Zum Inhalt

ff. Schnelle Web Fuzzer Cheat Blatt

generieren

Überblick

ffuf (Fuzz Faster U Fool) ist ein schnelles Web Fuzzer geschrieben in Go. Es ist ein vielseitiges Werkzeug für Web-Anwendung Sicherheitstests, in der Lage zu fuzzing Verzeichnisse, Dateien, Parameter, Kopfzeilen und mehr. ffuf ist bekannt für seine Geschwindigkeit, Flexibilität und umfangreiche Filterfähigkeiten.

ZEIT Warnung: Dieses Tool ist nur für autorisierte Penetrationstests und Sicherheitsbewertungen gedacht. Stellen Sie sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Verwendung gegen jedes Ziel haben.

Installation

Zur Installation

```bash

Install via Go

go install github.com/ffuf/ffuf/v2@latest

Verify installation

ffuf -V ```_

Installation des Paketmanagers

```bash

Ubuntu/Debian

sudo apt update sudo apt install ffuf

Arch Linux

sudo pacman -S ffuf

macOS with Homebrew

brew install ffuf

Kali Linux (pre-installed)

ffuf -h ```_

Manuelle Installation

```bash

Download latest release

wget https://github.com/ffuf/ffuf/releases/download/v2.1.0/ffuf_2.1.0_linux_amd64.tar.gz tar -xzf ffuf_2.1.0_linux_amd64.tar.gz sudo mv ffuf /usr/local/bin/

Make executable

sudo chmod +x /usr/local/bin/ffuf ```_

Docker Installation

```bash

Pull Docker image

docker pull ffuf/ffuf

Run with Docker

docker run --rm ffuf/ffuf -h ```_

Basisnutzung

Befehlsstruktur

```bash

Basic syntax

ffuf -u URL -w WORDLIST

Get help

ffuf -h

Check version

ffuf -V ```_

Beispiele

```bash

Basic directory fuzzing

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

File fuzzing with extensions

ffuf -u http://target.com/FUZZ.php -w /usr/share/wordlists/dirb/common.txt

Multiple FUZZ keywords

ffuf -u http://target.com/FUZZ/FUZ2Z -w wordlist1.txt:FUZZ -w wordlist2.txt:FUZ2Z ```_

Verzeichnis und Datei Fuzzing

Basic Directory Fuzzing

```bash

Directory enumeration

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

With specific extensions

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php,.html,.txt

Multiple extensions

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php,.html,.txt,.js,.css,.xml,.json ```_

Erweiterte Verzeichnisoptionen

```bash

Increase threads

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 100

Add delay between requests

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -p 0.1

Follow redirects

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -r

Recursion

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -recursion -recursion-depth 2 ```_

Dateierweiterung Fuzzing

```bash

Fuzz file extensions

ffuf -u http://target.com/index.FUZZ -w extensions.txt

Common web extensions

echo -e "php\nhtml\nhtm\ntxt\njs\ncss\nxml\njson\nasp\naspx\njsp" > extensions.txt ffuf -u http://target.com/index.FUZZ -w extensions.txt

Backup file extensions

echo -e "bak\nold\ntmp\nbackup\n~\nswp" > backup_extensions.txt ffuf -u http://target.com/index.FUZZ -w backup_extensions.txt ```_

Parameter Fuzzing

GET Parameter Fuzzing

```bash

Basic GET parameter fuzzing

ffuf -u http://target.com/page.php?FUZZ=value -w parameters.txt

Multiple parameters

ffuf -u http://target.com/page.php?param1=FUZZ&param2=FUZ2Z -w values1.txt:FUZZ -w values2.txt:FUZ2Z

Parameter name fuzzing

ffuf -u http://target.com/page.php?FUZZ=test -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt ```_

