LOGO
OFFENSIVE | DEFENSIVE | WIKI | ABOUT

[FFUF]






--> MAKE REQUEST USING FILE REQUEST (burpsuite)

1. Save request as a file in burpsuite [repeater > request > right click > save as file].
2. Change the parameter to FUZZ in the request file.
3. Use ffuf.

C1: ffuf -request [filename] -request-proto http -w /path/to/wordlist
SAMPLE: ffuf -request req.txt -request-proto http -w /usr/share/wordlist/common.txt
SAMPLE: ffuf -request req.txt -request-proto http -w /usr/share/wordlist/common.txt -fs 2346

SAMPLE: 
ffuf -request req.txt -request-proto http -mode clusterbomb -w /usr/share/list/common.txt:FUZZUSER -w /usr/list/common.txt:FUZZPASS

-request = specify the file
-request-proto = specify protocol
-w = wordlist
-fs = filter request size to minimize the output
-mode = specify the attack type
  




ADVANCE FUZZING TECHNIQUES
#WAF BYPASS
$ ffuf -w [WORDLIST] -u [URL] -X GET -H "User-Agent: FUZZ"
$ ffuf -w /home/payloads_list.txt -u http://machetevault.com/FUZZ -X GET -H "User-Agent: FUZZ"

#CONTENT TYPE
$ ffuf -w [WORDLIST] -u [URL] -X POST -H "Content-Type: FUZZ" -d '{"data": "example"}'
$ ffuf -w /home/common_list.txt -u http://machetevault.com/FUZZ -X POST -H "Content-Type: FUZZ" -d '{"data": "example"}'

#PARAMETERS DISCOVER
$ ffuf -w [WORDLIST] -u [URL] 
$ ffuf -w /home/wordlist.txt -u http://machetevault.com?FUZZ=value

#LINK DISCOVERY FOLLOWING LINKS
$ ffuf -w [WORDLIST] -u [URL] -recursion -recursion-depth 1
$ ffuf -w /home/wordlist.txt -u http://machetevault.com/FUZZ -recursion -recursion-depth 1

#JWT TOKEN & HEADER BRUTE FORCE 
$ ffuf -w [WORDLIST] -u [URL] -H "Authorization: Bearer FUZZ"
$ ffuf -w /home/jwt_token_list.txt -u http://machetevault.com -H "Authorization: Bearer FUZZ"
$ ffuf -w /home/common.txt -u http://machetevault.com/FUZZ -H "X-Custom-Header: FUZZ"

#RATE LIMIT BY-PASS
$ ffuf -w [WORDLIST] -u [URL] -p 0.1s
$ ffuf -w /home/common.txt -u http://machetevault.com/FUZZ -p 0.1s

#ENUMERATE FILE EXTENSION
$ ffuf -w [WORDLIST] -u [URL] -e .php,.html,.phtml,.css
$ ffuf -w /home/common.txt -u http://machetevault.com/FUZZ -e .php,.html,.phtml,.css

#HTTP REQUEST SMUGGLING
$ ffuf -w [WORDLIST] -u [URL] -X FUZZ
$ ffuf -w /home/payloads_list.txt -u http://machetevault.com -X FUZZ

©® - 2023/2024.