Basics

This is a post for beginners who are new to web penetration testing and want to learn more about it. We are going to discuss what fuzzing is and which tools can be used for it. For demonstration purposes I am going to use Kali Linux, which is the main and only OS on my system. Fuzzing is a process in which the attacker changes a value dynamically (substituting entries from a wordlist into a path, parameter, header or other input) in order to find attack vectors, bugs and vulnerabilities, and sometimes just errors and exceptions that leak useful information. Fuzzing is not only about HTTP headers and parameters; we also fuzz binaries to find bugs in them. There are many fuzzing tools, both for web penetration testing and for binary exploitation.

The open-source tools mentioned above are examples of web and binary fuzzers. You can download and try each one if you have the time, but today we are going to look at the power of the ffuf web fuzzer. If I get some requests for an article on binary fuzzers, maybe I will write one.

FFUF

ffuf (Fuzz Faster U Fool) is a fast fuzzing tool for HTTP traffic written in Go. It is now officially part of the Kali tools, which means that if you are using Kali Linux you can install it with the apt package manager, since it has been added to the Kali repository.

apt install ffuf

Or you can download the source code from GitHub and build it on your own system.

git clone https://github.com/ffuf/ffuf.git
cd ffuf
go get
go build

As I mentioned earlier, I am using Kali Linux, and I already have ffuf pre-installed (or I can use apt to install it).

In the releases section on GitHub you can also find pre-compiled ffuf binaries for various architectures (arm, amd64, i386, etc.).

Fuzzing is really simple with ffuf, especially if you are familiar with wfuzz: you replace the value you want to fuzz with the keyword FUZZ, and ffuf substitutes every wordlist entry at that position. I like wfuzz when the situation requires fuzzing two parameters simultaneously with multiple wordlists, but ffuf supports that as well: bind each wordlist to its own keyword with -w wordlist1.txt:KEY1 -w wordlist2.txt:KEY2, use those keywords in the request, and choose how the lists are combined with -mode clusterbomb (every combination of entries) or -mode pitchfork (both lists walked line by line in parallel). What ffuf is really loved for is its speed; wfuzz is much slower.

#Example 1.

Directory fuzzing

ffuf -u https://technicalnavigator.in/FUZZ -w /usr/share/wordlists/dirb/common.txt

-w is the wordlist

-u is the target URL (the FUZZ keyword marks the position to fuzz; if no keyword appears anywhere in the request, ffuf has nothing to do and refuses to run)

#Example 2.

GET parameter fuzzing (?id=FUZZ)

ffuf -u 'https://technicalnavigator.in/index.php?id=FUZZ' -w /usr/share/wordlists/dirb/common.txt

Quote the URL so the shell does not try to interpret the ? and &. A directory wordlist like common.txt is fine for a first look, but for a parameter such as id you will usually get more out of a wordlist that matches the parameter (numeric IDs, usernames, or injection payloads).

#Example 3.

POST parameter fuzzing

ffuf -u https://technicalnavigator.in/login.php -X POST -d 'user=FUZZ&pass=1234' -w /usr/share/wordlists/dirb/common.txt

-d (alias --data) supplies the request body, and the keyword can sit anywhere in it. -X POST makes the method explicit.
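The three examples above and the multi-wordlist case from the wfuzz comparison all come down to putting a keyword where ffuf should substitute wordlist entries. The following script is an added example, not ffuf's own code: it builds the argv for such a run and checks, before anything is sent, that every keyword actually appears in the URL, body, headers or method (ffuf itself aborts when a keyword is unused). The host and the dirb wordlist path are the ones used in the post; users.txt, passwords.txt and the USER/PASS keywords are hypothetical.

```python
# Added example (not ffuf's own code): build and validate ffuf command lines
# for the dir, GET and POST examples, including the multi-wordlist case.
# ffuf substitutes a keyword wherever it appears: URL, POST data, header
# names/values or the method. With several wordlists each gets its own keyword
# (-w list.txt:KEYWORD) and -mode picks how they combine (clusterbomb = every
# combination, pitchfork = the lists walked in lockstep).
import shutil
import subprocess
import sys

DEFAULT_KEYWORD = "FUZZ"
MODES = ("clusterbomb", "pitchfork")


def build_argv(url, wordlists, data=None, headers=None, method=None,
               mode="clusterbomb", extra=()):
    """Return the ffuf argv for one run.

    wordlists: list of (path, keyword) pairs. keyword may be None only when a
    single list is given; ffuf's default keyword FUZZ is then used.
    extra: any further flags, e.g. ("-ac", "-c").
    """
    if not wordlists:
        raise ValueError("at least one wordlist is required")
    if mode not in MODES:
        raise ValueError(f"unknown -mode {mode!r}, expected one of {MODES}")
    headers = dict(headers or {})
    if data is not None and method is None:
        method = "POST"  # a request body implies POST

    argv = ["ffuf", "-u", url]
    keywords = []
    for path, keyword in wordlists:
        if keyword is None:
            if len(wordlists) > 1:
                raise ValueError("each wordlist needs its own keyword")
            keyword = DEFAULT_KEYWORD
        keywords.append(keyword)
        argv += ["-w", f"{path}:{keyword}"]

    # Every place ffuf looks for a keyword; it refuses to run if none is used.
    surfaces = [url, data or "", method or ""]
    surfaces += [f"{name}: {value}" for name, value in headers.items()]
    for keyword in keywords:
        if not any(keyword in s for s in surfaces):
            raise ValueError(
                f"keyword {keyword!r} does not appear in URL, data, headers or method")

    if method is not None:
        argv += ["-X", method]
    if data is not None:
        argv += ["-d", data]
    for name, value in headers.items():
        argv += ["-H", f"{name}: {value}"]
    if len(wordlists) > 1:
        argv += ["-mode", mode]
    argv += list(extra)
    return argv


def run(argv):
    """Execute the command if ffuf is installed; returns its exit status."""
    if shutil.which(argv[0]) is None:
        raise FileNotFoundError("ffuf not found on PATH (apt install ffuf)")
    return subprocess.run(argv).returncode


if __name__ == "__main__":
    # Example 1 from the post, plus a two-wordlist POST run against the same
    # login form (users.txt / passwords.txt are hypothetical wordlists).
    cmds = [
        build_argv("https://technicalnavigator.in/FUZZ",
                   [("/usr/share/wordlists/dirb/common.txt", None)],
                   extra=("-ac", "-c")),
        build_argv("https://technicalnavigator.in/login.php",
                   [("users.txt", "USER"), ("passwords.txt", "PASS")],
                   data="user=USER&pass=PASS", mode="clusterbomb",
                   extra=("-fc", "401")),
    ]
    for cmd in cmds:
        print(" ".join(cmd))
    if "--run" in sys.argv:  # only actually fuzz when asked to
        for cmd in cmds:
            run(cmd)
```

Running the script prints the two command lines; adding --run executes them with the ffuf on your PATH. The keyword check is the part worth keeping: a typo such as user=FUZ&pass=1234 is caught here instead of producing a confusing error after the wordlist has loaded.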

#Example 4.

Filter options

01:58:01 root@kali-lucky ~ → ffuf --help | grep -i filter
  -ac                 Automatically calibrate filtering options (default: false)
FILTER OPTIONS:
  -fc                 Filter HTTP status codes from response. Comma separated list of codes and ranges
  -fl                 Filter by amount of lines in response. Comma separated list of line counts and ranges
  -fmode              Filter set operator. Either of: and, or (default: or)
  -fr                 Filter regexp
  -fs                 Filter HTTP response size. Comma separated list of sizes and ranges
  -ft                 Filter by number of milliseconds to the first response byte, either greater or less than. EG: >100 or <100
  -fw                 Filter by amount of words in response. Comma separated list of word counts and ranges
  Fuzz file paths from wordlist.txt, match all responses but filter out those with content-size 42.

These are quite useful in CTFs as well as in real-world penetration tests. I have seen -fc used most often, because many applications have a catch-all route handler that answers every unknown path with the same status code (a 200 or a redirect) instead of a 404. Filtering that code, or the constant size and word count of that page with -fs and -fw, leaves only the responses that actually differ. The -ac flag automates this: ffuf first requests a few random names and filters out whatever the server returns for them.

#Example 5.

Matching options

03:27:08 root@kali-lucky ~ → ffuf --help | grep -i match
  -recursion-strategy Recursion strategy: "default" for a redirect based, and "greedy" to recurse on all matches (default: default)
  -replay-proxy       Replay matched requests using this proxy.
MATCHER OPTIONS:
  -mc                 Match HTTP status codes, or "all" for everything. (default: 200,204,301,302,307,401,403,405,500)
  -ml                 Match amount of lines in response
  -mmode              Matcher set operator. Either of: and, or (default: or)
  -mr                 Match regexp
  -ms                 Match HTTP response size
  -mt                 Match how many milliseconds to the first response byte, either greater or less than. EG: >100 or <100
  -mw                 Match amount of words in response
  -od                 Directory path to store matched results to.
  Fuzz file paths from wordlist.txt, match all responses but filter out those with content-size 42.
  Fuzz Host-header, match HTTP 200 responses.
  Fuzz POST JSON data. Match all responses not containing text "error".
  Fuzz multiple locations. Match only responses reflecting the value of "VAL" keyword. Colored.
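Filters and matchers both operate on the same four response properties (status code, size, words, lines), and the usual workflow is to run once, look at what the catch-all page looks like, and then filter it out. The script below is an added example, not part of ffuf, that does this from a saved report (ffuf -o report.json -of json): it finds the dominant response signature, lists everything that deviates from it, and prints the -fs/-fw flags for the next run. SAMPLE_REPORT is constructed to look like ffuf's JSON output against the host used in the post; the paths and sizes in it are made up.

```python
# Added example (not ffuf's own code): derive filter flags from a previous
# ffuf run, which is what the filter/match options are for and what -ac
# automates. Input is ffuf's JSON report (-o report.json -of json). The most
# common (status, size, words, lines) signature is the catch-all "nothing
# here" page; everything else is worth a look. SAMPLE_REPORT is constructed
# to look like ffuf output against the post's example host.
import json
import sys
from collections import Counter

HOST = "https://technicalnavigator.in"


def _hit(word, status, length, words, lines, position):
    return {"input": {"FUZZ": word}, "position": position, "status": status,
            "length": length, "words": words, "lines": lines,
            "url": f"{HOST}/{word}"}


SAMPLE_REPORT = json.dumps({
    "commandline": f"ffuf -u {HOST}/FUZZ -w common.txt -of json -o report.json",
    "time": "2020-01-01T00:00:00Z",
    "results": [
        _hit("foo", 200, 4321, 200, 80, 1),        # catch-all page
        _hit("admin", 302, 0, 1, 1, 2),            # redirect: real route
        _hit("bar", 200, 4321, 200, 80, 3),        # catch-all page
        _hit("robots.txt", 200, 57, 8, 3, 4),      # real file
        _hit("zzz", 200, 4321, 200, 80, 5),        # catch-all page
        _hit("qwe", 200, 4321, 200, 80, 6),        # catch-all page
    ],
    "config": {},
})


def load_results(report_text):
    """Parse ffuf's JSON report and return its list of result records."""
    return json.loads(report_text)["results"]


def signature(result):
    """The fields ffuf's -fc/-fs/-fw/-fl filters operate on."""
    return (result["status"], result["length"], result["words"], result["lines"])


def baseline(results, min_share=0.5):
    """Return the dominant signature if it covers at least min_share of the
    responses (a catch-all page), else None (no single noise pattern)."""
    if not results:
        return None
    sig, count = Counter(signature(r) for r in results).most_common(1)[0]
    return sig if count / len(results) >= min_share else None


def interesting(results, base):
    """Results that differ from the baseline: what ffuf would keep."""
    return [r for r in results if signature(r) != base]


def filter_flags(base):
    """Flags for the next run. With -fmode and, a response is dropped only
    when size AND word count both match the catch-all page, so a page that
    happens to share one of the two numbers is still shown."""
    status, length, words, lines = base
    return ["-fmode", "and", "-fs", str(length), "-fw", str(words)]


def summarize(report_text):
    """(baseline signature or None, list of interesting result records)."""
    results = load_results(report_text)
    base = baseline(results)
    return base, (interesting(results, base) if base else results)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    base, hits = summarize(text)
    print("baseline (status, size, words, lines):", base)
    for r in hits:
        print(f"{r['status']} {r['length']:>6} {r['words']:>5} {r['lines']:>4}  {r['url']}")
    if base:
        print("next run, add:", " ".join(filter_flags(base)))
```

Run it with no arguments to see the constructed sample, or pass the path of a real report.json. The min_share threshold matters: if no signature dominates, there is no catch-all page to filter, and blindly taking the most common size as noise would hide real results.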

# extra

  • -e .php,.html appends each listed extension to every wordlist entry (the bare entry is still requested as well), which is how you find index.php or backup.html with a plain name list
  • -o results.json writes the results to a file; -of selects the format (json, csv, html, md)
  • -json prints newline-delimited JSON records to stdout, handy for piping into jq
  • -x http://127.0.0.1:8080 sends every request through a proxy such as Burp; -replay-proxy sends only the matched requests through it
  • you can get colorful output with the -c flag
  • -rate limits the number of requests per second, -t sets the number of concurrent threads (default 40) and -p adds a delay between requests; note that -r is not the rate flag, it makes ffuf follow redirects
