Working with Ffuf Tool on Kali Linux OS
Example 1: Typical directory discovery
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://w3wiki.org/FUZZ
In this example, we are fuzzing the directories of the w3wiki.org target domain. ffuf replaces the FUZZ keyword in the URL with each entry from the wordlist.
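On the defending side, a directory discovery run like Example 1 shows up in the web server access log as many distinct paths that mostly return 404, and, unless the client overrides it, a User-Agent beginning with "Fuzz Faster U Fool". The Python script below is an added example, not part of the original article or of the ffuf project; the log lines, thresholds and function names are constructed for illustration and assume the Apache/Nginx "combined" log format.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(  # Apache/Nginx "combined" log format
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
FFUF_DEFAULT_UA = "fuzz faster u fool"  # ffuf's default User-Agent, lowercased, without version

def _line(ip, path, status, ua):  # builds one constructed log line
    return (f'{ip} - - [10/Mar/2024:10:00:00 +0000] "GET {path} HTTP/1.1" '
            f'{status} 153 "-" "{ua}"')

# Constructed sample (documentation IPs): default ffuf UA, browser UA with wordlist-like 404s, ordinary visitor.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", p, 404, "Fuzz Faster U Fool v2.1.0") for p in ("/admin", "/backup")]
    + [_line("198.51.100.20", p, 404, "Mozilla/5.0") for p in ("/old", "/test", "/dev", "/tmp", "/cgi-bin")]
    + [_line("198.51.100.20", "/images", 301, "Mozilla/5.0")]
    + [_line("192.0.2.10", "/", 200, "Mozilla/5.0"),
       _line("192.0.2.10", "/favicon.ico", 404, "Mozilla/5.0")]
)

def detect_discovery(log_text, min_requests=5, min_404_ratio=0.8, min_paths=5):
    """Return {client_ip: [reasons]} for clients that look like content discovery."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0, "paths": set(), "ffuf_ua": False})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in combined format
        s = stats[m["ip"]]
        s["total"] += 1
        s["not_found"] += m["status"] == "404"
        s["paths"].add(m["path"])
        s["ffuf_ua"] |= FFUF_DEFAULT_UA in m["ua"].lower()
    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s["ffuf_ua"]:
            reasons.append("default ffuf User-Agent")
        # The User-Agent is client-controlled, so also flag many distinct paths that mostly 404.
        if (s["total"] >= min_requests and len(s["paths"]) >= min_paths
                and s["not_found"] / s["total"] >= min_404_ratio):
            reasons.append(f"{s['not_found']}/{s['total']} requests returned 404")
        if reasons:
            findings[ip] = reasons
    return findings

if __name__ == "__main__":
    print(detect_discovery(SAMPLE_LOG))
```

The thresholds are starting points and should be tuned against the normal 404 rate of the site being monitored.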
Example 2: Virtual host discovery (without DNS records)
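ffuf -w /usr/share/wordlists/vhost.txt -u https://w3wiki.org -H "Host: FUZZ" -fs 4242
In this example, we are discovering virtual hosts by fuzzing the Host header. The -fs option filters responses by size: here, responses of 4242 bytes (assumed to be the size of the default virtual host response) are filtered out.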
Example 3: GET parameter fuzzing
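ffuf -w /usr/share/wordlists/parameters.txt -u "http://testphp.vulnweb.com/search.php?FUZZ=test_value" -fs 4242
In this example, we are using the GET method to fuzz parameter names: the FUZZ keyword takes the place of the parameter name in the query string, and responses of 4242 bytes are filtered out with -fs. The URL is quoted so that the shell does not interpret the ? character.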
Example 4: Maximum execution time
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://w3wiki.org/FUZZ -maxtime 60
In this example, we are specifying the maximum execution time. The -maxtime option sets the maximum running time of the entire ffuf process in seconds (60 here).
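Example 5: POST Data Fuzzing
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -X POST -d "username=admin&password=FUZZ" -u https://testphp.vulnweb.com/login.php -fc 401
In this example, we are using the POST method to fuzz the password field of the request body. Responses with HTTP status code 401 are filtered out with the -fc option.
Example 6: Using an external mutator to produce test cases
ffuf --input-cmd 'radamsa --seed $FFUF_NUM example1.txt example2.txt' -H "Content-Type: application/json" -X POST -d FUZZ -u https://testphp.vulnweb.com/ -mc all -fc 400
In this example, we'll fuzz JSON data that's sent over POST. Radamsa is used as the mutator: ffuf runs the command given to --input-cmd to produce each test case and sends its output as the request body (-d FUZZ). The -mc all option matches every status code, and -fc 400 filters out responses with status code 400.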
ffuf – Fast Web Fuzzer Linux Tool Written in Go
Fuzzing is the automated process of giving random input to an application to look for errors or unexpected behavior. Finding hidden directories and files on a web server can also be categorized as fuzzing. If we try to perform this process manually, it can take dozens of months to find the directories on the server, so automation is the best approach for fuzzing. FFUF is an automated tool developed in the Golang language and is the fastest fuzzer tool available today. Its key features include switching the request method from GET to POST and vice versa. We can also use various wordlists for fuzzing virtual hosts. FFUF is an open-source and free-to-use tool.
Note: As ffuf is a Golang-based tool, you need to have a Golang environment on your system. To install Golang, see: Installation of Go Lang in Linux.