Attacking Web Applications With Ffuf

  • Ffuf is a reliable tool for web application fuzzing.

  • Some things you might want to fuzz:

    • Directories

    • Pages

    • Sub-domains

    • Parameters

    • Values

  • To skip the copyright/credit comment lines at the top of the SecLists wordlists, use the -ic flag.

  • Ffuf can scan recursively (-recursion), meaning that it automatically starts another scan under every newly identified directory until it has fuzzed the main website and all of its subdirectories. Since this can take a lot of time, it is recommended to set a depth limit (-recursion-depth).

  • Take note that if the website isn't publicly hosted, you need to add it to your hosts file (both the main site and any discovered subdomains). The command is in the code section below.

  • Also take note of VHosts, which can affect your subdomain fuzzing results. A VHost is essentially a sub-domain served from the same server and sharing the same IP, so it is selected by the Host header rather than by DNS.

  • Code:

#Example Fuzzing Directories
ffuf -w <Word-List>:FUZZ -u http://<Server-IP>:<Port-Number>/FUZZ

#Example Extension Fuzzing
ffuf -w <Word-List>:FUZZ -u http://<Server-IP>:<Port-Number>/index.FUZZ

#Example Fuzzing Pages (use the extension identified by the extension fuzzing above)
ffuf -w <Word-List>:FUZZ -u http://<Server-IP>:<Port-Number>/FUZZ.<Extension>

#Example Recursive (-v to output full URLs) (-e to set the extension, e.g. .php)
ffuf -w <Word-List>:FUZZ -u http://<Server-IP>:<Port-Number>/FUZZ -recursion -recursion-depth <Depth> -e <Extension> -v

#Example Fuzzing Subdomains (fuzz the hostname, not the IP, since this relies on DNS)
ffuf -w <Word-List>:FUZZ -u http://FUZZ.<Domain>:<Port-Number>/

#Example Fuzzing VHosts. Every request returns 200, so first identify the response size of an incorrect result and filter it out with -fs.
ffuf -w <Word-List>:FUZZ -u http://<Server-IP>:<Port-Number>/ -H 'Host: FUZZ.<Domain>:<Port-Number>' -fs <Size-To-Filter>

#Example Fuzzing Parameters for type GET. As with VHosts you will get many false positives, so identify the size of the incorrect result and filter on it.
ffuf -w <Word-List>:FUZZ -u http://<Server-IP>:<Port-Number><Endpoint>?FUZZ=<Value> -fs <Size-To-Filter>

#Example Fuzzing Parameters for type POST.
ffuf -w <Word-List>:FUZZ -u http://<Server-IP>:<Port-Number><Endpoint> -X POST -d 'FUZZ=<Value>' -H 'Content-Type: application/x-www-form-urlencoded' -fs <Size-To-Filter>

#Code to add entries to the hosts file (a hostname, not a full URL).
sudo sh -c 'echo "<Server-IP> <Domain>" >> /etc/hosts'
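The VHost and parameter examples above tell you to find the size of the "incorrect" response and filter it with -fs. The following script, added here and not part of the original notes, automates that step: it reads ffuf's JSON output (ffuf ... -of json -o results.json), picks the response size that dominates the run as the baseline, and lists the entries that differ from it. The sample JSON is constructed, and the script assumes each entry in ffuf's results array carries input.FUZZ, status and length fields.

```python
import json
from collections import Counter

# Constructed sample of ffuf JSON output (-of json -o results.json),
# trimmed to the fields this script reads. Sizes and words are invented.
SAMPLE_FFUF_JSON = json.dumps({
    "results": [
        {"input": {"FUZZ": "id"},    "status": 200, "length": 798},
        {"input": {"FUZZ": "user"},  "status": 200, "length": 798},
        {"input": {"FUZZ": "page"},  "status": 200, "length": 798},
        {"input": {"FUZZ": "token"}, "status": 200, "length": 798},
        {"input": {"FUZZ": "debug"}, "status": 200, "length": 812},
        {"input": {"FUZZ": "admin"}, "status": 403, "length": 279},
    ]
})


def baseline_length(results):
    """Return the response size produced by the 'incorrect' candidates.

    Only trust a baseline when one size accounts for more than half the
    run; otherwise there is no single value worth passing to -fs.
    """
    counts = Counter(r["length"] for r in results)
    length, n = counts.most_common(1)[0]
    return length if n > len(results) / 2 else None


def find_outliers(ffuf_json):
    """Parse ffuf JSON output and return (baseline_size, hits).

    hits are (FUZZ value, status, length) tuples whose size differs from
    the baseline, i.e. what a rerun with -fs <baseline> would keep. When no
    baseline dominates, every result is returned so nothing is hidden.
    """
    results = json.loads(ffuf_json)["results"]
    if not results:
        return None, []
    base = baseline_length(results)
    hits = [(r["input"]["FUZZ"], r["status"], r["length"])
            for r in results if base is None or r["length"] != base]
    return base, hits


if __name__ == "__main__":
    base, hits = find_outliers(SAMPLE_FFUF_JSON)
    print(f"baseline response size: {base} -> rerun with -fs {base}")
    for word, status, length in hits:
        print(f"  {word:12} status={status} size={length}")
```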
