Aller au contenu
1337skills 1337skills - Aide-mémoires

ffuf Guide de Référence Rapide pour le Web Fuzzer

Vue d’ensemble

ffuf (Fuzz Faster U Fool) est un web fuzzer rapide écrit en Go. Il est conçu pour être un outil polyvalent pour les tests de sécurité d’applications web, capable de fuzzer des répertoires, des fichiers, des paramètres, des en-têtes, et plus encore. ffuf est reconnu pour sa vitesse, sa flexibilité et ses capacités de filtrage étendues.

⚠️ Avertissement : Cet outil est destiné uniquement aux tests d’intrusion autorisés et aux évaluations de sécurité. Assurez-vous d’avoir une autorisation appropriée avant de l’utiliser sur une cible.

Installation

Installation de Go

# Install via Go
go install github.com/ffuf/ffuf/v2@latest

# Verify installation
ffuf -V

Installation via Gestionnaire de Packages

# Ubuntu/Debian
sudo apt update
sudo apt install ffuf

# Arch Linux
sudo pacman -S ffuf

# macOS with Homebrew
brew install ffuf

# Kali Linux (pre-installed)
ffuf -h

Installation Manuelle

# Download latest release
wget https://github.com/ffuf/ffuf/releases/download/v2.1.0/ffuf_2.1.0_linux_amd64.tar.gz
tar -xzf ffuf_2.1.0_linux_amd64.tar.gz
sudo mv ffuf /usr/local/bin/

# Make executable
sudo chmod +x /usr/local/bin/ffuf

Installation Docker

# Pull Docker image
docker pull ffuf/ffuf

# Run with Docker
docker run --rm ffuf/ffuf -h

Utilisation de Base

Structure de Commande

# Basic syntax
ffuf -u URL -w WORDLIST

# Get help
ffuf -h

# Check version
ffuf -V

Exemples de Base

# Basic directory fuzzing
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

# File fuzzing with extensions
ffuf -u http://target.com/FUZZ.php -w /usr/share/wordlists/dirb/common.txt

# Multiple FUZZ keywords
ffuf -u http://target.com/FUZZ/FUZ2Z -w wordlist1.txt:FUZZ -w wordlist2.txt:FUZ2Z

Fuzzing de Répertoires et Fichiers

Fuzzing de Répertoire de Base

# Directory enumeration
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

# With specific extensions
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php,.html,.txt

# Multiple extensions
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php,.html,.txt,.js,.css,.xml,.json

Options Avancées de Répertoire

# Increase threads
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 100

# Add delay between requests
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -p 0.1

# Follow redirects
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -r

# Recursion
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -recursion -recursion-depth 2

Fuzzing d’Extensions de Fichiers

# Fuzz file extensions
ffuf -u http://target.com/index.FUZZ -w extensions.txt

# Common web extensions
echo -e "php\nhtml\nhtm\ntxt\njs\ncss\nxml\njson\nasp\naspx\njsp" > extensions.txt
ffuf -u http://target.com/index.FUZZ -w extensions.txt

# Backup file extensions
echo -e "bak\nold\ntmp\nbackup\n~\nswp" > backup_extensions.txt
ffuf -u http://target.com/index.FUZZ -w backup_extensions.txt

Fuzzing de Paramètres

Fuzzing de Paramètres GET

# Basic GET parameter fuzzing
ffuf -u http://target.com/page.php?FUZZ=value -w parameters.txt

# Multiple parameters
ffuf -u http://target.com/page.php?param1=FUZZ&param2=FUZ2Z -w values1.txt:FUZZ -w values2.txt:FUZ2Z

# Parameter name fuzzing
ffuf -u http://target.com/page.php?FUZZ=test -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt

Fuzzing de Paramètres POST

# POST data fuzzing
ffuf -u http://target.com/login.php -w /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt -X POST -d "username=admin&password=FUZZ" -H "Content-Type: application/x-www-form-urlencoded"

