FFUF: A Burp Suite Intruder Alternative

Published in

MII Cyber Security Consulting Services

6 min readMar 31, 2024

FFUF Logo (Source : https://github.com/ffuf/ffuf)

Burp Suite Intruder

Burp Suite Intruder is a tool used for testing the security of web applications. It’s a part of the Burp Suite toolkit developed by PortSwigger, designed to automate attacks against web apps. Pentesters often use Intruder for fuzzing and brute force attacks.

Burp Suite Intruder Limitations

Intruder in the Burp Suite Community Edition has limitations; it is time-throttled. The performance gap between the Intruder in the Community Edition and the Professional Edition is significant. Specifically, Intruder in the Community Edition is noticeably slower compared to the Professional Edition. In my opinion, the Intruder feature in Burp Suite Community Edition is not recommended for real-case pentesting due to its performance limitations. Fortunately, there are numerous alternatives available for conducting fuzzing or brute force attacks that may offer better performance and reliability. This article is written for readers who do not have a Burp Suite Professional license. But, even if you do have one, feel free to give it a read.

Fuzz Faster U Fool

FFUF Mascot (Source : https://github.com/ffuf/ffuf)

“Fuzz Faster you Fool,” abbreviated as ffuf, is an open-source web fuzzing tool written in Go known for its impressive speed. While ffuf is often compared to tools like dirb and dirbuster, such comparisons may not be entirely fair. This is because ffuf excels mainly due to its speed and flexibility. Therefore, a more appropriate comparison would be between ffuf and Burp Suite Intruder. In this article, we do not delve into the installation process of ffuf. Instead, you can refer directly to its GitHub page for a comprehensive installation guide.

Two methods to use FFUF

Before we discuss the complex usage of ffuf as an alternative to Burp Suite Intruder, let’s start by learning two methods to use ffuf.

Method 1 : Specifying all request parameters through command-line flags.

You have the ability to define various HTTP request parameters such as directory/file paths, GET parameters, POST data, and headers through command-line flags.

When specifying directories/files and GET parameters, simply include “FUZZ” within the URL using the ‘-u’ flag at the desired location.
Example :

ffuf -w /path/to/wordlist.txt -u http://example.target/FUZZ

ffuf -w /path/to/wordlist.txt -u http://example.target/search\?q\=FUZZ

For POST data fuzzing, utilize the ‘-d’ flag and insert “FUZZ” where you wish to perform the fuzzing.
Example :

ffuf -w /path/to/wordlist.txt -u http://example.target/login -X POST -d "username=admin\&password=FUZZ"

Likewise, for headers fuzzing, use the ‘-H’ flag and place “FUZZ” accordingly.

ffuf -w /path/to/wordlist.txt -u http://127.0.0.1/ -H "Host: FUZZ"

Method 2 : Passing raw HTTP requests stored in a file.

You can use the ‘-request’ flag to include a raw HTTP request file. This makes things easier because you won’t need to use as many different options when running the command for fuzzing. It’s particularly handy when dealing with complicated HTTP requests.

First, intercept or capture the raw HTTP request using Burp Suite or your preferred method. Save the raw HTTP request to a file, such as ‘request.txt’. Then, open the ‘request.txt’ file and insert ‘FUZZ’ wherever you wish to perform fuzzing. This could be within the directory/filename, headers, post data, or any other location you choose.

POST /login HTTP/1.1
Content-Type: application/json
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: */*
Host: example.target
Accept-Encoding: gzip, deflate, br
Connection: close
Content-Length: 69

{
    "email":"user@email.com",
    "password":"FUZZ"
}

ffuf -w /path/to/wordlist.txt -u http://example.target -X POST -request /path/to/request.txt

In the example provided, “FUZZ” was inserted into the JSON post data under the ‘password’ key. It’s important to note that you can use multiple instances of “FUZZ” to target several positions within the request. This functionality mimics the “Battering Ram” attack type found in Burp Suite Intruder.

Pitchfork and Cluster Bomb Attack

As you may be aware, Burp Suite Intruder provides four attack types: Sniper, Battering Ram, Pitchfork, and Cluster Bomb. Previously, we explored two methods of using ffuf. Implicitly, we already covered how to perform Sniper and Battering Ram attacks. Sniper and Battering Ram are similar in their use of a single wordlist, with Sniper targeting only one position and Battering Ram targeting multiple positions.

Now, let’s delve into Pitchfork and Cluster Bomb attack types. Both methods involve utilizing multiple wordlists. However, Pitchfork executes each payload simultaneously, while Cluster Bomb iterates through all possible combinations of the payloads. Because these attack types are pretty complex, we’ll go with the second method of using FFUF, which means passing raw HTTP requests stored in a file.

