Introduction
Ffuf (Fuzz Faster U Fool) is a versatile and powerful tool for fuzzing web applications, helping you discover hidden files, directories, subdomains, and more. This guide provides detailed examples for using ffuf in various scenarios.
TL;DR
You can find a shorter cheat sheet version of this article here.
Table of contents
Open Table of contents
Fuzzing Files and Paths
Fuzzing files and paths is a fundamental technique in web security testing, enabling the discovery of hidden files, directories, and endpoints that are not publicly listed. By using a wordlist, you can automate the process of probing a web server for these hidden resources, uncovering potentially interesting files.
Basic File/Path Fuzzing
To fuzz files and paths, using a wordlist:
ffuf -w wordlist.txt -u https://host.name:PORT/FUZZThis command will try each entry in wordlist.txt as a replacement for FUZZ in the URL, testing for potential files and directories. For example, if your wordlist contains admin, login, and test, ffuf will test URLs like https://host.name:PORT/admin, https://host.name:PORT/login, and https://host.name:PORT/test.
Fuzzing Extensions
To find files with different extensions:
ffuf -w wordlist.txt -u https://host.name/indexFUZZThis command appends each wordlist entry to index, allowing you to discover files with various extensions. For instance, if the wordlist includes .php, .html, and .js, ffuf will test https://host.name/index.php, https://host.name/index.html, and https://host.name/index.js.
Fuzzing File Name with Different Extension
To find specific file names with given extension:
ffuf -w wordlist.txt -u https://host.name/blog/FUZZ.phpThis will replace FUZZ with each word in the wordlist and append .php, helping you locate specific PHP files like https://host.name/blog/admin.php or https://host.name/blog/login.php.
You can create a wordlist of files without the extension and use it across targets using different technologies - .php, .asp, .js etc.
Recursive Fuzzing
To perform recursive fuzzing with a specified depth:
ffuf -recursion -recursion-depth 3 -w wordlist.txt -u https://host.name/FUZZThis command recursively searches up to 3 levels deep, increasing the chances of discovering deeply nested files and directories. For example, it might find https://host.name/admin, then https://host.name/admin/config, and further into https://host.name/admin/config/settings. By default recursive fuzzing is disabled.
Setting Cookies
To include cookies in your fuzzing requests:
ffuf -b "NAME1=VALUE1; NAME2=VALUE2" -w wordlist.txt -u https://host.name/FUZZThis is useful for authenticated fuzzing where cookies are required for access. For example, if you need to authenticate with SESSIONID=12345 and USER=admin, you can include these cookies in your fuzzing attempts.
Subdomains and VHosts
Subdomain and virtual host (VHost) fuzzing is an essential practice for uncovering additional entry points into a target domain. By identifying subdomains and VHosts, you can discover additional services, applications, and potential vulnerabilities that may not be immediately visible.
Subdomain Fuzzing
To discover subdomains:
ffuf -w wordlist.txt -u https://FUZZ.host.name/This replaces FUZZ with each wordlist entry, helping identify subdomains under host.name. If your wordlist contains api, mail, and dev, ffuf will test https://api.host.name/, https://mail.host.name/, and https://dev.host.name/.
Virtual Hosts (VHosts) Fuzzing
To fuzz virtual hosts:
ffuf -w wordlist.txt -u http://host.name/ -H 'Host: FUZZ.host.name'This command changes the Host header, testing for virtual host-based sites. For example, testing api, staging, and beta as virtual hosts could reveal http://api.host.name/, http://staging.host.name/, and http://beta.host.name/.
HTTP Parameters
Fuzzing HTTP parameters is a crucial aspect of web application security testing. By probing different parameter names and values, you can discover new parameters and uncover hidden functionalities - entry points with potential vulnerabilities.
Fuzzing Parameter Names - GET
To fuzz GET parameter names:
ffuf -w wordlist.txt -u http://host.name/index.php?FUZZ=keyThis helps find parameter names that might accept a specific key. If your wordlist includes id, user, and token, ffuf will test http://host.name/index.php?id=key, http://host.name/index.php?user=key, and http://host.name/index.php?token=key.
Fuzzing Parameter Names - POST
To fuzz POST parameter names:
ffuf -w wordlist.txt -u https://host.name/index.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded'This sends POST requests to discover parameter names. For instance, it will test parameters like username, password, and email in the POST data.
Fuzzing Parameter Values - POST
To fuzz values of a specific POST parameter:
ffuf -w ids.txt -u https://host.name/index.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded'This helps identify valid parameter values. For example, if ids.txt contains 123, 456, and 789, ffuf will test values like id=123, id=456, and id=789.
