FFUF
FFUF (Fuzz Faster U Fool) is a fuzzing tool designed to find hidden directories, files, and vulnerabilities in web applications. It works by sending HTTP requests with different word combinations from a dictionary, allowing it to discover paths or access points not visible to the public.
Although there are many tools available for fuzzing, FFUF is one of my favorites due to its ease of use and the variety of options it offers.
Usage
Basic Usage
FFUF is used by applying different options to a target, which should be a URL.
# Basic command structure
ffuf [options] -u URL
# Basic attack: specify wordlist (DICT) and target (URL) for fuzzing
ffuf -w DICT -u URL
The FUZZ Variable
In FFUF, the FUZZ keyword is a placeholder that marks where each word from the wordlist is substituted into the target URL. For example, in the following command:
ffuf -w paths.txt -u http://www.example.com/FUZZ
FFUF will take each word from paths.txt and insert it in place of FUZZ in the URL. This allows for automated searching of specific directories or files on the website, making it easier to identify hidden paths or vulnerabilities.
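Seen from the server side, the substitution described above shows up as one client requesting many distinct paths in a short time, most of them answered with 404. The following is an added example, not part of the original page or of FFUF itself: a small detector run over constructed access-log lines in combined log format. The function names, thresholds and sample addresses are assumptions, and the User-Agent is ignored because the client controls it.

```python
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')

def sample_log():
    """Constructed access-log lines (combined format), not real traffic."""
    words = ["admin", "login"] + [f"old{i}" for i in range(23)]
    lines = []
    for i, word in enumerate(words):  # one client walking a 25-word list in 3 s
        status = 200 if word in ("admin", "login") else 404
        lines.append(f'203.0.113.7 - - [12/Mar/2024:10:00:{i // 10:02d} +0000] '
                     f'"GET /{word} HTTP/1.1" {status} 153 "-" "custom-agent"')
    # an ordinary visitor: three requests spread over three minutes
    for minute, (path, status) in enumerate([("/", 200), ("/about", 200), ("/typo", 404)]):
        lines.append(f'198.51.100.20 - - [12/Mar/2024:10:{minute:02d}:30 +0000] '
                     f'"GET {path} HTTP/1.1" {status} 512 "-" "browser"')
    return lines

def find_enumeration(lines, window_s=10, min_paths=20, min_miss_ratio=0.8):
    """Return clients that requested many distinct, mostly missing paths in one window."""
    per_client = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the run
        ip, ts, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        per_client[ip].append((when, path.split("?")[0], int(status)))
    flagged = {}
    for ip, hits in per_client.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # move the window start forward until it spans at most window_s seconds
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1
            span = hits[start:end + 1]
            paths = {p for _, p, _ in span}
            misses = sum(1 for _, _, s in span if s == 404)
            if len(paths) >= min_paths and misses / len(span) >= min_miss_ratio:
                flagged[ip] = {"distinct_paths": len(paths),
                               "miss_ratio": round(misses / len(span), 2)}
                break
    return flagged

if __name__ == "__main__":
    print(find_enumeration(sample_log()))
```

Delays and rate limits (-p, -rate) spread the same requests over a longer period, so window_s and min_paths have to be tuned to the traffic the site normally sees.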
Options
General Options
Options that affect the overall behavior of FFUF, such as customizing output, configuring the number of threads, and selecting a specific wordlist.
color
-c
Enable colored output.
wordlist
-w WORDLIST
Specify the path to the wordlist.
threads
-t NUMBER
Set the number of concurrent threads (default: 40).
output file
-o FILENAME
Specify the file to save the output.
output format
-of FORMAT
Specify the output format (e.g., json, csv, html).
verbose
-v
Enable verbose output for detailed logging.
quiet
-q
Suppress all output except for errors.
recursion
-recursion
Enables recursive attacks on discovered paths.
Request Options
Settings to customize HTTP requests, including headers, cookies, and the User-Agent. These are useful for applications that require authentication or have redirects.
user-agent
-H "User-Agent: USERAGENT"
Set a custom User-Agent header.
header
-H "HEADERS"
Add custom headers to the request.
cookie
-b "COOKIE"
Provide a session cookie for authenticated requests.
follow-redirects
-r
Follow HTTP redirects.
Time Options
Control the timing behavior, allowing you to set timeouts, limits on the duration of the task, and delays between requests.
timeout
-timeout SECONDS
Set the timeout for each request.
maxtime
-maxtime SECONDS
Set the maximum duration for the entire fuzzing task.
maxtime-job
-maxtime-job SECONDS
Set a time limit for individual jobs within the fuzzing task.
delay
-p SECONDS
Introduce a delay between each request to improve results.
rate
-rate REQUESTS
Set the request rate (requests per second) for the attack.
Error Options
Manage errors during fuzzing, enabling the attack to stop if certain error thresholds are reached, preventing unnecessary requests.
Spurious Error
-se
Stops the attack on spurious errors.
Stop on Failure
-sf
Stops the attack if more than 95% of requests fail.
Stop on All
-sa
Combines both spurious error and failure stop conditions.
Matchers
Options for filtering and classifying responses, helping to identify those that meet specific criteria, such as HTTP status codes or size patterns.
status code
-mc
Searches for specific HTTP status codes.
words
-mw
Searches for words in the response body.
regex
-mr
Uses regular expressions for matching.
size
-ms
Searches for responses by size in bytes.
lines
-ml
Searches for the number of lines in the response.
Filters
Used to exclude unwanted responses based on specific criteria, allowing the user to focus on relevant data and reduce noise.
status code
-fc
Excludes responses based on status codes.
words
-fw
Excludes responses containing certain words.
regex
-fr
Excludes responses matching regular expressions.
size
-fs
Excludes responses based on size.
lines
-fl
Excludes responses based on line count.
Examples
