2018-11-12 11:49:57 +00:00
```
2019-06-26 19:44:52 +00:00
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
2018-11-12 11:49:57 +00:00
```
2018-11-08 09:26:32 +00:00
# ffuf - Fuzz Faster U Fool
2019-06-26 19:44:52 +00:00
A fast web fuzzer written in Go.
2018-11-09 13:49:54 +00:00
Heavily inspired by the great projects [gobuster ](https://github.com/OJ/gobuster ) and [wfuzz ](https://github.com/xmendez/wfuzz ).
## Features
2019-11-08 14:18:27 +00:00
- Fast!
- Allows fuzzing of HTTP header values, POST data, and different parts of URL, including GET parameter names and values
- Silent mode (`-s`) for clean output that's easy to use in pipes to other processes.
- Modularized architecture that allows integration with existing toolchains with reasonable effort
- Easy-to-add filters and matchers (they are interoperable)
2018-11-09 13:49:54 +00:00
## Example cases
### Typical directory discovery
2018-11-12 10:53:14 +00:00
[![asciicast ](https://asciinema.org/a/211350.png )](https://asciinema.org/a/211350)
2018-11-09 13:49:54 +00:00
By using the FUZZ keyword at the end of URL (`-u`):
```
ffuf -w /path/to/wordlist -u https://target/FUZZ
```
### Virtual host discovery (without DNS records)
2018-11-12 10:53:14 +00:00
[![asciicast ](https://asciinema.org/a/211360.png )](https://asciinema.org/a/211360)
2018-11-09 13:49:54 +00:00
Assuming that the default virtualhost response size is 4242 bytes, we can filter out all the responses of that size (`-fs 4242`)while fuzzing the Host - header:
```
ffuf -w /path/to/vhost/wordlist -u https://target -H "Host: FUZZ" -fs 4242
```
### GET parameter fuzzing
GET parameter name fuzzing is very similar to directory discovery, and works by defining the `FUZZ` keyword as a part of the URL. This also assumes an response size of 4242 bytes for invalid GET parameter name.
```
ffuf -w /path/to/paramnames.txt -u https://target/script.php?FUZZ=test_value -fs 4242
```
If the parameter name is known, the values can be fuzzed the same way. This example assumes a wrong parameter value returning HTTP response code 401.
```
ffuf -w /path/to/values.txt -u https://target/script.php?valid_name=FUZZ -fc 401
```
### POST data fuzzing
This is a very straightforward operation, again by using the `FUZZ` keyword. This example is fuzzing only part of the POST request. We're again filtering out the 401 responses.
```
ffuf -w /path/to/postdata.txt -X POST -d "username=admin\&password=FUZZ" https://target/login.php -fc 401
```
2018-11-08 09:26:32 +00:00
2019-06-16 21:42:42 +00:00
### Using external mutator to produce test cases
For this example, we'll fuzz JSON data that's sent over POST. [Radamsa ](https://gitlab.com/akihe/radamsa ) is used as the mutator.
When `--input-cmd` is used, ffuf will display matches as their position. This same position value will be available for the callee as an environment variable `$FFUF_NUM` . We'll use this position value as the seed for the mutator. Files example1.txt and example2.txt contain valid JSON payloads. We are matching all the responses, but filtering out response code `400 - Bad request` :
```
ffuf --input-cmd 'radamsa --seed $FFUF_NUM example1.txt example2.txt' -H "Content-Type: application/json" -X POST -u https://ffuf.io.fi/ -mc all -fc 400
```
It of course isn't very efficient to call the mutator for each payload, so we can also pre-generate the payloads, still using [Radamsa ](https://gitlab.com/akihe/radamsa ) as an example:
```
# Generate 1000 example payloads
radamsa -n 1000 -o %n.txt example1.txt example2.txt
# This results into files 1.txt ... 1000.txt
# Now we can just read the payload data in a loop from file for ffuf
ffuf --input-cmd 'cat $FFUF_NUM.txt' -H "Content-Type: application/json" -X POST -u https://ffuf.io.fi/ -mc all -fc 400
```
2018-11-08 09:26:32 +00:00
## Usage
2018-11-09 13:49:54 +00:00
To define the test case for ffuf, use the keyword `FUZZ` anywhere in the URL (`-u`), headers (`-H`), or POST data (`-d`).
