2022-03-23 18:18:54 +00:00
![ffuf mascot ](_img/ffuf_run_logo_600.png )
2018-11-08 09:26:32 +00:00
# ffuf - Fuzz Faster U Fool
2019-06-26 19:44:52 +00:00
A fast web fuzzer written in Go.
2018-11-09 13:49:54 +00:00
2021-02-24 20:33:06 +00:00
- [Installation ](https://github.com/ffuf/ffuf#installation )
- [Example usage ](https://github.com/ffuf/ffuf#example-usage )
- [Content discovery ](https://github.com/ffuf/ffuf#typical-directory-discovery )
- [Vhost discovery ](https://github.com/ffuf/ffuf#virtual-host-discovery-without-dns-records )
- [Parameter fuzzing ](https://github.com/ffuf/ffuf#get-parameter-fuzzing )
- [POST data fuzzing ](https://github.com/ffuf/ffuf#post-data-fuzzing )
- [Using external mutator ](https://github.com/ffuf/ffuf#using-external-mutator-to-produce-test-cases )
- [Configuration files ](https://github.com/ffuf/ffuf#configuration-files )
- [Help ](https://github.com/ffuf/ffuf#usage )
2021-04-18 09:54:17 +00:00
- [Interactive mode ](https://github.com/ffuf/ffuf#interactive-mode )
2021-02-24 20:33:06 +00:00
2021-02-23 16:06:43 +00:00
2019-12-30 11:07:28 +00:00
## Installation
2018-11-09 13:49:54 +00:00
2019-12-30 11:07:28 +00:00
- [Download ](https://github.com/ffuf/ffuf/releases/latest ) a prebuilt binary from [releases page ](https://github.com/ffuf/ffuf/releases/latest ), unpack and run!
2023-02-02 14:27:47 +00:00
_or_
2023-02-04 13:06:35 +00:00
- If you are on macOS with [homebrew ](https://brew.sh ), ffuf can be installed with: `brew install ffuf`
2020-09-27 16:24:06 +00:00
_or_
2022-01-22 20:29:25 +00:00
- If you have recent go compiler installed: `go install github.com/ffuf/ffuf@latest` (the same command works for updating)
2020-09-27 16:24:06 +00:00
_or_
2022-01-22 17:53:36 +00:00
- `git clone https://github.com/ffuf/ffuf ; cd ffuf ; go get ; go build`
2018-11-09 13:49:54 +00:00
2022-01-22 20:29:25 +00:00
Ffuf depends on Go 1.16 or greater.
2018-11-09 13:49:54 +00:00
2019-12-30 11:07:28 +00:00
## Example usage
2018-11-09 13:49:54 +00:00
2020-09-24 09:54:02 +00:00
The usage examples below show just the simplest tasks you can accomplish using `ffuf` .
2023-02-04 13:06:35 +00:00
More elaborate documentation that goes through many features with a lot of examples is
available in the ffuf wiki at [https://github.com/ffuf/ffuf/wiki ](https://github.com/ffuf/ffuf/wiki )
2020-09-24 09:54:02 +00:00
For more extensive documentation, with real life usage examples and tips, be sure to check out the awesome guide:
"[Everything you need to know about FFUF](https://codingo.io/tools/ffuf/bounty/2020/09/17/everything-you-need-to-know-about-ffuf.html)" by
Michael Skelton ([@codingo](https://github.com/codingo)).
2022-01-22 17:55:11 +00:00
You can also practise your ffuf scans against a live host with different lessons and use cases either locally by using the docker container https://github.com/adamtlangley/ffufme or against the live hosted version at http://ffuf.me created by Adam Langley [@adamtlangley ](https://twitter.com/adamtlangley ).
2020-09-24 09:54:02 +00:00
2018-11-09 13:49:54 +00:00
### Typical directory discovery
2018-11-12 10:53:14 +00:00
[![asciicast ](https://asciinema.org/a/211350.png )](https://asciinema.org/a/211350)
2018-11-09 13:49:54 +00:00
By using the FUZZ keyword at the end of URL (`-u`):
```
ffuf -w /path/to/wordlist -u https://target/FUZZ
```
### Virtual host discovery (without DNS records)
2018-11-12 10:53:14 +00:00
[![asciicast ](https://asciinema.org/a/211360.png )](https://asciinema.org/a/211360)
2018-11-09 13:49:54 +00:00
Assuming that the default virtualhost response size is 4242 bytes, we can filter out all the responses of that size (`-fs 4242`)while fuzzing the Host - header:
```
ffuf -w /path/to/vhost/wordlist -u https://target -H "Host: FUZZ" -fs 4242
```
### GET parameter fuzzing
2023-02-03 07:08:29 +00:00
GET parameter name fuzzing is very similar to directory discovery, and works by defining the `FUZZ` keyword as a part of the URL. This also assumes a response size of 4242 bytes for invalid GET parameter name.
