Directory fuzzing
When browsing through web applications, there can be directories, or files, which are not visible when browsing through applications. These hidden interfaces usually comprise admins’ control panels, files such as credit card data and API endpoints that contain susceptibilities. The actual method that ethical hackers employ for this purpose is termed as directory fuzzing. This is done by sending many potential URLs to a web server in order to find out which of them will respond accordingly.
New to directory fuzzing? One of the most effective tools for this activity is Ffuf, the Fast Fuzzer. In its Web implementation it is written in Go and it is about as fast and flexible as it gets. Ffuf is not only a directory brute-forcer but can fuzz almost any section of HTTP request; therefore it is a tool that any information security practitioner should have.
What is Ffuf?
Ffuf is an fast web fuzzer which is easy to config from the source code. While it’s primarily used for directory fuzzing, it can also be employed for:
- Parameter fuzzing
- Header fuzzing
Discovering the file extensions
Authentication bypass tests
Ffuf supports things like recursive fuzzing, which can fuzz deeper into a site, not limit to the authenticated session, the ability to add custom headers to any request and even JSON requests. More importantly, it is fast and flexible, which placed it on the lips of bug bounty hunters and penetration testers.
Why Use Ffuf?
As mentioned most of the directory brute forcings tools are available but the primary purpose is speed. A while ago CryptoCat
decided to make a video about which fuzzer is better ffuf
or wfuzz
well the answer is obvious ffuf
is way better.
Ffuf stands out other several reasons and some of them are:
- Speed: Initial as a Go program, Ffuf has been designed with speed in mind.
- Flexibility: With Burp it can fuzz all the headers, URLs, parameters and and other items I do not know.
- Ease of Use: The syntax is simple to understand, and also compatible with many tools and software’s.
- Extensibility: This tool has another feature I checked for recursion, work with the custom wordlist and tasks like SQL injection or XSS.
Installing Ffuf
Method 1: Using Package Manager (Kali Linux)
sudo apt install ffuf
This will install the latest stable version from the Kali repositories.
Method 2: Building from Source
- Ensure Go is installed on your system.
- Run the following command:
go install github.com/ffuf/ffuf/v2@latest
- Verify the installation:
ffuf -version
Basic Usage
To perform a simple directory fuzzing scan we can use the following command.:
ffuf -u http://target.com/FUZZ -w /path/to/wordlist.txt
- -u: Specifies the target URL.
- FUZZ: The placeholder that will be replaced by words from the wordlist.
- -w: Path to the wordlist file.
Example:
ffuf -u http://example.com/FUZZ -w /usr/share/wordlists/dirb/common.txt
This will try each word in the wordlist against the target URL.
Some Cool Features of ffuf
1. Using Recursion
Actually, recursion is very helpful for finding the directory in the next level of nesting. In other words images and web resources might be located beneath each layer for example something like wwww.example.com/directory1/directory2/file.txt
In this example the resource file.txt
exists inside the depth of two directories.To enable recursion:
ffuf -u http:>//target.com/FUZZ /path/to/wordlist.txt -recursion
You can also set the recursion depth manually:
-recursion-depth 2
2. Fuzzing with Extensions
For example, to look for certain file type the -e flag is used. This is very useful because not all websites are terminated by the same extension on web browsers. Some of these websites may be similar to having a single web page with a name such as index.html or index.php or if lucky might come across something like database.bak or backup.bak which are just backup extension.
ffuf -u http:>/FUZZ: //target.com/FUZZ -w /path/to/wordlist.txt -e .php,.html,.bak
Adding appends the file extensions given into each word in the wordlist.
3. Some response mechanisms allow filtering or matching of the response to other set responses.
Another thing that makes Ffuf powerful is in the way it can filter and match on the resposes based on several HTTP parameters. While fuzzing walking through the different responses can sometimes be a daunting exercise especially if the criteria for filtering the results has not been employed. Once you apply filters and matchers, you are left with something much more essential: relevant endpoints and possible weaknesses.
Status Codes
Status code is one of the fastest ways for understanding the server’s response to particular requests. Again it’s not necessary to go through all responses scanning for the required one, -mc can work with specific status codes. For example **200 OK is usually for a valid page while **403 Forbidden means that the page is not accessibe.
ffuf -u http:>target.com/FUZZ -w /path/to/wordlist.txt -mc ‘200 403’
This command will display only responses with the status of 200 and 403; the pages with the status of 200 are accessible but interesting and potentially valuable pages that belong to the status 403 should not be ignored.
