FFUF — Everything You Need To Know

November 16, 2023January 12, 2024 Kiran Dawadi 0 Comments

FFUF, short for “Fuzz Faster you Fool” is an open-source web fuzzing tool written in Go programming language, intended for discovering elements and content within web applications, or web servers and can be found at https://github.com/ffuf/ffuf.

The tool is versatile and can be used for a variety of purposes. Some of its use cases are:

General Directory discovery with the option to fuzz at any place in the URL.
VHOST discovery without DNS Records
Fuzzing using various HTTP methods.

Contents hide

1. What is Fuzzing?

2. Installation

2.1. Installation from Source

2.2. Installation from APT Repositories

3. Basic Usage

3.1. Directory Bruteforcing

3.2. Recursive Scanning

3.3. Extensions

3.4. Fuzzing Multiple Locations

3.5. Subdomains hunting

4. Matchers and Filters

5. Requests Rate-Limiting

6. Filter Auto-Calibration

7. HTTP Options

8. Input and Output Options

8.1. Raw HTTP request as the input

8.2. Write output to a file

9. Replay-Proxy

What is Fuzzing?

Fuzzing is the automatic process of giving random input to an application to look for any errors or any unexpected behavior. But finding hidden directories and files on a web server can also be categorized under fuzzing.

Let’s talk about its installation then we will dive into the key features along with the examples.

Installation

Installation from Source

If you wish to install the latest stable build from the main branch of the ffuf project, you can do so with:

go get github.com/ffuf/ffuf

After installing, ffuf will be available in ~/go/bin/ffuf.

Installation from APT Repositories

You’ll also find FFUF in the apt repositories, allowing you to install by running:

sudo apt-get install ffuf

Basic Usage

The usage examples below show just the simplest tasks you can accomplish using ffuf.

Directory Bruteforcing

At its core, one of the main functions that people use FFUF for is directory brute-forcing. With that in mind, let’s fuzz! It will simply replace the value of FUZZ with the values in your wordlist.

{kiran@parrot} ~$ ffuf -c -w /usr/share/wordlists/dirb/small.txt -u https://ffuf.io.fi/FUZZ

       /'___\  /'___\           /'___\       
      /\ \__/ /\ \__/  __  __  /\ \__/        
      \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\       
       \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/       
        \ \_\   \ \_\  \ \____/  \ \_\        
         \/_/    \/_/   \/___/    \/_/        

      v1.3.0-dev
________________________________________________

:: Method           : GET
:: URL              : https://ffuf.io.fi/FUZZ
:: Wordlist         : FUZZ: /usr/share/wordlists/dirb/small.txt
:: Follow redirects : false
:: Calibration      : false
:: Timeout          : 10
:: Threads          : 40
:: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

secure                  [Status: 301, Size: 185, Words: 6, Lines: 8]
:: Progress: [959/959] :: Job [1/1] :: 163 req/sec :: Duration: [0:00:10] :: Errors: 0 ::

Note that a result ‘secure’ has come up with a 301(redirect) response code. As none of the other endpoints responded, we will investigate this directory further.
Note that the -c flag means to colorize the output. The default was false.

Recursive Scanning

We can add recursion levels to our directory scanning to mention how much deep the scan should be performed. This is usually associated with the recursion-depth flag that tells FFUF how many times to perform this action (for example, if we find another layer under admin, should we proceed to another layer or stop?).

ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi/FUZZ -recursion -recursion-depth 2

Extensions

Often we may also want to look at files with extensions rather than only scanning for the directories. This can be invaluable for finding bugs when there’s a zip file or backup file of the same name.

ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi/FUZZ -e .bak, .zip

Fuzzing Multiple Locations

FFUF easily allows us to fuzz at multiple locations of the URL. This is done by assigning W1 to the directories wordlist and W2 to the domains wordlist, then using these two parameters in the URL replacing the FUZZ parameter.

ffuf -u https://W2/W1 -w ./wordlist.txt:W1,./domains.txt:W2

Subdomains hunting

ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi -H "Host: FUZZ.ffuf.io.fi"

We can then filter out the results to match only 200 response code.

Matchers and Filters

Using matchers, FFUF will only output those results that match the conditions specified i.e it will remove all responses that do not match the matcher. You should use this option if you know what you want to keep.

