Saltar a contenido

ffuf Fast Web Fuzzer Cheat Sheet

"Clase de la hoja" idbutton id="ffuf-copy-btn" class="copy-btn" onclick="copyAllCommands()" Copiar todos los comandos

########################################################################################################################################################################################################################################################## Generar PDF seleccionado/button

■/div titulada

Sinopsis

ffuf (Fuzz Faster U Fool) es un fuzzer web rápido escrito en Go. Está diseñado para ser una herramienta versátil para las pruebas de seguridad de aplicaciones web, capaz de fusionar directorios, archivos, parámetros, encabezados y más. ffuf es conocido por su velocidad, flexibilidad y amplia capacidad de filtrado.

NOVEDAD Advertencia: Esta herramienta está destinada únicamente a pruebas de penetración autorizadas y evaluaciones de seguridad. Asegúrese de tener la autorización adecuada antes de usar contra cualquier objetivo.

Instalación

Instalación

# Install via Go
go install github.com/ffuf/ffuf/v2@latest

# Verify installation
ffuf -V

Paquete Manager Instalación

# Ubuntu/Debian
sudo apt update
sudo apt install ffuf

# Arch Linux
sudo pacman -S ffuf

# macOS with Homebrew
brew install ffuf

# Kali Linux (pre-installed)
ffuf -h

Instalación manual

# Download latest release
wget https://github.com/ffuf/ffuf/releases/download/v2.1.0/ffuf_2.1.0_linux_amd64.tar.gz
tar -xzf ffuf_2.1.0_linux_amd64.tar.gz
sudo mv ffuf /usr/local/bin/

# Make executable
sudo chmod +x /usr/local/bin/ffuf

Docker Instalación

# Pull Docker image
docker pull ffuf/ffuf

# Run with Docker
docker run --rm ffuf/ffuf -h

Uso básico

Estructura del comando

# Basic syntax
ffuf -u URL -w WORDLIST

# Get help
ffuf -h

# Check version
ffuf -V

Ejemplos básicos

# Basic directory fuzzing
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

# File fuzzing with extensions
ffuf -u http://target.com/FUZZ.php -w /usr/share/wordlists/dirb/common.txt

# Multiple FUZZ keywords
ffuf -u http://target.com/FUZZ/FUZ2Z -w wordlist1.txt:FUZZ -w wordlist2.txt:FUZ2Z

Directorio y Archivo Fuzzing

Directorio básico Fuzzing

# Directory enumeration
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

# With specific extensions
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php,.html,.txt

# Multiple extensions
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php,.html,.txt,.js,.css,.xml,.json

Opciones de directorio avanzado

# Increase threads
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 100

# Add delay between requests
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -p 0.1

# Follow redirects
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -r

# Recursion
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -recursion -recursion-depth 2

extensión de archivo Fuzzing

# Fuzz file extensions
ffuf -u http://target.com/index.FUZZ -w extensions.txt

# Common web extensions
echo -e "php\nhtml\nhtm\ntxt\njs\ncss\nxml\njson\nasp\naspx\njsp" > extensions.txt
ffuf -u http://target.com/index.FUZZ -w extensions.txt

# Backup file extensions
echo -e "bak\nold\ntmp\nbackup\n~\nswp" > backup_extensions.txt
ffuf -u http://target.com/index.FUZZ -w backup_extensions.txt

Parameter Fuzzing

# Parameter Fuzzing

# Basic GET parameter fuzzing
ffuf -u http://target.com/page.php?FUZZ=value -w parameters.txt

# Multiple parameters
ffuf -u http://target.com/page.php?param1=FUZZ&param2=FUZ2Z -w values1.txt:FUZZ -w values2.txt:FUZ2Z

# Parameter name fuzzing
ffuf -u http://target.com/page.php?FUZZ=test -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt

POST Parameter Fuzzing

# POST data fuzzing
ffuf -u http://target.com/login.php -w /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt -X POST -d "username=admin&password=FUZZ" -H "Content-Type: application/x-www-form-urlencoded"