2019-06-16 21:42:42 +00:00
2018-11-08 09:26:32 +00:00
```
2019-11-10 21:30:54 +00:00
Usage of ./ffuf:
2019-04-10 18:50:38 +00:00
-D DirSearch style wordlist compatibility mode. Used in conjunction with -e flag. Replaces %EXT% in wordlist entry with each of the extensions provided by -e.
2018-11-12 21:24:37 +00:00
-H "Name: Value"
Header "Name: Value", separated by colon. Multiple -H flags are accepted.
2018-12-05 22:57:42 +00:00
-V Show version information.
2018-11-08 09:26:32 +00:00
-X string
2019-03-29 23:45:47 +00:00
HTTP method to use (default "GET")
2019-04-27 07:47:24 +00:00
-ac
Automatically calibrate filtering options
2019-11-10 21:30:54 +00:00
-acc value
Custom auto-calibration string. Can be used multiple times. Implies -ac
2019-06-26 19:44:52 +00:00
-b "NAME1=VALUE1; NAME2=VALUE2"
Cookie data "NAME1=VALUE1; NAME2=VALUE2" for copy as curl functionality.
Results unpredictable when combined with -H "Cookie: ..."
2018-11-09 13:49:54 +00:00
-c Colorize output.
2019-06-16 21:42:42 +00:00
-compressed
Dummy flag for copy as curl functionality (ignored) (default true)
2019-11-10 21:30:54 +00:00
-cookie value
Cookie data (alias of -b)
2018-11-09 13:49:54 +00:00
-d string
2019-06-16 21:42:42 +00:00
POST data
-data string
POST data (alias of -d)
2019-11-10 21:30:54 +00:00
-data-ascii string
POST data (alias of -d)
-data-binary string
POST data (alias of -d)
-debug-log string
Write all of the internal logging to the specified file.
2019-04-10 18:50:38 +00:00
-e string
Comma separated list of extensions to apply. Each extension provided will extend the wordlist entry once.
2018-11-08 09:26:32 +00:00
-fc string
2019-06-27 15:26:20 +00:00
Filter HTTP status codes from response. Comma separated list of codes and ranges
2019-11-10 21:30:54 +00:00
-fl string
Filter by amount of lines in response. Comma separated list of line counts and ranges
2018-11-12 21:24:37 +00:00
-fr string
Filter regexp
2018-11-08 09:26:32 +00:00
-fs string
2019-06-27 15:26:20 +00:00
Filter HTTP response size. Comma separated list of sizes and ranges
2018-11-12 21:24:37 +00:00
-fw string
2019-06-27 15:26:20 +00:00
Filter by amount of words in response. Comma separated list of word counts and ranges
2019-11-10 21:30:54 +00:00
-i Dummy flag for copy as curl functionality (ignored) (default true)
-input-cmd value
2019-06-16 21:42:42 +00:00
Command producing the input. --input-num is required when using this input method. Overrides -w.
