FFUF is a fast web fuzzer written in Go. So let have a look on some of the features of the tool that will make user understand more about it;
Example Cases
Typical directory discovery
Also Read – AntiDisposmail : Detecting Disposable Email Addresses
By using the FUZZ keyword at the end of URL (-u
):
ffuf -w /path/to/wordlist -u https://target/FUZZ
Virtual host discovery (without DNS records)
Assuming that the default virtualhost response size is 4242 bytes, we can filter out all the responses of that size (-fs 4242
)while fuzzing the Host – header:
ffuf -w /path/to/vhost/wordlist -u https://target -H “Host: FUZZ” -fs 4242
GET parameter fuzzing
GET parameter name fuzzing is very similar to directory discovery, and works by defining the FUZZ
keyword as a part of the URL. This also assumes an response size of 4242 bytes for invalid GET parameter name.
ffuf -w /path/to/paramnames.txt -u https://target/script.php?FUZZ=test_value -fs 4242
If the parameter name is known, the values can be fuzzed the same way. This example assumes a wrong parameter value returning HTTP response code 401.
ffuf -w /path/to/values.txt -u https://target/script.php?valid_name=FUZZ -fc 401
POST Data Fuzzing
This is a very straightforward operation, again by using the FUZZ
keyword. This example is fuzzing only part of the POST request. We’re again filtering out the 401 responses.
ffuf -w /path/to/postdata.txt -X POST -d “username=admin\&password=FUZZ” -u https://target/login.php -fc 401
Using External Mutator To Produce Test Cases
For this example, we’ll fuzz JSON data that’s sent over POST. Radamsa is used as the mutator.
When --input-cmd
is used, ffuf will display matches as their position. This same position value will be available for the callee as an environment variable $FFUF_NUM
. We’ll use this position value as the seed for the mutator. Files example1.txt and example2.txt contain valid JSON payloads. We are matching all the responses, but filtering out response code 400 - Bad request
:
ffuf –input-cmd ‘radamsa –seed $FFUF_NUM example1.txt example2.txt’ -H “Content-Type: application/json” -X POST -u https://ffuf.io.fi/ -mc all -fc 400
Usage
To define the test case for ffuf, use the keyword FUZZ
anywhere in the URL (-u
), headers (-H
), or POST data (-d
).
Usage of ./ffuf:
-D DirSearch style wordlist compatibility mode. Used in conjunction with -e flag. Replaces %EXT% in wordlist entry with each of the extensions provided by -e.
-H “Name: Value”
Header “Name: Value”, separated by colon. Multiple -H flags are accepted.
-V Show version information.
-X string
HTTP method to use (default “GET”)
-ac
Automatically calibrate filtering options
-acc value
Custom auto-calibration string. Can be used multiple times. Implies -ac
-b “NAME1=VALUE1; NAME2=VALUE2”
Cookie data “NAME1=VALUE1; NAME2=VALUE2” for copy as curl functionality.
Results unpredictable when combined with -H “Cookie: …”
-c Colorize output.
-compressed
Dummy flag for copy as curl functionality (ignored) (default true)
-cookie value
Cookie data (alias of -b)
-d string
POST data
-data string
POST data (alias of -d)
-data-ascii string
POST data (alias of -d)
-data-binary string
POST data (alias of -d)
-debug-log string
Write all of the internal logging to the specified file.
-e string
Comma separated list of extensions to apply. Each extension provided will extend the wordlist entry once.
-fc string
Filter HTTP status codes from response. Comma separated list of codes and ranges
-fl string
Filter by amount of lines in response. Comma separated list of line counts and ranges
-fr string
Filter regexp
-fs string
Filter HTTP response size. Comma separated list of sizes and ranges
-fw string
Filter by amount of words in response. Comma separated list of word counts and ranges
-i Dummy flag for copy as curl functionality (ignored) (default true)
-input-cmd value
Command producing the input. –input-num is required when using this input method. Overrides -w.
-input-num int
Number of inputs to test. Used in conjunction with –input-cmd. (default 100)
-k TLS identity verification
-mc string
Match HTTP status codes from respose, use “all” to match every response code. (default “200,204,301,302,307,401,403”)
-ml string
Match amount of lines in response
-mode string
Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork (default “clusterbomb”)
-mr string
Match regexp
-ms string
Match HTTP response size
-mw string
Match amount of words in response
-o string
Write output to file
-of string
Output file format. Available formats: json, ejson, html, md, csv, ecsv (default “json”)
-p delay
Seconds of delay between requests, or a range of random delay. For example “0.1” or “0.1-2.0”
-r Follow redirects
-s Do not print additional information (silent mode)
-sa
Stop on all error cases. Implies -sf and -se
-se
Stop on spurious errors
-sf
Stop when > 95% of responses return 403 Forbidden
-t int
Number of concurrent threads. (default 40)
-timeout int
HTTP request timeout in seconds. (default 10)
-u string
Target URL
-v Verbose output, printing full URL and redirect location (if any) with the results.
-w value
Wordlist file path and (optional) custom fuzz keyword, using colon as delimiter. Use file path ‘-‘ to read from standard input. Can be supplied multiple times. Format: ‘/path/to/wordlist:KEYWORD’
-x string
HTTP Proxy URL
Installation
go get github.com/ffuf/ffuf
The only dependency of ffuf is Go 1.11. No dependencies outside of Go standard library are needed.
Changelog
-e
(extensions) to a single keyword: FUZZ--mode
, possible values: clusterbomb
and pitchfork
.-o
)-o
)-v
for verbose output. Including full URL, and redirect location.-o
files before exiting.--debug-log
no correctly logs connection errors-l
flag in favor of -v
-w "wordlists/custom.txt:CUSTOM" -H "RandomHeader: CUSTOM"
.-debug-log
flag.Got it! Below is the updated README.md file with instructions for downloading the project on…
Termo-Kali bridges the gap between powerful Linux capabilities and the convenience of mobile devices by…
Welcome to the Ethical Hacking Quiz Application, designed to help learners test their knowledge of…
The WPA2 Handshake Automation Tool is a Python3 script designed to simplify the process of setting up…
A custom bash script designed to streamline your startup process and enhance your scripting skills.…
Welcome to the Cybersecurity Toolkit, a collection of essential Python tools designed for penetration testing…