# JSON POST data fuzzing
ffuf -u http://target.com/api/login -w passwords.txt -X POST -d '\\\\{"username":"admin","password":"FUZZ"\\\\}' -H "Content-Type: application/json"

# Multiple POST parameters
ffuf -u http://target.com/login.php -w usernames.txt:USER -w passwords.txt:PASS -X POST -d "username=USER&password=PASS" -H "Content-Type: application/x-www-form-urlencoded"

Valor parámetro Fuzzing

# SQL injection payloads
ffuf -u http://target.com/page.php?id=FUZZ -w /usr/share/wordlists/SecLists/Fuzzing/SQLi/Generic-SQLi.txt

# XSS payloads
ffuf -u http://target.com/search.php?q=FUZZ -w /usr/share/wordlists/SecLists/Fuzzing/XSS/XSS-Jhaddix.txt

# Command injection payloads
ffuf -u http://target.com/ping.php?host=FUZZ -w /usr/share/wordlists/SecLists/Fuzzing/command-injection-commix.txt

Header Fuzzing

Cabecera básica Fuzzing

# User-Agent fuzzing
ffuf -u http://target.com/ -w user-agents.txt -H "User-Agent: FUZZ"

# Custom header fuzzing
ffuf -u http://target.com/ -w header-values.txt -H "X-Custom-Header: FUZZ"

# Authorization header fuzzing
ffuf -u http://target.com/admin -w tokens.txt -H "Authorization: Bearer FUZZ"

HTTP Método Fuzzing

# HTTP method fuzzing
ffuf -u http://target.com/api/endpoint -w methods.txt -X FUZZ

# Create methods wordlist
echo -e "GET\nPOST\nPUT\nDELETE\nPATCH\nHEAD\nOPTIONS\nTRACE\nCONNECT" > methods.txt

Host Header Fuzzing

# Host header fuzzing for virtual hosts
ffuf -u http://target.com/ -w subdomains.txt -H "Host: FUZZ.target.com"

# IP-based host header fuzzing
ffuf -u http://192.168.1.100/ -w subdomains.txt -H "Host: FUZZ.target.com"

Subdominio Fuzzing

Subdominio básico Fuzzing

# Subdomain enumeration via Host header
ffuf -u http://target.com/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.target.com"

# HTTPS subdomain fuzzing
ffuf -u https://target.com/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.target.com"

# Filter by response size
ffuf -u http://target.com/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.target.com" -fs 1234

Técnicas avanzadas de subdominio

# Multiple subdomain levels
ffuf -u http://target.com/ -w subdomains.txt:SUB1 -w subdomains.txt:SUB2 -H "Host: SUB1.SUB2.target.com"

# Subdomain with specific ports
ffuf -u http://target.com:8080/ -w subdomains.txt -H "Host: FUZZ.target.com"

# Custom subdomain patterns
ffuf -u http://target.com/ -w patterns.txt -H "Host: FUZZ-api.target.com"

Filtro y emparejamiento

Código de respuesta

# Match specific status codes
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 200,301,302

# Filter out status codes
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fc 404,403

# Match successful responses
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 200-299

Filtro de tamaño de respuesta

# Filter by response size
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fs 1234

# Filter by size range
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fs 1000-2000

# Match specific size
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -ms 5678

Filtro de contenidos de respuesta

# Filter by response words
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fw 100

# Match specific word count
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mw 50-100

# Filter by response lines
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fl 10

Filtro de texto de respuesta

# Filter responses containing specific text
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fr "Not Found"

# Match responses containing text
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mr "Welcome"

# Filter using regex
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fr "Error.*404"

Productos y presentación de informes

Formatos de salida

# Save to file
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -o results.txt

# JSON output
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -o results.json -of json

# CSV output
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -o results.csv -of csv

# HTML output
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -o results.html -of html

Productos de Verbose

# Verbose mode
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -v

# Silent mode (only results)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -s

# Color output
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -c

Técnicas avanzadas

Tasa de limitación y integridad

# Slow scanning to avoid detection
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 1 -p 2

# Random delay
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -p 1-3

# Custom timeout
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -timeout 30

Opciones proxy y SSL

# Use proxy
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -x http://127.0.0.1:8080

# Skip SSL verification
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -k

# Custom CA certificate
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -cert cert.pem

Autenticación

# Basic authentication
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -H "Authorization: Basic $(echo -n 'user:pass'|base64)"