2018-11-09 13:49:54 +00:00
```
ffuf -w /path/to/paramnames.txt -u https://target/script.php?FUZZ=test_value -fs 4242
```
If the parameter name is known, the values can be fuzzed the same way. This example assumes a wrong parameter value returning HTTP response code 401.
```
ffuf -w /path/to/values.txt -u https://target/script.php?valid_name=FUZZ -fc 401
```
### POST data fuzzing
This is a very straightforward operation, again by using the `FUZZ` keyword. This example is fuzzing only part of the POST request. We're again filtering out the 401 responses.
```
2019-12-08 11:48:53 +00:00
ffuf -w /path/to/postdata.txt -X POST -d "username=admin\&password=FUZZ" -u https://target/login.php -fc 401
2018-11-09 13:49:54 +00:00
```
2018-11-08 09:26:32 +00:00
2020-02-27 13:19:07 +00:00
### Maximum execution time
If you don't want ffuf to run indefinitely, you can use the `-maxtime` . This stops __the entire__ process after a given time (in seconds).
```
ffuf -w /path/to/wordlist -u https://target/FUZZ -maxtime 60
```
When working with recursion, you can control the maxtime __per job__ using `-maxtime-job` . This will stop the current job after a given time (in seconds) and continue with the next one. New jobs are created when the recursion functionality detects a subdirectory.
```
ffuf -w /path/to/wordlist -u https://target/FUZZ -maxtime-job 60 -recursion -recursion-depth 2
```
It is also possible to combine both flags limiting the per job maximum execution time as well as the overall execution time. If you do not use recursion then both flags behave equally.
2019-06-16 21:42:42 +00:00
### Using external mutator to produce test cases
For this example, we'll fuzz JSON data that's sent over POST. [Radamsa ](https://gitlab.com/akihe/radamsa ) is used as the mutator.
When `--input-cmd` is used, ffuf will display matches as their position. This same position value will be available for the callee as an environment variable `$FFUF_NUM` . We'll use this position value as the seed for the mutator. Files example1.txt and example2.txt contain valid JSON payloads. We are matching all the responses, but filtering out response code `400 - Bad request` :
```
2020-10-01 13:58:09 +00:00
ffuf --input-cmd 'radamsa --seed $FFUF_NUM example1.txt example2.txt' -H "Content-Type: application/json" -X POST -u https://ffuf.io.fi/FUZZ -mc all -fc 400
2019-06-16 21:42:42 +00:00
```
It of course isn't very efficient to call the mutator for each payload, so we can also pre-generate the payloads, still using [Radamsa ](https://gitlab.com/akihe/radamsa ) as an example:
```
# Generate 1000 example payloads
radamsa -n 1000 -o %n.txt example1.txt example2.txt
# This results into files 1.txt ... 1000.txt
# Now we can just read the payload data in a loop from file for ffuf
ffuf --input-cmd 'cat $FFUF_NUM.txt' -H "Content-Type: application/json" -X POST -u https://ffuf.io.fi/ -mc all -fc 400
```
2020-09-27 16:24:06 +00:00
### Configuration files
2023-02-04 13:06:35 +00:00
When running ffuf, it first checks if a default configuration file exists. Default path for a `ffufrc` file is
`$XDG_CONFIG_HOME/ffuf/ffufrc` . You can configure one or multiple options in this file, and they will be applied on
every subsequent ffuf job. An example of ffufrc file can be found
[here ](https://github.com/ffuf/ffuf/blob/master/ffufrc.example ).
A more detailed description about configuration file locations can be found in the wiki:
[https://github.com/ffuf/ffuf/wiki/Configuration ](https://github.com/ffuf/ffuf/wiki/Configuration )
2020-09-27 16:24:06 +00:00
2023-02-04 13:06:35 +00:00
The configuration options provided on the command line override the ones loaded from the default `ffufrc` file.
2020-09-27 16:24:06 +00:00
Note: this does not apply for CLI flags that can be provided more than once. One of such examples is `-H` (header) flag.
In this case, the `-H` values provided on the command line will be _appended_ to the ones from the config file instead.
Additionally, in case you wish to use bunch of configuration files for different use cases, you can do this by defining
the configuration file path using `-config` command line flag that takes the file path to the configuration file as its
parameter.
