Making Zero Days

Otto has written some zero-days for cryptocurrencies. Joona authored a world-leading web fuzzer. Nikita can hack Active Directory.

And they all visited my penetration testing course, sharing their advice with me & my students.

Fuffme - Install Web Fuzzing Target on Debian

Web fuzzers can find unlinked, hidden directories. They can also find vulnerabilities in query parameters.

This article shows you how to install ffufme pratice target and ffuf, the leading web fuzzer.

Find Hidden Web Directories - Fuzz URLs with ffuf

Web servers often have secret directories, not linked from anywhere.

You could find them by trying different paths manually: /secret, /.svn /admin. This article shows you how fuff can do this to you automatically.

For practice, I coded a target that you can run locally, without Internet. I will also tell you the solution, so you can test your environment. As bonus, there is a challenge target where you can find to solution yourself.