# Cookie authentication
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -b "PHPSESSID=abc123; auth=token"

# Bearer token
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."

Gestión de Wordlist

Creación de listas de palabras personalizadas

# Combine multiple wordlists
cat /usr/share/wordlists/dirb/common.txt /usr/share/wordlists/dirb/big.txt|sort -u > combined.txt

# Generate wordlist from website
cewl http://target.com -w custom_wordlist.txt

# Technology-specific wordlist
echo -e "admin\napi\nv1\nv2\ntest\ndev\nstaging\nproduction" > custom_dirs.txt

Listas de palabras populares

# SecLists wordlists
/usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
/usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
/usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt

# Parameter wordlists
/usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt
/usr/share/wordlists/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt

# Subdomain wordlists
/usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/wordlists/SecLists/Discovery/DNS/fierce-hostlist.txt

Scripts de automatización

Script completo de Fuzzing Web

#!/bin/bash

TARGET=$1
OUTPUT_DIR="ffuf_results_$(date +%Y%m%d_%H%M%S)"

if [ -z "$TARGET" ]; then
    echo "Usage: $0 <target_url>"
    exit 1
fi

mkdir -p $OUTPUT_DIR

echo "[+] Starting comprehensive web fuzzing for $TARGET"

# Directory fuzzing
echo "[+] Directory fuzzing..."
ffuf -u $TARGET/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -mc 200,301,302,403 -o "$OUTPUT_DIR/directories.json" -of json

# File fuzzing with extensions
echo "[+] File fuzzing..."
ffuf -u $TARGET/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -e .php,.html,.txt,.js,.css,.xml,.json,.bak,.old -mc 200 -o "$OUTPUT_DIR/files.json" -of json

# Parameter fuzzing
echo "[+] Parameter fuzzing..."
ffuf -u $TARGET/index.php?FUZZ=test -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt -mc 200 -fs 0 -o "$OUTPUT_DIR/parameters.json" -of json

# Subdomain fuzzing (if domain provided)
if [[ $TARGET =~ ^https?://([^/]+) ]]; then
    DOMAIN=$\\\\{BASH_REMATCH[1]\\\\}
    echo "[+] Subdomain fuzzing for $DOMAIN..."
    ffuf -u $TARGET -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.$DOMAIN" -mc 200 -fs 0 -o "$OUTPUT_DIR/subdomains.json" -of json
fi

echo "[+] Fuzzing complete. Results saved in $OUTPUT_DIR/"

API Endpoint Fuzzing Script

#!/bin/bash

API_BASE=$1
OUTPUT_FILE="api_endpoints.json"

if [ -z "$API_BASE" ]; then
    echo "Usage: $0 <api_base_url>"
    exit 1
fi

echo "[+] Fuzzing API endpoints for $API_BASE"

# API version fuzzing
echo "[+] API version fuzzing..."
ffuf -u $API_BASE/FUZZ -w <(echo -e "v1\nv2\nv3\napi\napi/v1\napi/v2\napi/v3") -mc 200,301,302 -o "api_versions.json" -of json

# Common API endpoints
echo "[+] Common API endpoints..."
ffuf -u $API_BASE/api/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/api/api-endpoints.txt -mc 200,301,302 -o "api_endpoints.json" -of json

# HTTP methods fuzzing
echo "[+] HTTP methods fuzzing..."
ffuf -u $API_BASE/api/users -w <(echo -e "GET\nPOST\nPUT\nDELETE\nPATCH\nHEAD\nOPTIONS") -X FUZZ -mc 200,201,204,301,302,405 -o "api_methods.json" -of json

echo "[+] API fuzzing complete."

