Working with Vaf Tool on Kali Linux
Example 1: Simple Fuzz
In this example, We will be fuzzing files and directories from the target domain testphp.vulnweb.com. We have specified the target domain in the -u tag and specified the wordlist of possible files and directories phrases in the -w tag.
./vaf_linux_amd64 -u http://testphp.vulnweb.com/[] -w /usr/share/wordlists/dirb/common.txt
In the below Screenshot, We have got the results or the directories and files hosted on the target domain server.
Example 2: Specific Response Code
In this example, We will be fuzzing the directories and files with all the status code responses. We have used -sc tag to use all status codes.
./vaf_linux_amd64 -u http://testphp.vulnweb.com/[ ] -sc any -w /usr/share/wordlists/dirb/common.txt
In the below Screenshot, We have got the results of various status codes like 200, 404.
Example 3: Specific Extension Files
In this example, We will be fuzzing directories and files with a specific extension like PHP, HTML. We have used -sf tag to specify the extensions.
./vaf_linux_amd64 -u http://testphp.vulnweb.com/[] -w /usr/share/wordlists/dirb/common.txt -sf .php,.html
In the below Screenshot, We have got the results which are only the files that have the extension of .php, .html.
Example 4: Print URL
In this example, We will be displaying the full URL of identified files and directories.
./vaf_linux_amd64 -u http://testphp.vulnweb.com/[] -w /usr/share/wordlists/dirb/common.txt -sf .php,.html -pu
In the below Screenshot, We have got the full URL of identified files and directories.
In the below Screenshot, We are actually visiting the URL which contains file 404.php.
VAF – Fast and Advance Fuzzer Tool in Kali Linux
In this article, we are going to see the VAF tools, which is used to automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program and detect the bug.
URL Fuzzing is the art of finding hidden files and directories on the target domain server. These files and directories can have sensitive data and information that can reveal the application’s internal architecture. Doing this fuzzing task in an automated way makes it a more straightforward and time saver process for every penetration tester. VAF is the computerized tool used to fuzz the files and directories from the target domain. VAF tool is open-source and free to use. We can filter out our results by excluding specific status codes and including only the essential extensions of files like .php, .html.