Reconnaissance & Target Discovery

Content Discovery

Hidden directories, backup files, and forgotten endpoints are goldmines for bug bounty hunters. Content discovery finds what developers meant to hide.

Directory Fuzzing with ffuf

ffuf (Fuzz Faster U Fool) is the 2026 standard for directory fuzzing:

```bash
# Basic directory fuzzing
ffuf -u https://example.com/FUZZ -w /path/to/wordlist.txt

# Filter by status code (remove 404s)
ffuf -u https://example.com/FUZZ -w wordlist.txt -fc 404

# Filter by response size (remove noise)
ffuf -u https://example.com/FUZZ -w wordlist.txt -fs 1234

# Multiple wordlists: each keyword bound with -w must also appear in the request,
# otherwise ffuf refuses to start ("Keyword FUZZ2 defined, but not found ...")
ffuf -u https://example.com/FUZZ/FUZZ2 -w wordlist1.txt:FUZZ -w wordlist2.txt:FUZZ2

# Recursive fuzzing
ffuf -u https://example.com/FUZZ -w wordlist.txt -recursion -recursion-depth 2
```

Essential Wordlists

| Wordlist | Use Case | Size |
|---|---|---|
| directory-list-2.3-medium.txt | General directories | 220K |
| common.txt | Quick scan | 4.6K |
| raft-large-files.txt | File discovery | 37K |
| api-endpoints.txt | API fuzzing | 5K |
| backup-files.txt | Backup detection | 1K |

```bash
# Location in SecLists
ls ~/wordlists/SecLists/Discovery/Web-Content/
```

Parameter Discovery

Find hidden GET/POST parameters:

```bash
# Using Arjun
arjun -u https://example.com/page -m GET

# Using ffuf for parameter fuzzing
ffuf -u "https://example.com/page?FUZZ=test" -w params.txt -fs 4242

# Using paramspider
paramspider -d example.com
```

File Extension Fuzzing

Find files with specific extensions:

```bash
# Backup files
ffuf -u https://example.com/config.FUZZ -w extensions.txt

# Common backup extensions
# .bak, .old, .backup, .swp, .sav, .orig, ~, .copy

# Source files
ffuf -u https://example.com/index.FUZZ -w extensions.txt -fc 404
```

Historical Content Recovery

Wayback Machine reveals deleted content:

```bash
# Using waybackurls
echo "example.com" | waybackurls | grep -E "\.(php|asp|aspx|jsp|json)$"

# Using gau (Get All URLs)
gau example.com --threads 5 | grep -E "api|admin|config|backup"

# Check if historical URLs still work
cat historical-urls.txt | httpx -silent -status-code | grep "\[200\]"
```

Common Findings

Sensitive Files

```text
# Files to always check
/.env
/.git/config
/config.php.bak
/web.config
/.htaccess
/server-status
/info.php
/phpinfo.php
/.DS_Store
/backup.sql
/database.sql
```

Admin Panels

```text
# Common admin paths
/admin
/administrator
/wp-admin
/cpanel
/webmaster
/siteadmin
/dashboard
/manage
```

API Endpoints

```text
# API patterns
/api/v1/
/api/v2/
/graphql
/swagger
/api-docs
/openapi.json
/__debug__
```

Nuclei for Content Discovery

Automate finding exposed files:

```bash
# Run exposed file templates
nuclei -l live-hosts.txt -tags exposure,config -o exposed-files.txt

# Specific templates
nuclei -l live-hosts.txt -t exposures/files/ -t exposures/configs/
```

Real Attack Chain

  1. ffuf finds /backup/
  2. Further fuzzing reveals /backup/db-2025-01.sql.gz
  3. Download contains database credentials
  4. Credentials work on exposed admin panel
  5. Result: Critical vulnerability, $10,000+ bounty

Efficient Fuzzing Strategy

```bash
# Phase 1: Quick common scan
ffuf -u https://example.com/FUZZ -w common.txt -fc 404 -t 100

# Phase 2: Medium wordlist on interesting paths
ffuf -u https://example.com/api/FUZZ -w directory-list-2.3-medium.txt -fc 404

# Phase 3: Extension fuzzing on found directories
ffuf -u https://example.com/backup/FUZZ -w filenames.txt -e .bak,.sql,.zip,.gz
```

Documentation

```markdown
## Content Discovery: example.com

### Directories Found
- /admin (403 Forbidden - ACL in place)
- /api/v1 (200 - needs authentication)
- /backup (301 → requires further fuzzing)

### Interesting Files
- /robots.txt - reveals /staging, /internal
- /.git/config - 404 but .git/HEAD returns content!

### Next Steps
- Exploit .git exposure
- Fuzz /backup with file extensions
- Test /api/v1 with default creds
```

Pro Tip: Low and slow wins the race. Aggressive fuzzing gets you blocked. Use -rate 50 or lower on sensitive targets.
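Seen from the server side, as an added example that is not part of the original page: a small Python detector that reads combined-format access logs and flags both the noisy ffuf burst (a minute with mostly 404s) and the "low and slow" probing of the sensitive files listed above, which a rate threshold alone never catches. The log lines, IPs and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
# Added example (not from the original page): flag content-discovery fuzzing in
# combined-format web server access logs. All log lines here are constructed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# The page's "files to always check", watched from the server side.
SENSITIVE_PATHS = {"/.env", "/.git/config", "/.git/HEAD", "/config.php.bak", "/web.config", "/.htaccess",
                   "/server-status", "/phpinfo.php", "/.DS_Store", "/backup.sql", "/database.sql"}
def parse_line(line):
    """Return (ip, minute_bucket, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    minute = m["ts"][:17]                 # 'dd/Mon/yyyy:HH:MM' -> one-minute bucket
    path = m["path"].split("?", 1)[0]     # ignore query strings
    return m["ip"], minute, path, int(m["status"])

def detect_fuzzing(lines, min_requests=20, not_found_ratio=0.8):
    """Map client IP -> reasons it looks like a scanner. Signal 1: a one-minute bucket with
    >= min_requests that are mostly 404s (a typical ffuf run; the client-side -fc 404 filter
    hides nothing from the server). Signal 2: any request for a sensitive path, which catches
    'low and slow' probing that never trips a rate threshold."""
    buckets = defaultdict(lambda: [0, 0])   # (ip, minute) -> [requests, 404s]
    probes = defaultdict(set)               # ip -> sensitive paths requested
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, minute, path, status = rec
        buckets[(ip, minute)][0] += 1
        buckets[(ip, minute)][1] += int(status == 404)
        if path in SENSITIVE_PATHS:
            probes[ip].add(path)
    findings = defaultdict(list)
    for (ip, minute), (total, nf) in buckets.items():
        if total >= min_requests and nf / total >= not_found_ratio:
            findings[ip].append(f"{nf}/{total} 404s in minute {minute}")
    for ip, paths in probes.items():
        findings[ip].append("sensitive path probes: " + ", ".join(sorted(paths)))
    return dict(findings)

def sample_log():
    """Constructed lines: one 30-request ffuf burst, one slow prober, one normal user."""
    fmt = '{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" {st} 512 "-" "curl/8.0"'
    lines = [fmt.format(ip="203.0.113.5", ts=f"01/Mar/2026:10:15:{s:02d}", path=f"/w{s}", st=404)
             for s in range(30)]
    lines += [fmt.format(ip="198.51.100.7", ts=f"01/Mar/2026:{h:02d}:00:00", path=p, st=404)
              for h, p in ((1, "/.env"), (5, "/.git/config"), (9, "/backup.sql"))]
    lines.append(fmt.format(ip="192.0.2.10", ts="01/Mar/2026:10:15:10", path="/index.html", st=200))
    return lines
```

Running `detect_fuzzing(sample_log())` flags the burst host and the slow prober while leaving the single normal request alone; in production, feed it the real log and tune `min_requests` to your traffic.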

Next module: We dive into OWASP Top 10:2025 web vulnerabilities.
