Fuzzing a Web application’s endpoints using ffuf.
FFuF (Fuzz Faster U Fool) is a fast web fuzzing tool created in Go.
It is mainly used for web enumeration, fuzzing, and directory brute-forcing.
Read its manual page or help (-h) output and answer the following questions:
How do you save FFuF’s output to a markdown file such as
What option would you use to follow redirects?
How do you print complete URLs and redirect locations?
How do you enable colourized output?
How can you match only URLs with HTTP status 200 (OK)?
How can you filter out URLs with HTTP status code 403 (Forbidden)?
The FFuF tool always requires at least two options:
Target URL to fuzz. This should contain the literal value FUZZ, which will be replaced with words in a wordlist.
Wordlist file. We can use wordlists from /usr/local/share/SecLists in our Kali installation.
Discovery/Web-Content/big.txt wordlist to discover some files and directories that are present on http://10.0.0.1.
Try again with the Discovery/Web-Content/raft-large-files.txt wordlist. What difference do you see?
Discovery/Web-Content/web-extensions.txt wordlist to discover the index file for the Web application on http://10.0.0.1.
-e option in conjunction with the raft-medium-words-lowercase.txt wordlist to discover more files with common endings (e.g., .txt and the file extension you found earlier).
-recursion option to find as many files and directories as you can within the
FFuF can fuzz things besides URLs!
Using a very short wordlist (e.g., one word), fuzz http://10.0.0.1/sqli-labs/Less-1/?FUZZ=1. How many words are in the HTML you receive as a result?
Discovery/Web-Content/burp-parameter-names.txt to fuzz the space of parameters to /sqli-labs/Less-1 by filtering on the number of words in the HTTP response.
We can also use ffuf for wordlist-based brute-force attacks, for example, trying passwords on an authentication page.
Use the cURL command to inspect the login page at http://10.0.0.1/sqli-labs/Less-11/. What do you observe about the HTML form?
-X POST argument to cURL to make a POST request to /sqli-labs/Less-11/, using the -d argument to pass HTML form data attempting to log in with the username batman and the password dark knight. For example, if you wanted to submit an HTML form with a field a having the value
b having the value 42, you would pass
Use FFuF with the same -d arguments to fuzz the password of the Dummy user. Try using the Passwords/Leaked-Databases/phpbb.txt wordlist. You will also need to set the HTTP header Content-Type: application/x-www-form-urlencoded, since FFuF doesn’t set it automatically like cURL.
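Why the Content-Type header matters for the POST exercise above, as an added example that is not part of the original lab sheet: it builds the raw request with and without the header and runs both through a small model of a form handler (PHP's $_POST is populated this way). The field names user and pass are placeholders, not the form's real field names, and parse_form is a simplified model rather than the lab server's code.

```python
from urllib.parse import urlencode, parse_qs

FORM_TYPE = "application/x-www-form-urlencoded"

def build_post(path, fields, set_content_type):
    """Return the raw bytes of a POST request carrying `fields` as form data."""
    body = urlencode(fields).encode("ascii")   # space -> '+', "'" -> %27
    headers = ["POST %s HTTP/1.1" % path, "Host: 10.0.0.1",
               "Content-Length: %d" % len(body)]
    if set_content_type:                       # cURL -d adds this; FFuF -d does not
        headers.append("Content-Type: " + FORM_TYPE)
    return "\r\n".join(headers).encode("ascii") + b"\r\n\r\n" + body

def parse_form(raw):
    """Model of a form handler: decode the body only if it is declared as form data."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("ascii").split("\r\n")[1:]:   # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type != FORM_TYPE:
        return {}          # body is ignored, so the application sees no fields
    length = int(headers.get("content-length", "0"))
    parsed = parse_qs(body[:length].decode("ascii"), keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}

# Constructed sample input; "user" and "pass" are placeholder field names.
SAMPLE = {"user": "batman", "pass": "dark knight"}

def demo():
    with_header = build_post("/sqli-labs/Less-11/", SAMPLE, True)
    without_header = build_post("/sqli-labs/Less-11/", SAMPLE, False)
    return with_header, parse_form(with_header), parse_form(without_header)

if __name__ == "__main__":
    raw, seen, missed = demo()
    print(raw.decode("ascii"))
    print("with Content-Type   :", seen)
    print("without Content-Type:", missed)
```

Without the header every candidate password yields the same "nothing submitted" page, so a run that shows no variation in response size or word count should be checked for this first.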
Confirm that you have successfully found the
diff to compare the HTML of /sqli-labs/Less-11 under the following conditions. What do you observe?
no username or password supplied
incorrect username or password supplied
correct username and password supplied
phpbbin' (note: the URL encoding of the single quote