POST Parameter Fuzzing

```bash

POST data fuzzing

ffuf -u http://target.com/login.php -w /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt -X POST -d "username=admin&password=FUZZ" -H "Content-Type: application/x-www-form-urlencoded"

JSON POST data fuzzing

ffuf -u http://target.com/api/login -w passwords.txt -X POST -d '\\{"username":"admin","password":"FUZZ"\\}' -H "Content-Type: application/json"

Multiple POST parameters

ffuf -u http://target.com/login.php -w usernames.txt:USER -w passwords.txt:PASS -X POST -d "username=USER&password=PASS" -H "Content-Type: application/x-www-form-urlencoded" ```_

Parameter Wert Fuzzing

```bash

SQL injection payloads

ffuf -u http://target.com/page.php?id=FUZZ -w /usr/share/wordlists/SecLists/Fuzzing/SQLi/Generic-SQLi.txt

XSS payloads

ffuf -u http://target.com/search.php?q=FUZZ -w /usr/share/wordlists/SecLists/Fuzzing/XSS/XSS-Jhaddix.txt

Command injection payloads

ffuf -u http://target.com/ping.php?host=FUZZ -w /usr/share/wordlists/SecLists/Fuzzing/command-injection-commix.txt ```_

Header Fuzzing

Basic Header Fuzzing

```bash

User-Agent fuzzing

ffuf -u http://target.com/ -w user-agents.txt -H "User-Agent: FUZZ"

Custom header fuzzing

ffuf -u http://target.com/ -w header-values.txt -H "X-Custom-Header: FUZZ"

Authorization header fuzzing

ffuf -u http://target.com/admin -w tokens.txt -H "Authorization: Bearer FUZZ" ```_

HTTP Methode Fuzzing

```bash

HTTP method fuzzing

ffuf -u http://target.com/api/endpoint -w methods.txt -X FUZZ

Create methods wordlist

echo -e "GET\nPOST\nPUT\nDELETE\nPATCH\nHEAD\nOPTIONS\nTRACE\nCONNECT" > methods.txt ```_

Host Header Fuzzing

```bash

Host header fuzzing for virtual hosts

ffuf -u http://target.com/ -w subdomains.txt -H "Host: FUZZ.target.com"

IP-based host header fuzzing

ffuf -u http://192.168.1.100/ -w subdomains.txt -H "Host: FUZZ.target.com" ```_

Subdomain Fuzzing

Grundlegende Subdomain Fuzzing

```bash

Subdomain enumeration via Host header

ffuf -u http://target.com/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.target.com"

HTTPS subdomain fuzzing

ffuf -u https://target.com/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.target.com"

Filter by response size

ffuf -u http://target.com/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.target.com" -fs 1234 ```_

Advanced Subdomain Techniques

```bash

Multiple subdomain levels

ffuf -u http://target.com/ -w subdomains.txt:SUB1 -w subdomains.txt:SUB2 -H "Host: SUB1.SUB2.target.com"

Subdomain with specific ports

ffuf -u http://target.com:8080/ -w subdomains.txt -H "Host: FUZZ.target.com"

Custom subdomain patterns

ffuf -u http://target.com/ -w patterns.txt -H "Host: FUZZ-api.target.com" ```_

Filtern und Passieren

Antwort Code Filtern

```bash

Match specific status codes

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 200,301,302

Filter out status codes

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fc 404,403

Match successful responses

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 200-299 ```_

Antwort Größe Filter

```bash

Filter by response size

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fs 1234

Filter by size range

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fs 1000-2000

Match specific size

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -ms 5678 ```_

Antwort Inhalt filtern

```bash

Filter by response words

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fw 100

Match specific word count

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mw 50-100

Filter by response lines

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fl 10 ```_

Antwort Text filtern

```bash

Filter responses containing specific text

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fr "Not Found"

Match responses containing text

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mr "Welcome"

Filter using regex

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fr "Error.*404" ```_

Ausgabe und Reporting

Ausgabeformate

```bash

Save to file

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -o results.txt

JSON output

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -o results.json -of json

CSV output

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -o results.csv -of csv

HTML output

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -o results.html -of html ```_

Verbose Ausgang

```bash

Verbose mode

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -v

Silent mode (only results)

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -s

Color output

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -c ```_

Erweiterte Techniken

Beschränkung und Stealth

