How to Use the Command 'ffuf' (with Examples)
ffuf is a powerful and fast web fuzzer written in Go, designed to help penetration testers and security researchers discover hidden directories, files, and vulnerabilities on web servers. The tool uses the FUZZ keyword as a placeholder, replacing it with every entry in a specified wordlist to systematically probe the target for potential weak spots. It supports a range of functionalities, including directory enumeration, subdomain checking, and HTTP header manipulation, making it highly versatile for a variety of scenarios in web security testing.
Use Case 1: Enumerate Directories
Code:
ffuf -c -w path/to/wordlist.txt -u http://target/FUZZ
Motivation:
In web applications, directories can often contain sensitive files or endpoints that are not linked or are intentionally hidden. By systematically attempting access to directories using a wordlist, penetration testers can uncover hidden or mistakenly exposed paths that might reveal sensitive information or provide unauthorized access.
Explanation:
-c: Enables colored output, which improves readability by using colors to highlight different parts of each result line, such as status codes and extracted strings.
-w path/to/wordlist.txt: Specifies the path to the wordlist file containing potential directory names that will replace the FUZZ placeholder.
-u http://target/FUZZ: The target URL, where FUZZ is replaced by each word from the wordlist to attempt directory access.
Example Output:
/admin [Status: 301, Size: 308, Words: 20, Lines: 10]
/login [Status: 200, Size: 1024, Words: 60, Lines: 40]
/hidden [Status: 403, Size: 32, Words: 2, Lines: 1]
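Result lines like the ones above need triage before they mean anything: a catch-all page that answers every path with 200 and the same Size buries the real hits. The following shell snippet is an added example, not ffuf's own code; it reads constructed result lines in ffuf's plain-text format, finds the dominant Size (the value you would pass to -fs, or let -ac discover) and prints only the entries that differ. The helper names soft404_size and filter_common_size are assumptions for this example.

```shell
# Constructed sample of ffuf plain-text result lines (not a real scan)
results=$(mktemp)
cat > "$results" <<'EOF'
/admin [Status: 301, Size: 308, Words: 20, Lines: 10]
/login [Status: 200, Size: 1024, Words: 60, Lines: 40]
/hidden [Status: 403, Size: 32, Words: 2, Lines: 1]
/foo [Status: 200, Size: 1532, Words: 120, Lines: 40]
/bar [Status: 200, Size: 1532, Words: 120, Lines: 40]
/baz [Status: 200, Size: 1532, Words: 120, Lines: 40]
EOF

# Most frequent Size across all result lines; $1 = results file.
# A single Size repeated for many unrelated paths is the signature of a soft 404.
soft404_size() {
    awk '{ if (match($0, /Size: [0-9]+/)) { s = substr($0, RSTART + 6, RLENGTH - 6); count[s]++ } }
         END { best = ""; n = 0
               for (s in count) if (count[s] > n) { best = s; n = count[s] }
               print best }' "$1"
}

# Result lines whose Size differs from the dominant one; $1 = results file.
# This is what ffuf itself does once you rerun it with -fs <size>.
filter_common_size() {
    skip=$(soft404_size "$1")
    awk -v skip="$skip" '{ s = ""
                           if (match($0, /Size: [0-9]+/)) s = substr($0, RSTART + 6, RLENGTH - 6)
                           if (s != skip) print }' "$1"
}

echo "likely soft-404 size: $(soft404_size "$results") (rerun ffuf with -fs $(soft404_size "$results"))"
filter_common_size "$results"
```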
Use Case 2: Enumerate Webservers of Subdomains
Code:
ffuf -w path/to/subdomains.txt -u http://FUZZ.target.com
Motivation:
Enumerating subdomains can be critical in identifying additional entry points into an application. Often, subdomains host different services, some of which may lack the stringent security measures present on the main site.
Explanation:
-w path/to/subdomains.txt: Specifies the wordlist containing possible subdomain names.
-u http://FUZZ.target.com: The URL structure in which each subdomain name from the wordlist is tested by replacing FUZZ.
Example Output:
dev.target.com [Status: 200, Size: 2048, Words: 200, Lines: 54]
staging.target.com [Status: 403, Size: 512, Words: 40, Lines: 15]
private.target.com [Status: 200, Size: 1500, Words: 150, Lines: 50]
Use Case 3: Fuzz with Specified Threads and Proxy Traffic
Code:
ffuf -o ffuf_output.txt -w path/to/wordlist.txt -u http://target/FUZZ -t 500 -x http://127.0.0.1:8080
Motivation:
High-speed fuzzing with multiple threads can discover vulnerabilities more efficiently. Additionally, routing requests through a proxy allows for deeper interception and analysis, which is invaluable for testing scenarios where response details need to be scrutinized.
Explanation:
-o ffuf_output.txt: Writes the results to the file ffuf_output.txt, which is useful for analysis after the scan. -o takes a file name as its argument (without one, ffuf would treat the next flag as the file name); add -of json (or csv, html) to choose the output format.
-w path/to/wordlist.txt: Indicates the wordlist to be used for fuzzing.
-u http://target/FUZZ: The base target URL for fuzzing.
-t 500: Runs 500 concurrent threads instead of the default 40, which speeds up the scan considerably but can overwhelm the target or trip rate limiting; lower it if results look inconsistent.
-x http://127.0.0.1:8080: Routes every request through a proxy listening on the local machine, suitable for proxy tools like Burp Suite or mitmproxy.
Example Output:
Results saved to file: ffuf_output.txt
/admin/ [Status: 301, Size: 308, Words: 20, Lines: 10]
/dashboard/ [Status: 200, Size: 1124, Words: 89, Lines: 43]
Use Case 4: Fuzz a Specific Header
Code:
ffuf -w path/to/wordlist.txt -u http://target.com -H "Host: FUZZ" -mc 200
Motivation:
HTTP headers can contain information essential for the correct functioning of web applications or services. By fuzzing these headers, testers can identify vulnerabilities or misconfigurations that might lead to unauthorized access or information leakage.
Explanation:
-w path/to/wordlist.txt: The wordlist used for fuzzing potential header values.
-u http://target.com: The base URL for the HTTP requests.
-H "Host: FUZZ": Sends a Host header whose value is taken from the wordlist entries.
-mc 200: Matches only responses with a 200 HTTP status code, so only host names the server recognises are shown.
Example Output:
Resolving host: sub1 [Status: 200, Size: 1344, Words: 90, Lines: 56]
Resolving host: sub2 [Status: 200, Size: 1320, Words: 82, Lines: 52]
Use Case 5: Fuzz with Specified HTTP Method and Data
Code:
ffuf -w path/to/postdata.txt -X POST -d "username=admin&password=FUZZ" -u http://target/login.php -fc 401,403
Motivation:
Testing login forms requires an understanding of how incorrect or different inputs are handled. This command allows for effective brute-force checks or bypass attempts on authentication systems by replacing parts of the POST data.
Explanation:
-w path/to/postdata.txt: Indicates the wordlist of potential passwords or data inputs.
-X POST: Specifies the HTTP method to use, POST in this case, which is common for form submissions.
-d "username=admin&password=FUZZ": Sets the POST body, with the FUZZ placeholder in the password field.
-u http://target/login.php: URL pointing to the login endpoint.
-fc 401,403: Filters out responses with HTTP status 401 or 403, which usually indicate rejected login attempts.
Example Output:
Correct login detected with password: welcome123 [Status: 200, Size: 1024, Words: 95, Lines: 45]
Use Case 6: Fuzz Multiple Positions with Multiple Wordlists
Code:
ffuf -w path/to/keys:KEY -w path/to/values:VALUE -mode pitchfork|clusterbomb -u http://target.com/id?KEY=VALUE
Motivation:
Fuzzing multiple positions simultaneously allows testers to evaluate complex input interactions. This can be especially useful when both keys and values in query parameters need to be tested for vulnerabilities like SQL injection or cross-site scripting.
Explanation:
-w path/to/keys:KEY: Specifies the wordlist for potential keys in the URL query parameters, bound to the keyword KEY.
-w path/to/values:VALUE: Specifies the wordlist for potential values, bound to the keyword VALUE.
-mode pitchfork|clusterbomb: Determines how the two wordlists are combined; pass exactly one of the two names. pitchfork walks both lists in parallel, pairing line N of one with line N of the other, whereas clusterbomb tests every combination (ffuf's default).
-u http://target.com/id?KEY=VALUE: The target URL with both the KEY and VALUE placeholders for fuzzing.
Example Output:
Detected successful payload with KEY: session and VALUE: admin [Status: 200, Size: 1400, Words: 200, Lines: 64]
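The difference between the two modes decides how many requests a run sends, which matters for both scan time and the noise it leaves in the target's logs. The following shell snippet is an added example, not ffuf's own code: it reproduces the pairing of two constructed wordlists under each -mode and counts the resulting requests. The helper names pitchfork, clusterbomb and request_count are assumptions for this example, and the order of the pairs is illustrative.

```shell
# Constructed KEY and VALUE wordlists for the demo (not real data)
wl=$(mktemp -d)
printf 'id\nuser\nsession\n' > "$wl/keys.txt"
printf '1\nadmin\n'          > "$wl/values.txt"

# pitchfork: line N of KEY with line N of VALUE; stops when the shorter list ends.
pitchfork() {   # $1 = KEY list, $2 = VALUE list; prints one "KEY=VALUE" per request
    awk 'NR==FNR { v[NR] = $0; n = NR; next }
         FNR<=n  { print $0 "=" v[FNR] }' "$2" "$1"
}

# clusterbomb: every KEY with every VALUE (cartesian product).
clusterbomb() { # $1 = KEY list, $2 = VALUE list
    awk 'NR==FNR { v[NR] = $0; n = NR; next }
         { for (i = 1; i <= n; i++) print $0 "=" v[i] }' "$2" "$1"
}

# Number of requests a given -mode would generate for the two lists.
request_count() {  # $1 = mode, $2 = KEY list, $3 = VALUE list
    case "$1" in
        pitchfork|clusterbomb) "$1" "$2" "$3" | awk 'END { print NR }' ;;
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

for mode in pitchfork clusterbomb; do
    echo "== -mode $mode: $(request_count "$mode" "$wl/keys.txt" "$wl/values.txt") requests"
    "$mode" "$wl/keys.txt" "$wl/values.txt" | sed 's|^|  http://target.com/id?|'
done
```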
Use Case 7: Proxy Requests Through an HTTP MITM Proxy
Code:
ffuf -w path/to/wordlist -x http://127.0.0.1:8080 -u http://target.com/FUZZ
Motivation:
Proxied requests allow researchers to capture, inspect, and manipulate traffic as it traverses the network. This can help in identifying vulnerabilities during fuzzing, which might not be apparent from HTTP responses alone.
Explanation:
-w path/to/wordlist: The wordlist used for fuzzing.
-x http://127.0.0.1:8080: Sets the proxy through which requests are sent, enabling a MITM (man-in-the-middle) proxy to inspect them.
-u http://target.com/FUZZ: The URL structure used for fuzzing, with FUZZ as the changing part.
Example Output:
Captured request for: /test [Status: 301, Size: 288, Words: 18, Lines: 10]
Conclusion
ffuf is an essential tool for security professionals who need to explore the security measures of web applications by automating tasks like directory enumeration and subdomain discovery. By understanding and combining its options, testers can tailor their assessments to uncover hidden vulnerabilities and misconfigured services, and so help secure their web presence. The examples above illustrate scenarios where ffuf can be employed to achieve robust penetration testing results.