# JSON POST data fuzzing
ffuf -u http://target.com/api/login -w passwords.txt -X POST -d '\\\\{"username":"admin","password":"FUZZ"\\\\}' -H "Content-Type: application/json"

# Multiple POST parameters
ffuf -u http://target.com/login.php -w usernames.txt:USER -w passwords.txt:PASS -X POST -d "username=USER&password=PASS" -H "Content-Type: application/x-www-form-urlencoded"

Fuzzing de Valeurs de Paramètres

# SQL injection payloads
ffuf -u http://target.com/page.php?id=FUZZ -w /usr/share/wordlists/SecLists/Fuzzing/SQLi/Generic-SQLi.txt

# XSS payloads
ffuf -u http://target.com/search.php?q=FUZZ -w /usr/share/wordlists/SecLists/Fuzzing/XSS/XSS-Jhaddix.txt

# Command injection payloads
ffuf -u http://target.com/ping.php?host=FUZZ -w /usr/share/wordlists/SecLists/Fuzzing/command-injection-commix.txt

Fuzzing d’En-têtes

Fuzzing d’En-têtes de Base

# User-Agent fuzzing
ffuf -u http://target.com/ -w user-agents.txt -H "User-Agent: FUZZ"

# Custom header fuzzing
ffuf -u http://target.com/ -w header-values.txt -H "X-Custom-Header: FUZZ"

# Authorization header fuzzing
ffuf -u http://target.com/admin -w tokens.txt -H "Authorization: Bearer FUZZ"

Fuzzing de Méthodes HTTP

# HTTP method fuzzing
ffuf -u http://target.com/api/endpoint -w methods.txt -X FUZZ

# Create methods wordlist
echo -e "GET\nPOST\nPUT\nDELETE\nPATCH\nHEAD\nOPTIONS\nTRACE\nCONNECT" > methods.txt

Fuzzing d’En-tête Host

# Host header fuzzing for virtual hosts
ffuf -u http://target.com/ -w subdomains.txt -H "Host: FUZZ.target.com"

# IP-based host header fuzzing
ffuf -u http://192.168.1.100/ -w subdomains.txt -H "Host: FUZZ.target.com"

Fuzzing de Sous-domaines

Fuzzing de Sous-domaine de Base

# Subdomain enumeration via Host header
ffuf -u http://target.com/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.target.com"

# HTTPS subdomain fuzzing
ffuf -u https://target.com/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.target.com"

# Filter by response size
ffuf -u http://target.com/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.target.com" -fs 1234

Techniques Avancées de Sous-domaines

# Multiple subdomain levels
ffuf -u http://target.com/ -w subdomains.txt:SUB1 -w subdomains.txt:SUB2 -H "Host: SUB1.SUB2.target.com"

