ffuf v1.5 releases: Fast web fuzzer written in Go
ffuf – Fuzz Faster U Fool
A fast web fuzzer written in Go.
Heavily inspired by the great projects gobuster and wfuzz.
Features
- Fast!
- Allows fuzzing of HTTP header values, POST data, and different parts of URL, including GET parameter names and values
- Silent mode (-s) for clean output that’s easy to use in pipes to other processes.
- Modularized architecture that allows integration with existing toolchains with reasonable effort
- Easy-to-add filters and matchers (they are interoperable)
Changelog v1.5
5c489ae Prepare for 1.5.0 release (#23)
1db80d4 Do autocalibration for full path (#22)
21a19a1 Choose between ‘and’ and ‘or’ matching and filtering (#20)
9fa0a5d Ac rewrite
Installation
- Download a prebuilt binary from the releases page, unpack it and run it, or
- If you have the Go compiler installed: go get github.com/ffuf/ffuf
Usage
To define the test case for ffuf, use the keyword FUZZ anywhere in the URL (-u), headers (-H), or POST data (-d).
Example
Typical directory discovery
By using the FUZZ keyword at the end of URL (-u):
ffuf -w /path/to/wordlist -u https://target/FUZZ
Virtual host discovery (without DNS records)
Assuming that the default virtual host responds with a body of 4242 bytes, we can filter out every response of that size (-fs 4242) while fuzzing the Host header. Measure that baseline first (for example with a request for a hostname that cannot exist); if you get it wrong you either drown in the default page or filter away real hits.
ffuf -w /path/to/vhost/wordlist -u https://target -H "Host: FUZZ" -fs 4242
GET parameter fuzzing
GET parameter name fuzzing is very similar to directory discovery and works by placing the FUZZ keyword in the query string part of the URL. This example again assumes a response size of 4242 bytes for an invalid GET parameter name.
ffuf -w /path/to/paramnames.txt -u https://target/script.php?FUZZ=test_value -fs 4242
If the parameter name is known, the values can be fuzzed in the same way. This example assumes that a wrong parameter value returns HTTP response code 401, so those responses are filtered out by status code (-fc 401).
ffuf -w /path/to/values.txt -u https://target/script.php?valid_name=FUZZ -fc 401
POST data fuzzing
This is a very straightforward operation, again using the FUZZ keyword, this time inside the POST data (-d). The example fuzzes only part of the POST body, and again filters out the 401 responses.
Copyright (c) 2018 Joona Hoikkala
Source: https://github.com/ffuf/