Content Length
Another type of filter is one that allows respondents to filter responses by their content length. Quite frequently, web applications use the same status codes fordifferent types of pages. To distinguish between these responses the information has to be filtered according to its length.As For instance, if the typical “Not Found” page has a content length of 1234 bytes, you can exclude such responses using -fl:
ffuf -u http:>/target.com/FUZZ -w /path/to/wordlist.txt -fl 1234
This way, responses with rather low and pell-mell content lengths are eliminated along with other common error pages might contain something interesting.
Regex Matching
Regex is used in order to make filters even more specific, indicating certain patterns in the response body. This comes handy when searching for certain keywords/file paths in response. For example, if you’re hunting for admin panels, you can match responses containing the word “admin”:
ffuf -u http:>//target.com/FUZZ -w /path/to/wordlist.txt -mr admin
Using regex matching, it is also possible to find such data as API keys, error messages, or file paths and documents. With proper regex patterns, there are always other significant items that may not be easily spotted if they are scrutinized with regex patterns.
Do Filtering and Matching Really Matter?
What if I tell you that you have to fuzz a big web application that has thousands of endpoints? If not filtered, one can be redirecting the page to other completely unrelated sites or get nothing but 404 not found pages, irrelevant general messages or replies containing similar articles. When done correctly and to an appropriate extent, filter application and matching eliminate the clutter and single out the results to pay further attention to.
Nevertheless, status codes might not paint the complete picture about the incident. A response ‘200 OK’ could be an empty webpage or some internal admin panel with daring sensitive information. Likewise, restricting to the only content length while considering the value of the content will be a waste. Using status codes, content length, and regular expression matching gives a more holistic point of view to the results of fuzzing.
In real-world scenarios, you may encounter web servers that return 200 OK for every request, making status code matching less effective. In such cases, content length and regex matching become crucial. By using all three filtering methods together, you can fine-tune your fuzzing process and uncover hidden resources with greater accuracy.
Example Use Case
Let’s say you’re fuzzing a web application to find backup files. The server responds with 200 OK for all requests, regardless of whether the file exists or not. Here’s how you can use filtering and matching to find meaningful results:
ffuf -u http://target.com/FUZZ -w /path/to/backup_wordlist.txt -mc 200 -fl 5120 -mr ".bak"
In this example:
- -mc 200 ensures you only see successful responses.
- -fl 5120 filters out generic responses with a length of 5120 bytes.
- -mr “.bak” highlights responses containing backup file extensions.
By combining these filters, you reduce noise and focus on finding actual backup files that could contain sensitive data. This structured approach saves time, minimizes false positives, and increases your chances of discovering valuable information.
4. Silent Mode and Output
When performing a fuzzing scan, the result may be confusing and if you work with thousands of possible addresses. As it is, Ffuf displays all results by default, these may overwhelm your terminal leave alone taking up a lot of space of the terminal. Silent mode is a function that allows for the elimination of the majority of the displayed information while displaying only the results you are interested in.
To enable silent mode and save the results to a file:
ffuf -u http:>target.com/FUZZ -w /path/to/wordlist.txt -s -o results.txt
5. Handling Authentication
Authentications strategies are meant for defining restrictions for certain sections of a web application. But during a penetration test, one has to fuzz these protected endpoints to find out what other resources are available.
Authentication with Custom Headers
Headers are even used in many APIs of authentication like API keys, and the bearer token Authentication is an HTTP header-based mechanism. Here’s how to fuzz an authenticated API endpoint using a custom header:
ffuf -u http:;//target.com/FUZZ -w /path/to/wordlist.txt -H “Authorization: Bearer TOKEN”
Cookies for session based authentication
Most sites that include login for web applications use cookies to help in management of session states. You can use these session cookies to bypass login restrictions and fuzz authenticated endpoints:
ffuf -u http:>/target.com/FUZZ -w /path/to/wordlist.txt -b “sessionid=abc123”
These cookies can be taken directly from your browser or common proxy tool such as the Burp Suite. It means that by tapping them into your Ffuf requests, there will be possibilities of accessing material behind various forms of authentication.
Another important consideration when fuzzing private areas is the way in which/Authentication handling is addressed. Most of the weaknesses are behind the login screen, so being able to reach these endpoints is critical to a comprehensive test.