2022-03-25 16:20:42 +00:00
< p align = "center" >
< img width = "250" src = "_img/ffuf_juggling_250.png" >
< / p >
2018-11-08 09:26:32 +00:00
## Usage
2018-11-09 13:49:54 +00:00
To define the test case for ffuf, use the keyword `FUZZ` anywhere in the URL (`-u`), headers (`-H`), or POST data (`-d`).
2019-06-16 21:42:42 +00:00
2018-11-08 09:26:32 +00:00
```
2023-02-04 13:06:35 +00:00
Fuzz Faster U Fool - v2.0.0
2020-01-29 22:28:28 +00:00
HTTP OPTIONS:
2021-04-18 09:54:17 +00:00
-H Header `"Name: Value"` , separated by colon. Multiple -H flags are accepted.
-X HTTP method to use
-b Cookie data `"NAME1=VALUE1; NAME2=VALUE2"` for copy as curl functionality.
-d POST data
2023-02-02 16:16:17 +00:00
-http2 Use HTTP2 protocol (default: false)
2021-04-18 09:54:17 +00:00
-ignore-body Do not fetch the response content. (default: false)
-r Follow redirects (default: false)
-recursion Scan recursively. Only FUZZ keyword is supported, and URL (-u) has to end in it. (default: false)
-recursion-depth Maximum recursion depth. (default: 0)
-recursion-strategy Recursion strategy: "default" for a redirect based, and "greedy" to recurse on all matches (default: default)
-replay-proxy Replay matched requests using this proxy.
2021-05-13 20:46:29 +00:00
-sni Target TLS SNI, does not support FUZZ keyword
2021-04-18 09:54:17 +00:00
-timeout HTTP request timeout in seconds. (default: 10)
-u Target URL
-x Proxy URL (SOCKS5 or HTTP). For example: http://127.0.0.1:8080 or socks5://127.0.0.1:8080
2020-01-29 22:28:28 +00:00
GENERAL OPTIONS:
2021-04-26 20:04:12 +00:00
-V Show version information. (default: false)
-ac Automatically calibrate filtering options (default: false)
-acc Custom auto-calibration string. Can be used multiple times. Implies -ac
2023-02-02 16:16:17 +00:00
-ach Per host autocalibration (default: false)
-ack Autocalibration keyword (default: FUZZ)
-acs Autocalibration strategy: "basic" or "advanced" (default: basic)
2021-04-26 20:04:12 +00:00
-c Colorize output. (default: false)
-config Load configuration from a file
2023-02-02 16:16:17 +00:00
-json JSON output, printing newline-delimited JSON records (default: false)
2021-04-26 20:04:12 +00:00
-maxtime Maximum running time in seconds for entire process. (default: 0)
-maxtime-job Maximum running time in seconds per job. (default: 0)
-noninteractive Disable the interactive console functionality (default: false)
-p Seconds of `delay` between requests, or a range of random delay. For example "0.1" or "0.1-2.0"
-rate Rate of requests per second (default: 0)
-s Do not print additional information (silent mode) (default: false)
-sa Stop on all error cases. Implies -sf and -se. (default: false)
2023-02-04 13:06:35 +00:00
-scraperfile Custom scraper file path
-scrapers Active scraper groups (default: all)
2021-04-26 20:04:12 +00:00
-se Stop on spurious errors (default: false)
2023-02-04 13:06:35 +00:00
-search Search for a FFUFHASH payload from ffuf history
2021-04-26 20:04:12 +00:00
-sf Stop when > 95% of responses return 403 Forbidden (default: false)
-t Number of concurrent threads. (default: 40)
-v Verbose output, printing full URL and redirect location (if any) with the results. (default: false)
2020-01-29 22:28:28 +00:00
MATCHER OPTIONS:
2022-01-22 16:58:07 +00:00
-mc Match HTTP status codes, or "all" for everything. (default: 200,204,301,302,307,401,403,405,500)
2021-04-26 20:04:12 +00:00
-ml Match amount of lines in response
2023-02-02 16:16:17 +00:00
-mmode Matcher set operator. Either of: and, or (default: or)
2021-04-26 20:04:12 +00:00
-mr Match regexp
-ms Match HTTP response size
2023-02-04 13:06:35 +00:00
-mt Match how many milliseconds to the first response byte, either greater or less than. EG: >100 or < 100
2021-04-26 20:04:12 +00:00
-mw Match amount of words in response
2020-01-29 22:28:28 +00:00
FILTER OPTIONS:
2021-04-26 20:04:12 +00:00
-fc Filter HTTP status codes from response. Comma separated list of codes and ranges
-fl Filter by amount of lines in response. Comma separated list of line counts and ranges
2023-02-02 16:16:17 +00:00
-fmode Filter set operator. Either of: and, or (default: or)
2021-04-26 20:04:12 +00:00
-fr Filter regexp
-fs Filter HTTP response size. Comma separated list of sizes and ranges
2023-02-04 13:06:35 +00:00
-ft Filter by number of milliseconds to the first response byte, either greater or less than. EG: >100 or < 100
2021-04-26 20:04:12 +00:00
-fw Filter by amount of words in response. Comma separated list of word counts and ranges
2020-01-29 22:28:28 +00:00
INPUT OPTIONS:
2021-04-26 20:04:12 +00:00
-D DirSearch wordlist compatibility mode. Used in conjunction with -e flag. (default: false)
-e Comma separated list of extensions. Extends FUZZ keyword.
