ffuf and Burp Suite are two of my favorite tools for web application penetration testing and bug hunting. ffuf is a very fast web application fuzzer written in Go that is pretty popular among pen testers and bug bounty hunters. Not only is it fast, but it also has tons of great functionality that helps integrate it with other tools like Burp Suite.
If you are reading this article, you may have a passion for hacking web applications or bug bounties. You may already know what Burp (or Burp Suite) is; however, here is a quick 2-second introduction. Burp is a very popular web application proxy, scanner, and overall awesome web penetration testing tool with tons of plugins. There are three versions of Burp: community edition (free), professional, and enterprise. I am using the community edition in the following examples.
I am using the learning environment that I created called WebSploit Labs for the next demonstrations. WebSploit is basically Kali Linux + several additional tools and tons of Docker containers running intentionally vulnerable applications. WebSploit also has over 8,000 cybersecurity resources (a clone of my pretty popular GitHub repository).
The following is a very basic example of running ffuf to enumerate and discover different directories in one of the intentionally vulnerable web applications (running on port 8888). The following is the explanation of the command syntax. I am using the wordlist that comes with dirbuster in Kali (directory-list-2.3-medium.txt).
Note: A wordlist is just that — a list of words that are used to guess a password, a directory, an API method, etc. In this case, we are guessing what directories may exist in the web root folder of the application.
The following is the fuzzer discovering several directories.
The -o option allows you to send the output to a JSON file (omar-out.json in the example below). The -replay-proxy option is the cool one: it replays every matched request (the paths of the directories found) through a proxy, which here is Burp. Why is this useful? Well, the free version of Burp does not come with an automated scanner, spider, or fuzzer. This method, at least, allows you to send all the successful results right into Burp for further analysis.
The following are the results in Burp:
The following are the first few lines of the contents of the output file (omar-out.json):
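As an added example (not code from the original post or from the ffuf project), the script below builds the ffuf invocation described above (-o/-of for JSON output, -replay-proxy pointing at Burp) and then parses an omar-out.json-style file to group discovered paths by status code for triage. The target, wordlist path and Burp listener address are assumed values, and the embedded JSON is a constructed sample shaped like ffuf's "results" array, not real scan data.

```python
import json
from collections import defaultdict

# Hypothetical values for this example: the WebSploit lab app on port 8888,
# Kali's dirbuster wordlist, and Burp's default listener on 127.0.0.1:8080.
TARGET = "http://127.0.0.1:8888"
WORDLIST = "/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt"
OUTFILE = "omar-out.json"
BURP_PROXY = "http://127.0.0.1:8080"

def build_ffuf_cmd(target, wordlist, outfile, replay_proxy):
    """Assemble the ffuf argv: -o/-of write JSON, -replay-proxy replays every
    matched request through Burp so it lands in Proxy > HTTP history."""
    return ["ffuf", "-u", f"{target}/FUZZ", "-w", wordlist,
            "-o", outfile, "-of", "json", "-replay-proxy", replay_proxy]

def parse_ffuf_json(text):
    """Extract (path, status, length, redirect) tuples from ffuf's JSON output.
    Assumes ffuf's 'results' array with input/status/length/redirectlocation."""
    data = json.loads(text)
    hits = []
    for r in data.get("results", []):
        path = r["input"].get("FUZZ", "")
        hits.append((path, int(r["status"]), int(r["length"]),
                     r.get("redirectlocation", "")))
    return hits

def group_by_status(hits):
    """Bucket paths by HTTP status so 200s, redirects and 403s are triaged
    separately once they are in Burp."""
    groups = defaultdict(list)
    for path, status, _length, _redirect in hits:
        groups[status].append(path)
    return {code: sorted(paths) for code, paths in groups.items()}

# Constructed sample (not real scan data) shaped like omar-out.json.
SAMPLE_OUTPUT = json.dumps({"results": [
    {"input": {"FUZZ": "admin"}, "status": 301, "length": 0,
     "redirectlocation": "/admin/", "url": TARGET + "/admin"},
    {"input": {"FUZZ": "images"}, "status": 200, "length": 1432,
     "redirectlocation": "", "url": TARGET + "/images"},
    {"input": {"FUZZ": "config"}, "status": 403, "length": 278,
     "redirectlocation": "", "url": TARGET + "/config"},
]})

if __name__ == "__main__":
    print(" ".join(build_ffuf_cmd(TARGET, WORDLIST, OUTFILE, BURP_PROXY)))
    for code, paths in sorted(group_by_status(parse_ffuf_json(SAMPLE_OUTPUT)).items()):
        print(code, paths)
```

Run ffuf with the printed command line, then point parse_ffuf_json at the real omar-out.json to get the same status-code breakdown for your own scan.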
You can find additional details of all the different supported options at the ffuf man page (man ffuf). I just wanted to introduce the concept of “integrating” both tools (ffuf and Burp) to perform reconnaissance and further analysis.