Taking ffuf Fuzzing Further

Introduction

In the second part of the guide, we’ll cover more advanced techniques, including the use of many wordlists in different fuzzing modes (such as clusterbomb, pitchfork, and sniper). How to leverage powerful matchers and filters. Additionally, we’ll explore scenarios, such as fuzzing POST requests with complex data structures like JSON, and how to work with HTTP headers.

TL;DR

You can find a shorter cheat sheet version of this article here.

Open Table of contents

Multiple Wordlists
Matchers
Throttling
- Rate limits
- Delays
Fuzzing POST Requests
Customizing Request Headers
Output Options
Combining ffuf with Nmap
Conclusion

Multiple Wordlists

Ffuf allows you to use many wordlists to fuzz multiple parts of a URL or data fields simultaneously. You can fuzz more than the URL paths; parameters or query strings can also be fuzzed. This feature is helpful when testing APIs or endpoints that expect more than one variable.

Fuzzing with multiple wordlists in ffuf can be a powerful technique to test different parts of a web application. There are three main modes in ffuf for handling multiple wordlists: clusterbomb, pitchfork, and sniper. Each mode serves a different purpose, depending on how you want to combine the wordlists during fuzzing.

Here are examples of how to use each mode:

Clusterbomb Mode

The clusterbomb mode attempts every combination of values from multiple wordlists. This is useful when you need to test all possible combinations of input parameters, like trying different usernames and passwords together.

Examples:

ffuf -w users.txt:USER -w passwords.txt:PASS -u https://example.com/login?username=USER&password=PASS --mode clusterbomb

In this mode, ffuf will try every possible combination of usernames and passwords, ensuring that all pairs are covered. It’s useful for brute-forcing login forms or testing multiple fields simultaneously.

You can fuzz multiple parts of the JSON request:

ffuf -w usernames.txt:U -w passwords.txt:P -X POST -d '{"username":"U","password":"P"}' -H 'Content-Type: application/json' -u https://example.com/api/login

Or fuzz both directory and file names, increasing the chances of finding hidden resources within nested paths:

ffuf -w dirs.txt:DIR -w files.txt:FILE -u https://example.com/DIR/FILE

Pitchfork Mode

The pitchfork mode processes each wordlist simultaneously in a one-to-one mapping. It takes the first item from the first wordlist, the first item from the second wordlist, and pairs them together. This mode is ideal when you want to test matched pairs of inputs, such as username-password pairs that belong together.

Example:

ffuf -w users.txt:USER -w passwords.txt:PASS -u https://example.com/login?username=USER&password=PASS --mode pitchfork

Here, ffuf will take the first username from the users.txt list and the first password from the passwords.txt list, and send them together. It will then take the second items from each list, and so on, making this mode useful when the parameters are meant to match in sequence.

Sniper Mode

The sniper mode is used when you want to fuzz one parameter at a time with a single wordlist, while the other parameters remain static. This mode is great for discovering how different inputs affect specific parts of a request.

Example:

ffuf -w payloads.txt -u https://example.com/search?query=FUZZ&staticparam=value --mode sniper

In this case, ffuf will fuzz only the query parameter using the payloads.txt wordlist, while keeping staticparam=value unchanged. The sniper mode is effective for focused fuzzing when you are targeting one input field or parameter at a time.

Key Differences

Clusterbomb: Tests all combinations of multiple wordlists.
Pitchfork: Pairs matching items from multiple wordlists.
Sniper: Tests one parameter at a time with a single wordlist, keeping others constant.

These modes give flexibility depending on how you want to interact with the application.

Matchers

Here are some examples of using ffuf’s matcher options:

Matching Status Code

A basic use of ffuf’s matcher is to find responses with specific status codes using the -mc flag. For example, if you’re looking for pages that return a 200 status code, you can use:

ffuf -u https://example.com/FUZZ -w wordlist.txt -mc 200

This only shows responses with a 200 status code, filtering out all others.

Matching Response Size

If you want to match responses based on their size, use the -ms flag. For example, if you’re targeting responses exactly 1000 bytes in size:

ffuf -u https://example.com/FUZZ -w wordlist.txt -ms 1000

You can also match a range of response size:

ffuf -u https://example.com/FUZZ -w wordlist.txt -ms 900-1100

This command will return responses between 900 and 1100 bytes.

Matching on Word Count

You can use the -mw flag to filter responses based on the number of words in the body. For instance, if you’re looking for responses with exactly 50 words:

ffuf -u https://example.com/FUZZ -w wordlist.txt -mw 50

Matching by Response Lines

Another useful feature is matching based on the number of lines in the response. Use the -ml option to filter responses based on the number of lines. For example, if you’re looking for responses with exactly 10 lines:

ffuf -u https://example.com/FUZZ -w wordlist.txt -ml 10

These matcher options allow you to fine-tune your fuzzing to filter out irrelevant results and focus on specific response patterns.