POST /login HTTP/1.1
Content-Type: application/json
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: */*
Host: example.target
Accept-Encoding: gzip, deflate, br
Connection: close
Content-Length: 69

{
    "email":"FUZZMAIL",
    "password":"FUZZPASS"
}

In the raw HTTP request, we’ll fuzz the email field using ‘FUZZMAIL’ and the password field using ‘FUZZPASS’. You can actually customize these variable names as needed. For example, if you have ‘email.txt’ and ‘password.txt’ wordlists, you can specify each wordlist to its corresponding variable by adding “:VARIABLE_NAME” after the wordlist path in the ‘-w’ flag.

Executing pitchfork attack

ffuf -w /path/to/email.txt:FUZZMAIL,/path/to/password.txt:FUZZPASS -mode pitchfork -u http://example.target -X POST -request /path/to/request.txt

Executing cluster bomb attack

ffuf -w /path/to/email.txt:FUZZMAIL,/path/to/password.txt:FUZZPASS -mode clusterbomb -u http://example.target -X POST -request /path/to/request.txt

Tips

While this article has covered several ways to use FFUF, there are still numerous tips and techniques left unexplored. Here are some additional tips along with brief explanations.

Input and Output options

In this article, we consistently utilized the ‘-w’ flag for input, specifying wordlists as files, and omitted any output options, resulting in standard output. However, there are numerous other input and output options available for exploration.

INPUT OPTIONS:
  -D                  DirSearch wordlist compatibility mode. Used in conjunction with -e flag. (default: false)
  -e                  Comma separated list of extensions. Extends FUZZ keyword.
  -enc                Encoders for keywords, eg. 'FUZZ:urlencode b64encode'
  -ic                 Ignore wordlist comments (default: false)
  -input-cmd          Command producing the input. --input-num is required when using this input method. Overrides -w.
  -input-num          Number of inputs to test. Used in conjunction with --input-cmd. (default: 100)
  -input-shell        Shell to be used for running command
  -mode               Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork, sniper (default: clusterbomb)
  -request            File containing the raw http request
  -request-proto      Protocol to use along with raw request (default: https)
  -w                  Wordlist file path and (optional) keyword separated by colon. eg. '/path/to/wordlist:KEYWORD'

OUTPUT OPTIONS:
  -debug-log          Write all of the internal logging to the specified file.
  -o                  Write output to file
  -od                 Directory path to store matched results to.
  -of                 Output file format. Available formats: json, ejson, html, md, csv, ecsv (or, 'all' for all formats) (default: json)
  -or                 Don't create the output file if we don't have results (default: false)

Filter and matcher options

If you’re not familiar, you can utilize the filter option to disregard certain results and the matcher option to exclusively display results that meet specific conditions.

MATCHER OPTIONS:
  -mc                 Match HTTP status codes, or "all" for everything. (default: 200-299,301,302,307,401,403,405,500)
  -ml                 Match amount of lines in response
  -mmode              Matcher set operator. Either of: and, or (default: or)
  -mr                 Match regexp
  -ms                 Match HTTP response size
  -mt                 Match how many milliseconds to the first response byte, either greater or less than. EG: >100 or <100
  -mw                 Match amount of words in response

FILTER OPTIONS:
  -fc                 Filter HTTP status codes from response. Comma separated list of codes and ranges
  -fl                 Filter by amount of lines in response. Comma separated list of line counts and ranges
  -fmode              Filter set operator. Either of: and, or (default: or)
  -fr                 Filter regexp
  -fs                 Filter HTTP response size. Comma separated list of sizes and ranges
  -ft                 Filter by number of milliseconds to the first response byte, either greater or less than. EG: >100 or <100
  -fw                 Filter by amount of words in response. Comma separated list of word counts and ranges

Use Burp Suite’s proxy to capture every request

To capture all FFUF requests using Burp Suite’s proxy, simply add ‘-x http://127.0.0.1:8080' to the FFUF command. Burp Suite’s proxy typically uses port 8080 by default, but you can adjust it if you’ve customized it.

ffuf ... [your options] ... -x http://127.0.0.1:8080

Conclusions

In conclusion, we’ve explored how FFUF can serve as an alternative to Burp Suite Intruder, capable of executing all four of its attack types. It’s worth noting that FFUF offers numerous additional functionalities beyond what was covered in this article, thanks to its remarkable flexibility. If you haven’t already tried FFUF, I highly recommend giving it a go.