Virtual host fuzzing
A single web server can host multiple websites, each served for a different domain name. To choose which website to serve for which domain, many servers use what is called "virtual hosting". Virtual hosting can be name-based, IP-based, or port-based.
Two main mechanisms can be used to reach a website on a virtual host:
- HTTP: the use of the `Host` request header. The client uses the `<host>` directive to connect to the domain name of the server. Optionally, it can use the `<port>` directive to specify the TCP port number on which the server is listening.
- HTTPS: the use of the Server Name Indication (SNI) extension with TLS. The client indicates the hostname it wants to connect to at the start of the handshake process.
When a domain name is in scope, virtual host (a.k.a. vhost) fuzzing is recommended to find alternate domain names or subdomains that point to a virtual host, and thus gain better knowledge of the attack surface. This technique relies on the attacker using a dictionary/wordlist. A request is made for every line of the wordlist, and the responses are compared to tell apart virtual hosts that exist from those that don't.
Vhost fuzzing needs to be slowed down when testing production instances, as it could otherwise lead to an unintended denial of service.
```bash
gobuster vhost --useragent "PENTEST" --wordlist "/path/to/wordlist.txt" --url $URL
wfuzz -H "Host: FUZZ.something.com" --hc 404,403 -H "User-Agent: PENTEST" -c -z file,"/path/to/wordlist.txt" $URL
ffuf -H "Host: FUZZ.$DOMAIN" -H "User-Agent: PENTEST" -c -w "/path/to/wordlist.txt" -u $URL
```
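A wordlist run like the ones above leaves a distinctive trace on the server side: one client asking for many `Host` names the server does not serve within a short window. The following detector over access logs is an added example written for this page, not code from the original; it assumes an nginx/Apache "combined" log format with `$host` prepended (the `KNOWN_HOSTS` set and the log lines are constructed).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (not from the page): combined log with the requested
# virtual host prepended, e.g. nginx
#   log_format vhost '$host $remote_addr - $remote_user [$time_local] "$request" '
#                    '$status $body_bytes_sent "$http_referer" "$http_user_agent"';
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def detect_vhost_fuzzing(lines, known_hosts, threshold=5, window=timedelta(minutes=5)):
    """Return {client_ip: sorted unknown Host values} for every client that asked
    for at least `threshold` distinct Host names this server does not serve
    within `window`. A legitimate client resolves one or two names; a wordlist
    run produces dozens, most of them answered by the default vhost."""
    per_ip = defaultdict(list)  # ip -> [(timestamp, unknown host)]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["host"].lower() not in known_hosts:
            per_ip[rec["ip"]].append((rec["ts"], rec["host"].lower()))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over events
            in_window = {h for t, h in events[i:] if t - start <= window}
            if len(in_window) >= threshold:
                flagged[ip] = sorted(in_window)
                break
    return flagged

KNOWN_HOSTS = {"www.example.com", "api.example.com"}  # constructed

SAMPLE_LOG = """\
www.example.com 198.51.100.7 - - [10/Oct/2023:13:55:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
api.example.com 198.51.100.7 - - [10/Oct/2023:13:55:02 +0000] "GET /v1 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
admin.example.com 203.0.113.5 - - [10/Oct/2023:13:56:00 +0000] "GET / HTTP/1.1" 404 153 "-" "PENTEST"
dev.example.com 203.0.113.5 - - [10/Oct/2023:13:56:00 +0000] "GET / HTTP/1.1" 404 153 "-" "PENTEST"
staging.example.com 203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 404 153 "-" "PENTEST"
test.example.com 203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 404 153 "-" "PENTEST"
old.example.com 203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET / HTTP/1.1" 200 4120 "-" "PENTEST"
"""  # constructed sample; a real run has far more lines per client
```

Hosts that appear in the flagged list but were answered with something other than the default 404 page (here `old.example.com`) are the names the wordlist actually uncovered, which is what the defender most wants reviewed.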