-ic Ignore wordlist comments (default: false)
-input-cmd Command producing the input. --input-num is required when using this input method. Overrides -w.
-input-num Number of inputs to test. Used in conjunction with --input-cmd. (default: 100)
-input-shell Shell to be used for running command
2022-03-06 14:14:45 +00:00
-mode Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork, sniper (default: clusterbomb)
2021-04-26 20:04:12 +00:00
-request File containing the raw http request
-request-proto Protocol to use along with raw request (default: https)
-w Wordlist file path and (optional) keyword separated by colon. eg. '/path/to/wordlist:KEYWORD'
2020-01-29 22:28:28 +00:00
OUTPUT OPTIONS:
2021-04-26 20:04:12 +00:00
-debug-log Write all of the internal logging to the specified file.
-o Write output to file
-od Directory path to store matched results to.
-of Output file format. Available formats: json, ejson, html, md, csv, ecsv (or, 'all' for all formats) (default: json)
-or Don't create the output file if we don't have results (default: false)
2020-01-29 22:28:28 +00:00
EXAMPLE USAGE:
Fuzz file paths from wordlist.txt, match all responses but filter out those with content-size 42.
Colored, verbose output.
ffuf -w wordlist.txt -u https://example.org/FUZZ -mc all -fs 42 -c -v
Fuzz Host-header, match HTTP 200 responses.
ffuf -w hosts.txt -u https://example.org/ -H "Host: FUZZ" -mc 200
Fuzz POST JSON data. Match all responses not containing text "error".
ffuf -w entries.txt -u https://example.org/ -X POST -H "Content-Type: application/json" \
-d '{"name": "FUZZ", "anotherkey": "anothervalue"}' -fr "error"
Fuzz multiple locations. Match only responses reflecting the value of "VAL" keyword. Colored.
ffuf -w params.txt:PARAM -w values.txt:VAL -u https://example.org/?PARAM=VAL -mr "VAL" -c
More information and examples: https://github.com/ffuf/ffuf
```
2018-11-08 09:26:32 +00:00
2021-04-18 09:54:17 +00:00
### Interactive mode
By pressing `ENTER` during ffuf execution, the process is paused and user is dropped to a shell-like interactive mode:
```
entering interactive mode
type "help" for a list of commands, or ENTER to resume.
> help
available commands:
2023-02-04 13:06:35 +00:00
afc [value] - append to status code filter
fc [value] - (re)configure status code filter
afl [value] - append to line count filter
fl [value] - (re)configure line count filter
afw [value] - append to word count filter
fw [value] - (re)configure word count filter
afs [value] - append to size filter
fs [value] - (re)configure size filter
aft [value] - append to time filter
ft [value] - (re)configure time filter
rate [value] - adjust rate of requests per second (active: 0)
queueshow - show job queue
queuedel [number] - delete a job in the queue
queueskip - advance to the next queued job
restart - restart and resume the current ffuf job
resume - resume current ffuf job (or: ENTER)
show - show results for the current job
savejson [filename] - save current matches to a file
help - you are looking at it
2021-04-18 09:54:17 +00:00
>
```
in this mode, filters can be reconfigured, queue managed and the current state saved to disk.
When (re)configuring the filters, they get applied posthumously and all the false positive matches from memory that
would have been filtered out by the newly added filters get deleted.
The new state of matches can be printed out with a command `show` that will print out all the matches as like they
would have been found by `ffuf` .
As "negative" matches are not stored to memory, relaxing the filters cannot unfortunately bring back the lost matches.
For this kind of scenario, the user is able to use the command `restart` , which resets the state and starts the current
job from the beginning.
2022-03-25 16:20:42 +00:00
< p align = "center" >
< img width = "250" src = "_img/ffuf_waving_250.png" >
< / p >
2019-12-30 11:07:28 +00:00
## License
2018-11-14 22:18:43 +00:00
2019-12-30 11:07:28 +00:00
ffuf is released under MIT license. See [LICENSE ](https://github.com/ffuf/ffuf/blob/master/LICENSE ).