```bash

Slow scanning to avoid detection

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 1 -p 2

Random delay

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -p 1-3

Custom timeout

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -timeout 30 ```_

Proxy und SSL Optionen

```bash

Use proxy

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -x http://127.0.0.1:8080

Skip SSL verification

ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -k

Custom CA certificate

ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -cert cert.pem ```_

Authentication

```bash

Basic authentication

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -H "Authorization: Basic $(echo -n 'user:pass'|base64)"

Cookie authentication

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -b "PHPSESSID=abc123; auth=token"

Bearer token

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..." ```_

Englische Sprache

Erstellen von benutzerdefinierten Wordlisten

```bash

Combine multiple wordlists

cat /usr/share/wordlists/dirb/common.txt /usr/share/wordlists/dirb/big.txt|sort -u > combined.txt

Generate wordlist from website

cewl http://target.com -w custom_wordlist.txt

Technology-specific wordlist

echo -e "admin\napi\nv1\nv2\ntest\ndev\nstaging\nproduction" > custom_dirs.txt ```_

Beliebte Wordlists

```bash

SecLists wordlists

/usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt

Parameter wordlists

/usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt /usr/share/wordlists/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt

Subdomain wordlists

/usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt /usr/share/wordlists/SecLists/Discovery/DNS/fierce-hostlist.txt ```_

Automatisierungsskripte

Umfassendes Web Fuzzing Script

```bash

!/bin/bash

TARGET=\(1 OUTPUT_DIR="ffuf_results_\)(date +%Y%m%d_%H%M%S)"

if [ -z "$TARGET" ]; then echo "Usage: $0 " exit 1 fi

mkdir -p $OUTPUT_DIR

echo "[+] Starting comprehensive web fuzzing for $TARGET"

Directory fuzzing

echo "[+] Directory fuzzing..." ffuf -u \(TARGET/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -mc 200,301,302,403 -o "\)OUTPUT_DIR/directories.json" -of json

File fuzzing with extensions

echo "[+] File fuzzing..." ffuf -u \(TARGET/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -e .php,.html,.txt,.js,.css,.xml,.json,.bak,.old -mc 200 -o "\)OUTPUT_DIR/files.json" -of json

Parameter fuzzing

echo "[+] Parameter fuzzing..." ffuf -u \(TARGET/index.php?FUZZ=test -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt -mc 200 -fs 0 -o "\)OUTPUT_DIR/parameters.json" -of json

Subdomain fuzzing (if domain provided)

if [[ \(TARGET =~ ^https?://([^/]+) ]]; then DOMAIN=\)\\{BASH_REMATCH[1]\\} echo "[+] Subdomain fuzzing for \(DOMAIN..." ffuf -u \(TARGET -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.\)DOMAIN" -mc 200 -fs 0 -o "\)OUTPUT_DIR/subdomains.json" -of json fi

echo "[+] Fuzzing complete. Results saved in $OUTPUT_DIR/" ```_

API Endpoint Fuzzing Script

```bash

!/bin/bash

API_BASE=$1 OUTPUT_FILE="api_endpoints.json"

if [ -z "$API_BASE" ]; then echo "Usage: $0 " exit 1 fi

echo "[+] Fuzzing API endpoints for $API_BASE"

API version fuzzing

echo "[+] API version fuzzing..." ffuf -u $API_BASE/FUZZ -w <(echo -e "v1\nv2\nv3\napi\napi/v1\napi/v2\napi/v3") -mc 200,301,302 -o "api_versions.json" -of json

Common API endpoints

echo "[+] Common API endpoints..." ffuf -u $API_BASE/api/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/api/api-endpoints.txt -mc 200,301,302 -o "api_endpoints.json" -of json