Regex Matching

Sometimes, filtering by status code or size isn’t enough. Ffuf offers regex matching on the response body, which allows you to focus only on responses that contain specific content.

ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ -mr "success|welcome"

This command shows responses where the content contains either “success” or “welcome.” Regex matching is helpful when certain keywords indicate valid or vulnerable pages.

To match responses containing a pattern like /\..*/, which could identify hidden files or directories, you can use:

ffuf -u https://example.com/FUZZ -w wordlist.txt -mr '/\..*/'

This command searches for responses that contain a period followed by any characters.

Throttling

Rate limits

If you’re fuzzing a web application with rate-limiting or time-based restrictions, ffuf’s timeout and rate-limiting options can help you manage requests without being blocked.

ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ -rate 50 -timeout 5

In this case, ffuf will send at most of 50 requests per second and wait up to 5 seconds for a response. This is particularly useful for avoiding security protections on endpoints with heavy rate-limiting.

Delays

ffuf can adjust the rate at which requests are sent to avoid triggering rate limits:

ffuf -w wordlist.txt -u https://example.com/FUZZ -t 2 -p 1

This command sets the number of threads (-t) to 2 and introduces a delay (-p) of 1 second between requests. This reduces the chance of being blocked.

Fuzzing POST Requests

While GET requests are the default in ffuf, testing POST requests is useful for fuzzing forms and API endpoints. You can fuzz the body of POST requests using the -X and -d flags.

Simple POST Data Fuzzing

For instance, to fuzz username values in a login form:

ffuf -w usernames.txt -u https://example.com/login -X POST -d "username=FUZZ&password=admin"

This command tests different usernames while keeping the password constant. It’s useful for password-spraying.

Fuzzing JSON POST Data

If the target application uses a JSON-based API, you can fuzz the JSON data by placing the FUZZ keyword in the payload:

ffuf -X POST -H "Content-Type: application/json" -d '{"username": "admin", "password": "FUZZ"}' -w /path/to/wordlist.txt -u http://example.com/api/login

This command sends JSON-formatted POST requests to the specified URL, replacing FUZZ with each value from the wordlist.

Filtering and Matching POST Responses

While fuzzing, you may want to narrow down results by using response matchers and filters. For example, you can filter by specific response codes or match content length:

ffuf -X POST -d "username=admin&password=FUZZ" -w /path/to/wordlist.txt -u http://example.com/login -fc 401

Here, the -fc 401 flag filters out responses with the 401 status code, making it easier to spot valid login attempts.

Customizing Request Headers

To simulate authenticated or personalized requests, ffuf allows you to add custom HTTP headers. This is helpful when testing APIs or endpoints behind authentication mechanisms.

ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ -H "Authorization: Bearer mytoken"

By using headers like Authorization, you can fuzz API endpoints that need valid authentication tokens.

This example fuzzes a protected endpoint with a valid token. You can also fuzz headers themselves:

ffuf -w tokens.txt -H "Authorization: Bearer FUZZ" -u https://example.com/api/resource

This fuzzes different authentication tokens.

Another example - useful for identifying vulnerabilities within headers like X-Forwarded-For or User-Agent.

ffuf -w /path/to/wordlist.txt -u http://example.com -H "X-Forwarded-For: FUZZ"

This command replaces FUZZ with each value from the wordlist within the header, enabling you to discover variations that might bypass security checks or reveal internal details.

Output Options

After completing fuzzing jobs, it’s important to store results for later analysis or automation. Ffuf allows output in various formats such as JSON or CSV, making it easy to process results programmatically.

ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ -o results.json -of json

This stores the output in JSON format, which can then be fed into other tools or manually parsed.

You can also log in CSV or HTML formats:

ffuf -w wordlist.txt -u https://example.com/FUZZ -o results.csv -of csv

To save output in all supported formats, use:

ffuf -w wordlist.txt -u https://example.com/FUZZ -o results -of all

Combining ffuf with Nmap

Another powerful combination is using ffuf with nmap. For instance, you can scan for open ports using nmap and then use ffuf to fuzz discovered HTTP services:

nmap -p- -oG open_ports.txt 192.168.1.1
ffuf -w open_ports.txt -u http://192.168.1.1:FUZZ -o results.html

This allows you to discover services and fuzz them.

Conclusion

In this part of the guide, we explored more advanced features of ffuf, like how to use multiple wordlists, different fuzzing modes, and testing POST requests. These features allow you to dig deeper into web applications to find hidden vulnerabilities. By understanding these options, you can make your fuzzing more targeted and effective.

Ffuf flexibility and power help security testers handle complex applications and get results faster. With these techniques, you can be more precise and efficient, which makes ffuf a valuable tool in web security testing. Keep practicing, and you’ll get better at spotting issues that might otherwise go unnoticed!