Introduction
In the second part of the guide, we’ll cover more advanced techniques, including the use of many wordlists in different fuzzing modes (such as clusterbomb, pitchfork, and sniper). How to leverage powerful matchers and filters. Additionally, we’ll explore scenarios, such as fuzzing POST requests with complex data structures like JSON, and how to work with HTTP headers.
TL;DR
You can find a shorter cheat sheet version of this article here.
Table of contents
Open Table of contents
Multiple Wordlists
Ffuf allows you to use many wordlists to fuzz multiple parts of a URL or data fields simultaneously. You can fuzz more than the URL paths; parameters or query strings can also be fuzzed. This feature is helpful when testing APIs or endpoints that expect more than one variable.
Fuzzing with multiple wordlists in ffuf
can be a powerful technique to test different parts of a web application. There are three main modes in ffuf
for handling multiple wordlists: clusterbomb, pitchfork, and sniper. Each mode serves a different purpose, depending on how you want to combine the wordlists during fuzzing.
Here are examples of how to use each mode:
Clusterbomb Mode
The clusterbomb mode attempts every combination of values from multiple wordlists. This is useful when you need to test all possible combinations of input parameters, like trying different usernames and passwords together.
Examples:
ffuf -w users.txt:USER -w passwords.txt:PASS -u https://example.com/login?username=USER&password=PASS --mode clusterbomb
In this mode, ffuf
will try every possible combination of usernames and passwords, ensuring that all pairs are covered. It’s useful for brute-forcing login forms or testing multiple fields simultaneously.
You can fuzz multiple parts of the JSON request:
ffuf -w usernames.txt:U -w passwords.txt:P -X POST -d '{"username":"U","password":"P"}' -H 'Content-Type: application/json' -u https://example.com/api/login
Or fuzz both directory and file names, increasing the chances of finding hidden resources within nested paths:
ffuf -w dirs.txt:DIR -w files.txt:FILE -u https://example.com/DIR/FILE
Pitchfork Mode
The pitchfork mode processes each wordlist simultaneously in a one-to-one mapping. It takes the first item from the first wordlist, the first item from the second wordlist, and pairs them together. This mode is ideal when you want to test matched pairs of inputs, such as username-password pairs that belong together.
Example:
ffuf -w users.txt:USER -w passwords.txt:PASS -u https://example.com/login?username=USER&password=PASS --mode pitchfork
Here, ffuf
will take the first username from the users.txt
list and the first password from the passwords.txt
list, and send them together. It will then take the second items from each list, and so on, making this mode useful when the parameters are meant to match in sequence.
Sniper Mode
The sniper mode is used when you want to fuzz one parameter at a time with a single wordlist, while the other parameters remain static. This mode is great for discovering how different inputs affect specific parts of a request.
Example:
ffuf -w payloads.txt -u https://example.com/search?query=FUZZ&staticparam=value --mode sniper
In this case, ffuf
will fuzz only the query
parameter using the payloads.txt
wordlist, while keeping staticparam=value
unchanged. The sniper mode is effective for focused fuzzing when you are targeting one input field or parameter at a time.
Key Differences
- Clusterbomb: Tests all combinations of multiple wordlists.
- Pitchfork: Pairs matching items from multiple wordlists.
- Sniper: Tests one parameter at a time with a single wordlist, keeping others constant.
These modes give flexibility depending on how you want to interact with the application.
Matchers
Here are some examples of using ffuf’s matcher options:
Matching Status Code
A basic use of ffuf’s matcher is to find responses with specific status codes using the -mc
flag. For example, if you’re looking for pages that return a 200
status code, you can use:
ffuf -u https://example.com/FUZZ -w wordlist.txt -mc 200
This only shows responses with a 200 status code, filtering out all others.
Matching Response Size
If you want to match responses based on their size, use the -ms
flag. For example, if you’re targeting responses exactly 1000 bytes in size:
ffuf -u https://example.com/FUZZ -w wordlist.txt -ms 1000
You can also match a range of response size:
ffuf -u https://example.com/FUZZ -w wordlist.txt -ms 900-1100
This command will return responses between 900 and 1100 bytes.
Matching on Word Count
You can use the -mw
flag to filter responses based on the number of words in the body. For instance, if you’re looking for responses with exactly 50 words:
ffuf -u https://example.com/FUZZ -w wordlist.txt -mw 50
Matching by Response Lines
Another useful feature is matching based on the number of lines in the response. Use the -ml
option to filter responses based on the number of lines. For example, if you’re looking for responses with exactly 10 lines:
ffuf -u https://example.com/FUZZ -w wordlist.txt -ml 10
These matcher options allow you to fine-tune your fuzzing to filter out irrelevant results and focus on specific response patterns.
