Researching web applications using the Ffuf utility
How a powerful brute force and fuzzing tool works
In the field of information security and web application testing, every slight vulnerability can lead to serious consequences. The Ffuf utility can be a reliable assistant in detecting hidden threats and conducting an in-depth analysis of the security of web systems. Let's take a look at fuzzing with Ffuf and explore a few key techniques for using it.
Let's start working with Ffuf
Ffuf is a powerful command line tool designed to iterate through the contents of web applications. It allows you to automate the fuzzing process, thereby detecting hidden files and directories, as well as checking various URL parameters and HTTP headers.
Installation
Download pre-compiled binary from the releases page, unpack and run!
If you are using macOS with Homebrewyou can install Ffuf with the command: brew install ffuf
If you have a recent Go compiler installed: go install github.com/ffuf/ffuf/v2@latest (same command used for update)
git clone https://github.com/ffuf/ffuf ; cd ffuf; go get ; go build
Ffuf requires Go 1.16 or later.
Ffuf commands
To see how to use the tool, let's start by running the command ffuf -h. We get the following list:
HTTP OPTIONS: | |
-H | Heading |
-X | HTTP method to use |
-b | Cookie data |
-d | POST data |
-http2 | Use HTTP2 protocol (default: false) |
-ignore-body | Don't load response content (default: false) |
-r | Follow redirects (default: false) |
-recursion | Scan recursively. Only the FUZZ keyword is supported, and the URL (-u) must end with it (default: false) |
-recursion-depth | Maximum recursion depth (default: 0) |
-recursion-strategy | Recursion strategy: “default” for redirection-based and “greedy” for recursion over all matches (default: default) |
-replay-proxy | Replay matched requests using this proxy |
-sni | Target TLS SNI, does not support FUZZ keyword |
-timeout | HTTP request timeout in seconds (default: 10) |
-u | Target URL |
-x | Proxy URL (SOCKS5 or HTTP). For example: http://127.0.0.1:8080 or socks5://127.0.0.1:8080 |
GENERAL OPTIONS: | |
-V | Show version information (default: false) |
-ac | Automatic calibration of filtering parameters (default: false) |
-acc | Custom autocalibration string. Can be used several times. Implies -ac |
-ach | Auto-calibration on host (default: false) |
-ack | Autocalibration keyword (default: FUZZ) |
-acs | Autocalibration strategy: “basic” or “advanced” (default: basic) |
-c | Color output. (default: false) |
-config | Load configuration from file |
-json | JSON output, output JSON records on a new line (default: false) |
-maxtime | Maximum running time in seconds for the entire process (default: 0) |
-maxtime-job | Maximum running time in seconds for each task (default: 0) |
-noninteractive | Disable interactive console functionality (default: false) |
-p | Seconds of “delay” between requests or a range of random delay. For example “0.1” or “0.1-2.0” |
-rate | Requests per second rate (default: 0) |
-s | Do not display additional information (silent mode) (default: false) |
-sa | Stop in all cases of errors. Implies -sf and -se (default: false) |
-se | Stop on random errors (default: false) |
-sf | Stop when >95% of responses return 403 Forbidden (default: false) |
-t | Number of simultaneous threads (default: 40) |
-v | Verbose output, print full URL and redirect location (if any) with results (default: false) |
MATCH OPTIONS: | |
-mc | Match HTTP status codes or “all” for everything (default: 200,204,301,302,307,401,403,405,500) |
-ml | Match the number of lines in the response |
-mmode | Set operator Match. Either: and, or (default: or) |
-mr | Regular Expression Matching |
-ms | HTTP response size match |
-mt | Match how many milliseconds are before the first byte of the response, either more or less. For example: >100 or <100 |
-mw | Match the number of words in the answer |
FILTERING OPTIONS: | |
-fc | Filtering HTTP status codes from the response. Code list and range |
-fl | Filtering by the number of lines in the response. List of row numbers and ranges |
-fmode | Filter set operator. Either: and, or (default: or) |
-fr | Filtering by regular expressions |
-fs | Filtering by HTTP response size. List of sizes and ranges |
-ft | Filtering by time to the first byte of the response in milliseconds. List of values and ranges |
-fw | Filter by the number of words in the answer. List of word counts and ranges |
OUTPUT OPTIONS: | |
-debug-log | Write all internal information to the specified file |
-o | Write output to file |
-od | Path to the directory to save the found results |
-of | Output file format. Available formats: json, ejson, html, md, csv, ecsv (or 'all' for all formats) (default: json) |
-or | Don't create output file if we don't have results (default: false) |
EXAMPLES OF USING: | |
Fuzzing file paths from the wordlist.txt dictionary, matching all answers, but filtering those with a content size of 42. Colorful, detailed output. | ffuf -w wordlist.txt -u https://example.org/FUZZ -mc all -fs 42 -c -v |
Fuzzing the Host header, matches 200 HTTP responses. | ffuf -w hosts.txt -u https://example.org/ -H “Host: FUZZ” -mc 200 |
Fuzzing POST JSON data. Match all responses that do not contain the text “error”. | ffuf -w entries.txt -u https://example.org/ -X POST -H “Content-Type: application/json”\ -d '{“name”: “FUZZ”, “anotherkey”: “anothervalue”}' -fr “error” |
Fuzzing in several places. Match only responses that reflect the value of the keyword “VAL”. Color output. | ffuf -w params.txt:PARAM -w values.txt:VAL -u https://example.org/?PARAM=VAL -mr “VAL” -c |
More details and examples: https://github.com/ffuf/ffuf | |
What can you use Ffuf for?
