Fuzzing: ffuf Tool

Install ffuf

$ sudo apt install ffuf

$ ffuf -h

$ go install github.com/ffuf/ffuf@latest

$ ~/go/bin/ffuf -h

$ ffuf -u https://codingo.io/FUZZ/ -w ./wordlist

$ ffuf -u https://codingo.io/FUZZ -w ./wordlist.txt -recursion

Do not add "/" after FUZZ keyword.

$ ffuf -u http://codingo.io/FUZZ -w ./wrodlist.txt -recursion -e .bak

$ ffuf -u http://codingo.io/W1 -w ./wordlist.txt:W1 -e .bak

W1 could be set to anything of your choosing.

$ ffuf -u http://codingo.io/FUZZ -w ./wordlist.txt -s

$ ffuf -u http://codingo.io/FUZZ -w ./wordlist.txt -s | tee ./outfile.txt

$ ffuf -u http://codingo.io/FUZZ -w ./wordlist.txt -of html -o ./codingo

Supported formats include json, ejson, html, md, csv, and ecsv

$ ffuf -h

$ ffuf -u http://codingo.io/FUZZ -w ./wordlist.txt -of html -o ./codingo -b "NAME1=VALUE1; NAME2=VALUE2"

$ ffuf -u http://codingo.io/FUZZ -w ./wordlist.txt -of html -o ./codingo -H "NAME1=VALUE1; NAME2=VALUE2"

Setting custom headers to identify yourself can also be a requirement on some pentest engagements, or bug bounty programs.

This can be bound to any available port, and can be consumend by any tool, not just FFUF

Burp Suite Macros and Burp Suite Extension support is a major strength of tunneling a request in this manner.

$ ffuf -u https://W2.io/W1 -w ./wordlist.txt:W1 -w ./domains.txt:W2

Save the request from Burp Suite

vim /tmp/request

add GET /FUZZ at the request file

$ ffuf -request /tmp/request -w ./wordlist.txt

No need set -u or a URL

To use pitchfork mode, simply use the flag "-mode pitchfork"

$ ffuf -u https://codingo.io/FUZZ -w ./wordlist.txt --replay-proxy http://127.0.0.1:8080

$ ffuf -u http://codingo.io/FUZZ -w ./wordlist.txt -replay-proxy http://127.0.0.1:8888

Last updated 7 months ago