# ffuf

There are three versions of `ffuf` available in the Trickest library. Each one is packaged a little differently to be suitable and more convenient for a particular use case and usage pattern.

## ffuf

This is the base version of `ffuf`. You can use it to fuzz any part of a URL with a wordlist. Use the `FUZZ` placeholder to define the location where the words of the wordlist will be inserted (e.g. `https://trickest.io/FUZZ` to fuzz for directories).
### Basic Usage Examples

#### Basic directory brute-force

Pass your target to the `target-url` parameter with the `FUZZ` placeholder added as a path, and pass the wordlist to the `wordlist` parameter to fuzz directories.

#### Directory brute-force under a known path

Add the `FUZZ` placeholder at any point in the URL, such as within a subdirectory, to fuzz at that location.

#### GET parameter brute-force

Add the `FUZZ` placeholder as a parameter name to brute-force GET parameter names.

#### POST parameter brute-force

Pass `POST` to the `method` input, and add the `FUZZ` placeholder to the `data` string input to brute-force POST parameters.

#### Parameter value brute-force

Add the `FUZZ` keyword as the value of any GET or POST parameter to brute-force its value.

#### Header brute-force

Add the `FUZZ` placeholder to the `header` string input to brute-force headers.

#### Virtual host brute-force

Add the `FUZZ` placeholder to the `header` input as the value of the `Host` header to brute-force virtual hosts.
### Improvements

#### Filter results

By default, `ffuf` will output all of the results it finds. However, you can use certain inputs to filter out unwanted results. Some options you can use to do this include:

- `filter-http-status-code-from-response`
- `filter-http-response-size`
- `filter-by-amount-of-lines`
- `filter-by-amount-of-words`
- `filter-regexp`
- `filter-time`

If you use more than one filtering criterion, use the `filter-mode` input to specify the filter set operator (either `and` or `or`; default: `or`).
#### Match results

Use these inputs to only write results to the output if they match certain criteria. They work in the same way as the filtering options.

- `match-http-status-code-from-response`
- `match-http-response-size`
- `match-by-amount-of-lines`
- `match-by-amount-of-words`
- `match-time`
- `match-regexp`

If you use more than one matching criterion, use the `matcher-mode` input to specify the matcher set operator (either `and` or `or`; default: `or`).
#### Auto-calibrate filtering options

Use the `calibrate-filtering-options` boolean flag to let ffuf decide how to filter for unique results.

#### Increase/decrease thread count

The default number of threads for ffuf is `40`. Use the `number-of-concurrent-threads` input to change this number.

Increasing the number of threads can speed up the execution, while decreasing the number of threads can make the scan less aggressive.

#### Add delay

Use the `delay-between-requests` input to set either a specific delay between requests or a random delay within a range (in seconds).

#### Set a maximum run time

Use the `max-run-time-for-process` input (in seconds) to limit how long the whole process may run.

#### Scan recursively

Use the `scan-recursively` input.

You can further configure the recursion behavior using these inputs:

- `max-run-time-for-job`: Control the time (in seconds) that ffuf will spend on each job (not the entire process). A new job is created when ffuf detects a new subdirectory.
- `recursion-depth`: Limit how many levels deep ffuf recurses into discovered subdirectories.
- `recursion-strategy`: Use `greedy` to recurse on all matches.
#### Output to a different format

By default, ffuf will write results as a JSON file with the scan results inside the `results` sub-object.

```json
...
"results": [
  {
    "input": {
      "FUZZ": "admin"
    },
    "position": 1,
    "status": 301,
    "length": 226,
    "words": 9,
    "lines": 7,
    "content-type": "text/html; charset=UTF-8",
    "redirectlocation": "https://trickest.io/admin",
    "duration": 67233959,
    "resultfile": "",
    "url": "https://trickest.io/admin",
    "host": "trickest.io"
  }
],
...
```

Use the `output-format` input to change it to `ejson`, `html`, `md`, `csv`, or `ecsv`.
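The post-processor below is added here as an illustration and is not part of this page, of Trickest, or of the ffuf project. It shows how the filter and matcher inputs from the sections above combine: it reads a results object in the JSON shape shown above, applies status/size/lines/words/time criteria in the way the `filter-*` and `match-*` inputs do, honours the `and`/`or` set operators, and renders the survivors as CSV. The sample results, the `example.invalid` hostname and the `select_results`/`to_csv` function names are constructed for the example; the regexp criterion is left out because it inspects the response body, which the JSON summary does not carry.

```python
import csv
import io
import json
from typing import Dict, Iterable, List

# Constructed sample in the shape of ffuf's JSON output (not real scan data).
SAMPLE_FFUF_JSON = json.dumps({"results": [
    {"input": {"FUZZ": "admin"}, "position": 1, "status": 301, "length": 226, "words": 9,
     "lines": 7, "content-type": "text/html; charset=UTF-8", "duration": 67233959,
     "redirectlocation": "https://example.invalid/admin", "resultfile": "",
     "url": "https://example.invalid/admin", "host": "example.invalid"},
    {"input": {"FUZZ": "login"}, "position": 2, "status": 200, "length": 1540, "words": 120,
     "lines": 48, "content-type": "text/html; charset=UTF-8", "duration": 181234567,
     "redirectlocation": "", "resultfile": "",
     "url": "https://example.invalid/login", "host": "example.invalid"},
    {"input": {"FUZZ": "backup"}, "position": 3, "status": 403, "length": 226, "words": 9,
     "lines": 7, "content-type": "text/html; charset=UTF-8", "duration": 5000000,
     "redirectlocation": "", "resultfile": "",
     "url": "https://example.invalid/backup", "host": "example.invalid"},
]})

# Criterion name -> JSON field it is compared against.
FIELDS = {"status": "status", "size": "length", "lines": "lines", "words": "words"}


def parse_values(spec: str) -> set:
    """Parse an ffuf-style value list such as "200,301-302,404" into a set of ints."""
    values = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            values.update(range(int(lo), int(hi) + 1))
        elif part:
            values.add(int(part))
    return values


def criterion_hits(result: dict, name: str, spec: str) -> bool:
    """True when a single criterion (e.g. size="226") applies to this result."""
    if name == "time":
        # Time criteria are written as ">N" or "<N" milliseconds; the JSON "duration"
        # field is treated as nanoseconds (a Go time.Duration), hence the division.
        ms = result["duration"] / 1_000_000
        return ms > float(spec[1:]) if spec[0] == ">" else ms < float(spec[1:])
    return result[FIELDS[name]] in parse_values(spec)


def any_or_all(hits: Iterable[bool], mode: str) -> bool:
    """Combine criterion outcomes with the set operator ("or" or "and")."""
    hits = list(hits)
    if not hits:
        return False
    return all(hits) if mode == "and" else any(hits)


def select_results(raw_json: str, filters: Dict[str, str] = None, filter_mode: str = "or",
                   matchers: Dict[str, str] = None, matcher_mode: str = "or") -> List[dict]:
    """Keep results that satisfy the matchers and are not removed by the filters."""
    filters, matchers = filters or {}, matchers or {}
    kept = []
    for r in json.loads(raw_json)["results"]:
        if any_or_all((criterion_hits(r, k, v) for k, v in filters.items()), filter_mode):
            continue  # filter set applied: drop the result
        if matchers and not any_or_all(
                (criterion_hits(r, k, v) for k, v in matchers.items()), matcher_mode):
            continue  # matcher set not satisfied: drop the result
        kept.append(r)
    return kept


def to_csv(results: List[dict]) -> str:
    """Render selected results as CSV with the columns a triage sheet needs."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["FUZZ", "url", "status", "length", "words", "lines", "redirectlocation"])
    for r in results:
        w.writerow([r["input"]["FUZZ"], r["url"], r["status"], r["length"],
                    r["words"], r["lines"], r["redirectlocation"]])
    return buf.getvalue()


if __name__ == "__main__":
    # "or" mode drops anything with size 226 OR status 404 (admin and backup go);
    # "and" mode would only drop results that have both properties, so all three stay.
    print(to_csv(select_results(SAMPLE_FFUF_JSON, filters={"size": "226", "status": "404"})))
```

The difference between the two set operators is easy to get wrong in practice: with `or`, one filter hit is enough to discard a result, which is what you want when removing a catch-all "not found" page by its size; with `and`, every filter has to hit, so a filter set like size 226 plus status 404 only removes responses that have both properties and lets a 403 of the same size through.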
## ffuf-multi

`ffuf-multi` is packaged slightly differently to `ffuf` to make it easier to fuzz multiple hosts. It is equivalent to this command:

```bash
ffuf -u HOST/WORD -w hosts.txt:HOST -w wordlist.txt:WORD
```

Most of the improvements that apply to `ffuf` will apply to `ffuf-multi`. However, if you decide to automatically calibrate filtering results, it will be useful to use `host-auto-calibration` instead of the default `calibrate-filtering-options` and experiment with different calibration options such as `auto-calibration-strategy` and `auto-calibration-keyword`.
## ffuf-od

`ffuf-od` works similarly to the base `ffuf`, except it saves the HTTP response of each match and writes them to a folder. Most of the improvements that apply to `ffuf` will apply to `ffuf-od`.

{% code title="example output file" %}
```http
GET /admin HTTP/1.1
Host: trickest.io
User-Agent: Fuzz Faster U Fool v1.5.0
Accept-Encoding: gzip
---- ↑ Request ---- Response ↓ ----
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Connection: keep-alive
Content-Type: text/html
Date: Fri, 32 Oct 2099 13:33:37 GMT
Server: nginx
<h1>Admin</h1>
```
{% endcode %}
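A small parser for the saved-response layout shown above, added here as an example and not part of this page or of ffuf-od. It assumes each saved file has exactly the layout of the sample (request, the separator line, then the raw response, with the body following the headers directly), and the `parse_od_file`, `body_matches` and `triage_row` names, the `example.invalid` host and the sample file contents are constructed for the example. Such a parser is what lets you review matches by response body, which the JSON results summary does not contain.

```python
import re
from typing import Dict, List, Tuple

SEPARATOR = "---- ↑ Request ---- Response ↓ ----"
HEADER_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")

# Constructed sample in the layout ffuf-od uses for one saved match (request, separator,
# raw response); not a real capture. Host, date and banner are made up.
SAMPLE_OD_FILE = """GET /admin HTTP/1.1
Host: example.invalid
User-Agent: Fuzz Faster U Fool v1.5.0
Accept-Encoding: gzip
---- ↑ Request ---- Response ↓ ----
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Connection: keep-alive
Content-Type: text/html
Date: Fri, 32 Oct 2099 13:33:37 GMT
Server: nginx
<h1>Admin</h1>
"""


def _split_headers(lines: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Consume leading 'Name: value' lines; return (headers, remaining lines).

    Header names are lower-cased for case-insensitive lookups. Parsing stops at the
    first blank line or the first line that is not a header, so a body that follows
    the headers directly (as in the saved file above) is still recovered.
    """
    headers: Dict[str, str] = {}
    i = 0
    while i < len(lines):
        if lines[i] == "":
            i += 1
            break
        m = HEADER_RE.match(lines[i])
        if not m:
            break
        headers[m.group(1).lower()] = m.group(2)
        i += 1
    return headers, lines[i:]


def parse_od_file(text: str) -> Dict:
    """Split a saved file into its request and response halves at the separator line."""
    req_text, resp_text = text.split(SEPARATOR, 1)
    req_lines = req_text.strip("\n").split("\n")
    method, path, version = req_lines[0].split(" ", 2)
    req_headers, _ = _split_headers(req_lines[1:])

    resp_lines = resp_text.strip("\n").split("\n")
    status_parts = resp_lines[0].split(" ", 2)  # e.g. ["HTTP/1.1", "200", "OK"]
    resp_headers, body_lines = _split_headers(resp_lines[1:])
    return {
        "request": {"method": method, "path": path, "version": version, "headers": req_headers},
        "response": {
            "status": int(status_parts[1]),
            "reason": status_parts[2] if len(status_parts) > 2 else "",
            "headers": resp_headers,
            "body": "\n".join(body_lines),
        },
    }


def body_matches(text: str, pattern: str) -> bool:
    """Apply a regexp to the response body only, the part a regexp matcher or filter
    would inspect during the scan; headers are deliberately not searched."""
    return re.search(pattern, parse_od_file(text)["response"]["body"]) is not None


def triage_row(text: str) -> Dict[str, object]:
    """One row for a review sheet: what was requested, what came back, any server banner."""
    p = parse_od_file(text)
    return {
        "request": f'{p["request"]["method"]} {p["request"]["path"]}',
        "host": p["request"]["headers"].get("host", ""),
        "status": p["response"]["status"],
        "content_type": p["response"]["headers"].get("content-type", ""),
        "server": p["response"]["headers"].get("server", ""),
        "body_bytes": len(p["response"]["body"].encode()),
    }


if __name__ == "__main__":
    print(triage_row(SAMPLE_OD_FILE))
```

Because the saved file has no blank line between the response headers and the body, a body whose first line happens to look like `Name: value` would be absorbed into the headers; if your saved files do carry the blank line, the parser stops there instead.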
## Notable Workflows

- Simple Content Discovery
- Brute-Force Files & Directories on a List of Hosts
- Virtual Host Discovery
- CVEs
- Brute-force File & Directories on a List of Hosts

## Similar Tools

- dirsearch
- wfuzz
- gobuster
- meg
- crithit
- kiterunner
- fuzzuli
- vhostscan
- arjun
- x8