A Comprehensive Guide to FFUF for Bug Hunters

Bug bounty hunting is a challenging yet rewarding field. One of the essential tools in a bug hunter’s arsenal is FFUF (Fuzz Faster U Fool), a versatile web fuzzing tool. FFUF is highly regarded for its speed, flexibility, and ability to uncover hidden directories, files, and parameters that might otherwise go unnoticed. In this guide, we’ll delve deep into how you can leverage FFUF to enhance your bug hunting efforts.

What is FFUF?

FFUF is an open-source fuzzing tool designed to be fast and efficient. It supports various protocols and allows users to perform fuzzing tasks like directory discovery, parameter fuzzing, and more. FFUF is particularly known for its speed, making it a go-to tool for security researchers and bug hunters.

Installation

Before you can start using FFUF, you need to install it. FFUF is written in Go, so you’ll need to have Go installed on your system. Once Go is set up, you can install FFUF with the following command

go install github.com/ffuf/ffuf/v2@latest

After installation, ensure that the $GOPATH/bin directory is in your PATH so that you can run FFUF from anywhere.

Basic Usage

FFUF is extremely versatile and can be used for a variety of tasks. Below, we’ll cover some basic usage scenarios that every bug hunter should know.

Directory Bruteforcing

One of the most common uses of FFUF is directory bruteforcing. This involves sending a large number of requests to a target URL to discover hidden directories. Here’s a basic command to perform directory bruteforcing

ffuf -u https://target.com/FUZZ -w /path/to/wordlist.txt

• -u specifies the target URL, with FUZZ as the placeholder for where the wordlist entries will be substituted.
• -w points to the wordlist file containing potential directory names.

FFUF will try each word in the wordlist, appending it to the URL, and checking if a valid response is received. This method can uncover hidden directories or files that might be interesting for further investigation.

Parameter Fuzzing

Beyond directory discovery, FFUF can also be used to fuzz URL parameters. This is useful for finding parameters that might be vulnerable to attacks like SQL injection, XSS, or parameter pollution.

Here’s an example command for parameter fuzzing:

ffuf -u https://target.com/page?param=FUZZ -w /path/to/wordlist.txt

In this scenario, FFUF replaces FUZZ with each word in the wordlist, helping you identify how the application behaves with different inputs.

POST Data Fuzzing

FFUF can also handle POST data, which is particularly useful when you need to fuzz inputs sent via POST requests. Here’s an example:

ffuf -u https://target.com/login -X POST -d "username=admin&password=FUZZ" -w /path/to/wordlist.txt

• -X POST indicates that this is a POST request.
• -d specifies the POST data, with FUZZ representing the password being fuzzed.

This can help you identify weak passwords, potential SQL injection points, or other vulnerabilities in the login mechanism.

Advanced Usage

FFUF offers advanced features that can further enhance your bug hunting capabilities.

Recursive Fuzzing

Sometimes, finding one hidden directory isn’t enough; you want to dig deeper. FFUF supports recursive fuzzing, which allows it to automatically start fuzzing newly discovered directories.

ffuf -u https://target.com/FUZZ -w /path/to/wordlist.txt -recursion -recursion-depth 2

• -recursion enables recursive fuzzing.
• -recursion-depth controls how deep the recursion goes. Setting this to 2 will fuzz up to two levels deep.

Filtering and Matching Responses

While fuzzing, you may encounter many irrelevant results. FFUF allows you to filter or match responses based on status codes, content size, and more. Here’s an example:

ffuf -u https://target.com/FUZZ -w /path/to/wordlist.txt -mc 200 -fs 0

• -mc 200 only displays results with a 200 HTTP status code.
• -fs 0 filters out responses with a content size of 0 bytes.

This helps you focus on the most promising results.

Using Multiple Wordlists

In some cases, a single wordlist might not be sufficient. FFUF supports using multiple wordlists simultaneously, which can be useful for complex fuzzing scenarios.

ffuf -u https://target.com/FUZZ/FUZZ2 -w /path/to/wordlist1.txt:/path/to/wordlist2.txt

Here, FUZZ and FUZZ2 placeholders will be replaced by entries from wordlist1.txt and wordlist2.txt, respectively.

Tips and Best Practices

• Use Appropriate Wordlists: Different targets require different wordlists. Tools like SecLists provide extensive collections of wordlists tailored for various tasks.
• Monitor Rate Limits: Some servers enforce rate limits to prevent abuse. Use FFUF’s -rate option to control the speed of your requests.
• Leverage FFUF Output: FFUF supports various output formats like JSON, which you can further process with tools like jq for deeper analysis.
• Combine with Other Tools: FFUF works well alongside other tools like Burp Suite, Nmap, and Nikto, providing a comprehensive approach to reconnaissance and fuzzing.