After this lesson, you will be able to: Fuzz for hidden content and parameters: directory/file discovery (and when to use feroxbuster/gobuster instead), parameter and header fuzzing, SecLists wordlists, and Turbo Intruder for speed.
Fuzzing sends unexpected or wordlist-driven input to discover hidden content and behavior. This lesson covers directory/file discovery, parameter and header fuzzing, the SecLists wordlists, and Turbo Intruder, plus when a dedicated tool beats Burp for the job.
Fuzzing sends many crafted or wordlist-based inputs to find crashes, errors, or hidden behavior. In web testing, the most common kinds are content discovery (finding hidden paths and files) and parameter discovery (finding undocumented inputs). The signal is usually a response status or length that differs from the baseline.
Hidden admin panels, backup files (.bak, .old), and config files are common finds. You can fuzz paths with Intruder against a wordlist, but for this specific task dedicated tools are much faster: feroxbuster and gobuster are built for content discovery and outpace Burp Community's throttled Intruder. Use Burp when you need its session handling or want everything in one place; use feroxbuster/gobuster for raw speed on directory brute forcing.
Applications often accept parameters that are not in any documentation or form. Parameter fuzzing tries a wordlist of parameter names to see which ones change the response, revealing hidden functionality (the Param Miner extension automates this). Header fuzzing tests custom and security-relevant headers: X-Forwarded-For manipulation, and Host header attacks that can poison password-reset links or cache. These hidden inputs are frequently where the interesting bugs hide.
SecLists is the essential collection of wordlists: different lists for directory brute forcing, parameter names, usernames, and passwords. Choosing the right list for the task matters more than list size. Turbo Intruder is a Burp extension that runs Intruder-style attacks at high speed via a short Python script, the standard way to get speed in Community. For pure content discovery, though, feroxbuster is often the simplest fast option.
Use a PortSwigger lab.
1. Pick a lab with hidden content (or an access-control lab with an unlinked admin path).
2. Send a request for a path to Intruder, mark the path segment as the position, and load a SecLists directory wordlist.
3. Run the attack and sort by status/length; a 200 or 302 among many 404s is your hidden endpoint.
4. Confirm by browsing to it. Note how feroxbuster would do the same faster outside Burp.
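The baselining and triage logic behind step 3, as an added example that is not part of the course material: a fake `send` callable (constructed here) stands in for the HTTP request so the script runs offline, and the same `fuzz` function serves path discovery and parameter discovery by changing the template.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Iterable

@dataclass(frozen=True)
class Response:
    status: int
    length: int

def fuzz(send: Callable[[str], Response], template: str, words: Iterable[str],
         probes: tuple[str, ...] = ("zz-nonexistent-9f1b", "zz-nonexistent-c4d2"),
         ) -> dict[str, list[tuple[str, Response]]]:
    """Fuzz the {FUZZ} slot of `template` and return hits grouped by category.

    The baseline is the server's answer for names that should not exist.  A word
    is a hit when its status differs from that baseline or its length falls
    outside the baseline's length range; 302/401/403 are kept as their own
    buckets because they mark paths that exist but are gated."""
    base = [send(template.replace("{FUZZ}", p)) for p in probes]
    base_status = base[0].status
    lo = min(r.length for r in base)
    hi = max(r.length for r in base)
    hits: dict[str, list[tuple[str, Response]]] = {
        "content": [], "redirect": [], "protected": [], "other": []}
    for w in words:
        r = send(template.replace("{FUZZ}", w))
        if r.status == base_status and lo <= r.length <= hi:
            continue  # indistinguishable from the baseline: discard
        if 200 <= r.status < 300:
            cat = "content"
        elif 300 <= r.status < 400:
            cat = "redirect"          # often a login redirect: present, gated
        elif r.status in (401, 403):
            cat = "protected"         # present but forbidden: still a finding
        else:
            cat = "other"             # e.g. 500s worth a manual look
        hits[cat].append((w, r))
    return hits

# Constructed fake target for the offline demo (not a real site).  Swap in a
# real sender such as requests.get only against a lab you are authorised to test.
_FAKE_SITE = {
    "/admin": Response(302, 0),         # redirects to login
    "/backup.zip": Response(403, 162),  # forbidden, but it exists
    "/robots.txt": Response(200, 54),
    "/?debug=1": Response(200, 2310),   # hidden parameter changes the page
}

def fake_send(url: str) -> Response:
    if url in _FAKE_SITE:
        return _FAKE_SITE[url]
    if url.startswith("/?"):
        return Response(200, 2048)      # unknown parameters are ignored
    return Response(404, 1207)          # fixed-size 404 page

if __name__ == "__main__":
    for cat, found in fuzz(fake_send, "/{FUZZ}", ["admin", "backup.zip", "login", "robots.txt"]).items():
        for word, r in found:
            print(f"{cat:9} {r.status} {r.length:5} {word}")
```

With a real sender, point the template at a lab path or parameter slot (for example `/?{FUZZ}=1` for parameter names) and feed it a SecLists list.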
Common mistakes to avoid:
1. Using a giant wordlist when a targeted one would do.
2. Ignoring 302/401/403 responses, which often reveal protected-but-present paths.
3. Forgetting parameter and header fuzzing entirely (where many bugs hide).
4. Fighting Community's throttle instead of using Turbo Intruder or feroxbuster.
5. Fuzzing a real target without authorization.
6. Not baselining the normal response, so you cannot tell what is an outlier.