ffuf/README.md

148 lines
4.7 KiB
Markdown
Raw Normal View History

2018-11-12 11:49:57 +00:00
```
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
```
2018-11-08 09:26:32 +00:00
# ffuf - Fuzz Faster U Fool
2018-11-09 13:49:54 +00:00
A fast web fuzzer written in Go.
Heavily inspired by the great projects [gobuster](https://github.com/OJ/gobuster) and [wfuzz](https://github.com/xmendez/wfuzz).
## Features
- Fast!
- Allows fuzzing of HTTP header values, POST data, and different parts of URL, including GET parameter names and values
- Silent mode (`-s`) for clean output that's easy to use in pipes to other processes.
- Modularized architecture that allows integration with existing toolchains with reasonable effort
- Easy-to-add filters and matchers (they are interoperable)
## Example cases
### Typical directory discovery
[![asciicast](https://asciinema.org/a/211350.png)](https://asciinema.org/a/211350)
2018-11-09 13:49:54 +00:00
By using the FUZZ keyword at the end of URL (`-u`):
```
ffuf -w /path/to/wordlist -u https://target/FUZZ
```
### Virtual host discovery (without DNS records)
[![asciicast](https://asciinema.org/a/211360.png)](https://asciinema.org/a/211360)
2018-11-09 13:49:54 +00:00
Assuming that the default virtualhost response size is 4242 bytes, we can filter out all the responses of that size (`-fs 4242`)while fuzzing the Host - header:
```
ffuf -w /path/to/vhost/wordlist -u https://target -H "Host: FUZZ" -fs 4242
```
### GET parameter fuzzing
GET parameter name fuzzing is very similar to directory discovery, and works by defining the `FUZZ` keyword as a part of the URL. This also assumes an response size of 4242 bytes for invalid GET parameter name.
```
ffuf -w /path/to/paramnames.txt -u https://target/script.php?FUZZ=test_value -fs 4242
```
If the parameter name is known, the values can be fuzzed the same way. This example assumes a wrong parameter value returning HTTP response code 401.
```
ffuf -w /path/to/values.txt -u https://target/script.php?valid_name=FUZZ -fc 401
```
### POST data fuzzing
This is a very straightforward operation, again by using the `FUZZ` keyword. This example is fuzzing only part of the POST request. We're again filtering out the 401 responses.
```
ffuf -w /path/to/postdata.txt -X POST -d "username=admin\&password=FUZZ" https://target/login.php -fc 401
```
2018-11-08 09:26:32 +00:00
## Usage
2018-11-09 13:49:54 +00:00
To define the test case for ffuf, use the keyword `FUZZ` anywhere in the URL (`-u`), headers (`-H`), or POST data (`-d`).
2018-11-08 09:26:32 +00:00
```
2018-11-12 21:24:37 +00:00
-H "Name: Value"
Header "Name: Value", separated by colon. Multiple -H flags are accepted.
2018-12-05 22:57:42 +00:00
-V Show version information.
2018-11-08 09:26:32 +00:00
-X string
2019-03-29 23:45:47 +00:00
HTTP method to use (default "GET")
2018-11-09 13:49:54 +00:00
-c Colorize output.
-d string
POST data.
2018-11-08 09:26:32 +00:00
-fc string
Filter HTTP status codes from response
2018-11-12 21:24:37 +00:00
-fr string
Filter regexp
2018-11-08 09:26:32 +00:00
-fs string
Filter HTTP response size
2018-11-12 21:24:37 +00:00
-fw string
Filter by amount of words in response
2018-11-08 09:26:32 +00:00
-k Skip TLS identity verification (insecure)
-mc string
2018-12-05 22:57:42 +00:00
Match HTTP status codes from respose (default "200,204,301,302,307,401,403")
2018-11-12 21:24:37 +00:00
-mr string
Match regexp
2018-11-08 09:26:32 +00:00
-ms string
Match HTTP response size
2018-11-12 21:24:37 +00:00
-mw string
Match amount of words in response
2019-03-29 23:45:47 +00:00
-o string
Write output to file
-of string
2019-04-03 09:51:42 +00:00
Output file format. Available formats: json, csv, ecsv (default "json")
2018-12-05 22:57:42 +00:00
-p delay
Seconds of delay between requests, or a range of random delay. For example "0.1" or "0.1-2.0"
2019-04-03 10:02:08 +00:00
-r Follow redirects
2018-11-08 09:26:32 +00:00
-s Do not print additional information (silent mode)
2019-03-29 23:45:47 +00:00
-sf
Stop when > 90% of responses return 403 Forbidden
2018-11-08 09:26:32 +00:00
-t int
2018-11-12 21:24:37 +00:00
Number of concurrent threads. (default 40)
2018-11-08 09:26:32 +00:00
-u string
Target URL
-w string
Wordlist path
2019-01-21 20:43:04 +00:00
-x string
HTTP Proxy URL
2018-11-08 09:26:32 +00:00
```
2019-04-03 10:02:08 +00:00
2018-11-08 09:26:32 +00:00
eg. `ffuf -u https://example.org/FUZZ -w /path/to/wordlist`
## Installation
2018-11-09 13:49:54 +00:00
- [Download](https://github.com/ffuf/ffuf/releases/latest) a prebuilt binary from [releases page](https://github.com/ffuf/ffuf/releases/latest), unpack and run!
or
- If you have go compiler installed: `go get github.com/ffuf/ffuf`
The only dependency of ffuf is Go 1.11. No dependencies outside of Go standard library are needed.
2019-03-29 23:45:47 +00:00
## Changelog
2019-04-03 10:02:08 +00:00
- master
- New
- New output file formats: CSV and eCSV (CSV with base64 encoded input field to avoid CSV breakage with payloads containing a comma)
- New CLI flag to follow redirects
2019-03-29 23:45:47 +00:00
- v0.8
- New
- New CLI flag to write output to a file in JSON format
- New CLI flag to stop on spurious 403 responses
- Changed
- Regex matching / filtering now matches the headers alongside of the response body
2018-11-09 13:49:54 +00:00
## TODO
- Tests!
- Optional scope for redirects
- Client / server architecture to queue jobs and fetch the results later
- Fuzzing multiple values at the same time
- Output module to push the results to an HTTP API