# Subdomain with specific ports
ffuf -u http://target.com:8080/ -w subdomains.txt -H "Host: FUZZ.target.com"

# Custom subdomain patterns
ffuf -u http://target.com/ -w patterns.txt -H "Host: FUZZ-api.target.com"

Filtrage et Correspondance

Filtrage par Code de Réponse

# Match specific status codes
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 200,301,302

# Filter out status codes
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fc 404,403

# Match successful responses
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 200-299

Filtrage par Taille de Réponse

Would you like me to continue with the remaining sections?```bash

Filter by response size

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fs 1234

Filter by size range

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fs 1000-2000

Match specific size

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -ms 5678


### Response Content Filtering
```bash
# Filter by response words
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fw 100

# Match specific word count
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mw 50-100

# Filter by response lines
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fl 10

Response Text Filtering

# Filter responses containing specific text
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fr "Not Found"

# Match responses containing text
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mr "Welcome"

# Filter using regex
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fr "Error.*404"

Output and Reporting

Output Formats

# Save to file
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -o results.txt

# JSON output
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -o results.json -of json

# CSV output
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -o results.csv -of csv

# HTML output
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -o results.html -of html

Verbose Output

# Verbose mode
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -v

# Silent mode (only results)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -s

# Color output
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -c

Advanced Techniques

Rate Limiting and Stealth

# Slow scanning to avoid detection
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 1 -p 2

# Random delay
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -p 1-3

# Custom timeout
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -timeout 30

Proxy and SSL Options

# Use proxy
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -x http://127.0.0.1:8080

# Skip SSL verification
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -k

# Custom CA certificate
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -cert cert.pem

Authentication

# Basic authentication
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -H "Authorization: Basic $(echo -n 'user:pass'|base64)"

# Cookie authentication
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -b "PHPSESSID=abc123; auth=token"

# Bearer token
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."

Wordlist Management

Creating Custom Wordlists

# Combine multiple wordlists
cat /usr/share/wordlists/dirb/common.txt /usr/share/wordlists/dirb/big.txt|sort -u > combined.txt

# Generate wordlist from website
cewl http://target.com -w custom_wordlist.txt

# Technology-specific wordlist
echo -e "admin\napi\nv1\nv2\ntest\ndev\nstaging\nproduction" > custom_dirs.txt
# SecLists wordlists
/usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
/usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
/usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt

# Parameter wordlists
/usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt
/usr/share/wordlists/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt

# Subdomain wordlists
/usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/wordlists/SecLists/Discovery/DNS/fierce-hostlist.txt

Automation Scripts

Comprehensive Web Fuzzing Script

#!/bin/bash

TARGET=$1
OUTPUT_DIR="ffuf_results_$(date +%Y%m%d_%H%M%S)"

if [ -z "$TARGET" ]; then
    echo "Usage: $0 <target_url>"
    exit 1
fi

mkdir -p $OUTPUT_DIR

echo "[+] Starting comprehensive web fuzzing for $TARGET"

# Directory fuzzing
echo "[+] Directory fuzzing..."
ffuf -u $TARGET/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -mc 200,301,302,403 -o "$OUTPUT_DIR/directories.json" -of json

# File fuzzing with extensions
echo "[+] File fuzzing..."
ffuf -u $TARGET/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -e .php,.html,.txt,.js,.css,.xml,.json,.bak,.old -mc 200 -o "$OUTPUT_DIR/files.json" -of json

# Parameter fuzzing
echo "[+] Parameter fuzzing..."
ffuf -u $TARGET/index.php?FUZZ=test -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt -mc 200 -fs 0 -o "$OUTPUT_DIR/parameters.json" -of json

# Subdomain fuzzing (if domain provided)
if [[ $TARGET =~ ^https?://([^/]+) ]]; then
    DOMAIN=$\\\\{BASH_REMATCH[1]\\\\}
    echo "[+] Subdomain fuzzing for $DOMAIN..."
