BOOK THIS SPACE FOR AD
ARTICLE ADExplore how to fuzz files, directories, and parameters with using ffuf.
Ffuf (Fuzz Faster U Fool) is a versatile and powerful tool for fuzzing web applications, helping you discover hidden files, directories, subdomains, and more. This guide provides detailed examples for using ffuf in various scenarios.
You can find a shorter cheat sheet version of this article here.
Fuzzing files and paths is a fundamental technique in web security testing, enabling the discovery of hidden files, directories, and endpoints that are not publicly listed. By using a wordlist, you can automate the process of probing a web server for these hidden resources, uncovering potentially interesting files.
Basic File/Path Fuzzing
To fuzz files and paths, using a wordlist:
ffuf -w wordlist.txt -u https://host.name:PORT/FUZZThis command will try each entry in `wordlist.txt` as a replacement for `FUZZ` in the URL, testing for potential files and directories. For example, if your wordlist contains `admin`, `login`, and `test`, ffuf will test URLs like `https://host.name:PORT/admin`, `https://host.name:PORT/login`, and `https://host.name:PORT/test`.
Fuzzing Extensions
To find files with different extensions:
ffuf -w wordlist.txt -u https://host.name/indexFUZZThis command appends each wordlist entry to `index`, allowing you to discover files with various extensions. For instance, if the wordlist includes `.php`, `.html`, and `.js`, ffuf will test `https://host.name/index.php`, `https://host.name/index.html`, and `https://host.name/index.js`.
Fuzzing File Name with Different Extension
To find specific file names with given extension:
ffuf -w wordlist.txt -u https://host.name/blog/FUZZ.phpThis will replace `FUZZ` with each word in the wordlist and append `.php`, helping you locate specific PHP files like `https://host.name/blog/admin.php` or `https://host.name/blog/login.php`.
You can create a wordlist of files without the extension and use it across targets using different technologies — `.php`, `.asp`, `.js` etc.
Recursive Fuzzing
To perform recursive fuzzing with a specified depth:
ffuf -recursion -recursion-depth 3 -w wordlist.txt -u https://host.name/FUZZThis command recursively searches up to 3 levels deep, increasing the chances of discovering deeply nested files and directories. For example, it might find `https://host.name/admin`, then `https://host.name/admin/config`, and further into `https://host.name/admin/config/settings`. By default recursive fuzzing is disabled.
Setting Cookies
To include cookies in your fuzzing requests:
ffuf -b "NAME1=VALUE1; NAME2=VALUE2" -w wordlist.txt -u https://host.name/FUZZThis is useful for authenticated fuzzing where cookies are required for access. For example, if you need to authenticate with `SESSIONID=12345` and `USER=admin`, you can include these cookies in your fuzzing attempts.
Subdomain and virtual host (VHost) fuzzing is an essential practice for uncovering additional entry points into a target domain. By identifying subdomains and VHosts, you can discover additional services, applications, and potential vulnerabilities that may not be immediately visible.
Subdomain Fuzzing
To discover subdomains:
ffuf -w wordlist.txt -u https://FUZZ.host.name/This replaces `FUZZ` with each wordlist entry, helping identify subdomains under `host.name`. If your wordlist contains `api`, `mail`, and `dev`, ffuf will test `https://api.host.name/`, `https://mail.host.name/`, and `https://dev.host.name/`.
Virtual Hosts (VHosts) Fuzzing
To fuzz virtual hosts:
ffuf -w wordlist.txt -u http://host.name/ -H 'Host: FUZZ.host.name'This command changes the `Host` header, testing for virtual host-based sites. For example, testing `api`, `staging`, and `beta` as virtual hosts could reveal `http://api.host.name/`, `http://staging.host.name/`, and `http://beta.host.name/`.
Fuzzing HTTP parameters is a crucial aspect of web application security testing. By probing different parameter names and values, you can discover new parameters and uncover hidden functionalities — entry points with potential vulnerabilities.
Fuzzing Parameter Names — GET
To fuzz GET parameter names:
ffuf -w wordlist.txt -u http://host.name/index.php?FUZZ=keyThis helps find parameter names that might accept a specific key. If your wordlist includes `id`, `user`, and `token`, ffuf will test `http://host.name/index.php?id=key`, `http://host.name/index.php?user=key`, and `http://host.name/index.php?token=key`.
Fuzzing Parameter Names — POST
To fuzz POST parameter names:
ffuf -w wordlist.txt -u https://host.name/index.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded'This sends POST requests to discover parameter names. For instance, it will test parameters like `username`, `password`, and `email` in the POST data.
Fuzzing Parameter Values — POST
To fuzz values of a specific POST parameter:
ffuf -w ids.txt -u https://host.name/index.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded'This helps identify valid parameter values. For example, if `ids.txt` contains `123`, `456`, and `789`, ffuf will test values like `id=123`, `id=456`, and `id=789`.
