pkg | ||
.goreleaser.yml | ||
LICENSE | ||
main.go | ||
README.md |
ffuf - Fuzz Faster U Fool
A fast web fuzzer written in Go.
Heavily inspired by the great projects gobuster and wfuzz.
Features
- Fast!
- Allows fuzzing of HTTP header values, POST data, and different parts of URL, including GET parameter names and values
- Silent mode (
-s
) for clean output that's easy to use in pipes to other processes. - Modularized architecture that allows integration with existing toolchains with reasonable effort
- Easy-to-add filters and matchers (they are interoperable)
Example cases
Typical directory discovery
By using the FUZZ keyword at the end of URL (-u
):
ffuf -w /path/to/wordlist -u https://target/FUZZ
Virtual host discovery (without DNS records)
Assuming that the default virtualhost response size is 4242 bytes, we can filter out all the responses of that size (-fs 4242
)while fuzzing the Host - header:
ffuf -w /path/to/vhost/wordlist -u https://target -H "Host: FUZZ" -fs 4242
GET parameter fuzzing
GET parameter name fuzzing is very similar to directory discovery, and works by defining the FUZZ
keyword as a part of the URL. This also assumes an response size of 4242 bytes for invalid GET parameter name.
ffuf -w /path/to/paramnames.txt -u https://target/script.php?FUZZ=test_value -fs 4242
If the parameter name is known, the values can be fuzzed the same way. This example assumes a wrong parameter value returning HTTP response code 401.
ffuf -w /path/to/values.txt -u https://target/script.php?valid_name=FUZZ -fc 401
POST data fuzzing
This is a very straightforward operation, again by using the FUZZ
keyword. This example is fuzzing only part of the POST request. We're again filtering out the 401 responses.
ffuf -w /path/to/postdata.txt -X POST -d "username=admin\&password=FUZZ" https://target/login.php -fc 401
Usage
To define the test case for ffuf, use the keyword FUZZ
anywhere in the URL (-u
), headers (-H
), or POST data (-d
).
Usage of ./ffuf:
-H value
Header name and value, separated by colon. Multiple -H flags are accepted.
-X string
HTTP method to use. (default "GET")
-c Colorize output.
-d string
POST data.
-fc string
Filter HTTP status codes from response
-fs string
Filter HTTP response size
-k Skip TLS identity verification (insecure)
-mc string
Match HTTP status codes from respose (default "200,204,301,302,307,401")
-ms string
Match HTTP response size
-s Do not print additional information (silent mode)
-t int
Number of concurrent threads. (default 20)
-u string
Target URL
-w string
Wordlist path
eg. ffuf -u https://example.org/FUZZ -w /path/to/wordlist
Installation
- Download a prebuilt binary from releases page, unpack and run! or
- If you have go compiler installed:
go get github.com/ffuf/ffuf
TODO
- Tests!
- Filters: word count, regex
- Option to follow redirects
- Optional scope for redirects
- Client / server architecture to queue jobs and fetch the results later
- Fuzzing multiple values at the same time
- Output module for file writing in different formats: csv, json
- Output module to push the results to an HTTP API