ffuf

There are three versions of ffuf available in the Trickest library. Each one is packaged a little differently to be suitable and more convenient for a particular use case and usage pattern.

ffuf

This is the base version of ffuf. You can use it to fuzz any part of a URL with a wordlist. Use the FUZZ placeholder to mark where each word from the wordlist will be inserted (e.g. https://trickest.io/FUZZ to fuzz for directories).

Basic Usage Examples

Basic directory brute-force

Pass your target to the target-url parameter with the FUZZ placeholder added as a path, and pass the wordlist to the wordlist parameter to fuzz directories.

screenshot of the ffuf node connected to two input nodes on the left side in the workflow editor

Fuzz directories with ffuf

Directory brute-force under a known path

Add the FUZZ placeholder at any point in the URL, such as within a subdirectory to fuzz at this location.

screenshot of the ffuf node connected to two input nodes on the left side in the workflow editor

Fuzz directories within a subdirectory with ffuf

GET parameter brute-force

Add the FUZZ placeholder as a parameter to brute force for inputs.

screenshot of the ffuf node connected to two input nodes on the left side in the workflow editor

Fuzz parameters with ffuf

POST parameter brute-force

Pass POST to the method input, and add the FUZZ placeholder to the data string input to brute force POST parameters.

screenshot of the ffuf node connected to four input nodes on the left side in the workflow editor

Fuzz POST data with ffuf

Parameter value brute-force

Add the FUZZ keyword as a value of any GET or POST parameter to brute force its value.

screenshot of the ffuf node connected to four input nodes on the left side in the workflow editor

Fuzz parameter values with ffuf

Header brute-force

Add the FUZZ placeholder to the header string input to brute force headers.

screenshot of the ffuf node connected to three input nodes on the left side in the workflow editor

Fuzz headers with ffuf

Virtual host brute-force

Add the FUZZ placeholder to the header input as a value of the Host header to brute force virtual hosts.

screenshot of the ffuf node connected to three input nodes on the left side in the workflow editor

Fuzz virtual hosts with ffuf

Improvements

Filter results

By default, ffuf will output all of the results it finds. However, you can use certain inputs to filter out unwanted results. Some options you can use to do this include:

  • filter-http-status-code-from-response
  • filter-http-response-size
  • filter-by-amount-of-lines
  • filter-by-amount-of-words
  • filter-regexp
  • filter-time

If you use more than one filtering criterion, use the filter-mode input to specify the filter set operator (either and or or; default: or).

screenshot of the ffuf node connected to three input nodes on the left side in the workflow editor

Filter ffuf results

Match results

Use these inputs to only write results to the output if they match certain criteria. They work in the same way as filtering options.

  • match-http-status-code-from-response
  • match-http-response-size
  • match-by-amount-of-lines
  • match-by-amount-of-words
  • match-time
  • match-regexp

If you use more than one matching criterion, use the matcher-mode input to specify the matcher set operator (either and or or; default: or).

screenshot of the ffuf node connected to three input nodes on the left side in the workflow editor

Match ffuf results

Auto-calibrate filtering options

Use the calibrate-filtering-options boolean flag to let ffuf decide how to filter for unique results.

screenshot of the ffuf node connected to three input nodes on the left side in the workflow editor

Auto-calibrate ffuf's filtering options

Increase/decrease thread count

The default number of threads for ffuf is 40. Use the number-of-concurrent-threads input to change this number.

Increasing the number of threads can speed up execution, while decreasing it makes the scan less aggressive.

screenshot of the ffuf node connected to three input nodes on the left side in the workflow editor

Change the number of ffuf threads

Add delay

Use the delay-between-requests input to set either a specific delay between requests or a random delay within a range (in seconds).

screenshot of the ffuf node connected to three input nodes on the left side in the workflow editor

Set a delay between ffuf requests

Set a maximum run time

Use the max-run-time-for-process input (in seconds).

screenshot of the ffuf node connected to three input nodes on the left side in the workflow editor

Set a maximum run time for ffuf

Scan recursively

Use the scan-recursively input.

You can further configure the recursion behavior using these inputs:

  • max-run-time-for-job: Control the time (in seconds) that ffuf will spend on each job (not the entire process). A new job is created when ffuf detects a new subdirectory.
  • recursion-depth
  • recursion-strategy: Use greedy to recurse on all matches

screenshot of the ffuf node connected to six input nodes on the left side in the workflow editor

Scan recursively with ffuf

Output to a different format

By default, ffuf will write results as a JSON file with the scan results inside the results sub-object.

...
    "results": [
        {
            "input": {
                "FUZZ": "admin"
            },
            "position": 1,
            "status": 301,
            "length": 226,
            "words": 9,
            "lines": 7,
            "content-type": "text/html; charset=UTF-8",
            "redirectlocation": "https://trickest.io/admin",
            "duration": 67233959,
            "resultfile": "",
            "url": "https://trickest.io/admin",
            "host": "trickest.io"
        }
    ],
...

Use the output-format input to change it to ejson, html, md, csv, or ecsv.

screenshot of the ffuf node connected to three input nodes on the left side in the workflow editor

Change ffuf's output format
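
The following is an added example, not part of the original page or of ffuf itself: it loads a report in the JSON shape shown above and drops results after the fact, combining criteria the way the filter-mode input is described (or: any criterion hits, and: all criteria hit). The function names, the criteria format and the sample records are assumptions made for illustration.

```python
import json

# Constructed sample in the JSON shape shown above (not real scan data).
SAMPLE = json.dumps({"results": [
    {"input": {"FUZZ": "admin"}, "status": 301, "length": 226, "words": 9,
     "lines": 7, "url": "https://trickest.io/admin"},
    {"input": {"FUZZ": "login"}, "status": 200, "length": 1532, "words": 120,
     "lines": 48, "url": "https://trickest.io/login"},
    {"input": {"FUZZ": "zzz1"}, "status": 200, "length": 226, "words": 9,
     "lines": 7, "url": "https://trickest.io/zzz1"},
    {"input": {"FUZZ": "backup"}, "status": 403, "length": 153, "words": 3,
     "lines": 8, "url": "https://trickest.io/backup"},
]})

def parse_ranges(spec):
    """Turn '200,300-399' into a list of inclusive (low, high) tuples."""
    ranges = []
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        ranges.append((int(low), int(high or low)))
    return ranges

def post_filter(report_json, criteria, mode="or"):
    """Return the FUZZ words that survive filtering.

    criteria maps a result field ('status', 'length', 'words', 'lines')
    to a range spec; the field names are the JSON keys, not ffuf inputs.
    """
    if mode not in ("and", "or"):
        raise ValueError("mode must be 'and' or 'or'")
    combine = all if mode == "and" else any
    parsed = {field: parse_ranges(spec) for field, spec in criteria.items()}
    kept = []
    for result in json.loads(report_json).get("results", []):
        hits = [any(lo <= result.get(field, -1) <= hi for lo, hi in ranges)
                for field, ranges in parsed.items()]
        # A result is dropped only when the combined criteria hit it.
        if not (hits and combine(hits)):
            kept.append(result["input"]["FUZZ"])
    return kept

if __name__ == "__main__":
    rules = {"status": "301", "length": "226"}
    print("or :", post_filter(SAMPLE, rules, "or"))
    print("and:", post_filter(SAMPLE, rules, "and"))
```

With or, the 226-byte response for zzz1 is dropped along with the redirect; with and, only the result that is both a 301 and 226 bytes long is dropped.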

ffuf-multi

ffuf-multi is packaged slightly differently to ffuf to make it easier to fuzz multiple hosts. It is equivalent to this command:

ffuf -u HOST/WORD -w hosts.txt:HOST -w wordlist.txt:WORD

Most of the improvements that apply to ffuf will apply to ffuf-multi. However, if you decide to automatically calibrate filtering results, it will be useful to use host-auto-calibration instead of the default calibrate-filtering-options and experiment with different calibration options such as auto-calibration-strategy and auto-calibration-keyword.

ffuf-od

ffuf-od works similarly to the base ffuf except it saves the HTTP responses of each match and writes them to a folder. Most of the improvements that apply to ffuf will apply to ffuf-od.

{% code title="example output file" %}

GET /admin HTTP/1.1
Host: trickest.io
User-Agent: Fuzz Faster U Fool v1.5.0
Accept-Encoding: gzip

---- ↑ Request ---- Response ↓ ----
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Connection: keep-alive
Content-Type: text/html
Date: Fri, 32 Oct 2099 13:33:37 GMT
Server: nginx

<h1>Admin</h1>

{% endcode %}
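
The following is an added example, not part of the original page or of ffuf: it parses one saved file in the layout shown above into a request and response summary, so a folder of matches can be triaged by status, server and content type. The function names are assumptions, and the sample text is constructed from the example output file.

```python
SEPARATOR = "---- ↑ Request ---- Response ↓ ----"

# Constructed sample mirroring the example output file above.
SAMPLE = """GET /admin HTTP/1.1
Host: trickest.io
User-Agent: Fuzz Faster U Fool v1.5.0
Accept-Encoding: gzip

---- ↑ Request ---- Response ↓ ----
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Connection: keep-alive
Content-Type: text/html
Date: Fri, 32 Oct 2099 13:33:37 GMT
Server: nginx

<h1>Admin</h1>
"""

def split_head(block):
    """Split an HTTP message into (start line, headers dict, body)."""
    head, _, body = block.strip("\n").partition("\n\n")
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def parse_saved_exchange(text):
    """Parse one saved file into a flat summary of request and response."""
    text = text.replace("\r\n", "\n")  # tolerate CRLF line endings
    request, sep, response = text.partition(SEPARATOR)
    if not sep:
        raise ValueError("separator line not found")
    request_line, req_headers, _ = split_head(request)
    status_line, resp_headers, body = split_head(response)
    method, path, _ = request_line.split(" ", 2)
    return {
        "method": method, "path": path, "host": req_headers.get("host"),
        "status": int(status_line.split(" ", 2)[1]),
        "server": resp_headers.get("server"),
        "content_type": resp_headers.get("content-type"),
        "body": body,
    }

if __name__ == "__main__":
    print(parse_saved_exchange(SAMPLE))
```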

Notable Workflows

Similar Tools

  • dirsearch
  • wfuzz
  • gobuster
  • meg
  • crithit
  • kiterunner
  • fuzzuli
  • vhostscan
  • arjun
  • x8