FFUF
ffuf (Fuzz Faster U Fool) is a high-performance web fuzzer written in the Go programming language. It is designed for speed and is a staple tool for security researchers and penetration testers. Its primary purpose is to discover hidden files, directories, subdomains, or GET/POST parameters by bruteforcing web servers with a given wordlist.
Key Features
- Speed: Blazingly fast due to its concurrent nature.
- Flexibility: Supports fuzzing directories, files, vhosts (subdomains), and request parameters.
- Powerful Filtering: Easily filter out unwanted results based on status codes, response size, words, or regular expressions.
- Multiple Input Sources: Can take input from wordlists, stdin, and more.
- Recursive Scanning: Can automatically scan directories it discovers.
- Versatile Output: Supports various output formats like JSON, eJSON, HTML, Markdown, CSV, and eCSV.
- Proxy Support: Can route traffic through proxies like Burp Suite or OWASP ZAP.
Installation
The most common way to install ffuf is using Go's package manager.
Alternatively, on systems with package managers like APT (Debian/Ubuntu) or Homebrew (macOS):
Basic Usage
The core concept of ffuf revolves around placing the FUZZ keyword in the URL. ffuf replaces this keyword with each payload from the specified wordlist.
The basic syntax is:
- -w: Specifies the path to the wordlist file.
- -u: Specifies the target URL, including the FUZZ keyword.
Usage Examples
1. Directory and File Discovery
This is the most common use case. The goal is to find hidden directories and files on a web server.
- Explanation: ffuf will take each word from directory-list-2.3-medium.txt and make a request to http://example.com/<word>. By default, it hides 404 responses.
2. Subdomain Enumeration (Virtual Host Fuzzing)
You can discover subdomains by placing the FUZZ keyword in the host part of the URL.
- Explanation: ffuf will try each word in subdomains.txt as a subdomain of example.com. The -H flag sets the necessary Host header.
3. Fuzzing for Specific File Extensions
If you are looking for files with certain extensions (e.g., .php, .bak, .config), you can use the -e flag.
- Explanation: For each word in the wordlist, ffuf will try appending each of the specified extensions. For example, if the word is admin, it will test admin.php, admin.html, admin.bak, and admin.txt.
4. Filtering Results
Filtering is crucial for reducing noise and focusing on interesting results.
- Filter by Status Code (-fc): To filter out common "Not Found" (404) and "Forbidden" (403) responses.
- Filter by Response Size (-fs): If a "Not Found" page always returns a specific size (e.g., 1250 bytes), you can filter it out.
- Match by Status Code (-mc): To only show results with specific status codes (e.g., only show successful 200 OK responses).
5. Recursive Fuzzing
To find directories within directories that have been discovered.
- Explanation: If ffuf finds a directory (e.g., /admin), it will start a new scan at http://example.com/admin/FUZZ. The -recursion-depth flag limits how deep it will go.
6. POST Request Fuzzing
Fuzzing for parameters in a POST request, such as a username field.
ffuf -w /path/to/users.txt -u http://example.com/login -X POST -d 'user=FUZZ&pass=password123' -H "Content-Type: application/x-www-form-urlencoded"
- Explanation:
  - -X POST: Specifies the request method.
  - -d: Sets the data for the POST request body. FUZZ is replaced with usernames from the wordlist.
  - -H: Adds the Content-Type header required for form submissions.
7. Saving Output to a File
You can save the results for later analysis in various formats.
- Explanation:
  - -o: Specifies the output file name.
  - -of: Specifies the output format (json, html, csv, etc.).
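Sections 4 and 7 together suggest a common workflow: run once with -of json, then look at the saved report to find the size of the catch-all "Not Found" page and feed it back as an -fs filter. The script below is an added example, not code from the ffuf project; it assumes the report is a JSON object with a "results" list whose entries carry "input", "status", "length", "words", "lines" and "url" fields, and it works on a constructed sample rather than a real scan.

```python
import json
from collections import Counter

# Constructed sample in the shape assumed for ffuf's "-of json" report.
SAMPLE_FFUF_JSON = json.dumps({
    "commandline": "ffuf -w words.txt -u http://example.com/FUZZ -o out.json -of json",
    "results": [
        {"input": {"FUZZ": "admin"},  "status": 301, "length": 178,  "words": 6,   "lines": 8,  "url": "http://example.com/admin"},
        {"input": {"FUZZ": "backup"}, "status": 200, "length": 1250, "words": 120, "lines": 40, "url": "http://example.com/backup"},
        {"input": {"FUZZ": "config"}, "status": 200, "length": 1250, "words": 120, "lines": 40, "url": "http://example.com/config"},
        {"input": {"FUZZ": "images"}, "status": 200, "length": 1250, "words": 120, "lines": 40, "url": "http://example.com/images"},
        {"input": {"FUZZ": "login"},  "status": 200, "length": 4310, "words": 512, "lines": 97, "url": "http://example.com/login"},
        {"input": {"FUZZ": "old"},    "status": 403, "length": 277,  "words": 20,  "lines": 10, "url": "http://example.com/old"},
    ],
})


def load_results(raw):
    """Return the 'results' list from a ffuf JSON report given as a string."""
    return json.loads(raw)["results"]


def baseline_signature(results):
    """Most common (status, length) pair in the report. A server that answers
    every unknown path with the same soft-404 page produces one dominant pair;
    that is the response an -fs filter should hide on the next run."""
    counts = Counter((r["status"], r["length"]) for r in results)
    (sig, n), = counts.most_common(1)
    return sig, n


def suggest_filters(results):
    """Suggest an -fs value for the catch-all page. If the most common
    signature occurs only once there is no catch-all to filter, so no flags."""
    (status, length), n = baseline_signature(results)
    flags = ["-fs", str(length)] if n > 1 else []
    return {"status": status, "length": length, "count": n, "flags": flags}


def outliers(results):
    """Results whose signature differs from the baseline: the entries that
    survive the suggested filter and deserve manual review."""
    sig, _ = baseline_signature(results)
    return [r for r in results if (r["status"], r["length"]) != sig]


if __name__ == "__main__":
    res = load_results(SAMPLE_FFUF_JSON)
    print("suggested filter:", " ".join(suggest_filters(res)["flags"]))
    for r in outliers(res):
        print(r["status"], r["length"], r["url"])
```

To use it on a real report, read the file written with -o and pass its contents to load_results.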