> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/enumeration/parameter-fuzzing/trick-0394.md).

# Gobuster Fuzz Parameter Value

***

Generate a wordlist containing potential values for the parameter. For example, generating numbers 0-99:

```python
python -c 'for i in range(0,100): print(i)' > 100nums.txt
```

Then, use `gobuster fuzz` to test potential values for a parameter. The `FUZZ` keyword is used as a placeholder for the value that will be replaced by entries from the wordlist. For fuzzing a GET parameter, specify the target URL with `FUZZ` in the parameter's value:

```bash
gobuster fuzz -u https://example.com/path?param=FUZZ -w wordlist.txt
```

You can also include custom headers and cookies when fuzzing GET requests:

```bash
gobuster fuzz -u "http://example.com/index.php?id=FUZZ" -w /path/to/wordlist.txt -c "cookie1=value1; cookie2=value2" -H "X-Forwarded-For: 127.0.0.1"
```

For fuzzing POST data, use the `-X POST` flag and the `-d` flag to specify the data body, again using `FUZZ` as the placeholder:

```bash
gobuster fuzz -u "http://example.com/login.php" -w /path/to/wordlist.txt -X POST -d "username=admin&password=FUZZ"
```

Key options when using `gobuster fuzz` include:

* `-u`: Specifies the target URL, including the `FUZZ` placeholder.
* `-w`: Specifies the wordlist file containing potential values.
* `-X`: Specifies the HTTP method (e.g., `GET`, `POST`).
* `-d`: Specifies the data to send with non-GET requests (e.g., POST data), using the `FUZZ` keyword.
* `-c`: Adds custom cookies to the request.
* `-H`: Adds custom headers to the request.
* `-t`: Sets the number of concurrent threads (concurrency level).
* `-to`: Specifies the timeout for requests.
* `-k`: Skips SSL certificate verification (insecure).
* `-s`: Filters results based on status codes (e.g., `200,204,301`).
* `-L`: Filters results based on response length.

After running the command, monitor the output for different response lengths or status codes that might indicate valid or interesting values. This is a common way to identify successful hits or different behavior. For example, a different response length for `secret=73` might signify a successful or unique interaction. You can use the `-s` and `-L` flags to automatically filter results based on these criteria.
