Fuzz Faster with FFUF
A fast web fuzzer written in Go.
FFUF is one of the newest, and by a wide margin the fastest, open source web fuzzers available. But before we begin, let's first try to understand what fuzzing really is.
Fuzzing is the automated process of feeding random or unexpected input to an application and watching for errors or unexpected behaviour. Discovering hidden directories and files on a web server also falls under fuzzing.
The tool is versatile and can be used for a variety of purposes. Some of its use cases are:
- General directory discovery, with the option to fuzz at any position in the URL.
- VHOST discovery without DNS records.
- Fuzzing using various HTTP methods.
We’ll talk about the installation and then move on to the usage of the tool.
- The tool can be installed by downloading the binary for your platform, packaged as a tar.gz file, from the Releases page of ffuf on GitHub.
- It can also be installed with the go get command.
go get github.com/ffuf/ffuf
The Go toolchain is needed for this method; on Debian-based Linux it can be installed with apt-get.
apt-get install golang
Don't forget to add the go/bin directory to the PATH variable so the tool can be run from any directory.
Ffuf offers many options for fuzzing.
The position to be fuzzed should be indicated by the FUZZ word in the ffuf command.
Directory and File Discovery
Directories on the website can be discovered with the following command, which gives ffuf a word-list with the -w flag and a URL with the -u flag; the URL contains the keyword FUZZ, which marks the position to be fuzzed.
ffuf -w wordlist.txt -u http://website.com/FUZZ
For file discovery the same command can be used; to append specific extensions to each word-list entry, use the -e flag.
ffuf -w wordlist.txt -u http://website.com/FUZZ -e .aspx,.html,.php,.txt
Ffuf can also restrict the output to responses with a specific status code, number of lines, response size or number of words, as well as to responses matching a regex pattern.
The matcher flags for these are:
- -mc: match on status code
- -ml: match on the number of lines in the response
- -mr: match on a regex pattern
- -ms: match on response size
- -mw: match on the number of words in the response
Here are a few demonstrations to make this clearer.
To show only responses with status code 200 or 302, use:
ffuf -w wordlist.txt -u http://website.com/FUZZ -e .aspx,.html -mc 200,302
URLs that end with FUZZ are also supported by the recursion feature: when activated with the -recursion flag, ffuf fuzzes the given URL and then fuzzes further inside each directory found in the primary run.
The depth of recursion can be limited with the -recursion-depth flag.
The -maxtime flag ends the fuzzing run after the specified time in seconds.
ffuf -w wordlist.txt -u http://website.com/FUZZ -maxtime 60
The above command runs for 60 seconds and then stops, even if the word-list has not been exhausted.
-maxtime-job is used together with the -recursion flag and specifies the time (in seconds) allowed for each new job created for each directory found.
Ffuf uses 40 threads by default; the number can be changed with the -t flag.
The tool can also find subdomains that have no DNS records, at blazing speed.
It uses the Host header of the HTTP request to look for subdomains. The -H flag specifies an HTTP request header; multiple -H flags are allowed.
ffuf -w subdomains.txt -u http://website.com/ -H "Host: FUZZ.website.com"
If the tool reports many subdomains and most of them do not actually exist, the filter options can be used.
Note the most common size, word count or line count among the false-positive responses and pass that value to a filter:
- -fw: filter by the number of words
- -fl: filter by the number of lines
- -fs: filter by the size of the response
- -fc: filter by the status code
- -fr: filter by a regex pattern
In the sample run there are many false positives, and most of them have size 12454, words 3913 and lines 421.
So we can drop these responses with the filter flags.
ffuf -w sublists.txt -u http://website.com/ -H "Host: FUZZ.website.com" -fw 3913
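Picking the filter value by eye from a long run is error-prone. The following shell helper is an added example, not part of the article or of ffuf itself: it takes ffuf's terminal output (a constructed sample below, using the same sizes as the run above), finds the most common size/words/lines triple and prints it as -fs/-fw/-fl flags, and a second function shows which inputs a -fw filter would still report. It assumes ffuf's default result line format, `input [Status: N, Size: N, Words: N, Lines: N]`.

```sh
#!/bin/sh
# Constructed sample of ffuf's terminal output for the vhost run above (not real scan data).
# Three inputs share one size/words/lines triple: that is the default-vhost false-positive baseline.
SAMPLE_OUTPUT='admin        [Status: 200, Size: 12454, Words: 3913, Lines: 421]
mail         [Status: 200, Size: 12454, Words: 3913, Lines: 421]
dev          [Status: 200, Size: 8801, Words: 2105, Lines: 310]
ftp          [Status: 200, Size: 12454, Words: 3913, Lines: 421]
staging      [Status: 302, Size: 0, Words: 1, Lines: 1]'

# suggest_filters OUTPUT
# Extract "size words lines" from every result line, count identical triples,
# take the most frequent one and print it as ffuf filter flags.
suggest_filters() {
    printf '%s\n' "$1" \
      | sed -n 's/.*Size: \([0-9]*\), Words: \([0-9]*\), Lines: \([0-9]*\).*/\1 \2 \3/p' \
      | sort | uniq -c | sort -rn | head -n 1 \
      | awk '{ printf "-fs %s -fw %s -fl %s\n", $2, $3, $4 }'
}

# surviving_inputs OUTPUT WORDS
# Print the fuzzed input (first column) of every line whose word count differs
# from WORDS, i.e. what a run with "-fw WORDS" would still report.
surviving_inputs() {
    printf '%s\n' "$1" \
      | awk -v words="$2" 'match($0, /Words: [0-9]+/) {
            w = substr($0, RSTART + 7, RLENGTH - 7)
            if (w + 0 != words + 0) print $1
        }'
}

echo "suggested filter: $(suggest_filters "$SAMPLE_OUTPUT")"
echo "left after -fw 3913: $(surviving_inputs "$SAMPLE_OUTPUT" 3913 | tr '\n' ' ')"
```

Filtering on all three values at once (-fs, -fw and -fl together) is stricter than -fw alone and keeps a real vhost that happens to share only the word count.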
The tool also allows fuzzing at any position, from the URL to the HTTP headers.
To fuzz a URL with a particular HTTP method, add the -X flag and specify the method.
For example, to fuzz a URL with the POST method, use:
ffuf -w wordlist.txt -u http://website.com/FUZZ -X POST
Since ffuf offers fuzzing at any place, we can also fuzz the data to be sent in the POST request.
ffuf -w wordlist.txt -X POST -d "username=admin&password=FUZZ" -u http://website.com/
Here, the -d flag specifies the data to be sent in the body of the POST request.
The FUZZ keyword can also sit in the middle of the path, for example:
ffuf -w wordlist.txt -u http://website.com/FUZZ/backup.zip
The tool can also be used to brute-force login pages with the -mode flag, choosing the attack type: clusterbomb or pitchfork. Both modes take two word-lists, one for usernames and one for passwords.
- In clusterbomb mode every word in the username word-list is combined with every word in the password word-list, so 4 words in list 1 and 5 in list 2 give a total of 20 requests.
- In pitchfork mode the first word in the username list is paired with the first word in the password list, the second with the second, and so on. If the lists differ in length, the attack stops as soon as the shorter list is exhausted.
The -request flag specifies a file containing a raw HTTP request, which is then used as the template to fuzz.
To brute-force a login form with a clusterbomb attack using a raw request file:
ffuf -request req.txt -request-proto http -mode clusterbomb -w usernames.txt:HFUZZ -w passwords.txt:WFUZZ
In the request file, HFUZZ is placed in the login_username field and is fed from usernames.txt; similarly WFUZZ is placed in the login_password field and is fed from passwords.txt.
And yes, the -c flag gives a little colour in the output.
This tool has an edge over all the others in terms of speed because it is written in Go.
People often confuse wfuzz and ffuf, since both offer similar features, but ffuf surpasses wfuzz in speed, as wfuzz is written in Python.
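The article never shows req.txt itself, so here is an added example (not from the article or the ffuf project) of what it could look like, together with a small pre-flight check that every keyword bound on the command line with -w file:KEYWORD actually occurs in the request file. The /login path and the Host value are assumptions; the field names login_username and login_password are the ones the article uses.

```sh
#!/bin/sh
# write_request_file PATH
# Writes a constructed raw request (hypothetical /login endpoint and Host) with the two
# keywords placed where the article puts them: HFUZZ in the username field,
# WFUZZ in the password field. ffuf substitutes each keyword from its own word-list.
write_request_file() {
    cat > "$1" <<'EOF'
POST /login HTTP/1.1
Host: website.com
Content-Type: application/x-www-form-urlencoded

login_username=HFUZZ&login_password=WFUZZ
EOF
}

# check_keywords PATH KEYWORD...
# A keyword that is bound with "-w file:KEYWORD" but absent from the request means
# that word-list is never used. Prints each missing keyword; returns 1 if any is missing.
check_keywords() {
    file=$1
    shift
    missing=0
    for kw in "$@"; do
        if ! grep -q -- "$kw" "$file"; then
            echo "keyword $kw not found in $file"
            missing=1
        fi
    done
    return "$missing"
}

# count_keyword PATH KEYWORD
# How often a keyword occurs; a keyword placed twice receives the same value in both places.
count_keyword() {
    grep -o -- "$2" "$1" | wc -l | tr -d ' '
}

REQ=$(mktemp)
write_request_file "$REQ"
check_keywords "$REQ" HFUZZ WFUZZ \
  && echo "ready: ffuf -request $REQ -request-proto http -mode clusterbomb -w usernames.txt:HFUZZ -w passwords.txt:WFUZZ"
rm -f "$REQ"
```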
Note: This article is only for educational purposes. You are yourself responsible for the use of the tool.
Author: Aditya Verma