FFUF is a fast web fuzzer written in Go. So let have a look on some of the features of the tool that will make user understand more about it;
Example Cases
Typical directory discovery
Also Read – AntiDisposmail : Detecting Disposable Email Addresses
By using the FUZZ keyword at the end of URL (-u
):
ffuf -w /path/to/wordlist -u https://target/FUZZ
Virtual host discovery (without DNS records)
Assuming that the default virtualhost response size is 4242 bytes, we can filter out all the responses of that size (-fs 4242
)while fuzzing the Host – header:
ffuf -w /path/to/vhost/wordlist -u https://target -H “Host: FUZZ” -fs 4242
GET parameter fuzzing
GET parameter name fuzzing is very similar to directory discovery, and works by defining the FUZZ
keyword as a part of the URL. This also assumes an response size of 4242 bytes for invalid GET parameter name.
ffuf -w /path/to/paramnames.txt -u https://target/script.php?FUZZ=test_value -fs 4242
If the parameter name is known, the values can be fuzzed the same way. This example assumes a wrong parameter value returning HTTP response code 401.
ffuf -w /path/to/values.txt -u https://target/script.php?valid_name=FUZZ -fc 401
POST Data Fuzzing
This is a very straightforward operation, again by using the FUZZ
keyword. This example is fuzzing only part of the POST request. We’re again filtering out the 401 responses.
ffuf -w /path/to/postdata.txt -X POST -d “username=admin\&password=FUZZ” -u https://target/login.php -fc 401
Using External Mutator To Produce Test Cases
For this example, we’ll fuzz JSON data that’s sent over POST. Radamsa is used as the mutator.
When --input-cmd
is used, ffuf will display matches as their position. This same position value will be available for the callee as an environment variable $FFUF_NUM
. We’ll use this position value as the seed for the mutator. Files example1.txt and example2.txt contain valid JSON payloads. We are matching all the responses, but filtering out response code 400 - Bad request
:
ffuf –input-cmd ‘radamsa –seed $FFUF_NUM example1.txt example2.txt’ -H “Content-Type: application/json” -X POST -u https://ffuf.io.fi/ -mc all -fc 400
Usage
To define the test case for ffuf, use the keyword FUZZ
anywhere in the URL (-u
), headers (-H
), or POST data (-d
).
Usage of ./ffuf:
-D DirSearch style wordlist compatibility mode. Used in conjunction with -e flag. Replaces %EXT% in wordlist entry with each of the extensions provided by -e.
-H “Name: Value”
Header “Name: Value”, separated by colon. Multiple -H flags are accepted.
-V Show version information.
-X string
HTTP method to use (default “GET”)
-ac
Automatically calibrate filtering options
-acc value
Custom auto-calibration string. Can be used multiple times. Implies -ac
-b “NAME1=VALUE1; NAME2=VALUE2”
Cookie data “NAME1=VALUE1; NAME2=VALUE2” for copy as curl functionality.
Results unpredictable when combined with -H “Cookie: …”
-c Colorize output.
-compressed
Dummy flag for copy as curl functionality (ignored) (default true)
-cookie value
Cookie data (alias of -b)
-d string
POST data
-data string
POST data (alias of -d)
-data-ascii string
POST data (alias of -d)
-data-binary string
POST data (alias of -d)
-debug-log string
Write all of the internal logging to the specified file.
-e string
Comma separated list of extensions to apply. Each extension provided will extend the wordlist entry once.
-fc string
Filter HTTP status codes from response. Comma separated list of codes and ranges
-fl string
Filter by amount of lines in response. Comma separated list of line counts and ranges
-fr string
Filter regexp
-fs string
Filter HTTP response size. Comma separated list of sizes and ranges
-fw string
Filter by amount of words in response. Comma separated list of word counts and ranges
-i Dummy flag for copy as curl functionality (ignored) (default true)
-input-cmd value
Command producing the input. –input-num is required when using this input method. Overrides -w.
-input-num int
Number of inputs to test. Used in conjunction with –input-cmd. (default 100)
-k TLS identity verification
-mc string
Match HTTP status codes from respose, use “all” to match every response code. (default “200,204,301,302,307,401,403”)
-ml string
Match amount of lines in response
-mode string
Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork (default “clusterbomb”)
-mr string
Match regexp
-ms string
Match HTTP response size
-mw string
Match amount of words in response
-o string
Write output to file
-of string
Output file format. Available formats: json, ejson, html, md, csv, ecsv (default “json”)
-p delay
Seconds of delay between requests, or a range of random delay. For example “0.1” or “0.1-2.0”
-r Follow redirects
-s Do not print additional information (silent mode)
-sa
Stop on all error cases. Implies -sf and -se
-se
Stop on spurious errors
-sf
Stop when > 95% of responses return 403 Forbidden
-t int
Number of concurrent threads. (default 40)
-timeout int
HTTP request timeout in seconds. (default 10)
-u string
Target URL
-v Verbose output, printing full URL and redirect location (if any) with the results.
-w value
Wordlist file path and (optional) custom fuzz keyword, using colon as delimiter. Use file path ‘-‘ to read from standard input. Can be supplied multiple times. Format: ‘/path/to/wordlist:KEYWORD’
-x string
HTTP Proxy URL
Installation
go get github.com/ffuf/ffuf
The only dependency of ffuf is Go 1.11. No dependencies outside of Go standard library are needed.
Changelog
-e
(extensions) to a single keyword: FUZZ--mode
, possible values: clusterbomb
and pitchfork
.-o
)-o
)-v
for verbose output. Including full URL, and redirect location.-o
files before exiting.--debug-log
no correctly logs connection errors-l
flag in favor of -v
-w "wordlists/custom.txt:CUSTOM" -H "RandomHeader: CUSTOM"
.-debug-log
flag.ModTask is an advanced C# tool designed for red teaming operations, focusing on manipulating scheduled…
HellBunny is a malleable shellcode loader written in C and Assembly utilizing direct and indirect…
SharpRedirect is a simple .NET Framework-based redirector from a specified local port to a destination…
Flyphish is an Ansible playbook allowing cyber security consultants to deploy a phishing server in…
A crypto library to decrypt various encrypted D-Link firmware images. Confirmed to work on the…
LLMs (e.g., GPT-3.5, LLaMA, and PaLM) suffer from hallucination—fabricating non-existent facts to cheat users without…