Regex Matching
Sometimes, filtering by status code or size isn’t enough. Ffuf offers regex matching on the response body, which allows you to focus only on responses that contain specific content.
ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ -mr "success|welcome"
This command shows responses where the content contains either “success” or “welcome.” Regex matching is helpful when certain keywords indicate valid or vulnerable pages.
To match responses containing a pattern like /\..*/
, which could identify hidden files or directories, you can use:
ffuf -u https://example.com/FUZZ -w wordlist.txt -mr '/\..*/'
This command searches for responses that contain a period followed by any characters.
Throttling
Rate limits
If you’re fuzzing a web application with rate-limiting or time-based restrictions, ffuf’s timeout and rate-limiting options can help you manage requests without being blocked.
ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ -rate 50 -timeout 5
In this case, ffuf will send at most of 50 requests per second and wait up to 5 seconds for a response. This is particularly useful for avoiding security protections on endpoints with heavy rate-limiting.
Delays
ffuf can adjust the rate at which requests are sent to avoid triggering rate limits:
ffuf -w wordlist.txt -u https://example.com/FUZZ -t 2 -p 1
This command sets the number of threads (-t) to 2 and introduces a delay (-p) of 1 second between requests. This reduces the chance of being blocked.
Fuzzing POST Requests
While GET requests are the default in ffuf, testing POST requests is useful for fuzzing forms and API endpoints. You can fuzz the body of POST requests using the -X
and -d
flags.
Simple POST Data Fuzzing
For instance, to fuzz username values in a login form:
ffuf -w usernames.txt -u https://example.com/login -X POST -d "username=FUZZ&password=admin"
This command tests different usernames while keeping the password constant. It’s useful for password-spraying.
Fuzzing JSON POST Data
If the target application uses a JSON-based API, you can fuzz the JSON data by placing the FUZZ keyword in the payload:
ffuf -X POST -H "Content-Type: application/json" -d '{"username": "admin", "password": "FUZZ"}' -w /path/to/wordlist.txt -u http://example.com/api/login
This command sends JSON-formatted POST requests to the specified URL, replacing FUZZ with each value from the wordlist.
Filtering and Matching POST Responses
While fuzzing, you may want to narrow down results by using response matchers and filters. For example, you can filter by specific response codes or match content length:
ffuf -X POST -d "username=admin&password=FUZZ" -w /path/to/wordlist.txt -u http://example.com/login -fc 401
Here, the -fc 401
flag filters out responses with the 401
status code, making it easier to spot valid login attempts.
Customizing Request Headers
To simulate authenticated or personalized requests, ffuf allows you to add custom HTTP headers. This is helpful when testing APIs or endpoints behind authentication mechanisms.
ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ -H "Authorization: Bearer mytoken"
By using headers like Authorization
, you can fuzz API endpoints that need valid authentication tokens.
This example fuzzes a protected endpoint with a valid token. You can also fuzz headers themselves:
ffuf -w tokens.txt -H "Authorization: Bearer FUZZ" -u https://example.com/api/resource
This fuzzes different authentication tokens.
Another example - useful for identifying vulnerabilities within headers like X-Forwarded-For or User-Agent.
ffuf -w /path/to/wordlist.txt -u http://example.com -H "X-Forwarded-For: FUZZ"
This command replaces FUZZ with each value from the wordlist within the header, enabling you to discover variations that might bypass security checks or reveal internal details.
Output Options
After completing fuzzing jobs, it’s important to store results for later analysis or automation. Ffuf allows output in various formats such as JSON or CSV, making it easy to process results programmatically.
ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ -o results.json -of json
This stores the output in JSON format, which can then be fed into other tools or manually parsed.
You can also log in CSV or HTML formats:
ffuf -w wordlist.txt -u https://example.com/FUZZ -o results.csv -of csv
To save output in all supported formats, use:
ffuf -w wordlist.txt -u https://example.com/FUZZ -o results -of all
Combining ffuf with Nmap
Another powerful combination is using ffuf with nmap. For instance, you can scan for open ports using nmap and then use ffuf to fuzz discovered HTTP services:
nmap -p- -oG open_ports.txt 192.168.1.1
ffuf -w open_ports.txt -u http://192.168.1.1:FUZZ -o results.html
This allows you to discover services and fuzz them.
Conclusion
In this part of the guide, we explored more advanced features of ffuf, like how to use multiple wordlists, different fuzzing modes, and testing POST requests. These features allow you to dig deeper into web applications to find hidden vulnerabilities. By understanding these options, you can make your fuzzing more targeted and effective.
Ffuf flexibility and power help security testers handle complex applications and get results faster. With these techniques, you can be more precise and efficient, which makes ffuf a valuable tool in web security testing. Keep practicing, and you’ll get better at spotting issues that might otherwise go unnoticed!