> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/enumeration/parameter-fuzzing/trick-0202.md).

# HTTP Parameter Fuzzing (Numeric Range)

***

Discover a hidden GET parameter's valid numeric value by fuzzing a specific range. This is often hinted at by error messages or source code comments suggesting a numeric input range (e.g., 0-99).

Use `ffuf` with a wordlist containing the numeric range and filter responses to identify unique status codes, sizes, or word counts that indicate a valid parameter value was hit.

```bash
ffuf -w numbers_0_to_99.txt -u http://target/hidden_page/?param=FUZZ -mc all -fw 45
```

In this command, `numbers_0_to_99.txt` is a wordlist containing integers from 0 to 99. The `-fw 45` filter is used to exclude responses with a specific word count (45), helping to spot unique responses that indicate a valid value for the `param` was found. A unique response could reveal different content or behavior specific to that valid input.

Beyond using pre-generated wordlists, `ffuf` can directly fuzz a numeric range.

```bash
ffuf -w 0-100:NUM -u http://target.com/page.php?id=NUM -mc 200
```

This command will fuzz the parameter `id` with numbers from 0 to 100, looking for responses with a 200 status code. This technique is useful for fuzzing a numeric range.

`ffuf` also supports using multiple wordlists simultaneously for more complex scenarios, such as fuzzing different parts of the request.

```bash
ffuf -w /path/to/wordlist1:W1 -w /path/to/wordlist2:W2 -u http://target.com/W1/page?param=W2 -recursion
```

This command will fuzz the URL path with `wordlist1` (aliased as `W1`) and the parameter `param` with `wordlist2` (aliased as `W2`). The `-recursion` flag can be used to follow redirects and continue fuzzing.

Filtering is crucial to identify interesting responses. You can filter based on various aspects of the HTTP response. Common filtering options include:

* `-mc <status codes>`: Match status codes (e.g., `-mc 200,204,301`).
* `-fc <status codes>`: Filter out status codes (e.g., `-fc 404`).
* `-fs <size>`: Filter out response size (e.g., `-fs 0`).
* `-fw <word count>`: Filter out word count (e.g., `-fw 1`).
* `-fl <line count>`: Filter out line count (e.g., `-fl 1`).
* `-ms <size>`: Match response size.
* `-mw <word count>`: Match word count.
* `-ml <line count>`: Match line count.

For example, to fuzz a directory and filter out common 404 responses:

```bash
ffuf -w /path/to/wordlist -u http://target.com/FUZZ -fc 404
```

To filter based on response size, excluding responses that are 0 bytes:

```bash
ffuf -w /path/to/wordlist -u http://target.com/FUZZ -fs 0
```

Beyond URL path and query parameters, `ffuf` can also fuzz HTTP headers using the `-H` flag. This is useful for discovering vulnerabilities related to specific header values. The `FUZZ` keyword is placed within the header value.

```bash
ffuf -w users.txt -u http://example.com -H "X-Forwarded-For: FUZZ" -mc 200
```

This command attempts to fuzz the `X-Forwarded-For` header with values from `users.txt` and matches responses with a 200 status code.

Fuzzing cookies is another common use case for header fuzzing:

```bash
ffuf -w wordlist.txt -u https://target.com -H "Cookie: name=FUZZ"
```

For testing endpoints that require data sent in the request body, such as login forms, `ffuf` supports specifying the HTTP method with `-X` and the POST data with `-d`.

```bash
ffuf -w /path/to/wordlist -u http://target.com/login -X POST -d "username=FUZZ&password=password" -mc 200,302
```

This command fuzzes the `username` parameter in a POST request body, targeting a login endpoint and matching successful login redirects (302) or success pages (200). Multiple parameters in the POST data can also be fuzzed by adding more `FUZZ` keywords and corresponding wordlists using aliases.
