Fuzzing

Fuzzing for Loot!

Fuzzing is a software testing technique that involves feeding random or invalid data into a program to find security vulnerabilities and coding errors. The goal is to crash the program and identify faults that might not be found through traditional testing methods. Web fuzzing in particular has many uses, such as directory enumeration, IDOR discovery, username and password enumeration, and more.

ffuf (Fuzz Faster U Fool) is a fast web fuzzing tool used for a variety of purposes.

There are many ffuf matcher options included to help create useful output:

  • -mc: Match HTTP status codes i.e. 200

  • -ml: Match amount of lines in response

  • -mr: Match regexp

  • -ms: Match HTTP response size

  • -mw: Match amount of words in response

Filters can also be used to remove specific results:

  • -fc: Filter HTTP status codes

  • -fl: Filter by amount of lines in response

  • -fr: Filter regexp

  • -fs: Filter HTTP response size

  • -fw: Filter by amount of words in response
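The matcher and filter lists above are easier to reason about once you see how ffuf combines them: a response is printed when at least one matcher hits and no filter hits, and when no -m* flag is given ffuf falls back to its default status-code matcher. The following Python is an added example written for this page, not ffuf's own code; it models that decision for the three recipes further down. The default matcher list, the way ranges such as 200-299 are parsed, and the byte/word/line counters are assumptions about ffuf's behaviour, and the Response objects are constructed stand-ins for real replies.

```python
import re

# ffuf's default status matcher when no -m* flag is given (assumed from ffuf's
# help output; check your own version).
DEFAULT_MC = "200-299,301,302,307,401,403,405,500"

# Which response property each option letter inspects: -mc/-fc -> status, etc.
FIELDS = {"c": "status", "s": "size", "w": "words", "l": "lines"}


class Response:
    """A captured HTTP response reduced to the properties the matchers look at."""

    def __init__(self, status, body):
        self.status = status
        self.body = body
        # Counters approximate ffuf's: bytes, space-separated words, newline-separated
        # lines (assumption; exact counting may differ between ffuf versions).
        self.size = len(body.encode())
        self.words = len(body.split(" "))
        self.lines = len(body.split("\n"))


def int_spec(spec):
    """Turn '200,301,400-499' into a predicate on an integer; 'all' accepts anything."""
    if spec == "all":
        return lambda n: True
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi) if hi else int(lo)))
    return lambda n: any(lo <= n <= hi for lo, hi in ranges)


def predicate(letter, value):
    """Build the test behind one flag letter: r = regex over the body, others numeric."""
    if letter == "r":
        rx = re.compile(value)
        return lambda resp: rx.search(resp.body) is not None
    test = int_spec(value)
    return lambda resp: test(getattr(resp, FIELDS[letter]))


def shown(resp, opts):
    """Would ffuf print this response under the given flags?

    opts maps flag names without the dash ('mc', 'fs', 'mr', ...) to their values.
    Matchers are OR'd and filters are OR'd; a hit is printed when at least one
    matcher matches and no filter matches. With no -m* flag the default status
    matcher applies (assumed ffuf semantics, see DEFAULT_MC).
    """
    matchers = [predicate(f[1], v) for f, v in opts.items() if f[0] == "m"]
    filters = [predicate(f[1], v) for f, v in opts.items() if f[0] == "f"]
    if not matchers:
        matchers = [predicate("c", DEFAULT_MC)]
    return any(m(resp) for m in matchers) and not any(f(resp) for f in filters)


# Constructed responses standing in for what the recipes on this page would see.
SIGNUP_TAKEN = Response(200, "<p>Error: username already exists</p>\n")
SIGNUP_FREE = Response(200, "<p>Account created</p>\n")
LOGIN_FAIL = Response(200, "<form>Invalid credentials</form>\n")
LOGIN_OK = Response(302, "")
API_MISSING = Response(404, '{"error":"not found"}')
API_PROTECTED = Response(401, '{"error":"unauthorized"}')


def demo():
    """Apply each recipe's flags to its sample responses; returns the print decisions."""
    return {
        # -mr "username already exists": only the taken name is reported
        "signup_taken": shown(SIGNUP_TAKEN, {"mr": "username already exists"}),
        "signup_free": shown(SIGNUP_FREE, {"mr": "username already exists"}),
        # -fc 200: failed logins (form re-rendered with 200) are hidden, the redirect survives
        "login_fail": shown(LOGIN_FAIL, {"fc": "200"}),
        "login_ok": shown(LOGIN_OK, {"fc": "200"}),
        # -mc all -fc 404: everything except 404 is worth a look
        "api_missing": shown(API_MISSING, {"mc": "all", "fc": "404"}),
        "api_protected": shown(API_PROTECTED, {"mc": "all", "fc": "404"}),
        # -fs with the size of the "nothing here" page removes its look-alikes
        "api_size_filtered": shown(API_MISSING, {"mc": "all", "fs": str(API_MISSING.size)}),
    }


if __name__ == "__main__":
    for name, printed in demo().items():
        print(f"{name:18} {'shown' if printed else 'hidden'}")
```

The size filter case is the one to remember: when an application answers unknown paths with a 200 and a fixed-size "not found" page, -fc is useless and -fs (or -fw/-fl) on that page's size is what separates signal from noise.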

Fuzzing Usernames

When creating the command, FUZZ will be used to specify where the username would go in the request parameters.

ffuf -w $WORDLIST -X $METHOD -d $PARAMETERS -H $HEADERS -u $URL -mr $REGEX

Example:

ffuf -w usernames-names -X POST -d "username=FUZZ&email=a@b.c&password=pass123&cpassword=pass123" -H "Content-Type: application/x-www-form-urlencoded" -u http://$SITE/signup -mr "username already exists"

Fuzzing Web Credentials

Although a tool like hydra might be better for this, ffuf can also be used to brute force credentials. Because two wordlists are involved, each must be given its own keyword (W1 and W2 below), and those keywords are used in place of FUZZ in the request parameters. Filtering on a status code (-fc) works when a failed login re-renders the form with one code while a successful login responds differently, for example with a redirect.

ffuf -w $USERS:W1,$PASSWDS:W2 -X $METHOD -d $PARAMETERS -H $HEADERS -u $URL -fc $HTTP_CODE

Example:

ffuf -w users.txt:W1,passwords.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://$SITE/login -fc 200

Fuzzing API Endpoints

Once you have found that a domain exposes an API, fuzz for its endpoints to see whether any are vulnerable to exploitation.

ffuf -u "http://$DOMAIN/api/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt -mc all -t 100 -ic -fc 404
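Seen from the server side, the API sweep above and the two-wordlist login recipe leave a distinctive trace in the access log: one client hitting many distinct paths in a few seconds with mostly 404 answers, or one client sending a burst of POSTs to the login path. The Python below is an added example written for this page, not part of ffuf or any project, showing how a defender can pick both patterns out of combined-format access logs. The log format, the thresholds (8 requests within 60 seconds, half of them 404), the login path /login, and every log line are constructed assumptions; the addresses are RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format (assumption about the log source).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, min_requests=8, window_s=60, login_path="/login"):
    """Flag client IPs whose request pattern looks like ffuf-style fuzzing.

    content-fuzzing: many distinct paths in a short window, mostly answered 404
    (the -mc all -fc 404 sweep as the server sees it).
    credential-fuzzing: many POSTs to the login path in a short window (the
    two-wordlist login recipe as the server sees it).
    Thresholds are illustrative assumptions. Returns {ip: [reason, ...]}.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        if len(recs) < min_requests:
            continue
        recs.sort(key=lambda r: r["ts"])
        if (recs[-1]["ts"] - recs[0]["ts"]).total_seconds() > window_s:
            continue
        distinct_paths = {r["path"] for r in recs}
        not_found = sum(r["status"] == 404 for r in recs)
        login_posts = sum(
            r["method"] == "POST" and r["path"].split("?", 1)[0] == login_path
            for r in recs
        )
        reasons = []
        if len(distinct_paths) >= min_requests and not_found / len(recs) >= 0.5:
            reasons.append("content-fuzzing")
        if login_posts >= min_requests:
            reasons.append("credential-fuzzing")
        if reasons:
            findings[ip] = reasons
    return findings


# Constructed sample log: an API sweep, a login burst, and an ordinary visitor.
_WORDS = ["users", "admin", "config", "v1", "health", "debug", "export", "backup", "status", "docs"]
SAMPLE_LOG = [
    f'198.51.100.7 - - [10/Oct/2023:13:55:{i:02d} +0000] "GET /api/{w} HTTP/1.1" '
    f'{200 if w == "users" else 404} 22 "-" "constructed-fuzzer/1.0"'
    for i, w in enumerate(_WORDS)
] + [
    f'203.0.113.5 - - [10/Oct/2023:14:00:{i:02d} +0000] "POST /login HTTP/1.1" 200 512 '
    f'"-" "Mozilla/5.0 (constructed)"'
    for i in range(9)
] + [
    '192.0.2.10 - - [10/Oct/2023:14:05:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (constructed)"',
    '192.0.2.10 - - [10/Oct/2023:14:05:03 +0000] "GET /api/users HTTP/1.1" 200 300 "-" "Mozilla/5.0 (constructed)"',
    '192.0.2.10 - - [10/Oct/2023:14:05:09 +0000] "GET /missing HTTP/1.1" 404 22 "-" "Mozilla/5.0 (constructed)"',
]

if __name__ == "__main__":
    for ip, reasons in detect(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

The detection keys on behaviour (burst rate, path diversity, 404 ratio, repeated POSTs to one path) rather than on the User-Agent header, because the latter is trivial to change. In a real pipeline the same per-client aggregation would feed a rate limit on the login path and an alert for the 404 storm.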