Managing the rate of requests is essential when fuzzing web applications to avoid overloading the server or triggering WAF. Rate limiting helps control the number of requests sent per second or the number of threads used during fuzzing. In this section, we’ll look at how to use ffuf to set rate limits and configure the number of threads, ensuring your testing is efficient and respectful of the target server’s resources. By fine-tuning these parameters, you can perform thorough and responsible fuzzing without causing unnecessary disruption.
Limiting Request Rate
To set a rate limit of 50 requests per second:
ffuf -rate 50 -w wordlist.txt -u https://host.name/FUZZThis ensures that your fuzzing doesn’t overwhelm the target server, helping maintain stability and avoiding potential bans.
Setting Number of Threads
To specify the number of threads:
ffuf -t 5 -w wordlist.txt -u https://host.name/FUZZThis controls the concurrency of your fuzzing requests, balancing speed and server load.
Filters are an essential feature in ffuf that allow you to narrow down your fuzzing results to those most relevant to your testing objectives. By applying filters, you can exclude unwanted responses based on various criteria such as HTTP status codes, response size, number of lines, and word count. This helps in identifying significant findings more quickly and efficiently.
Filtering by HTTP Codes
To exclude `301` and `302` HTTP codes:
ffuf -fc 301,302 -w wordlist.txt -u https://host.name/FUZZThis filters out results with these status codes, focusing on other responses that might be more interesting, such as `200` OK or `500` Internal Server Error.
Filtering by Response Size
To filter responses of a specific size (e.g., 2003 bytes):
ffuf -fs 2003 -w wordlist.txt -u https://host.name/FUZZThis helps in identifying content of specific sizes, which might indicate certain types of files or responses.
Filtering by Lines and Word Count
To filter by the number of lines:
ffuf -fl 5 -w wordlist.txt -u https://host.name/FUZZTo filter by word count:
ffuf -fw 10 -w wordlist.txt -u https://host.name/FUZZThese filters refine your results based on response structure, allowing you to focus on responses that match specific patterns.
Automatic Calibration
To automatically calibrate filtering options:
ffuf -ac -w wordlist.txt -u https://host.name/FUZZThis helps ffuf determine appropriate filters based on initial responses, improving the accuracy of your fuzzing results.
Apart from basic fuzzing capabilities, ffuf offers a range of advanced features to enhance your testing workflow. These options allow you to customize requests, handle proxies, set headers, and impose time constraints, optimizing your fuzzing process for diverse testing scenarios.
Ignoring Wordlist Comments
To ignore comments in the wordlist:
ffuf -ic -w wordlist.txt -u https://host.name/FUZZThis treats all lines as potential fuzzing targets, even those starting with `#`.
Using Proxies
When direct access to the target is not feasible, or when inspection of ffuf requests is necessary, it can be utilized through a proxy server.
For HTTP proxy:
ffuf -x http://127.0.0.1:8080 -w wordlist.txt -u https://host.name/FUZZFor SOCKS proxy:
ffuf -x socks5://127.0.0.1:1080 -w wordlist.txt -u https://host.name/FUZZFor replay proxy:
ffuf -replay-proxy http://127.0.0.1:8080 -w wordlist.txt -u https://host.name/FUZZWith this option ffuf will repeat each matched request using given proxy. This is useful to inspect ffuf findings in other tools such as Burp Suite.
Setting HTTP Headers
Ffuf provides capability to manipulate headers, enabling users to tailor requests to specific requirements. This is useful to mimic different user agents, content types, or to tag your traffic with custom headers (which is often required by bug bounty programs). Below are some examples of configuring HTTP headers in ffuf.
To change the user agent:
ffuf -w wordlist.txt -u https://host.name/FUZZ -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0"To set `Content-Type` header for POST requests:
ffuf -w wordlist.txt -u https://host.name/FUZZ -H "Content-Type: application/json" -X POSTTo set custom header:
ffuf -w wordlist.txt -u https://host.name/FUZZ -H "X-Bug-Bounty: <bb-username>"Time Limits
Ffuf allows to set time limits both globally and per job, allowing users to control the duration of their fuzzing sessions precisely.
To set a maximum time limit for the fuzzing process:
ffuf -w wordlist.txt -u https://host.name/FUZZ -maxtime 60To set a time limit per job:
ffuf -w wordlist.txt -u https://host.name/FUZZ -maxtime-job 60These limits prevent long-running fuzzing jobs from taking too much time, helping you manage your testing schedule effectively.
Ffuf is an essential tool for web security testing, offering a wide range of options to customize and optimize your fuzzing tasks. By leveraging these commands and options, you can effectively discover hidden vulnerabilities and improve the security posture of web applications.