-input-num int
Number of inputs to test. Used in conjunction with --input-cmd. (default 100)
2019-04-06 15:54:27 +00:00
-k TLS identity verification
2018-11-08 09:26:32 +00:00
-mc string
2019-04-13 13:02:00 +00:00
Match HTTP status codes from respose, use "all" to match every response code. (default "200,204,301,302,307,401,403")
2019-11-10 21:30:54 +00:00
-ml string
Match amount of lines in response
2019-11-15 22:40:04 +00:00
-mode string
Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork (default "clusterbomb")
2018-11-12 21:24:37 +00:00
-mr string
Match regexp
2018-11-08 09:26:32 +00:00
-ms string
Match HTTP response size
2018-11-12 21:24:37 +00:00
-mw string
Match amount of words in response
2019-03-29 23:45:47 +00:00
-o string
Write output to file
-of string
2019-11-15 23:48:00 +00:00
Output file format. Available formats: json, ejson, html, md, csv, ecsv (default "json")
2018-12-05 22:57:42 +00:00
-p delay
Seconds of delay between requests, or a range of random delay. For example "0.1" or "0.1-2.0"
2019-04-03 10:02:08 +00:00
-r Follow redirects
2018-11-08 09:26:32 +00:00
-s Do not print additional information (silent mode)
2019-04-03 20:11:49 +00:00
-sa
Stop on all error cases. Implies -sf and -se
-se
Stop on spurious errors
2019-03-29 23:45:47 +00:00
-sf
2019-04-27 07:47:24 +00:00
Stop when > 95% of responses return 403 Forbidden
2018-11-08 09:26:32 +00:00
-t int
2018-11-12 21:24:37 +00:00
Number of concurrent threads. (default 40)
2019-04-27 07:47:24 +00:00
-timeout int
HTTP request timeout in seconds. (default 10)
2018-11-08 09:26:32 +00:00
-u string
Target URL
2019-11-16 14:32:11 +00:00
-v Verbose output, printing full URL and redirect location (if any) with the results.
2019-11-10 21:30:54 +00:00
-w value
Wordlist file path and (optional) custom fuzz keyword, using colon as delimiter. Use file path '-' to read from standard input. Can be supplied multiple times. Format: '/path/to/wordlist:KEYWORD'
2019-01-21 20:43:04 +00:00
-x string
HTTP Proxy URL
2018-11-08 09:26:32 +00:00
```
2019-04-03 10:02:08 +00:00
2018-11-08 09:26:32 +00:00
eg. `ffuf -u https://example.org/FUZZ -w /path/to/wordlist`
## Installation
2019-10-14 08:29:37 +00:00
- [Download ](https://github.com/ffuf/ffuf/releases/latest ) a prebuilt binary from [releases page ](https://github.com/ffuf/ffuf/releases/latest ), unpack and run!
or
- If you have go compiler installed: `go get github.com/ffuf/ffuf`
2018-11-09 13:49:54 +00:00
2018-11-14 22:18:43 +00:00
The only dependency of ffuf is Go 1.11. No dependencies outside of Go standard library are needed.
2019-03-29 23:45:47 +00:00
## Changelog
2019-04-13 13:28:47 +00:00
- master
2019-11-16 16:19:07 +00:00
- New
- Changed
2019-11-16 20:22:14 +00:00
- Limit the use of `-e` (extensions) to a single keyword: FUZZ
2019-11-16 16:19:07 +00:00
- v0.12
2019-11-10 22:03:01 +00:00
- New
2019-11-15 22:40:04 +00:00
- Added a new flag to select a multi wordlist operation mode: `--mode` , possible values: `clusterbomb` and `pitchfork` .
2019-11-15 23:48:00 +00:00
- Added a new output file format eJSON, for always base64 encoding the input data.
2019-11-16 13:47:57 +00:00
- Redirect location is always shown in the output files (when using `-o` )
- Full URL is always shown in the output files (when using `-o` )
- HTML output format got [DataTables ](https://datatables.net/ ) support allowing realtime searches, sorting by column etc.
2019-11-16 14:32:11 +00:00
- New CLI flag `-v` for verbose output. Including full URL, and redirect location.
2019-11-16 15:31:55 +00:00
- SIGTERM monitoring, in order to catch keyboard interrupts an such, to be able to write `-o` files before exiting.
2019-11-10 22:03:01 +00:00
- Changed
2019-11-15 22:40:04 +00:00
- Fixed a bug in the default multi wordlist mode
2019-11-15 23:48:00 +00:00
- Fixed JSON output regression, where all the input data was always encoded in base64
2019-11-16 13:47:57 +00:00
- `--debug-log` no correctly logs connection errors
2019-11-16 14:32:11 +00:00
- Removed `-l` flag in favor of `-v`
2019-11-16 15:31:55 +00:00
- More verbose information in banner shown in startup.
