Description
FuzzDB is a comprehensive dictionary of attack patterns, predictable resource locations, regex patterns for server response identification, and documentation resources. It's the go-to payload database for manual and automated web application testing.
Installation
```bash
git clone https://github.com/fuzzdb-project/fuzzdb.git
# Or reference the files directly from your tools:
# ffuf, Burp Intruder, wfuzz, etc. can all load FuzzDB files as wordlists
```
Directory Structure
```text
fuzzdb/
├── attack/                     # Attack payloads
│   ├── sql-injection/          # SQLi payloads
│   ├── xss/                    # XSS payloads
│   ├── os-cmd-execution/       # Command injection
│   ├── lfi/                    # Local file inclusion
│   ├── rfi/                    # Remote file inclusion
│   ├── xxe/                    # XXE payloads
│   └── path-traversal/         # Directory traversal
├── discovery/                  # Resource discovery
│   ├── predictable-filepaths/  # Common file/dir paths
│   ├── dns/                    # DNS wordlists
│   └── web-content/            # Web content paths
├── regex/                      # Detection patterns
│   ├── errors/                 # Error message patterns
│   └── credit-cards/           # CC number patterns
└── wordlists-user-passwd/      # Username/password lists
```
Common Usage
```bash
# Content discovery with ffuf (FUZZ is replaced by each wordlist entry)
ffuf -u https://target.com/FUZZ -w fuzzdb/discovery/predictable-filepaths/filename-dirname-bruteforce/raft-medium-directories.txt

# SQLi detection with Burp Intruder
# Load as the payload list: fuzzdb/attack/sql-injection/detect/xplatform.txt

# XSS payload testing: -mr keeps only responses that reflect the payload
# (ffuf substitutes the FUZZ keyword inside the -mr/-fr regex as well)
ffuf -u "https://target.com/search?q=FUZZ" -w fuzzdb/attack/xss/xss-uri.txt -mr "FUZZ"

# LFI testing
ffuf -u "https://target.com/page?file=FUZZ" -w fuzzdb/attack/lfi/common-lfi-params.txt

# Error-based detection
# Run the regex patterns from fuzzdb/regex/errors/ over responses to spot
# leaked SQL errors and stack traces
```
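The error-pattern step above is just as useful from the defending side: run the same signatures over your own application's responses (or a crawl of a staging build) and fail the build when an error page leaks database or framework internals. The following is an added example, not code from FuzzDB or from this page; the pattern file contents and the sample responses are constructed here for illustration, and the file format assumed (one regex per line, `#` comments ignored) is an assumption rather than a documented FuzzDB convention.

```python
import re

# Constructed sample of error-disclosure signatures in the spirit of
# fuzzdb/regex/errors/. These are illustrative, not the file's actual contents.
# Assumed format: one regex per line, blank lines and "#" comments ignored.
SAMPLE_PATTERN_FILE = """
# MySQL
You have an error in your SQL syntax
Warning: mysql_\\w+\\(\\)
# Oracle
ORA-\\d{5}
# Microsoft SQL Server / ADO
Microsoft OLE DB Provider for
Unclosed quotation mark after the character string
# Java / ASP.NET stack traces
Exception in thread "\\w+"
\\tat [\\w.$]+\\([\\w]+\\.java:\\d+\\)
Server Error in '/' Application
"""


def load_patterns(text):
    """Parse a pattern file into compiled, case-insensitive regexes."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(re.compile(line, re.IGNORECASE))
    return patterns


def scan_response(body, patterns):
    """Return the pattern strings that match anywhere in a response body."""
    return [p.pattern for p in patterns if p.search(body)]


def triage_responses(responses, patterns):
    """Map each (label, body) pair to the signatures it leaks.

    An empty list means the response disclosed none of the known error
    fingerprints; anything else is a finding to fix in error handling."""
    return {label: scan_response(body, patterns) for label, body in responses}


PATTERNS = load_patterns(SAMPLE_PATTERN_FILE)

# Constructed sample responses, as a crawler or test suite might collect them.
SAMPLE_RESPONSES = [
    ("mysql", "<html>You have an error in your SQL syntax; check the manual</html>"),
    ("oracle", "ORA-01756: quoted string not properly terminated"),
    ("java", 'Exception in thread "main" java.lang.NullPointerException\n'
             "\tat com.example.Foo.bar(Foo.java:42)"),
    ("healthy", "<html><body>Search results: 0 items</body></html>"),
]


def demo():
    """Triage the constructed sample; only 'healthy' should come back clean."""
    return triage_responses(SAMPLE_RESPONSES, PATTERNS)


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:8s} {'LEAK ' + ', '.join(hits) if hits else 'clean'}")
```

Point the loader at the real files under fuzzdb/regex/errors/ once you have confirmed their line format, and wire `triage_responses` into an integration test so that a regression to verbose error pages is caught before deployment rather than by someone else's scanner.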
Bug Bounty Tips
```bash
# Most useful wordlists for bug bounty:
# 1. fuzzdb/attack/sql-injection/detect/*.txt  -> quick SQLi detection
# 2. fuzzdb/attack/xss/*.txt                    -> comprehensive XSS payloads
# 3. fuzzdb/discovery/predictable-filepaths/    -> hidden file discovery
# 4. fuzzdb/attack/lfi/                          -> LFI/path traversal payloads
# 5. fuzzdb/attack/os-cmd-execution/             -> command injection payloads
```
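The predictable-filepaths lists (item 3 above, and the ffuf content-discovery command in the usage section) are equally valuable as a pre-deploy audit: check the web root you are about to ship against the same wordlist so that nothing in it exists when a scanner arrives. This is an added example, not code from FuzzDB or from this page; the wordlist entries are constructed stand-ins for the much longer real files, and the assumed format (one relative path per line, `#` comments ignored) is an assumption.

```python
import os
import tempfile

# Constructed sample in the style of a fuzzdb/discovery/predictable-filepaths/
# wordlist; the real files are far longer. Assumed format: one path per line.
SAMPLE_WORDLIST = """
# backups and VCS leftovers
.git/HEAD
.env
backup.zip
config.php.bak
# admin and debug endpoints
admin/
phpinfo.php
server-status
"""


def load_wordlist(text):
    """Parse a wordlist, skipping blanks and '#' comments, and strip leading
    and trailing slashes so entries compare cleanly with filesystem paths."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entries.append(line.strip("/"))
    return entries


def find_exposed_paths(webroot, entries):
    """Return the wordlist entries that exist under webroot (file or directory).

    Entries are split on '/' and rejoined with os.path.join so the check works
    on any platform; the result is sorted for stable reporting."""
    found = []
    for rel in entries:
        if os.path.exists(os.path.join(webroot, *rel.split("/"))):
            found.append(rel)
    return sorted(found)


def demo():
    """Build a throw-away web root with two typical leftovers and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".git"))
        with open(os.path.join(root, ".git", "HEAD"), "w") as f:
            f.write("ref: refs/heads/main\n")
        open(os.path.join(root, "config.php.bak"), "w").close()
        open(os.path.join(root, "index.php"), "w").close()  # legitimate file
        return find_exposed_paths(root, load_wordlist(SAMPLE_WORDLIST))


if __name__ == "__main__":
    for rel in demo():
        print("exposed:", rel)
```

Run `find_exposed_paths` against the real deploy directory with the actual FuzzDB lists and make a non-empty result fail the pipeline; the two hits in the demo (`.git/HEAD` and a `.bak` copy of a config file) are exactly the kind of leftover these lists are designed to find.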