Practical Scenarios
Scenario 1: Discovering Admin Panels
Due to the fact that these interfaces are a way through which attackers get administrative access to a web application, admin panels are generally popular with attackers. There are numerous methods used by hackers to discover the admin panels of the site, among which there is a method called ‘wordlist’.
ffuf -u http:On the website target.com/FUZZ I use:
FUZZ –w /usr/share/wordlists/dirb/common.txt -mc 200
In this example:
All the words in the wordlist take the place of FUZZ.
-mc 200 is used to filter the responses so that only successful responses that is that has the HTTP code 200 are shown.
This makes it easy to find readily available admin panels.
Scenario 2: Searching for Backup Files
Original files are backed up to files that are usually at least somewhat sensitive, and are left open. To find these files, use ffuf to search for them with additional file type extensions added at the end.
ffuf -u http:=/target.com/FUZZ -w /path/to/wordlist.txt -e .bak,.zip,.tar
Here:
-e .bak,.zip,.tar defines the file extensions to add to every word of the wordlist.
It can be used to search for misconfigured or those that are forgotten to be created as backup files.
Scenario 3: Fuzzing POST Data
Performing vocabularies tests of POST requests is important in identifying flaws in web forms, APIs and services. When using ffuf, one can fuzz Post data by inputting the request method -X POST and the inclusion of the bodies using the -d flag.
ffuf -u http:http://target.com/ -X POST -d “username=FUZZ&password=pass123” –wordlist /path/to/wordlist.txt
FUZZ in the payload is substituted by each word in the wordlist.
For instance, this method evaluates input fields like username for areas of risks including SQL injection or counter intelligence weak credit.
You can test multiple fields simultaneously:
ffuf -u http://target.com/ -X POST -d “username=FUZZ&password=FUZZ” -w /path/to/wordlist.txt
It is particularly useful for searching default or low sensitivity profiles in terms of multiple fields.
Scenario 4:Fuzzing JSON Payloads
Most of the today’s Web applications and APIs employ JSON as their primary mode of data exchange. Ffuf supports input fuzzing by setting the right content type, and by placing a FUZZ keyword in the JSON data.
Example:
ffuf -u http:https://target.com/api – X POST – H “Content-Type: application/json” – d “{“user”:“FUZZ”}” – w /path/ to/ wordlist.txt
Specific to this case, Ffuf will insert FUZZ with each word in the wordlist and submit a similar JSON payload to the target API. This technique can uncover:
You can fuzz nested JSON structures by placing FUZZ at different levels of the JSON object:
-d '{"user":{"id":"FUZZ"}}'
This approach comes handy when locating prospective mass assignment troubles or when experimenting with the API endpoint that accept complex JSON objects.
Understanding Ffuf Modes: Pitchfork, Clusterbomb, and Sniper
Fast Fuzzer (Ffuf) is a versatile, powerful fuzzing tool that works well on web applications and input parameters. One of its most powerful features is support for multi-wordlist fuzzing, offering three modes of operation: Pitchfork, Sniper and Clusterbomb. Each is for a purpose and has slight different syntax to resolve the purpose.
1. Clusterbomb Mode (Default)
What It Does: In clusterbomb mode, I test all payloads from several wordlists in sequence. Ffuf binds a wordlist to a specific placeholder in the URL or in fields, simply waiting for them to be entered and iterating over them in an exhaustive way. However, we note you can use one
or more
wordlists.
Best For: Testing on most parameters across most fields when each combination is important.
Example:
ffuf -u https://example.com/FIRST/SECOND \
-w "/usr/share/wordlists/rockyou.txt:FIRST" \
-w "/usr/share/wordlists/common.txt:SECOND" \
-mode clusterbomb
In this example:
The FIRST
placeholder is substituted with words from rockyou.txt
.
- The
SECOND
placeholder is substituted with words in common.txt
.
The mode tests on combinations such as /admin/login
, /user/logout
, etc.
2. Pitchfork Mode
What It Does: Parallelized one-to-one alignment of words from different wordlists into pitchfork mode. Fuzzing will stop if the wordlists have different lengths because if the shortest list runs out of entries, further fuzzing stops. You can use either ‘one’ or ‘more’ wordlists.
Best For: Scenarios of parallelting tests for related users and passwords.
