
# ffuf Cheat Sheet: Fast Web Fuzzer


## Overview

ffuf (Fuzz Faster U Fool) is a fast web fuzzer written in Go. It is designed as a versatile tool for web application security testing, capable of fuzzing directories, files, parameters, headers, and more. ffuf is known for its speed, flexibility, and extensive filtering capabilities.

Warning: This tool is intended only for authorized penetration testing and security assessments. Make sure you have proper authorization before using it against any target.

## Installation

### Go Installation

```bash
# Install via Go
go install github.com/ffuf/ffuf/v2@latest

# Verify installation
ffuf -V
```

### Package Manager Installation

```bash
# Ubuntu/Debian
sudo apt update
sudo apt install ffuf

# Arch Linux
sudo pacman -S ffuf

# macOS with Homebrew
brew install ffuf

# Kali Linux (pre-installed)
ffuf -h
```

### Manual Installation

```bash
# Download latest release
wget https://github.com/ffuf/ffuf/releases/download/v2.1.0/ffuf_2.1.0_linux_amd64.tar.gz
tar -xzf ffuf_2.1.0_linux_amd64.tar.gz
sudo mv ffuf /usr/local/bin/

# Make executable
sudo chmod +x /usr/local/bin/ffuf
```

### Docker Installation

```bash
# Pull Docker image
docker pull ffuf/ffuf

# Run with Docker
docker run --rm ffuf/ffuf -h
```

## Basic Usage

### Command Structure

```bash
# Basic syntax
ffuf -u URL -w WORDLIST

# Get help
ffuf -h

# Check version
ffuf -V
```

### Basic Examples

```bash
# Basic directory fuzzing
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

# File fuzzing with extensions
ffuf -u http://target.com/FUZZ.php -w /usr/share/wordlists/dirb/common.txt

# Multiple FUZZ keywords (each wordlist is bound to its own keyword)
ffuf -u http://target.com/FUZZ/FUZ2Z -w wordlist1.txt:FUZZ -w wordlist2.txt:FUZ2Z
```

## Directory and File Fuzzing

### Basic Directory Fuzzing

```bash
# Directory enumeration
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

# With specific extensions
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php,.html,.txt

# Multiple extensions
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php,.html,.txt,.js,.css,.xml,.json
```

### Advanced Directory Options

```bash
# Increase threads
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 100

# Add delay between requests (seconds)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -p 0.1

# Follow redirects
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -r

# Recursion into discovered directories
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -recursion -recursion-depth 2
```

### File Extension Fuzzing

```bash
# Fuzz file extensions
ffuf -u http://target.com/index.FUZZ -w extensions.txt

# Common web extensions
echo -e "php\nhtml\nhtm\ntxt\njs\ncss\nxml\njson\nasp\naspx\njsp" > extensions.txt
ffuf -u http://target.com/index.FUZZ -w extensions.txt

# Backup file extensions
echo -e "bak\nold\ntmp\nbackup\n~\nswp" > backup_extensions.txt
ffuf -u http://target.com/index.FUZZ -w backup_extensions.txt
```

## Parameter Fuzzing

### GET Parameter Fuzzing

```bash
# Basic GET parameter fuzzing
ffuf -u http://target.com/page.php?FUZZ=value -w parameters.txt

# Multiple parameters
ffuf -u "http://target.com/page.php?param1=FUZZ&param2=FUZ2Z" -w values1.txt:FUZZ -w values2.txt:FUZ2Z

# Parameter name fuzzing
ffuf -u http://target.com/page.php?FUZZ=test -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt
```

### POST Parameter Fuzzing

```bash
# POST data fuzzing
ffuf -u http://target.com/login.php -w /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt -X POST -d "username=admin&password=FUZZ" -H "Content-Type: application/x-www-form-urlencoded"

# JSON POST data fuzzing
ffuf -u http://target.com/api/login -w passwords.txt -X POST -d '{"username":"admin","password":"FUZZ"}' -H "Content-Type: application/json"

# Multiple POST parameters
ffuf -u http://target.com/login.php -w usernames.txt:USER -w passwords.txt:PASS -X POST -d "username=USER&password=PASS" -H "Content-Type: application/x-www-form-urlencoded"
```

### Parameter Value Fuzzing

```bash
# SQL injection payloads
ffuf -u http://target.com/page.php?id=FUZZ -w /usr/share/wordlists/SecLists/Fuzzing/SQLi/Generic-SQLi.txt

# XSS payloads
ffuf -u http://target.com/search.php?q=FUZZ -w /usr/share/wordlists/SecLists/Fuzzing/XSS/XSS-Jhaddix.txt

# Command injection payloads
ffuf -u http://target.com/ping.php?host=FUZZ -w /usr/share/wordlists/SecLists/Fuzzing/command-injection-commix.txt
```

## Header Fuzzing

### Basic Header Fuzzing

```bash
# User-Agent fuzzing
ffuf -u http://target.com/ -w user-agents.txt -H "User-Agent: FUZZ"

# Custom header fuzzing
ffuf -u http://target.com/ -w header-values.txt -H "X-Custom-Header: FUZZ"

# Authorization header fuzzing
ffuf -u http://target.com/admin -w tokens.txt -H "Authorization: Bearer FUZZ"
```

### HTTP Method Fuzzing

```bash
# Create methods wordlist
echo -e "GET\nPOST\nPUT\nDELETE\nPATCH\nHEAD\nOPTIONS\nTRACE\nCONNECT" > methods.txt

# HTTP method fuzzing
ffuf -u http://target.com/api/endpoint -w methods.txt -X FUZZ
```

### Host Header Fuzzing

```bash
# Host header fuzzing for virtual hosts
ffuf -u http://target.com/ -w subdomains.txt -H "Host: FUZZ.target.com"

# IP-based host header fuzzing
ffuf -u http://192.168.1.100/ -w subdomains.txt -H "Host: FUZZ.target.com"
```

## Subdomain Fuzzing

### Basic Subdomain Fuzzing

```bash
# Subdomain enumeration via Host header
ffuf -u http://target.com/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.target.com"

# HTTPS subdomain fuzzing
ffuf -u https://target.com/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.target.com"

# Filter out the default virtual host by its response size
ffuf -u http://target.com/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.target.com" -fs 1234
```

### Advanced Subdomain Techniques

```bash
# Multiple subdomain levels
ffuf -u http://target.com/ -w subdomains.txt:SUB1 -w subdomains.txt:SUB2 -H "Host: SUB1.SUB2.target.com"

# Subdomain with specific ports
ffuf -u http://target.com:8080/ -w subdomains.txt -H "Host: FUZZ.target.com"

# Custom subdomain patterns
ffuf -u http://target.com/ -w patterns.txt -H "Host: FUZZ-api.target.com"
```

## Filtering and Matching

### Response Code Filtering

```bash
# Match specific status codes
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 200,301,302

# Filter out status codes
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fc 404,403

# Match successful responses (range)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 200-299
```

### Response Size Filtering

```bash
# Filter by response size
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fs 1234

# Filter by size range
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fs 1000-2000

# Match specific size
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -ms 5678
```

### Response Content Filtering

```bash
# Filter by response word count
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fw 100

# Match specific word count range
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mw 50-100

# Filter by response line count
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fl 10
```

### Response Text Filtering

```bash
# Filter responses containing specific text
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fr "Not Found"

# Match responses containing text
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mr "Welcome"

# Filter using regex
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fr "Error.*404"
```
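The size and word-count filters above are most useful once you know what the server's catch-all page looks like. The following added example (not part of the original cheat sheet) parses a constructed ffuf JSON result file of the shape written by `-o results.json -of json`, finds the (status, length, words) signature shared by most hits, and returns the `-fs`/`-fw` flags that would drop it on the next run; `target.example` and the sample hits are made up.

```python
import json
from collections import Counter

# Constructed ffuf JSON output. Three hits share one (status, length, words)
# signature: that is the catch-all page returned for unknown paths, i.e. the
# noise that -fs/-fw are meant to remove.
SAMPLE_FFUF_JSON = json.dumps({
    "commandline": "ffuf -u http://target.example/FUZZ -w common.txt -o results.json -of json",
    "results": [
        {"input": {"FUZZ": "admin"}, "status": 301, "length": 178,  "words": 6,   "lines": 8,  "url": "http://target.example/admin"},
        {"input": {"FUZZ": "foo"},   "status": 200, "length": 1234, "words": 100, "lines": 10, "url": "http://target.example/foo"},
        {"input": {"FUZZ": "bar"},   "status": 200, "length": 1234, "words": 100, "lines": 10, "url": "http://target.example/bar"},
        {"input": {"FUZZ": "baz"},   "status": 200, "length": 1234, "words": 100, "lines": 10, "url": "http://target.example/baz"},
        {"input": {"FUZZ": "login"}, "status": 200, "length": 5678, "words": 412, "lines": 97, "url": "http://target.example/login"},
    ],
})


def noise_signature(results, min_share=0.5):
    """Return the (status, length, words) triple shared by more than min_share
    of the results, or None when no single signature dominates."""
    sigs = Counter((r["status"], r["length"], r["words"]) for r in results)
    if not sigs:
        return None
    sig, count = sigs.most_common(1)[0]
    return sig if count / len(results) > min_share else None


def suggest_filters(ffuf_json_text):
    """Parse ffuf JSON output and return (filter_flags, surviving_results)."""
    results = json.loads(ffuf_json_text)["results"]
    sig = noise_signature(results)
    if sig is None:
        return "", results
    status, length, words = sig
    # Flags to append to the next ffuf run so the catch-all page is filtered out.
    flags = f"-fs {length} -fw {words}"
    survivors = [r for r in results if (r["status"], r["length"], r["words"]) != sig]
    return flags, survivors


if __name__ == "__main__":
    flags, keep = suggest_filters(SAMPLE_FFUF_JSON)
    print("suggested filters:", flags)
    for r in keep:
        print(r["status"], r["length"], r["url"])
```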

## Output and Reporting

### Output Formats

```bash
# Save to file
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -o results.txt

# JSON output
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -o results.json -of json

# CSV output
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -o results.csv -of csv

# HTML output
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -o results.html -of html
```

### Verbose Output

```bash
# Verbose mode
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -v

# Silent mode (only results)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -s

# Color output
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -c
```

## Advanced Techniques

### Rate Limiting and Stealth

```bash
# Slow scanning to avoid detection (one thread, 2 s between requests)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 1 -p 2

# Random delay between 1 and 3 seconds
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -p 1-3

# Custom timeout (seconds)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -timeout 30
```

### Proxy and SSL Options

```bash
# Use proxy
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -x http://127.0.0.1:8080

# Skip SSL verification
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -k

# Client certificate authentication (-cc and -ck must be given together; ffuf has no custom-CA flag, use -k for untrusted CAs)
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -cc client.pem -ck client.key
```

### Authentication

```bash
# Basic authentication
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -H "Authorization: Basic $(echo -n 'user:pass' | base64)"

# Cookie authentication
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -b "PHPSESSID=abc123; auth=token"

# Bearer token
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."
```

## Wordlist Management

### Creating Custom Wordlists

```bash
# Combine multiple wordlists
cat /usr/share/wordlists/dirb/common.txt /usr/share/wordlists/dirb/big.txt | sort -u > combined.txt

# Generate wordlist from website
cewl http://target.com -w custom_wordlist.txt

# Technology-specific wordlist
echo -e "admin\napi\nv1\nv2\ntest\ndev\nstaging\nproduction" > custom_dirs.txt
```

### Popular Wordlists

```bash
# SecLists wordlists
/usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
/usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
/usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt

# Parameter wordlists
/usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt
/usr/share/wordlists/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt

# Subdomain wordlists
/usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/wordlists/SecLists/Discovery/DNS/fierce-hostlist.txt
```

## Automation Scripts

### Comprehensive Web Fuzzing Script

```bash
#!/bin/bash

TARGET=$1
OUTPUT_DIR="ffuf_results_$(date +%Y%m%d_%H%M%S)"

if [ -z "$TARGET" ]; then
    echo "Usage: $0 <target_url>"
    exit 1
fi

mkdir -p "$OUTPUT_DIR"

echo "[+] Starting comprehensive web fuzzing for $TARGET"

# Directory fuzzing
echo "[+] Directory fuzzing..."
ffuf -u "$TARGET/FUZZ" -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -mc 200,301,302,403 -o "$OUTPUT_DIR/directories.json" -of json

# File fuzzing with extensions
echo "[+] File fuzzing..."
ffuf -u "$TARGET/FUZZ" -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -e .php,.html,.txt,.js,.css,.xml,.json,.bak,.old -mc 200 -o "$OUTPUT_DIR/files.json" -of json

# Parameter fuzzing
echo "[+] Parameter fuzzing..."
ffuf -u "$TARGET/index.php?FUZZ=test" -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt -mc 200 -fs 0 -o "$OUTPUT_DIR/parameters.json" -of json

# Subdomain fuzzing (if a host could be extracted from the URL)
if [[ $TARGET =~ ^https?://([^/]+) ]]; then
    DOMAIN=${BASH_REMATCH[1]}
    echo "[+] Subdomain fuzzing for $DOMAIN..."
    ffuf -u "$TARGET" -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.$DOMAIN" -mc 200 -fs 0 -o "$OUTPUT_DIR/subdomains.json" -of json
fi

echo "[+] Fuzzing complete. Results saved in $OUTPUT_DIR/"
```

### API Endpoint Fuzzing Script

```bash
#!/bin/bash

API_BASE=$1
OUTPUT_FILE="api_endpoints.json"

if [ -z "$API_BASE" ]; then
    echo "Usage: $0 <api_base_url>"
    exit 1
fi

echo "[+] Fuzzing API endpoints for $API_BASE"

# API version fuzzing (inline wordlist via process substitution)
echo "[+] API version fuzzing..."
ffuf -u "$API_BASE/FUZZ" -w <(echo -e "v1\nv2\nv3\napi\napi/v1\napi/v2\napi/v3") -mc 200,301,302 -o "api_versions.json" -of json

# Common API endpoints
echo "[+] Common API endpoints..."
ffuf -u "$API_BASE/api/FUZZ" -w /usr/share/wordlists/SecLists/Discovery/Web-Content/api/api-endpoints.txt -mc 200,301,302 -o "$OUTPUT_FILE" -of json

# HTTP methods fuzzing
echo "[+] HTTP methods fuzzing..."
ffuf -u "$API_BASE/api/users" -w <(echo -e "GET\nPOST\nPUT\nDELETE\nPATCH\nHEAD\nOPTIONS") -X FUZZ -mc 200,201,204,301,302,405 -o "api_methods.json" -of json

echo "[+] API fuzzing complete."
```

### Parameter Brute Force Script

```bash
#!/bin/bash

TARGET_URL=$1
PARAM_NAME=$2
WORDLIST=$3

if [ -z "$TARGET_URL" ] || [ -z "$PARAM_NAME" ] || [ -z "$WORDLIST" ]; then
    echo "Usage: $0 <target_url> <parameter_name> <wordlist>"
    exit 1
fi

echo "[+] Brute forcing parameter $PARAM_NAME on $TARGET_URL"

# GET parameter brute force
ffuf -u "$TARGET_URL?$PARAM_NAME=FUZZ" -w "$WORDLIST" -mc 200 -fs 0 -o "param_bruteforce_get.json" -of json

# POST parameter brute force
ffuf -u "$TARGET_URL" -w "$WORDLIST" -X POST -d "$PARAM_NAME=FUZZ" -H "Content-Type: application/x-www-form-urlencoded" -mc 200 -fs 0 -o "param_bruteforce_post.json" -of json

echo "[+] Parameter brute force complete."
```

## Integration with Other Tools

### Burp Suite Integration

```bash
# Use Burp as proxy
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -x http://127.0.0.1:8080

# Export Burp findings to wordlist
# From Burp: Target > Site map > Right-click > Copy URLs
# Process URLs to create custom wordlist
```

### Nuclei Integration

```bash
# Run ffuf first, then nuclei on found endpoints
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 200 -o found_endpoints.json -of json

# Extract URLs from ffuf results
jq -r '.results[].url' found_endpoints.json > found_urls.txt

# Run nuclei on found URLs
nuclei -l found_urls.txt -t /path/to/nuclei-templates/
```

### Nmap Integration

```bash
# Discover web services first
nmap -p 80,443,8080,8443 target.com --open -oG web_ports.txt

# Extract hosts with open web ports from the greppable output, then fuzz each
grep "80/open\|443/open\|8080/open\|8443/open" web_ports.txt | awk '{print $2}' | while read -r host; do
    ffuf -u "http://$host/FUZZ" -w /usr/share/wordlists/dirb/common.txt -mc 200,301,302
done
```

## Performance Optimization

### Threading and Speed

```bash
# Optimal thread count (usually 40-100)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 50

# Adjust timeout for slow servers
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -timeout 10

# Silent mode for better performance
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -s
```

### Memory Management

```bash
# For large wordlists, use fewer threads
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt -t 30

# Monitor memory usage
watch -n 1 'ps aux | grep ffuf'
```

## Troubleshooting

### Common Issues

```bash
# SSL certificate issues
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -k

# Connection timeout
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -timeout 30

# Rate limiting
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 1 -p 2

# DNS resolution issues (connect by IP, set the Host header manually)
ffuf -u http://192.168.1.100/FUZZ -w /usr/share/wordlists/dirb/common.txt -H "Host: target.com"
```

### Debug Mode

```bash
# Verbose output for debugging
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -v

# Test single request
ffuf -u http://target.com/test -w <(echo "test") -v
```

## Best Practices

### Fuzzing Strategy

  1. Start with common wordlists: use small, targeted wordlists first
  2. Use appropriate filters: filter out noise to focus on interesting results
  3. Technology-specific fuzzing: use wordlists relevant to the target technology
  4. Recursive fuzzing: fuzz discovered directories for deeper enumeration
  5. Parameter discovery: don't forget to fuzz for hidden parameters

### Stealth Considerations

```bash
# Slow and stealthy fuzzing
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 1 -p 2-5 -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# Use proxy for anonymity
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -x http://proxy:8080

# Random user agent
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -H "User-Agent: $(shuf -n1 user_agents.txt)"
```
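The stealth options above show what a fuzzing run changes about itself, which is also what a defender reviewing web server logs should look for. The following added example (not ffuf's code and not part of the original cheat sheet) applies two checks to constructed combined-format access log lines: the default ffuf User-Agent string, which these options override, and a burst of 404 responses from a single client; the IP addresses, timestamps and thresholds are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access log lines. 203.0.113.7 behaves like a directory fuzzer
# (many 404s from one client within seconds); 198.51.100.4 is ordinary browsing.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /admin HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.1.0"
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /backup HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.1.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /config HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.1.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /login HTTP/1.1" 200 5678 "-" "Fuzz Faster U Fool v2.1.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /test HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.1.0"
198.51.100.4 - - [10/Mar/2024:12:00:05 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:12:00:09 +0000] "GET /login HTTP/1.1" 200 5678 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return (ip, timestamp, status, user_agent) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status")), m.group("ua")


def flag_fuzzing_sources(log_text, window_s=60, min_requests=4, min_404_ratio=0.5):
    """Return {ip: [reasons]} for clients whose traffic looks like directory fuzzing."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec[0]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        reasons = []
        # ffuf's default User-Agent, sent unless the operator overrides it with -H.
        if any(ua.startswith("Fuzz Faster U Fool") for _, _, _, ua in recs):
            reasons.append("ffuf default User-Agent")
        # Many requests from one client in a short window, mostly answered with 404.
        recs.sort(key=lambda r: r[1])
        span = (recs[-1][1] - recs[0][1]).total_seconds()
        n404 = sum(1 for _, _, st, _ in recs if st == 404)
        if len(recs) >= min_requests and span <= window_s and n404 / len(recs) >= min_404_ratio:
            reasons.append(f"{n404}/{len(recs)} responses were 404 within {int(span)}s")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, why in flag_fuzzing_sources(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(why))
```

A slow run with a browser User-Agent (the first command above) defeats the first check but still accumulates 404s per client, so the ratio check should be tuned to a longer window in that case.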

## Resources

  • [ffuf GitHub repository](LINK_4)
  • [SecLists wordlists](LINK_4)
  • [OWASP Testing Guide](LINK_4)
  • Web Application Fuzzing

*This cheat sheet provides a comprehensive reference for using ffuf. Always make sure you have proper authorization before performing web application security testing.*