2019-11-10 22:03:01 +00:00
- v0.11
2019-10-14 08:29:37 +00:00
- New
2019-11-09 20:09:12 +00:00
2019-10-14 08:29:37 +00:00
- New CLI flag: -l, shows target location of redirect responses
2019-10-15 12:38:45 +00:00
- New CLI flac: -acc, custom auto-calibration strings
2019-10-20 15:38:11 +00:00
- New CLI flag: -debug-log, writes the debug logging to the specified file.
2019-11-09 20:09:12 +00:00
- New CLI flags -ml and -fl, filters/matches line count in response
2019-11-10 21:30:54 +00:00
- Ability to use multiple wordlists / keywords by defining multiple -w command line flags. The if no keyword is defined, the default is FUZZ to keep backwards compatibility. Example: `-w "wordlists/custom.txt:CUSTOM" -H "RandomHeader: CUSTOM"` .
2019-10-20 15:38:11 +00:00
2019-10-14 08:29:37 +00:00
- Changed
2019-11-09 20:09:12 +00:00
2019-10-14 08:29:37 +00:00
- New CLI flag: -i, dummy flag that does nothing. for compatibility with copy as curl.
- New CLI flag: -b/--cookie, cookie data for compatibility with copy as curl.
2019-11-08 14:18:27 +00:00
- New Output format are available: HTML and Markdown table.
- New CLI flag: -l, shows target location of redirect responses
2019-10-14 08:29:37 +00:00
- Filtering and matching by status code, response size or word count now allow using ranges in addition to single values
2019-10-20 15:38:11 +00:00
- The internal logging information to be discarded, and can be written to a file with the new `-debug-log` flag.
2019-06-16 21:46:43 +00:00
- v0.10
2019-10-14 08:29:37 +00:00
- New
- New CLI flag: -ac to autocalibrate response size and word filters based on few preset URLs.
- New CLI flag: -timeout to specify custom timeouts for all HTTP requests.
- New CLI flag: --data for compatibility with copy as curl functionality of browsers.
- New CLI flag: --compressed, dummy flag that does nothing. for compatibility with copy as curl.
- New CLI flags: --input-cmd, and --input-num to handle input generation using external commands. Mutators for example. Environment variable FFUF_NUM will be updated on every call of the command.
- When --input-cmd is used, display position instead of the payload in results. The output file (of all formats) will include the payload in addition to the position however.
- Changed
- Wordlist can also be read from standard input
- Defining -d or --data implies POST method if -X doesn't set it to something else than GET
2019-04-13 13:28:47 +00:00
2019-04-13 13:24:43 +00:00
- v0.9
2019-10-14 08:29:37 +00:00
- New
- New output file formats: CSV and eCSV (CSV with base64 encoded input field to avoid CSV breakage with payloads containing a comma)
- New CLI flag to follow redirects
- Erroring connections will be retried once
- Error counter in status bar
- New CLI flags: -se (stop on spurious errors) and -sa (stop on all errors, implies -se and -sf)
- New CLI flags: -e to provide a list of extensions to add to wordlist entries, and -D to provide DirSearch wordlist format compatibility.
- Wildcard option for response status code matcher.
2019-03-29 23:45:47 +00:00
- v0.8
2019-10-14 08:29:37 +00:00
- New
- New CLI flag to write output to a file in JSON format
- New CLI flag to stop on spurious 403 responses
- Changed
- Regex matching / filtering now matches the headers alongside of the response body
2019-03-29 23:45:47 +00:00
2018-11-09 13:49:54 +00:00
## TODO
2019-10-14 08:29:37 +00:00
- Tests!
- Optional scope for redirects
- Client / server architecture to queue jobs and fetch the results later
- Fuzzing multiple values at the same time
- Output module to push the results to an HTTP API