Directory fuzzing
One of the first steps in testing web applications is searching for hidden directories and files. Ffuf provides a convenient way to fuzz directories. It automates the process of searching URLs and discovering hidden resources.
Based on the provided help, we can generate a command to brute force the directory with the flags -w (dictionary to brute force) and -u (URL of the web application being tested).
The complete command will look like this:
ffuf -w path/to/dictionary.txt -u http://server_url/FUZZ
In our test case, we see that Ffuf tested almost 90 thousand URLs in five seconds. Speed may vary depending on your internet speed.
It is also possible to increase or decrease the speed by changing the number of threads using the -t flag. By default this option is 40 threads. However, increasing the number of threads can be dangerous, since the web application may not be able to withstand such a load and result in a DOS attack.
Example with changing the number of threads:
ffuf -w path/to/dictionary.txt -u http://server_url/FUZZ -t 200
Fuzzing files and extensions
Additionally, Ffuf can be used to detect hidden files on web servers. This allows security researchers to find potential vulnerabilities in web applications.
Previously, we discovered the secret directory, which returns a 403 response. When we go to this page, we see the following.
We do not have enough rights to view the contents of the directory.
Let's use web fuzzing again to see if the directory contains any hidden pages. But first you need to find out what types of pages the website uses. For example, .html, .aspx, .php. One common way to determine this is to look up the server type from the HTTP response headers and guess the extension. For example, if the server we are testing is apache, then it could be .php, or if it was IIS, then it could be .asp or .aspx, and so on. However, this method is not very practical.
A great way to find out what types of pages a web server is using is to fuzz its home page index.FUZZ. Payload looks like this:
ffuf -w path/to/dictionary.txt -u http://server_url/indexFUZZ.
For this testing, in my opinion, one of the SecLists dictionaries is best suited, namely SecLists/Discovery/Web-Content/web-extensions.txt.
The server gave a 200 response to the index.php file. Let's go to the address http://fuzzing.site/index.phpto make sure the fuzzer is working correctly.
Knowing that the server uses PHP files, we can start fuzzing the secret directory we are interested in with the appropriate .php extension. We can set the extension using the -e flag, but with a different dictionary:
ffuf -w Desktop/Fuzzing/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://fuzzing.site/secret/FUZZ -e .php
In this directory there is a file secret.php. Let's check its availability through the browser at http://fuzzing.site/secret/secret.php
Bingo, we reached a hidden page to which there were no links and we would not have discovered it any other way than by searching through directories and files.
Fuzzing subdomains of hidden virtual hosts
Ffuf can be used to fuzz to identify subdomains or hidden virtual hosts. This is especially important when testing networks and identifying possible entry points for attackers.
If we turn to our test lab, subdomain phasing will look like this. For it, you can also refer to one of the dictionaries SecLists/Discovery/DNS/subdomains-top1million-5000.txt.
During fuzzing, the mx subdomain was identified. The full link looks like this: http://mx.fuzzing.site. We can go to this address to make sure that such a subdomain really exists.
Great, we have found the entry point to the organization's mail.
What else can Ffuf
The utility also allows you to fuzzing for PHP parameters, which provides security checks for web applications written in this programming language.
Finally, Ffuf can be used for fuzzing parameter values. This feature allows you to test the processing of various inputs in web applications and identify potential vulnerabilities.
Using Ffuf and these fuzzing techniques, you can conduct a complete security analysis of your web applications and detect potential vulnerabilities before attackers can exploit them.
The material was prepared as part of the start of accepting applications for an online master's degree. “Information security” from MEPhI and Skillfactory.
All students in the program will have the opportunity to work on live equipment and test their acquired knowledge in the laboratories of NRNU MEPhI. For those who cannot connect in person, a videoconferencing broadcast will be organized, as well as remote access to the equipment.
