mirror of
https://github.com/ffuf/ffuf
synced 2024-09-20 14:01:54 +00:00
101 lines
3.3 KiB
Markdown
101 lines
3.3 KiB
Markdown
# ffuf - Fuzz Faster U Fool
|
|
|
|
A fast web fuzzer written in Go.
|
|
|
|
Heavily inspired by the great projects [gobuster](https://github.com/OJ/gobuster) and [wfuzz](https://github.com/xmendez/wfuzz).
|
|
|
|
## Features
|
|
|
|
- Fast!
|
|
- Allows fuzzing of HTTP header values, POST data, and different parts of URL, including GET parameter names and values
|
|
- Silent mode (`-s`) for clean output that's easy to use in pipes to other processes.
|
|
- Modularized architecture that allows integration with existing toolchains with reasonable effort
|
|
- Easy-to-add filters and matchers (they are interoperable)
|
|
|
|
## Example cases
|
|
|
|
### Typical directory discovery
|
|
|
|
By using the FUZZ keyword at the end of URL (`-u`):
|
|
|
|
```
|
|
ffuf -w /path/to/wordlist -u https://target/FUZZ
|
|
```
|
|
|
|
### Virtual host discovery (without DNS records)
|
|
|
|
Assuming that the default virtualhost response size is 4242 bytes, we can filter out all the responses of that size (`-fs 4242`)while fuzzing the Host - header:
|
|
|
|
```
|
|
ffuf -w /path/to/vhost/wordlist -u https://target -H "Host: FUZZ" -fs 4242
|
|
```
|
|
|
|
### GET parameter fuzzing
|
|
|
|
GET parameter name fuzzing is very similar to directory discovery, and works by defining the `FUZZ` keyword as a part of the URL. This also assumes an response size of 4242 bytes for invalid GET parameter name.
|
|
|
|
```
|
|
ffuf -w /path/to/paramnames.txt -u https://target/script.php?FUZZ=test_value -fs 4242
|
|
```
|
|
|
|
If the parameter name is known, the values can be fuzzed the same way. This example assumes a wrong parameter value returning HTTP response code 401.
|
|
|
|
```
|
|
ffuf -w /path/to/values.txt -u https://target/script.php?valid_name=FUZZ -fc 401
|
|
```
|
|
|
|
### POST data fuzzing
|
|
|
|
This is a very straightforward operation, again by using the `FUZZ` keyword. This example is fuzzing only part of the POST request. We're again filtering out the 401 responses.
|
|
|
|
```
|
|
ffuf -w /path/to/postdata.txt -X POST -d "username=admin\&password=FUZZ" https://target/login.php -fc 401
|
|
```
|
|
|
|
## Usage
|
|
|
|
To define the test case for ffuf, use the keyword `FUZZ` anywhere in the URL (`-u`), headers (`-H`), or POST data (`-d`).
|
|
|
|
```
|
|
Usage of ./ffuf:
|
|
-H value
|
|
Header name and value, separated by colon. Multiple -H flags are accepted.
|
|
-X string
|
|
HTTP method to use. (default "GET")
|
|
-c Colorize output.
|
|
-d string
|
|
POST data.
|
|
-fc string
|
|
Filter HTTP status codes from response
|
|
-fs string
|
|
Filter HTTP response size
|
|
-k Skip TLS identity verification (insecure)
|
|
-mc string
|
|
Match HTTP status codes from respose (default "200,204,301,302,307,401")
|
|
-ms string
|
|
Match HTTP response size
|
|
-s Do not print additional information (silent mode)
|
|
-t int
|
|
Number of concurrent threads. (default 20)
|
|
-u string
|
|
Target URL
|
|
-w string
|
|
Wordlist path
|
|
```
|
|
eg. `ffuf -u https://example.org/FUZZ -w /path/to/wordlist`
|
|
|
|
## Installation
|
|
|
|
- [Download](https://github.com/ffuf/ffuf/releases/latest) a prebuilt binary from [releases page](https://github.com/ffuf/ffuf/releases/latest), unpack and run!
|
|
or
|
|
- If you have go compiler installed: `go get github.com/ffuf/ffuf`
|
|
|
|
## TODO
|
|
- Tests!
|
|
- Filters: word count, regex
|
|
- Option to follow redirects
|
|
- Optional scope for redirects
|
|
- Client / server architecture to queue jobs and fetch the results later
|
|
- Fuzzing multiple values at the same time
|
|
- Output module for file writing in different formats: csv, json
|
|
- Output module to push the results to an HTTP API
|