253 lines
8.4 KiB
HTML
253 lines
8.4 KiB
HTML
<!DOCTYPE html>
|
|
<html lang="en">
|
|
<head>
|
|
<meta charset="UTF-8">
|
|
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
|
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; font-src 'self' data:; img-src 'self' data:; connect-src 'self'; base-uri 'self'; form-action 'self' https://defcon.social https://bsky.app;">
|
|
<meta http-equiv="X-Content-Type-Options" content="nosniff">
|
|
<link rel="stylesheet" href="../assets/css/style.css">
|
|
<link rel="icon" type="image/x-icon" href="../favicon.ico">
|
|
<script>
|
|
// Apply theme immediately to prevent flash
|
|
(function() {
|
|
const theme = localStorage.getItem('theme') ||
|
|
(window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'light');
|
|
document.documentElement.setAttribute('data-theme', theme);
|
|
})();
|
|
</script>
|
|
<title>ffuf Cheatsheet - Cheatsheets - Launch Pad</title>
|
|
</head>
|
|
<body>
|
|
<button class="theme-toggle" id="themeToggle" aria-label="Toggle dark mode">
|
|
<svg class="theme-icon theme-icon-moon" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M21 12.79A9 9 0 1 1 11.21 3 7 7 0 0 0 21 12.79z"></path></svg>
|
|
<svg class="theme-icon theme-icon-sun" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" style="display: none;"><circle cx="12" cy="12" r="5"></circle><line x1="12" y1="1" x2="12" y2="3"></line><line x1="12" y1="21" x2="12" y2="23"></line><line x1="4.22" y1="4.22" x2="5.64" y2="5.64"></line><line x1="18.36" y1="18.36" x2="19.78" y2="19.78"></line><line x1="1" y1="12" x2="3" y2="12"></line><line x1="21" y1="12" x2="23" y2="12"></line><line x1="4.22" y1="19.78" x2="5.64" y2="18.36"></line><line x1="18.36" y1="5.64" x2="19.78" y2="4.22"></line></svg>
|
|
</button>
|
|
<br/><br/>
|
|
<div class="name">
|
|
__ _______________________ _________._________________________
|
|
\_ _____/ \______ \ / _ \ / _____/ / _____/ | | \_ _____/
|
|
| __) | _/ / /_\ \ / \ ___ / \ ___ | | | __)_
|
|
| \ | | \ / | \ \ \_\ \ \ \_\ \ | |___ | \
|
|
\___ / |____|_ / \____|__ / \______ / \______ / |_______ \ /_______ /
|
|
\/ \/ \/ \/ \/ \/ \/
|
|
</div>
|
|
<div class="blog-page-header">
|
|
<div class="blog-header-content">
|
|
<a href="/cheatsheets" class="back-link" title="Back to Cheatsheets">
|
|
<svg xmlns="http://www.w3.org/2000/svg" width="42" height="42" viewBox="0 0 24 24" class="home-icon"><path fill="currentColor" d="M10 20v-6h4v6h5v-8h3L12 3 2 12h3v8z"/></svg>
|
|
</a>
|
|
<h1 class="blog-page-title">ffuf Cheatsheet</h1>
|
|
</div>
|
|
</div>
|
|
<div class="blog-post-container">
|
|
<div class="blog-posts-container" style="max-width: 900px; margin: 0 auto;">
|
|
<div class="blog-post">
|
|
<div class="blog-post-content">
|
|
<p><a href="index.html">← Back to cheatsheets</a></p>
|
|
<p><a href="../index.html">← Home</a></p>
|
|
<hr>
|
|
<p>ffuf (Fuzz Faster U Fool) is a fast web fuzzer written in Go. It's highly flexible for directory discovery, parameter fuzzing, virtual host discovery, and more.</p>
|
|
<hr>
|
|
<h2>Basic Usage</h2>
|
|
<ul>
|
|
<li>ffuf -u <url>/FUZZ -w <wordlist> - Basic directory fuzzing</li>
|
|
</ul>
|
|
<ul>
|
|
<li>FUZZ keyword marks where wordlist entries are inserted</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Input Options</h2>
|
|
<ul>
|
|
<li>-u - Target URL with FUZZ keyword</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-w - Wordlist file (can use multiple: -w list1:KEYWORD1 -w list2:KEYWORD2)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-X - HTTP method (default GET)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-d - POST data</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-H - Header (can use multiple)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-b - Cookie data</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Matcher Options (Show Results)</h2>
|
|
<ul>
|
|
<li>-mc - Match HTTP status codes (default 200,204,301,302,307,401,403,405)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-ml - Match response line count</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-mr - Match regex pattern</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-ms - Match response size</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-mw - Match word count</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-mt - Match response time (milliseconds)</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Filter Options (Hide Results)</h2>
|
|
<ul>
|
|
<li>-fc - Filter HTTP status codes</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-fl - Filter by line count</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-fr - Filter by regex</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-fs - Filter by response size</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-fw - Filter by word count</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-ft - Filter by response time</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Output Options</h2>
