Posted: 24 Jul 2024

Fuzzing a Web application’s endpoints using ffuf.

I will be grading labs on a best-six-out-of-seven basis, so you can treat this lab as optional.

Preparation

None

Procedure

Note
Within the lab, you can view this procedure at http://10.0.0.1. You will also be using http://10.0.0.1 as a fuzz target.

FFuF usage

FFuF (Fuzz Faster U Fool) is a fast web fuzzing tool created in Go. It is mainly used for web enumeration, fuzzing, and directory brute-forcing. Read its manual page or help (-h) output and answer the following questions:

  1. How do you save FFuF’s output to a markdown file such as ffuf.md?

  2. What option would you use to follow redirects?

  3. How do you print complete URLs and redirect locations?

  4. How do you enable colourized output?

  5. How can you match only URLs with HTTP status 200 (OK)?

  6. How can you filter out URLs with HTTP status code 403 (Forbidden)?

URL discovery

The FFuF tool always requires at least two options:

-u

Target URL to fuzz. This should contain the literal value FUZZ, which ffuf replaces with each word from the wordlist in turn.

-w

Wordlist file. We can use wordlists from /usr/share/seclists in our Kali installation, or we can supply custom wordlists at the command line by using -w - (stdin).

Using these arguments:

  1. "Fuzz" the site http://10.0.0.1 with a single-word wordlist. What is the HTTP status code, file size and word count of the resulting file?

  2. Use the Discovery/Web-Content/common.txt wordlist to discover some files and directories that are present on http://10.0.0.1.

  3. Try again with the Discovery/Web-Content/raft-large-files.txt wordlist. What difference do you see?

  4. Use the -e option in conjunction with the raft-medium-words-lowercase.txt wordlist to discover more files with common endings (e.g., .txt and .php).

  5. Find as many files and directories as you can within the /vulnerabilities directory (e.g., /vulnerabilities/brute/index.php).

Parameter fuzzing

FFuF can fuzz things besides URLs!

  1. Using a very short wordlist (e.g., one word), fuzz http://10.0.0.1/sqli-labs/Less-1/index.php?FUZZ=1. How many words are in the HTML you receive as a result?

  2. Use Discovery/Web-Content/burp-parameter-names.txt to fuzz the space of parameters to /sqli-labs/Less-1 by filtering on the number of words in the HTTP response.

Password fuzzing

We can also use ffuf for wordlist-based brute-force attacks, for example, trying passwords on an authentication page.

  1. Use the cURL command to inspect the login page at http://10.0.0.1/sqli-labs/Less-11/index.php. What do you observe about the HTML form?

  2. Use the -X POST argument to cURL to make a POST request to /sqli-labs/Less-11/, using the -d argument to pass HTML form data attempting to log in with the username batman and the password dark knight. For example, if you wanted to submit an HTML form with a field a having the value foo and b having the value 42, you would pass a=foo&b=42 to -d.

  3. Use FFuF with the same -X and -d arguments to fuzz the password of the Dummy user. Try using the Passwords/Leaked-Databases/phpbb.txt wordlist. You will also need to set the HTTP header Content-Type: application/x-www-form-urlencoded, since FFuF does not set it automatically the way cURL does.

  4. Confirm that you have successfully found the Dummy user’s password.

  5. Use curl and diff to compare the HTML of /sqli-labs/Less-11 under the following conditions. What do you observe?

    • no username or password supplied

    • incorrect username or password supplied

    • correct username and password supplied

    • username Dummy, password phpbbin' (note: the URL encoding of the single quote ' character is %27)
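The other side of this lab is what the URL discovery and password fuzzing runs above look like to the person operating the web server. The following Python script is an added example, not part of the lab page or of ffuf itself: it parses Apache/nginx combined-format access log lines and flags the two patterns a defender would watch for, one client producing many distinct 404 paths in a short window (wordlist-driven URL discovery) and one client sending many POST requests to the same login path in a short window (password fuzzing). The log lines, the client addresses, the one-minute window and the thresholds are all constructed for illustration; real deployments tune them to their own traffic.

```python
"""Spot ffuf-style URL discovery and login brute-forcing in access logs.

Added example (not from the lab page or the ffuf project). Assumes the
Apache/nginx "combined" log format; sample lines and thresholds are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = COMBINED_LOG.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # parameter fuzzing varies only the query string
        "status": int(m["status"]),
    }


def sliding_windows(events, window):
    """Yield (start, end) index pairs over time-sorted events, each spanning at most `window`."""
    start = 0
    for end in range(len(events)):
        while events[end]["ts"] - events[start]["ts"] > window:
            start += 1
        yield start, end + 1


def detect(lines, window=timedelta(seconds=60), path_threshold=15, post_threshold=10):
    """Return sorted (ip, kind, path, peak_count) findings.

    kind is "url-discovery" (>= path_threshold distinct 404 paths in one window;
    path is "*") or "login-bruteforce" (>= post_threshold POSTs to one path).
    """
    by_ip = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event is not None:
            by_ip[event["ip"]].append(event)

    peak = {}  # (ip, kind, path) -> highest count observed in any window
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        for s, t in sliding_windows(events, window):
            chunk = events[s:t]
            distinct_404 = {e["path"] for e in chunk if e["status"] == 404}
            if len(distinct_404) >= path_threshold:
                key = (ip, "url-discovery", "*")
                peak[key] = max(peak.get(key, 0), len(distinct_404))
            posts = Counter(e["path"] for e in chunk if e["method"] == "POST")
            for path, n in posts.items():
                if n >= post_threshold:
                    key = (ip, "login-bruteforce", path)
                    peak[key] = max(peak.get(key, 0), n)
    return sorted((*key, n) for key, n in peak.items())


def _line(ip, second, method, path, status):
    """Build one constructed combined-format line, `second` seconds after a fixed start."""
    ts = datetime(2024, 7, 24, 10, 0, 0, tzinfo=timezone.utc) + timedelta(seconds=second)
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "curl/8.0"')


# Constructed sample: one ordinary visitor, one wordlist scan, one login brute-force.
SAMPLE_LOG = (
    [_line("10.0.0.5", 0, "GET", "/", 200),
     _line("10.0.0.5", 5, "GET", "/index.php", 200),
     _line("10.0.0.5", 7, "GET", "/missing", 404)]
    + [_line("10.0.0.99", i, "GET", f"/word{i}", 404) for i in range(20)]
    + [_line("10.0.0.77", 30 + i, "POST", "/sqli-labs/Less-11/", 200) for i in range(12)]
    + ["this line is not in combined format and is skipped"]
)

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

A single 404 from a real visitor never trips the scan rule because it counts distinct paths per client within the window, and the POST rule keys on the login path so ordinary form submissions spread across many clients stay below threshold. The sliding window is two-pointer, so the scan runs in linear time over each client's sorted events.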