ffuf tool common use cases
ffuf (Fuzz Faster U Fool) is a fast web fuzzer written in Go. It is commonly used for the following purposes:
- Discovering hidden files and directories: Fuzzing can be used to discover files and directories that are not linked from the web application’s user interface, but are still accessible through the web server. This can help identify potentially sensitive information that has been left accessible by mistake.
- Testing for injection vulnerabilities: Injection flaws (SQL, command, template injection and the like) let attackers alter the queries or commands the server runs by placing crafted input into a parameter, in the worst case executing arbitrary code. Fuzzing helps find them by sending a large number of malformed or malicious payloads into each parameter and flagging responses that differ in status code, size or content from the normal ones.
- Brute-forcing login pages: FFUF can be used to perform brute-force attacks on login pages, trying a large number of username and password combinations in an attempt to find valid credentials.
- Testing the robustness of the application: Fuzzing can help identify areas of the application that may be prone to crashes or other failures when presented with invalid or unexpected input.
- Identifying attack surface: Anomalies in the responses (unexpected status codes, error messages, unusual response sizes or response times) point to behaviour worth examining by hand. ffuf finds the candidates; confirming that something is exploitable is manual work.
Install ffuf using Go
Install Go first, then clone and build ffuf:
apt install golang-go
git clone https://github.com/ffuf/ffuf ; cd ffuf ; go get ; go build
Alternatively, with a current Go toolchain, install the latest release directly into $GOPATH/bin with: go install github.com/ffuf/ffuf/v2@latest
| Command | Purpose |
|---|---|
| `ffuf -w /SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://<target>/FUZZ` | Directory fuzzing. `<target>` is a placeholder for the host under test. |
| `ffuf -w /SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://<target>/FUZZ.php` | Page fuzzing: FUZZ replaces the file name while the extension stays fixed; `-e .php,.html` tries several extensions per word instead. |
| `ffuf -w /SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://192.168.5.14/blog/FUZZ -recursion -recursion-depth 1 -e .php -v` | Recursive scanning: every directory found is fuzzed again, one level deep, with `.php` pages included; `-v` prints the full URL of each hit. |
| `ffuf -w /SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.example.com/` | Sub-domain fuzzing through DNS: each candidate has to resolve publicly, so only public sub-domains are found. |
| `ffuf -w /SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://example.com -H 'Host: FUZZ.example.com'` | Vhost fuzzing: every candidate is sent as the Host header to the known server, which also finds vhosts that have no public DNS record. Every unknown name returns the default site, so at first all candidates match; note that response size and filter it out (e.g. `-fs 500` for a 500-byte default page), or let `-ac` auto-calibrate the filter. |
| `ffuf -w /usr/share/seclists/Fuzzing/fuzz-Bo0oM.txt -u 'http://10.11.11.22/login.php?FUZZ=admin'` | GET parameter name fuzzing: FUZZ takes the place of the parameter name. Quote the URL so the shell does not treat `?` as a glob. |
| `ffuf -w /usr/share/seclists/Fuzzing/fuzz-Bo0oM.txt -u 'http://10.11.11.22/instructions.php?help=FUZZ'` | GET parameter value fuzzing: FUZZ takes the place of the value. |
| `ffuf -w parameters.txt -X POST -d "FUZZ=4" -u "https://example.com/search.php"` | POST parameter name fuzzing: the wordlist goes into the request body instead of the query string. |
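The vhost row above says to note the size of the default response and filter it out. The script below, an added example that is not part of the original notes, does that step: it takes the results of a first unfiltered run, picks the most frequent content length as the baseline, lists the names that deviate from it, and prints the follow-up ffuf command with `-fs` set. The candidate names, sizes, wordlist and domain are constructed for the example; in practice the two columns would be extracted from ffuf's saved output (`-o out.csv -of csv`).

```shell
#!/bin/sh
# Added example (not from the original notes): derive the -fs value for a
# vhost fuzzing run from a first, unfiltered pass, then print the filtered
# follow-up command. Names, sizes, wordlist and domain are constructed.

# Constructed stand-in for a first run's results, two columns: candidate
# name and content_length (as extracted from ffuf -o out.csv -of csv).
SAMPLE='www 500
mail 500
dev 500
staging 4312
test 500
admin 500
api 2207
ftp 500'

# Most frequent content_length on stdin. Unknown vhosts all receive the same
# default-site body, so the mode is the noise size to filter out.
baseline_size() {
    awk '{print $2}' | sort | uniq -c | sort -rn | awk 'NR == 1 {print $2}'
}

# Candidates on stdin whose size differs from the baseline: likely real vhosts.
outliers() {
    awk -v base="$1" '$2 != base {print $1}'
}

# Follow-up ffuf command with the baseline size filtered out.
# $1 wordlist, $2 domain, $3 baseline size.
fs_command() {
    printf 'ffuf -w %s:FUZZ -u http://%s -H "Host: FUZZ.%s" -fs %s\n' "$1" "$2" "$2" "$3"
}

# Stand-alone run over the constructed sample.
base=$(printf '%s\n' "$SAMPLE" | baseline_size)
echo "baseline size: $base"
echo "candidates that differ from the baseline:"
printf '%s\n' "$SAMPLE" | outliers "$base"
fs_command /SecLists/Discovery/DNS/subdomains-top1million-5000.txt example.com "$base"
```

Taking the mode rather than the first line as the baseline matters: if the wordlist happens to start with a real vhost, a filter built from the first response would hide every non-existent name's twin and keep the noise.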
For vhosts without a public DNS record, map the main domain to the server's IP address in /etc/hosts so that ffuf's requests resolve:
sudo sh -c 'echo "18.104.22.168 livehack101.com" >> /etc/hosts'