-
You can perform web application fuzzing on any server that is running a web service (including SSL).
-
Burp Suite is a Java-based tool that can be used on Microsoft Windows, but for Wfuzz and ffuf, you have to install Python on Windows as these tools are Python-based.
-
No. Performing fuzz testing is optional in a regular penetration test and it needs to be discussed with the client. If the client asks for it, then it will be mandatory; otherwise, pen testing can be done without fuzzing. However, it's always a good practice to perform fuzzing anyway because you may find a critical-severity vulnerability that has been missed by the scanner.
-
These range from technical vulnerabilities, such as Remote Code Executions (RCE), SQL Injections (SQLi), and Cross-Site Scripting (XSS) to logical vulnerabilities such as account takeovers, parameter manipulations, response manipulations, and authentication token bypasses.