Example:
ffuf -u https://example.com/FIRST/SECOND \
-w "/usr/share/wordlists/users.txt:FIRST" \
-w "/usr/share/wordlists/passwords.txt:SECOND" \
-mode pitchfork
In this example:
users.txt
and passwords.txt
pair the first with the first.
- Example requests:
/admin/123
/user/password
/guest/qwerty
3. Sniper Mode
What It Does: Sniper mode uses a single wordlist to target one placeholder or parameter at a time. It substitutes words sequentially, making it ideal for focused testing of a single variable.
Best For: Precision testing of single fields or parameters.
Example:
ffuf -u https://example.com/FIRST \
-w "/usr/share/wordlists/rockyou.txt:FIRST" \
-mode sniper
This substitutes the FIRST
placeholder with each word from the rockyou.txt
wordlist sequentially:
To sum up …..
- Clusterbomb: Best for exhaustive testing of all combinations across multiple wordlists. Comprehensive but slower.
- Pitchfork: Perfect for parallel fuzzing of corresponding inputs (e.g., usernames and passwords).
- Sniper: The go-to for focused and precise testing of a single parameter or field.
Tips for Effective Fuzzing
Pro Tip # 1: Fuzzing from an HTTP Request File
Another great tip is to take an entire HTTP request and integrate it with Ffuf by either copying or pasting it into your file and running it with the fuzz file. This method can be used to fuzz complex types of requests which include headers, post data and much more.
Main Steps of Save and Fuzz Operation on an HTTP Request File
- Use an interception tool to intercept the request from the application, it could be Burp Suite or ZAP etc.
- Copy the request as a file (e.g., on the file http.req for working with later on).
- Use Ffuf to fuzz the saved request:
ffuf -request http.req -w /path/to/wordlist.txt -fw 200
In this command:
- -request http.req: Experiment describes the saved HTTP request file.
- -w /path/to/wordlist.txt: GOES TO The wordlist to be used.
- -fw 200: Categorizes responses per number of words meaning that you can only view responses with 200 words for example.
In the following cases we can apply this technique
Fuzzing from a saved request file is especially helpful when dealing with:
- Authenticated endpoints: Log a logged in request, fuzz it, and capture the result; it doesn’t have to reauthenticate each time.
- Complex API requests: It is easy to handle JSON, XML or multipart data.
- Custom headers and tokens: Include all the needed headers when you fuzz.
Pro Tip # 2: Don’t Turn Away from Using Chatgpt
If you find Ffuf’s syntax hard to remember, you can use the following prompt to ask ChatGPT for help:
Prompt:
“Fuzzing an endpoint with Ffuf”
Prompt:
Ffuf me I want to fuzz an endpoint The target URL is http:[I'd rather] example.com but also provide [and] an HTTP REQUEST //example.com
, [and/or] I need to Fuzz the username
parameter in a POST request with [payload] username=FUZZ&password=admin
. Give me the exact Ffuf command."
With these prompts you can quickly get the (Ffuf) syntax for the use case without having to remember every option. Like in many other scenarios, ChatGPT can help fuzz headers, parameters, or even the full request file.
Pro Tip #3: Leverage Auto-Filters (-ac
)
Using the -ac
option while fuzzing is a game changer to reduce the amount of noise. Auto filters will automatically filter out responses with similar characteristics, like size or lines from your results and make them cleaner, and more actionable.
How Auto-Filters Work
If you use -ac
, Ffuf inspects the response during fuzzing and, based on that, dynamically filters out those responses that are always identical. You get to focus on responses which are unique on their own and that might provide valid or exploitable endpoints.
Example:
ffuf -u http:-w means you provide the wordlist file, -ac means you need to define all the queries. Including -w, it would be:
//target.com/FUZZ -w /path/to/wordlist.txt -ac
This command:
Changes the target URL with any of the provided wordlist and fuzzes them.
- Automatically removes repetitive or irrelevant responses (e.g. 404 pages).
Advantages?
- Eliminates time spent in manual filtering.
- It helps you see interesting places like custom error pages or valid directories.
Conclusion
The use of Ffuf to perform directory fuzzing on web servers is a very powerful way of discovering resources on web servers that are otherwise hidden. Even if they aren’t outright damaging, these features make security researchers better able to find value during a penetration test or bug bounty engagement, by understanding what they have to look at first before beginning the test. Ffuf is so flexible and fast, that it should be part of every security professional’s kit.