Parameter Brute Force Script

#!/bin/bash

TARGET_URL=$1
PARAM_NAME=$2
WORDLIST=$3

if [ -z "$TARGET_URL" ]||[ -z "$PARAM_NAME" ]||[ -z "$WORDLIST" ]; then
    echo "Usage: $0 <target_url> <parameter_name> <wordlist>"
    exit 1
fi

echo "[+] Brute forcing parameter $PARAM_NAME on $TARGET_URL"

# GET parameter brute force
ffuf -u "$TARGET_URL?$PARAM_NAME=FUZZ" -w $WORDLIST -mc 200 -fs 0 -o "param_bruteforce_get.json" -of json

# POST parameter brute force
ffuf -u $TARGET_URL -w $WORDLIST -X POST -d "$PARAM_NAME=FUZZ" -H "Content-Type: application/x-www-form-urlencoded" -mc 200 -fs 0 -o "param_bruteforce_post.json" -of json

echo "[+] Parameter brute force complete."

Integración con otras herramientas

Burp Suite Integration

# Use Burp as proxy
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -x http://127.0.0.1:8080

# Export Burp findings to wordlist
# From Burp: Target > Site map > Right-click > Copy URLs
# Process URLs to create custom wordlist

Nuclei Integration

# Run ffuf first, then nuclei on found endpoints
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 200 -o found_endpoints.json -of json

# Extract URLs from ffuf results
jq -r '.results[].url' found_endpoints.json > found_urls.txt

# Run nuclei on found URLs
nuclei -l found_urls.txt -t /path/to/nuclei-templates/

Integración de Nmap

# Discover web services first
nmap -p 80,443,8080,8443 target.com --open -oG web_ports.txt

# Extract hosts and ports, then fuzz
grep "80/open\|443/open\|8080/open\|8443/open" web_ports.txt|awk '\\\\{print $2\\\\}'|while read host; do
    ffuf -u "http://$host/FUZZ" -w /usr/share/wordlists/dirb/common.txt -mc 200,301,302
done

Optimización del rendimiento

Tracción y velocidad

# Optimal thread count (usually 40-100)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 50

# Adjust timeout for slow servers
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -timeout 10

# Silent mode for better performance
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -s

Gestión de memoria

# For large wordlists, use streaming
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt -t 30

# Monitor memory usage
watch -n 1 'ps aux|grep ffuf'

Solución de problemas

Cuestiones comunes

# SSL certificate issues
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -k

# Connection timeout
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -timeout 30

# Rate limiting
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 1 -p 2

# DNS resolution issues
ffuf -u http://192.168.1.100/FUZZ -w /usr/share/wordlists/dirb/common.txt -H "Host: target.com"

Modo de depuración

# Verbose output for debugging
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -v

# Test single request
ffuf -u http://target.com/test -w <(echo "test") -v

Buenas prácticas

Fuzzing Strategy

  1. Empieza con listas comunes: Utilizar listas de palabras pequeñas y específicas primero
  2. Utilizar filtros adecuados: Filtra el ruido para centrarse en resultados interesantes
  3. **Tecnología específica: Utilice las listas de palabras pertinentes para la tecnología de destino
  4. Recursivo fuzzing: Fuzz encontró directorios para una enumeración más profunda
  5. El descubrimiento del parámetro: No te olvides de fuzz para parámetros ocultos

Consideraciones de integridad

# Slow and stealthy fuzzing
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 1 -p 2-5 -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# Use proxy for anonymity
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -x http://proxy:8080

# Random user agent
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -H "User-Agent: $(shuf -n1 user_agents.txt)"

Recursos

-...

*Esta hoja de trampa proporciona una referencia completa para usar ffuf. Siempre asegúrese de tener una autorización adecuada antes de realizar las pruebas de seguridad de aplicaciones web. *