A general web fuzzing tool. Use FUZZ as your placeholder.

Directory/file enumeration

How to enumerate URL paths with ffuf

ffuf -w /usr/share/wordlists/dirb/common.txt \
     -u https://$DOMAIN/FUZZ

Brute force virtual hosts

How to brute force virtual host entries with ffuf

ffuf can fuzz HTTP headers, which can be used to brute force virtual host entries by placing FUZZ in the Host header.

ffuf -w /usr/share/wordlists/metasploit/namelist.txt \
     -H "Host: FUZZ.$DOMAIN" \
     -u https://$IP

Use -fs $SIZE to filter out responses of a particular size (which you’ll almost certainly need when brute forcing virtual hosted subdomains, because the server’s default vhost answers every unknown Host value with the same page).


Username enumeration

How to enumerate users with ffuf

Assuming that our login or password reset form isn’t AJAX-y:

ffuf -w /usr/share/wordlists/wfuzz/others/names.txt \
     -X POST -d "$POST_VARS" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -u $FORM_URL -mr "$ERROR_MESSAGE_SUBSTRING" -s

Here $POST_VARS should look something like username=FUZZ&email=FUZZ@example.com&password=1234&cpassword=1234. The -mr flag tells ffuf to match on the response body with a regular expression, so only responses containing the text that marks a “successful hit” are reported; -s suppresses all output except those matches.


Brute force login credentials

How to brute force login credentials with ffuf

ffuf -w /usr/share/wordlists/wfuzz/others/names.txt:W1,$HOME/.local/share/red-team/wordlists/rockyou.txt:W2 \
     -X POST -d "$POST_VARS" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -u $LOGIN_URL -fc 200 -s

Here we assign W1 and W2 to take terms from the two supplied wordlists; $POST_VARS then looks something like username=W1&password=W2. This example assumes that a successful login will return an HTTP status code other than 200 (probably a 301 or 302), so -fc 200 filters out the failed attempts; -s suppresses all output except the requests that survive that filter.

Note that ffuf will try every possible combination of elements between the two wordlists (its default clusterbomb mode), so the number of requests is the product of the two wordlist sizes. You probably don’t want to run the above example directly, but rather generate a shorter user list first via enumeration (see the previous section).
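As an added example (not from the original notes), here is the defender-side check that spots the three request patterns these notes produce in web-server access logs: a burst of distinct 404s from one client, one client cycling through many Host header values, and one client repeatedly POSTing to a login form. It assumes a constructed log field order of client, Host header, method, path, status and bytes; the sample lines in SAMPLE_LOG are constructed as well.

```python
# Added example (not part of the original notes): flags the three ffuf patterns
# above in access logs with the constructed field order
# "client host method path status bytes" (adapt parse() to your own format).
from collections import defaultdict

# Constructed sample: a 404 burst, a client rotating the Host header, a client
# hammering the login form, and one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 www.example.com GET /admin 404 153
203.0.113.5 www.example.com GET /backup 404 153
203.0.113.5 www.example.com GET /cgi-bin 404 153
203.0.113.5 www.example.com GET /index.php 404 153
203.0.113.6 alpha.example.com GET / 200 5120
203.0.113.6 beta.example.com GET / 200 5120
203.0.113.6 dev.example.com GET / 200 5120
203.0.113.7 www.example.com POST /login 200 2211
203.0.113.7 www.example.com POST /login 200 2211
203.0.113.7 www.example.com POST /login 302 0
198.51.100.9 www.example.com GET / 200 5120
"""

def parse(log_text):
    """Yield (client, host, method, path, status); skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[4].isdigit():
            continue
        client, host, method, path, status, _bytes = parts
        yield client, host, method, path, int(status)

def detect_fuzzing(log_text, not_found_threshold=4, host_threshold=3,
                   login_threshold=3, login_path="/login"):
    """Return {client: [pattern, ...]} for every client over a threshold."""
    misses = defaultdict(set)   # client -> distinct paths that returned 404
    hosts = defaultdict(set)    # client -> distinct Host header values
    logins = defaultdict(int)   # client -> POST requests to the login form
    for client, host, method, path, status in parse(log_text):
        if status == 404:
            misses[client].add(path)
        hosts[client].add(host)
        if method == "POST" and path == login_path:
            logins[client] += 1
    findings = defaultdict(list)
    for client in hosts:        # every parsed client appears in hosts
        if len(misses[client]) >= not_found_threshold:
            findings[client].append("path enumeration")
        if len(hosts[client]) >= host_threshold:
            findings[client].append("vhost brute force")
        if logins[client] >= login_threshold:
            findings[client].append("login brute force")
    return dict(findings)
```

The thresholds are deliberately low so the constructed sample trips them; on real logs, tune them to your traffic volume and window.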
