LOGO
OFFENSIVE | DEFENSIVE | WIKI | ABOUT

[FFUF]



--> MAKE REQUEST USING FILE REQUEST (burpsuite) 1. Save request as a file in burpsuite [repeater > request > right click > save as file]. 2. Change the parameter to FUZZ in the request file. 3. Use ffuf. C1: ffuf -request [filename] -request-proto http -w /path/to/wordlist SAMPLE: ffuf -request req.txt -request-proto http -w /usr/share/wordlist/common.txt SAMPLE: ffuf -request req.txt -request-proto http -w /usr/share/wordlist/common.txt -fs 2346 SAMPLE: ffuf -request req.txt -request-proto http -mode clusterbomb -w /usr/share/list/common.txt:FUZZUSER -w /usr/list/common.txt:FUZZPASS -request = specify the file -request-proto = specify protocol -w = wordlist -fs = filter request size to minimize the output -mode = specify the attack type
ADVANCE FUZZING TECHNIQUES #WAF BYPASS $ ffuf -w [WORDLIST] -u [URL] -X GET -H "User-Agent: FUZZ" $ ffuf -w /home/payloads_list.txt -u http://machetevault.com/FUZZ -X GET -H "User-Agent: FUZZ" #CONTENT TYPE $ ffuf -w [WORDLIST] -u [URL] -X POST -H "Content-Type: FUZZ" -d '{"data": "example"}' $ ffuf -w /home/common_list.txt -u http://machetevault.com/FUZZ -X POST -H "Content-Type: FUZZ" -d '{"data": "example"}' #PARAMETERS DISCOVER $ ffuf -w [WORDLIST] -u [URL] $ ffuf -w /home/wordlist.txt -u http://machetevault.com?FUZZ=value #LINK DISCOVERY FOLLOWING LINKS $ ffuf -w [WORDLIST] -u [URL] -recursion -recursion-depth 1 $ ffuf -w /home/wordlist.txt -u http://machetevault.com/FUZZ -recursion -recursion-depth 1 #JWT TOKEN & HEADER BRUTE FORCE $ ffuf -w [WORDLIST] -u [URL] -H "Authorization: Bearer FUZZ" $ ffuf -w /home/jwt_token_list.txt -u http://machetevault.com -H "Authorization: Bearer FUZZ" $ ffuf -w /home/common.txt -u http://machetevault.com/FUZZ -H "X-Custom-Header: FUZZ" #RATE LIMIT BY-PASS $ ffuf -w [WORDLIST] -u [URL] -p 0.1s $ ffuf -w /home/common.txt -u http://machetevault.com/FUZZ -p 0.1s #ENUMERATE FILE EXTENSION $ ffuf -w [WORDLIST] -u [URL] -e .php,.html,.phtml,.css $ ffuf -w /home/common.txt -u http://machetevault.com/FUZZ -e .php,.html,.phtml,.css #HTTP REQUEST SMUGGLING $ ffuf -w [WORDLIST] -u [URL] -X FUZZ $ ffuf -w /home/payloads_list.txt -u http://machetevault.com -X FUZZ

©® - Since 2023