HTTP methods fuzzing

echo "[+] HTTP methods fuzzing..." ffuf -u $API_BASE/api/users -w <(echo -e "GET\nPOST\nPUT\nDELETE\nPATCH\nHEAD\nOPTIONS") -X FUZZ -mc 200,201,204,301,302,405 -o "api_methods.json" -of json

echo "[+] API fuzzing complete." ```_

Parameter Brute Force Script

```bash

!/bin/bash

TARGET_URL=\(1 PARAM_NAME=\)2 WORDLIST=$3

if [ -z "\(TARGET_URL" ]||[ -z "\)PARAM_NAME" ]||[ -z "$WORDLIST" ]; then echo "Usage: $0 " exit 1 fi

echo "[+] Brute forcing parameter $PARAM_NAME on $TARGET_URL"

GET parameter brute force

ffuf -u "\(TARGET_URL?\)PARAM_NAME=FUZZ" -w $WORDLIST -mc 200 -fs 0 -o "param_bruteforce_get.json" -of json

POST parameter brute force

ffuf -u $TARGET_URL -w \(WORDLIST -X POST -d "\)PARAM_NAME=FUZZ" -H "Content-Type: application/x-www-form-urlencoded" -mc 200 -fs 0 -o "param_bruteforce_post.json" -of json

echo "[+] Parameter brute force complete." ```_

Integration mit anderen Tools

Integration von Burp Suite

```bash

Use Burp as proxy

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -x http://127.0.0.1:8080

Export Burp findings to wordlist

From Burp: Target > Site map > Right-click > Copy URLs

Process URLs to create custom wordlist

```_

Nucles Integration

```bash

Run ffuf first, then nuclei on found endpoints

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 200 -o found_endpoints.json -of json

Extract URLs from ffuf results

jq -r '.results[].url' found_endpoints.json > found_urls.txt

Run nuclei on found URLs

nuclei -l found_urls.txt -t /path/to/nuclei-templates/ ```_

Nmap Integration

```bash

Discover web services first

nmap -p 80,443,8080,8443 target.com --open -oG web_ports.txt

Extract hosts and ports, then fuzz

grep "80/open|443/open|8080/open|8443/open" web_ports.txt|awk '\\{print \(2\\\\}'|while read host; do ffuf -u "http://\)host/FUZZ" -w /usr/share/wordlists/dirb/common.txt -mc 200,301,302 done ```_

Leistungsoptimierung

Gewinde und Geschwindigkeit

```bash

Optimal thread count (usually 40-100)

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 50

Adjust timeout for slow servers

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -timeout 10

Silent mode for better performance

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -s ```_

Speicherverwaltung

```bash

For large wordlists, use streaming

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt -t 30

Monitor memory usage

watch -n 1 'ps aux|grep ffuf' ```_

Fehlerbehebung

Gemeinsame Themen

```bash

SSL certificate issues

ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -k

Connection timeout

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -timeout 30

Rate limiting

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 1 -p 2

DNS resolution issues

ffuf -u http://192.168.1.100/FUZZ -w /usr/share/wordlists/dirb/common.txt -H "Host: target.com" ```_

Debug Mode

```bash

Verbose output for debugging

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -v

Test single request

ffuf -u http://target.com/test -w <(echo "test") -v ```_

Best Practices

Fuzzing Strategie

  1. **Start mit gemeinsamen Wortlisten*: Verwenden Sie zunächst kleine, gezielte Wortlisten
  2. **Benutze geeignete Filter*: Filtern Sie Geräusche aus, um sich auf interessante Ergebnisse zu konzentrieren
  3. **Technologiespezifische Fuzzing*: Verwenden Sie relevante Wortlisten für die Zieltechnologie
  4. **Recursive fuzzing*: Fuzz fand Verzeichnisse für tiefere Aufzählungen
  5. ** Entdeckung des Parameters*: Vergessen Sie nicht, Fuzz für versteckte Parameter

Stealth Überlegungen

```bash

Slow and stealthy fuzzing

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 1 -p 2-5 -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

Use proxy for anonymity

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -x http://proxy:8080

Random user agent

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -H "User-Agent: $(shuf -n1 user_agents.txt)" ```_

Ressourcen

--

*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von ffuf. Stellen Sie immer sicher, dass Sie eine ordnungsgemäße Berechtigung haben, bevor Sie Web-Anwendung Sicherheitstests durchführen. *