Difference between revisions of "Ffuf"

Summary

This Wiki Entry is about the Tool ffuf (Fuzz Faster You Fool). The article will show different commands for the most useful use-cases and can be utilized as a cheatsheet.

Overview

Ffuf is a web fuzzer written in Go. It Is pre-installed in Kali Linux and sponsored by Offensive Security. The tool can be used for different Fuzzing use-cases and it supports recursive Fuzzing.

Installation

If you are using Kali Linux you can use ffuf straight away because it is pre-installed. If you are using another Linux Distribution you can install the tool with

 $sudo apt install ffuf

Cheatsheet

Useful flags

Match & Filter

• -mc : Match response codes
• -mr : Match regex pattern
• -ms : Match reponse size
• -fc : Filter response codes
• -fr : Filter regex pattern
• -fs : Filter reponse size

Input & Output

• -w : Wordlist
• -mode : Operation Mode (Clusterbomb, Pitchfork)
• -request : File with a HTTP request
• -o : Output file
• -of : Output file format

Directory Fuzzing

Page Fuzzing

Subdomain Fuzzing

Vhosts Fuzzing

Parameter Fuzzing

Recursive Fuzzing

 ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 
 1 -e .php -v

• -recursion: to enable recursive Fuzzing
• -recursion-depth: to determine the recursion depth
• -v: to output the full URL for a better overview

Courses

• Sichere Softwareentwicklung (IT-Security 22/23)

References

• https://github.com/ffuf/ffuf#installation
• https://www.kali.org/tools/ffuf/