    ffuf -u $TARGET -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.$DOMAIN" -mc 200 -fs 0 -o "$OUTPUT_DIR/subdomains.json" -of json
fi

echo "[+] Fuzzing complete. Results saved in $OUTPUT_DIR/"

API Endpoint Fuzzing Script

#!/bin/bash

API_BASE=$1
OUTPUT_FILE="api_endpoints.json"

if [ -z "$API_BASE" ]; then
    echo "Usage: $0 <api_base_url>"
    exit 1
fi

echo "[+] Fuzzing API endpoints for $API_BASE"

# API version fuzzing
echo "[+] API version fuzzing..."
ffuf -u $API_BASE/FUZZ -w <(echo -e "v1\nv2\nv3\napi\napi/v1\napi/v2\napi/v3") -mc 200,301,302 -o "api_versions.json" -of json

# Common API endpoints
echo "[+] Common API endpoints..."
ffuf -u $API_BASE/api/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/api/api-endpoints.txt -mc 200,301,302 -o "api_endpoints.json" -of json

# HTTP methods fuzzing
echo "[+] HTTP methods fuzzing..."
ffuf -u $API_BASE/api/users -w <(echo -e "GET\nPOST\nPUT\nDELETE\nPATCH\nHEAD\nOPTIONS") -X FUZZ -mc 200,201,204,301,302,405 -o "api_methods.json" -of json

echo "[+] API fuzzing complete."

Parameter Brute Force Script

#!/bin/bash

TARGET_URL=$1
PARAM_NAME=$2
WORDLIST=$3

if [ -z "$TARGET_URL" ]||[ -z "$PARAM_NAME" ]||[ -z "$WORDLIST" ]; then
    echo "Usage: $0 <target_url> <parameter_name> <wordlist>"
    exit 1
fi

echo "[+] Brute forcing parameter $PARAM_NAME on $TARGET_URL"

# GET parameter brute force
ffuf -u "$TARGET_URL?$PARAM_NAME=FUZZ" -w $WORDLIST -mc 200 -fs 0 -o "param_bruteforce_get.json" -of json

# POST parameter brute force
ffuf -u $TARGET_URL -w $WORDLIST -X POST -d "$PARAM_NAME=FUZZ" -H "Content-Type: application/x-www-form-urlencoded" -mc 200 -fs 0 -o "param_bruteforce_post.json" -of json

echo "[+] Parameter brute force complete."

Integration with Other Tools

Burp Suite Integration

# Use Burp as proxy
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -x http://127.0.0.1:8080

# Export Burp findings to wordlist
# From Burp: Target > Site map > Right-click > Copy URLs
# Process URLs to create custom wordlist

Nuclei Integration

# Run ffuf first, then nuclei on found endpoints
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 200 -o found_endpoints.json -of json

# Extract URLs from ffuf results
jq -r '.results[].url' found_endpoints.json > found_urls.txt

# Run nuclei on found URLs
nuclei -l found_urls.txt -t /path/to/nuclei-templates/

Nmap Integration

# Discover web services first
nmap -p 80,443,8080,8443 target.com --open -oG web_ports.txt

# Extract hosts and ports, then fuzz
grep "80/open\|443/open\|8080/open\|8443/open" web_ports.txt|awk '\\\\{print $2\\\\}'|while read host; do
    ffuf -u "http://$host/FUZZ" -w /usr/share/wordlists/dirb/common.txt -mc 200,301,302
done

Performance Optimization

Threading and Speed

# Optimal thread count (usually 40-100)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 50

# Adjust timeout for slow servers
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -timeout 10

# Silent mode for better performance
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -s

Memory Management

# For large wordlists, use streaming
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt -t 30

# Monitor memory usage
watch -n 1 'ps aux|grep ffuf'

Troubleshooting

Common Issues

# SSL certificate issues
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -k

# Connection timeout
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -timeout 30

# Rate limiting
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 1 -p 2

# DNS resolution issues
ffuf -u http://192.168.1.100/FUZZ -w /usr/share/wordlists/dirb/common.txt -H "Host: target.com"

Debug Mode

# Verbose output for debugging
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -v

# Test single request
ffuf -u http://target.com/test -w <(echo "test") -v

Best Practices

Fuzzing Strategy

  1. Start with common wordlists: Use small, targeted wordlists first
  2. Use appropriate filters: Filter out noise to focus on interesting results
  3. Technology-specific fuzzing: Use relevant wordlists for the target technology
  4. Recursive fuzzing: Fuzz found directories for deeper enumeration
  5. Parameter discovery: Don’t forget to fuzz for hidden parameters

Stealth Considerations

# Slow and stealthy fuzzing
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 1 -p 2-5 -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# Use proxy for anonymity
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -x http://proxy:8080

# Random user agent
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -H "User-Agent: $(shuf -n1 user_agents.txt)"
```## Ressources
https://github.com/ffuf/ffuf- [Dépôt GitHub de ffuf](
https://github.com/danielmiessler/SecLists- [Listes de mots SecLists](
https://owasp.org/www-project-web-security-testing-guide/- [Guide de test OWASP](
https://owasp.org/www-community/Fuzzing- [Test de fuzz d'applications web](

---

*Cette fiche technique fournit une référence complète pour l'utilisation de ffuf. Assurez-vous toujours d'avoir une autorisation appropriée avant de mener des tests de sécurité d'applications web.*