Fuzzing a Web application’s endpoints using ffuf.


Preparation

None

Procedure

FFuF usage

FFuF (Fuzz Faster U Fool) is a fast web fuzzing tool written in Go. It is mainly used for web enumeration, fuzzing, and directory brute-forcing. Read its manual page or help (-h) output and answer the following questions:

  1. How do you save FFuF’s output to a markdown file such as ffuf.md?

  2. What option would you use to follow redirects?

  3. How do you print complete URLs and redirect locations?

  4. How do you enable colourized output?

  5. How can you match only URLs with HTTP status 200 (OK)?

  6. How can you filter out URLs with HTTP status code 403 (Forbidden)?

URL discovery

The FFuF tool always requires at least two options:

-u

Target URL to fuzz. This should contain the literal value FUZZ, which will be replaced with each word from the wordlist in turn.

-w

Wordlist file. We can use wordlists from /usr/local/share/SecLists in our Kali installation.

  1. Use the Discovery/Web-Content/big.txt wordlist to discover some files and directories that are present on http://10.0.0.1.

  2. Try again with the Discovery/Web-Content/raft-large-files.txt wordlist. What difference do you see?

  3. Use the Discovery/Web-Content/web-extensions.txt wordlist to discover the index file for the Web application on http://10.0.0.1.

  4. Use the -e option in conjunction with the raft-medium-words-lowercase.txt wordlist to discover more files with common endings (e.g., .txt and the file extension you found earlier).

  5. Use the -recursion option to find as many files and directories as you can within the /vulnerabilities directory.
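The enumeration above leaves a characteristic trace in the web server's access log: one source sending a burst of requests to many distinct paths, most of which come back 404 or 403, typically with ffuf's own User-Agent. The following added example (not part of this lab) parses constructed combined-format log lines and flags such sources; it assumes the default ffuf User-Agent contains the string "Fuzz Faster U Fool".

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format (not captured from the lab host).
SAMPLE_LOG = """\
10.0.0.50 - - [12/Mar/2024:10:01:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.50 - - [12/Mar/2024:10:01:09 +0000] "GET /login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.99 - - [12/Mar/2024:10:02:00 +0000] "GET /admin HTTP/1.1" 404 162 "-" "Fuzz Faster U Fool v2.1.0"
10.0.0.99 - - [12/Mar/2024:10:02:00 +0000] "GET /backup HTTP/1.1" 404 162 "-" "Fuzz Faster U Fool v2.1.0"
10.0.0.99 - - [12/Mar/2024:10:02:00 +0000] "GET /.git HTTP/1.1" 403 153 "-" "Fuzz Faster U Fool v2.1.0"
10.0.0.99 - - [12/Mar/2024:10:02:01 +0000] "GET /config.php HTTP/1.1" 404 162 "-" "Fuzz Faster U Fool v2.1.0"
10.0.0.99 - - [12/Mar/2024:10:02:01 +0000] "GET /vulnerabilities/ HTTP/1.1" 200 1890 "-" "Fuzz Faster U Fool v2.1.0"
10.0.0.99 - - [12/Mar/2024:10:02:01 +0000] "GET /test HTTP/1.1" 404 162 "-" "Fuzz Faster U Fool v2.1.0"
"""

# Fields of the combined log format that the detector needs.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')


def parse_line(line):
    """Return the parsed fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_fuzzing(log_text, min_requests=5, error_ratio=0.6):
    """Map each suspicious source IP to the reasons it was flagged.

    Signal 1: the User-Agent advertises ffuf (assumption: default UA contains the tool name).
    Signal 2: at least min_requests to as many distinct paths, mostly answered 403/404,
    which is what a wordlist walk against a mostly non-existent path space looks like."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "paths": set(), "ffuf_ua": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format rather than crash on them
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["paths"].add(rec["path"])
        s["errors"] += rec["status"] in ("403", "404")
        s["ffuf_ua"] |= "Fuzz Faster U Fool" in rec["ua"]
    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s["ffuf_ua"]:
            reasons.append("ffuf default User-Agent")
        if s["requests"] >= min_requests and len(s["paths"]) >= min_requests \
                and s["errors"] / s["requests"] >= error_ratio:
            reasons.append(f"{s['errors']}/{s['requests']} requests to {len(s['paths'])} paths got 403/404")
        if reasons:
            findings[ip] = reasons
    return findings
```

The thresholds are deliberately conservative for a small sample; on a real log, tune min_requests and error_ratio per host and add a time window so a slow scan (ffuf's rate limiting) is still caught.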

Parameter fuzzing

FFuF can fuzz things besides URLs!

  1. Using a very short wordlist (e.g., one word), fuzz http://10.0.0.1/sqli-labs/Less-1/?FUZZ=1. How many words are in the HTML you receive as a result?

  2. Use Discovery/Web-Content/burp-parameter-names.txt to fuzz the space of parameters to /sqli-labs/Less-1 by filtering on the number of words in the HTTP response.

Password fuzzing

We can also use ffuf for wordlist-based brute-force attacks, for example, trying passwords on an authentication page.

  1. Use the cURL command to inspect the login page at http://10.0.0.1/sqli-labs/Less-11/. What do you observe about the HTML form?

  2. Use the -X POST argument to cURL to make a POST request to /sqli-labs/Less-11/, using the -d argument to pass HTML form data attempting to log in with the username batman and the password dark knight. For example, if you wanted to submit an HTML form with a field a having the value foo and b having the value 42, you would pass a=foo&b=42 to -d.

  3. Use FFuF with the same -X and -d arguments to fuzz the password of the Dummy user. Try using the Passwords/Leaked-Databases/phpbb.txt wordlist. You will also need to set the HTTP header Content-Type: application/x-www-form-urlencoded, since FFuF doesn’t set it automatically like cURL.

  4. Confirm that you have successfully found the Dummy user’s password.

  5. Use curl and diff to compare the HTML of /sqli-labs/Less-11 under the following conditions. What do you observe?

    • no username or password supplied

    • incorrect username or password supplied

    • correct username and password supplied

    • username Dummy, password phpbbin' (note: the URL encoding of the single quote ' character is %27)