ffuf – Fuzz Faster U Fool

A fast web fuzzer written in Go.

Heavily inspired by the great projects gobuster and wfuzz.

Features

• Fast!
• Allows fuzzing of HTTP header values, POST data, and different parts of URL, including GET parameter names and values
• Silent mode (-s) for clean output that’s easy to use in pipes to other processes.
• Modularized architecture that allows integration with existing toolchains with reasonable effort
• Easy-to-add filters and matchers (they are interoperable)

Changelog v2.1

• 7a2756a Prepare for v2.1.0 release (#724)
• 36124a1 Default to match 2XX (#723)
• e3e4e62 Report if request times out while time matcher / filter is active (#722)
• e80fdc4 [FEATURE] Extensible Auto-calibration strategies (#694)
• a7dea16 allow unused wordlist in config file (#652)
• 8453335 Don’t write a finishing newline in silent mode (#677)
• 02e6a73 Add -raw cli flag (#721)
• 3fdb4e2 Automatic brotli and deflate decompression (#720)
• 6731988 Fix #718 (#719)
• 9f2163a fix csv output file format (#683)
• 6f29907 Fixed Error for HTML Output (#714)
• 96fef62 Fix Issue696 — Divide by 0 Error when setting rate to 0 manually (#700)
• 301968c Add cert authentication to crawl (#713)
• ca2224c Pencode (#717)
• 5fd821c Fix md output format (#672)
• e979f72 bump golang.org/x/net from 0.5.0 to 0.7.0 (#650)
• b8705ef Add additional check for keywords when using sniper mode (#661)
• a3bd865 Support older versions of TLS regardless of Go defaults (#671)
• 627c871 [Fix] Fixed multiline output when using only one fuzz variable (issue #645) (#656)
• b2c1f94 Fix HTML output (#640)

Installation

• Download a prebuilt binary from releases page, unpack and run! or
• If you have Go compiler installed: go get github.com/ffuf/ffuf

Usage

To define the test case for ffuf, use the keyword FUZZ anywhere in the URL (-u), headers (-H), or POST data (-d).

 -H "Name: Value"

    	Header "Name: Value", separated by colon. Multiple -H flags are accepted.

  -V	Show version information.

  -X string

    	HTTP method to use. (default "GET")

  -c	Colorize output.

  -d string

    	POST data.

  -fc string

    	Filter HTTP status codes from response

  -fr string

    	Filter regexp

  -fs string

    	Filter HTTP response size

  -fw string

    	Filter by amount of words in response

  -k	Skip TLS identity verification (insecure)

  -mc string

    	Match HTTP status codes from respose (default "200,204,301,302,307,401,403")

  -mr string

    	Match regexp

  -ms string

    	Match HTTP response size

  -mw string

    	Match amount of words in response

  -p delay

    	Seconds of delay between requests, or a range of random delay. For example "0.1" or "0.1-2.0"

  -s	Do not print additional information (silent mode)

  -t int

    	Number of concurrent threads. (default 40)

  -u string

    	Target URL

  -w string

    	Wordlist path

Example

Typical directory discovery

By using the FUZZ keyword at the end of URL (-u):

ffuf -w /path/to/wordlist -u https://target/FUZZ

Virtual host discovery (without DNS records)

Assuming that the default virtualhost response size is 4242 bytes, we can filter out all the responses of that size (-fs 4242) while fuzzing the Host – header:

ffuf -w /path/to/vhost/wordlist -u https://target -H "Host: FUZZ" -fs 4242

GET parameter fuzzing

GET parameter name fuzzing is very similar to directory discovery and works by defining the FUZZ keyword as a part of the URL. This also assumes a response size of 4242 bytes for invalid GET parameter name.

ffuf -w /path/to/paramnames.txt -u https://target/script.php?FUZZ=test_value -fs 4242

If the parameter name is known, the values can be fuzzed in the same way. This example assumes a wrong parameter value returning HTTP response code 401.

ffuf -w /path/to/values.txt -u https://target/script.php?valid_name=FUZZ -fc 401

POST data fuzzing

This is a very straightforward operation, again by using the FUZZ keyword. This example is fuzzing only part of the POST request. We’re again filtering out the 401 responses.

ffuf -w /path/to/postdata.txt -X POST -d "username=admin\&password=FUZZ" https://target/login.php -fc 401

Copyright (c) 2018 Joona Hoikkala

Source: https://github.com/ffuf/