Matching certain HTTP status codes only. (200 and 301 in this case.)

ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi -mc 200,301

Matching according to the amount of lines in response

ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi -ml 50

Matching according to HTTP response size

ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi -ms 350

Matching according to the words count in response

ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi -mw 200

Matching the regular expressions is also a beast feature of FFUF.

ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi -mr "root:"

As useful as matches are, filters being the inverse of matches can be just as, if not more useful. It will remove all the responses which match the filter. This is useful when you know what you want to remove (eg: if you have a default error page).

The filter flags and their usage are similar to the matchers i.e, -fc in place for -mc, -fr in place for -mr and likewise.

Requests Rate-Limiting

With the production servers and real-life bug hunting, you could easily end up overwhelming the servers with the enormous requests rate of FFUF. Thus we need request throttling and delays.

The p flag specifies the seconds of delay between requests.

ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi -p 0.1

We can also control the rate of requests i.e, maximum number of requests that can be sent per second.

ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi -rate 10

Filter Auto-Calibration

This is really a useful feature integrated in FFUF that helps a lot in eliminating false positives.

The automatic calibration (ac) flag tells FFUF to send a number of pre-flight checks before brute forcing begins and to quantify common elements of those requests for further filtering. For example, FFUF may send random strings, and if each of those responses were a 200 response code, with a common content length, then that content length would be automatically filtered from future results.

ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi -ac

Another method is custom auto-calibration filtering in which instead of sending random pre-flight checks, we send a custom keyword to test (eg: “www”) and capture its content length and response code. Thus the only responses which have a different content length than the above will be highlighted in the output.

ffuf -w vhostnames.txt -u https://target -H "Host: FUZZ.target" -acc "www"

HTTP Options

Cookie-based Authentication

ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi -b "sessionId=cookie_val"

GET parameter fuzzing

ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi?FUZZ=test_value

POST data fuzzing

ffuf -c -w /path/to/wordlist -X POST -d "username=admin&password=FUZZ" -u https://ffuf.io.fi/login.php

JSON POST data fuzzing

ffuf -w wordlist.txt -X  PUT -u http://test.site/api/users/6 -H "Content-Type: application/json" -d "{'FUZZ':'test_val'}"

Input and Output Options

Raw HTTP request as the input

One of the easiest ways to work with complex queries is to simply save the request you’re working with from your intercepting proxy (such as Burp Suite), set your fuzzing paths, and then import it into FFUF for usage. You can do this with the request flag in FFUF, as explained below.

First of all, save the raw request from Burp suite to a file let’s say request.txt.

Now we will add fuzzing points inside this request file. I will be brute-forcing the directories in this scene.

We can then open our request in FFUF, and instead of passing cookie information as an argument, we can use request flag to pass all the required infos to FFUF. In this case, this would look like the following:

ffuf -request ~/Desktop/request.txt -w ./wordlist.txt -u http://site.com

Write output to a file

We can save the output in a variety of formats with the help of -of flag. The available formats are json, ejson, html, md, csv, ecsv (or, ‘all’ for all formats) (default: json).

ffuf -request ~/Desktop/request.txt -w ./wordlist.txt -of csv

Replay-Proxy

FFUF has a command within it, replay-proxy to dictate. This will reroute successful commands (ones that hit your matches, and not your filters) to Burp Suite proxy for further investigation. Notably, this does mean that you’re doubling your requests, and this should be used in situations where it makes sense to do so.

ffuf -request ~/Desktop/request.txt -w ./wordlist.txt -replay-proxy http://127.0.0.1:8080

If you need to send all the traffic regardless successful or not, then you can instead use –x which will replay all requests via the Burp Suite project.

ffuf -request ~/Desktop/request.txt -w ./wordlist.txt -x http://127.0.0.1:8080

There are still various features that I haven’t mentioned in this post. Details on everything can be found on their GitHub repository https://github.com/ffuf/ffuf.

Kiran Dawadi

Founder of cybersecnerds.com. Electronics Engineer by profession, Security Engineer by passion.
I am a Linux Enthusiast and highly interested in the offensive side of the CyberSec industry. You will find me reading InfoSec blogs most of the time.