FFUF, the De Facto Tool for Website Penetration Testing
Introduction:
There's an abundance of tools at pentesters' fingertips for cracking a web application's armor. None seem more versatile or useful in the discovery phase than FFUF. FFUF is a web fuzzer written in Go which lets users supply wordlists to perform website directory discovery and to inject GET and POST parameters in an attempt to break into a website's back end. The following are a few examples of its usage:
Project Setup:
For this tutorial I'll be using Google Gruyere, a web app specifically built to be hacked: https://google-gruyere.appspot.com/
For the wordlists I cloned the following repository: https://github.com/danielmiessler/SecLists
Directory Discovery:
One of the most common uses of FFUF is directory discovery. This is an important part of any pentester's process when trying to gain unauthorized access to a website. FFUF can be given any wordlist to enumerate, checking whether any of those words match directories on the website. This is a brute-force method of discovery that makes hundreds of requests to accomplish its goal, depending on how big the supplied wordlist is.
# FUZZ in the path is replaced by each word; a web-content wordlist fits this purpose (the DNS list is for subdomains)
ffuf -w SecLists/Discovery/Web-Content/common.txt -u https://google-gruyere.appspot.com/470523742524253302105644792224613202319/FUZZ
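On the receiving side, a scan like this leaves a distinctive footprint: one client requesting many distinct paths in a short time, most of which return 404 or 403. The following detection script is an added example, not part of the original post or of the ffuf project; it parses access-log lines in the Apache/nginx combined format (the log lines and the thresholds are constructed assumptions for the demo) and flags clients whose per-minute pattern matches that footprint, regardless of the User-Agent they present.

```python
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Parse one Apache/nginx 'combined' log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["minute"] = rec["ts"][:17]  # '10/Oct/2023:13:55:07 +0000' -> '10/Oct/2023:13:55'
    return rec

def find_fuzzers(lines, min_requests=20, min_miss_ratio=0.8):
    """Return {ip: peak requests in one minute} for clients that, within a single minute,
    hit at least `min_requests` distinct paths with `min_miss_ratio` or more of the
    responses being 403/404. Thresholds are assumptions; tune them to the site's traffic."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            buckets[(rec["ip"], rec["minute"])].append(rec)
    flagged = {}
    for (ip, _minute), recs in buckets.items():
        distinct_paths = {r["path"] for r in recs}
        misses = sum(1 for r in recs if r["status"] in (403, 404))
        if len(distinct_paths) >= min_requests and misses / len(recs) >= min_miss_ratio:
            flagged[ip] = max(flagged.get(ip, 0), len(recs))
    return flagged

def sample_log():
    """Constructed log: one client walking a 25-word list (2 hits), one ordinary visitor."""
    ts = "10/Oct/2023:13:55:%02d +0000"
    words = ["admin", "backup", "config", "db", "dev", "old", "test", "tmp", "uploads",
             "login", "api", "static", "assets", "img", "js", "css", "docs", "private",
             "secret", "secure", "manager", "console", "portal", "logs", "data"]
    lines = [f'203.0.113.7 - - [{ts % i}] "GET /{w} HTTP/1.1" '
             f'{200 if w in ("login", "static") else 404} 512 "-" "curl/8.0"'
             for i, w in enumerate(words)]
    lines += [f'198.51.100.4 - - [{ts % (i + 30)}] "GET {p} HTTP/1.1" 200 4096 "-" "Mozilla/5.0"'
              for i, p in enumerate(["/", "/login", "/static/app.js"])]
    return lines

if __name__ == "__main__":
    print(find_fuzzers(sample_log()))  # {'203.0.113.7': 25}
```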
Subdomain Discovery
Another common use for FFUF is discovering which subdomains exist for a website. Knowing this can expose APIs, admin consoles and other interfaces that could be vulnerable to attack.
# for subdomain discovery the FUZZ keyword goes in the host name, not the path
ffuf -w SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u https://FUZZ.google-gruyere.appspot.com/
Username Discovery
FFUF can also be used to discover existing usernames for a web application. If the login page sends back a distinguishable message when a username does not exist, a large list of usernames can be sent to the login page to discover which ones are valid. Once we know those valid usernames we can attempt to crack their passwords and gain access to the account.
# -mr keeps only responses whose body matches the regex; parameters in -d are separated by a single &
ffuf -w /usr/share/SecLists/Usernames/top-usernames-shortlist.txt -X POST -d "username=FUZZ&password=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://mydomain.com/login -mr "username already exists"
Conclusion:
These are just a few of the many powerful attacks that FFUF can be used for. Check out the documentation and start learning more!