|
|
<ul>
|
|
<li>-o - Output file</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-of - Output format (json, ejson, html, md, csv, all)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-od - Output directory for matched results</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-v - Verbose output</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-s - Silent mode (no banner)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-c - Colorize output</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Performance Options</h2>
|
|
<ul>
|
|
<li>-t - Threads (default 40)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-p - Delay between requests (seconds, e.g., 0.1)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-rate - Requests per second</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-timeout - Request timeout (default 10)</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Other Options</h2>
|
|
<ul>
|
|
<li>-r - Follow redirects</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-recursion - Enable recursion</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-recursion-depth - Max recursion depth</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-e - Extension list (.php,.html,.txt)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-ic - Ignore wordlist comments</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-ac - Autocalibrate filtering</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-x - Proxy URL</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-replay-proxy - Send matches through proxy</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Common Examples</h2>
|
|
<h3>Directory Discovery</h3>
|
|
<pre><code>ffuf -u http://example.com/FUZZ -w wordlist.txt</code></pre>
|
|
<p>Basic directory brute forcing.</p>
|
|
<h3>With Extensions</h3>
|
|
<pre><code>ffuf -u http://example.com/FUZZ -w wordlist.txt -e .php,.html,.txt</code></pre>
|
|
<p>Add extensions to each word.</p>
|
|
<h3>Filter by Size</h3>
|
|
<pre><code>ffuf -u http://example.com/FUZZ -w wordlist.txt -fs 4242</code></pre>
|
|
<p>Hide responses of specific size.</p>
|
|
<h3>POST Parameter Fuzzing</h3>
|
|
<pre><code>ffuf -u http://example.com/login -X POST -d "user=admin&pass=FUZZ" -w passwords.txt</code></pre>
|
|
<p>Fuzz POST parameters.</p>
|
|
<h3>Header Fuzzing</h3>
|
|
<pre><code>ffuf -u http://example.com -H "X-Custom-Header: FUZZ" -w wordlist.txt</code></pre>
|
|
<p>Fuzz header values.</p>
|
|
<h3>Virtual Host Discovery</h3>
|
|
<pre><code>ffuf -u http://example.com -H "Host: FUZZ.example.com" -w subdomains.txt -fs 4242</code></pre>
|
|
<p>Find virtual hosts.</p>
|
|
<h3>GET Parameter Fuzzing</h3>
|
|
<pre><code>ffuf -u "http://example.com/page?id=FUZZ" -w numbers.txt</code></pre>
|
|
<p>Fuzz GET parameters.</p>
|
|
<h3>Multiple Wordlists</h3>
|
|
<pre><code>ffuf -u http://example.com/FOLDER/FILE -w dirs.txt:FOLDER -w files.txt:FILE</code></pre>
|
|
<p>Use multiple wordlists with keywords.</p>
|
|
<h3>Autocalibrate</h3>
|
|
<pre><code>ffuf -u http://example.com/FUZZ -w wordlist.txt -ac</code></pre>
|
|
<p>Automatically calibrate filters.</p>
|
|
<h3>With Proxy</h3>
|
|
<pre><code>ffuf -u http://example.com/FUZZ -w wordlist.txt -x http://127.0.0.1:8080</code></pre>
|
|
<p>Route through Burp Suite.</p>
|
|
<h3>Rate Limited</h3>
|
|
<pre><code>ffuf -u http://example.com/FUZZ -w wordlist.txt -rate 50</code></pre>
|
|
<p>Limit to 50 requests/second.</p>
|
|
<h3>Recursive</h3>
|
|
<pre><code>ffuf -u http://example.com/FUZZ -w wordlist.txt -recursion -recursion-depth 2</code></pre>
|
|
<p>Recurse into found directories.</p>
|
|
<hr>
|
|
<h2>Tips</h2>
|
|
<ul>
|
|
<li>Use -ac for auto-calibration on unknown targets</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Filter by size (-fs) when pages return custom 404s</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Use -replay-proxy to send only matches through Burp</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Multiple FUZZ keywords enable complex fuzzing</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Faster than gobuster for most use cases</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Use -e for extension fuzzing</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Match on response time (-mt) can find blind vulns</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Always get authorization before scanning</li>
|
|
</ul>
|
|
<hr>
|
|
<p><a href="index.html">← Back to cheatsheets</a></p>
|
|
<p><a href="../index.html">← Home</a></p>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<script async type="text/javascript" src="../blog/analytics.js"></script>
|
|
<script src="../theme.js"></script>
|
|
</body>
|
|
</html>
|