ffuf

Fuzz Faster U Fool

Install from source

go get github.com/ffuf/ffuf

Operators

• -u -> Target URL.

• -w -> Path to wordlist.

• -r -> Follow Redirects.

• -t -> Number of threads to run ( Normal : 50; Fast: 200).

• -v -> Verbose Output.

• -c -> Colorful output.

• -e <extension> -> Scan for extensions.

• -sf -> Stop in first found result.

• -p -> Set a pause between request.

• -rate <10> -> Set rate-requests per second.

• -retries -> Number of retries for each request.

• -timeout -> Timeout before giving up on a request.

• -of <format> -> Output format (json, csv, html)

• -x -> Use a proxy for requests.

• -replay-proxy -> Routes only fuzzed requests through the proxy.

• -H <"Header: Value"> -> Set a custom header.

• -auth <username:password> -> Basic HTTP authentication.

• -recursion -recursion-depth 1 -> Recursive fuzzing.

• -request request.txt -> Specifies a custom HTTP request file that serves as a template (Add fuzzing points inside).

Matches/Filters

• -mc -> Match specific status code.

• -ms -> Match specific response size.

• -mr <"regex"> -> Match by regex.

• -ml -> Match amount of lines in the response.

• -mw -> Match by words count in response.

• -fw -> Filter by content length.

• -fc -> Filter out specific status codes.

• -ac -> Set Auto-calibration filter.

• -acc -> Filter Custom-calibration.

• -ic -> Ignores comments and copyright.

Directory Fuzzing

Basic Scan

ffuf -c -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ

Recursive Scan

ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi/FUZZ -recursion -recursion-depth 2

Scan for PHP pages

ffuf -c -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ.php

Scan for HTML pages

ffuf -c -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ.html

Fuzz Multiple locations

ffuf -u https://W2/W1 -w ./wordlist.txt:W1,./domains.txt:W2

Get the Baseline Size of the response to filter failing requests

This is particularly useful when the login returns HTTP 200 for both success and failure

curl -s -d "password=test&proc_login=true&remember=yes&login=Log+In" https://target.com/login | wc -c

Extension fuzzing

Standard use

ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi/FUZZ -e .bak, .zip

Extension + Recursion

ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v -c

Subdomain fuzzing

Subdomains

ffuf -w ~/Documents/CTF/Wordlists/bitquark-subdomains-top100000.txt -u https://FUZZ.ffuf.fi/

VHOST Fuzzing

ffuf -c -w ~/Documents/CTF/Wordlists/bitquark-subdomains-top100000.txt -u https://ffuf.io.fi -H "Host: FUZZ.ffuf.io.fi"

Wordlists

bitquark-subdomains-top100000.txt

subdomains-top1million-20000.txt

HTTP Fuzzing

Cookie-based Authentication

ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi -b "sessionId=cookie_val"

Fuzz from request template

ffuf -request ~/Desktop/request.txt -w ./wordlist.txt -u http://site.com

Request Template + Proxy

ffuf -request ~/Desktop/request.txt -w ./wordlist.txt -x http://127.0.0.1:8080

Request Template + Replay-proxy

ffuf -request ~/Desktop/request.txt -w ./wordlist.txt -replay-proxy http://127.0.0.1:8080

Parameter Fuzzing

GET Parameter Fuzzing

ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi?FUZZ=test_value

POST Data Fuzzing

ffuf -c -w /path/to/wordlist -X POST -d "username=admin&password=FUZZ" -u https://ffuf.io.fi/login.php

JSON POST data fuzzing

ffuf -c -w /path/to/wordlist -X POST -d "username=admin&password=FUZZ" -u https://ffuf.io.fi/login.php

Path Traversal fuzzing

Fuzz LFI

ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs 2287

Fuzz webroot path

ffuf -w /opt/useful/SecLists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ/index.php' -fs 2287