one of the most powerful techniques in cybersecurity for finding hidden vulnerabilities. It involves sending unexpected, malformed, or random data to an application to trigger crashes, errors, or security flaws. By doing this, security researchers and ethical hackers can identify weaknesses before attackers exploit them.

Fuzzing is effective because:

  • It automates the discovery of bugs that manual testing might miss.
  • It helps uncover zero-day vulnerabilities in web apps, APIs, and network services.
  • It saves time by testing thousands of inputs in seconds.

In this guide, we’ll explore two popular fuzzing tools: GooFuzz and httpx. We’ll cover how to install them on Linux and use them for real-world security analysis.

1. GooFuzz: A Web Directory and File Fuzzer

GooFuzz is a tool designed for brute-forcing web directories, files, and parameters. It’s useful for discovering hidden endpoints, admin panels, and sensitive files on a target website.

Installation on Linux

Since GooFuzz is written in Go, installation is straightforward:

  1. Install Go if not installed already
  2. Clone the repo
    git clone https://github.com/m3n0sd0n4ld/GooFuzz.git
  3. Navigate into the directory and make the file executable

Using GooFuzz

Search for Specific Files

We can use this tool to search for specific files related to a website. The command is:

./GooFuzz -t india.gov.in -e pdf,bak,old -d 10

  • -t india.gov.in sets the target domain to india.gov.in
  • -e pdf,bak,old specifies file extensions to search for: pdf, bak, and old
  • -d 10 sets the Google search result depth (number of pages) to 10

Defining Your Own Extensions

You can also define your own list of extensions in a file and use that for searching. For example,

./GooFuzz -t nasa.gov -e wordlists/extensions.txt -d 30

In the above example, wordlists/extensions.txt is already present in this tool’s directory.

Search for Specific Paths

We can also list directories or files by specifying paths, words or names. For example, we can use the command below:

./GooFuzz -t nasa.gov -w /login/,password,db.html -p 3

Sample output from tool manual page looks like this

Exclusion of subdomains

We can exclude subdomains that are not meant to be searched. Sometimes a website's owner does not allow scanning of critical infrastructure; in that case we can exclude those subdomains from our automation with the command below:

./GooFuzz -t example.com -w /login/,password,db.html -p 3 -x abc.example.com

Sample output from manual 

Subdomains enumeration

The -s parameter in GooFuzz allows you to enumerate subdomains of a target organization. When combined with the -p parameter, which controls the number of Google search result pages to parse (ideally between 10 and 20), it significantly increases the chances of discovering a wide range of subdomains associated with the target domain.

This is useful for reconnaissance, as subdomains can sometimes expose development, staging, or legacy systems not directly visible on the main website.

Issue with GooFuzz

Google Search has built-in protections to detect and limit automated or suspicious activity. If the tool stops returning results during use, it likely means that Google has temporarily restricted access from your IP address.

This happens to prevent abuse from automated queries and protect the integrity of their services. If encountered, you may need to wait for a while or manually solve the CAPTCHA before resuming.

2. httpx: Fast and Versatile HTTP Toolkit

httpx is a high-speed, versatile HTTP toolkit used for sending multiple HTTP requests (or probes) efficiently. It leverages the retryablehttp library, which automatically retries failed requests to improve reliability. Designed for performance, httpx can handle a large number of concurrent threads without compromising the accuracy and consistency of its results. It checks for live websites, detects technologies, and extracts useful information like titles, status codes, and web servers.

Installation on Linux

Install golang

First, you need Go (golang) to install the tool, so let's install it:

sudo apt update && sudo apt install golang -y

Install httpx

We can install httpx with a single command:

go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest

Add in PATH

Now we need to add it to the PATH. Append the export line to ~/.bashrc so it persists across sessions, then reload the file:

echo 'export PATH="$PATH:$(go env GOPATH)/bin"' >> ~/.bashrc
source ~/.bashrc

Now you can run httpx easily

Using httpx

Let us create a basic file containing two random websites and use that file for our tutorial.

Basic Probe with Status Code

We can use the `-sc` flag (short for `-status-code`) to get the status code of each response. For example,

Get Technology Details

We can use the `-td` flag, short for `-tech-detect`, to get basic information about what a site is built with, i.e. to display the technology in use based on the wappalyzer dataset. For example,

Integration with Subfinder

A particularly effective and widely adopted use case is the integration of httpx with subfinder. subfinder is a powerful subdomain discovery tool that enumerates subdomains associated with a target domain. However, identifying subdomains alone isn’t enough; it’s equally important to determine which of those subdomains are alive and responding to HTTP requests.

This is where httpx complements the process. By piping the output from subfinder directly into httpx, security professionals can quickly probe the discovered subdomains, gather HTTP response details, and identify live web services for further analysis.

Check this out

subfinder -d nasa.gov -silent | httpx -status-code -title -content-length -tech-detect

Setting Requests Frequency

It is important to note that we should carefully set the number of requests per second to avoid getting blocked from our target.
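
The scope exclusion and request-rate points above, combined into one step before probing. This is an added example, not code from the original guide or from the httpx project: the function name in_scope_hosts, the file name out-of-scope.txt and the rate value 10 are assumptions, and example.com is a placeholder for a domain you are authorized to test.

```shell
#!/usr/bin/env bash
# Added example: drop out-of-scope hosts before anything is probed.
# in_scope_hosts reads candidate hostnames on stdin and prints only those
# that are neither listed in the exclusion file nor subdomains of an entry.
# It fails closed: if the exclusion list cannot be read, nothing is printed.
in_scope_hosts() {
    exclude_file=$1
    [ -r "$exclude_file" ] || {
        echo "exclusion list not readable: $exclude_file" >&2
        return 2
    }
    awk -v excl="$exclude_file" '
        BEGIN {
            while ((getline line < excl) > 0) {
                sub(/#.*/, "", line)        # allow comments in the list
                gsub(/[ \t\r]/, "", line)   # strip whitespace and CRs
                if (line != "") deny[tolower(line)] = 1
            }
        }
        {
            host = tolower($1)
            sub(/\.$/, "", host)            # normalise a trailing dot
            if (host == "") next
            blocked = 0
            for (d in deny) {
                suffix = "." d
                # exact match, or host ends with ".<excluded name>"
                if (host == d || (length(host) > length(suffix) &&
                    substr(host, length(host) - length(suffix) + 1) == suffix)) {
                    blocked = 1
                    break
                }
            }
            if (!blocked && !seen[host]++) print host
        }'
}

# Typical use (requires subfinder and httpx):
#   subfinder -d example.com -silent \
#     | in_scope_hosts out-of-scope.txt \
#     | httpx -sc -title -rl 10      # -rl / -rate-limit: max requests per second
```

The suffix comparison is anchored on a leading dot, so excluding abc.example.com also drops dev.abc.example.com but keeps an unrelated name such as xabc.example.com.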

Output Options

httpx offers several options for saving results to files. Let us try a simple one:

subfinder -d india.gov.in -silent | httpx -status-code -title -content-length -tech-detect -o alive-subdomains.txt

httpx is an extensive tool, and you can read more about it here:

https://github.com/projectdiscovery/httpx

Conclusion

Mastering GooFuzz, httpx, and Subfinder is a game-changer for penetration testers, especially in the initial reconnaissance phase. These tools work seamlessly together. Subfinder uncovers hidden subdomains, httpx quickly verifies live hosts and detects technologies, and GooFuzz brute-forces directories and files to expose vulnerabilities. By combining them, security professionals can automate the discovery of attack surfaces, identify weak points (like exposed admin panels or outdated servers), and prioritize targets efficiently. This approach not only speeds up assessments but also uncovers critical flaws that manual testing might miss. For bug bounty hunters and red teams, proficiency in these tools means finding more vulnerabilities faster, making them essential skills in modern cybersecurity.