Rate Limits
Managing the rate of requests is essential when fuzzing web applications to avoid overloading the server or triggering WAF. Rate limiting helps control the number of requests sent per second or the number of threads used during fuzzing. In this section, we’ll look at how to use ffuf to set rate limits and configure the number of threads, ensuring your testing is efficient and respectful of the target server’s resources. By fine-tuning these parameters, you can perform thorough and responsible fuzzing without causing unnecessary disruption.
Limiting Request Rate
To set a rate limit of 50 requests per second:
ffuf -rate 50 -w wordlist.txt -u https://host.name/FUZZThis ensures that your fuzzing doesn’t overwhelm the target server, helping maintain stability and avoiding potential bans.
Setting Number of Threads
To specify the number of threads:
ffuf -t 5 -w wordlist.txt -u https://host.name/FUZZThis controls the concurrency of your fuzzing requests, balancing speed and server load.
Filters
Filters are an essential feature in ffuf that allow you to narrow down your fuzzing results to those most relevant to your testing objectives. By applying filters, you can exclude unwanted responses based on various criteria such as HTTP status codes, response size, number of lines, and word count. This helps in identifying significant findings more quickly and efficiently.
Filtering by HTTP Codes
To exclude 301 and 302 HTTP codes:
ffuf -fc 301,302 -w wordlist.txt -u https://host.name/FUZZThis filters out results with these status codes, focusing on other responses that might be more interesting, such as 200 OK or 500 Internal Server Error.
Filtering by Response Size
To filter responses of a specific size (e.g., 2003 bytes):
ffuf -fs 2003 -w wordlist.txt -u https://host.name/FUZZThis helps in identifying content of specific sizes, which might indicate certain types of files or responses.
Filtering by Lines and Word Count
To filter by the number of lines:
ffuf -fl 5 -w wordlist.txt -u https://host.name/FUZZTo filter by word count:
ffuf -fw 10 -w wordlist.txt -u https://host.name/FUZZThese filters refine your results based on response structure, allowing you to focus on responses that match specific patterns.
Automatic Calibration
To automatically calibrate filtering options:
ffuf -ac -w wordlist.txt -u https://host.name/FUZZThis helps ffuf determine appropriate filters based on initial responses, improving the accuracy of your fuzzing results.
Other Useful Options
Apart from basic fuzzing capabilities, ffuf offers a range of advanced features to enhance your testing workflow. These options allow you to customize requests, handle proxies, set headers, and impose time constraints, optimizing your fuzzing process for diverse testing scenarios.
Ignoring Wordlist Comments
To ignore comments in the wordlist:
ffuf -ic -w wordlist.txt -u https://host.name/FUZZThis treats all lines as potential fuzzing targets, even those starting with #.
Using Proxies
When direct access to the target is not feasible, or when inspection of ffuf requests is necessary, it can be utilized through a proxy server.
For HTTP proxy:
ffuf -x http://127.0.0.1:8080 -w wordlist.txt -u https://host.name/FUZZFor SOCKS proxy:
ffuf -x socks5://127.0.0.1:1080 -w wordlist.txt -u https://host.name/FUZZFor replay proxy:
ffuf -replay-proxy http://127.0.0.1:8080 -w wordlist.txt -u https://host.name/FUZZWith this option ffuf will repeat each matched request using given proxy. This is useful to inspect ffuf findings in other tools such as Burp Suite.
Setting HTTP Headers
Ffuf provides capability to manipulate headers, enabling users to tailor requests to specific requirements. This is useful to mimic different user agents, content types, or to tag your traffic with custom headers (which is often required by bug bounty programs). Below are some examples of configuring HTTP headers in ffuf.
To change the user agent:
ffuf -w wordlist.txt -u https://host.name/FUZZ -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0"To set Content-Type header for POST requests:
ffuf -w wordlist.txt -u https://host.name/FUZZ -H "Content-Type: application/json" -X POSTTo set custom header:
ffuf -w wordlist.txt -u https://host.name/FUZZ -H "X-Bug-Bounty: <bb-username>"Time Limits
Ffuf allows to set time limits both globally and per job, allowing users to control the duration of their fuzzing sessions precisely.
To set a maximum time limit for the fuzzing process:
ffuf -w wordlist.txt -u https://host.name/FUZZ -maxtime 60To set a time limit per job:
ffuf -w wordlist.txt -u https://host.name/FUZZ -maxtime-job 60These limits prevent long-running fuzzing jobs from taking too much time, helping you manage your testing schedule effectively.
Conclusion
Ffuf is an essential tool for web security testing, offering a wide range of options to customize and optimize your fuzzing tasks. By leveraging these commands and options, you can effectively discover hidden vulnerabilities and improve the security posture of web applications.