Fast web fuzzer written in Go

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

ffuf - Fuzz Faster U Fool

A fast web fuzzer written in Go.

Sponsors

Offensive Security

Official Discord Channel

ffuf has a channel at Porchetta Industries Discord server alongside of channels for many other tools.

Come to hang out & to discuss about ffuf, it's usage and development!

Porchetta Industries

Installation

  • Download a prebuilt binary from releases page, unpack and run!

    or

  • If you have recent go compiler installed: go get -u github.com/ffuf/ffuf (the same command works for updating)

    or

  • git clone https://github.com/ffuf/ffuf ; cd ffuf ; go get ; go build

Ffuf depends on Go 1.13 or greater.

Example usage

The usage examples below show just the simplest tasks you can accomplish using ffuf.

For more extensive documentation, with real life usage examples and tips, be sure to check out the awesome guide: "Everything you need to know about FFUF" by Michael Skelton (@codingo).

Typical directory discovery

asciicast

By using the FUZZ keyword at the end of URL (-u):

ffuf -w /path/to/wordlist -u https://target/FUZZ

Virtual host discovery (without DNS records)

asciicast

Assuming that the default virtualhost response size is 4242 bytes, we can filter out all the responses of that size (-fs 4242)while fuzzing the Host - header:

ffuf -w /path/to/vhost/wordlist -u https://target -H "Host: FUZZ" -fs 4242

GET parameter fuzzing

GET parameter name fuzzing is very similar to directory discovery, and works by defining the FUZZ keyword as a part of the URL. This also assumes an response size of 4242 bytes for invalid GET parameter name.

ffuf -w /path/to/paramnames.txt -u https://target/script.php?FUZZ=test_value -fs 4242

If the parameter name is known, the values can be fuzzed the same way. This example assumes a wrong parameter value returning HTTP response code 401.

ffuf -w /path/to/values.txt -u https://target/script.php?valid_name=FUZZ -fc 401

POST data fuzzing

This is a very straightforward operation, again by using the FUZZ keyword. This example is fuzzing only part of the POST request. We're again filtering out the 401 responses.

ffuf -w /path/to/postdata.txt -X POST -d "username=admin\&password=FUZZ" -u https://target/login.php -fc 401

Maximum execution time

If you don't want ffuf to run indefinitely, you can use the -maxtime. This stops the entire process after a given time (in seconds).

ffuf -w /path/to/wordlist -u https://target/FUZZ -maxtime 60

When working with recursion, you can control the maxtime per job using -maxtime-job. This will stop the current job after a given time (in seconds) and continue with the next one. New jobs are created when the recursion functionality detects a subdirectory.

ffuf -w /path/to/wordlist -u https://target/FUZZ -maxtime-job 60 -recursion -recursion-depth 2

It is also possible to combine both flags limiting the per job maximum execution time as well as the overall execution time. If you do not use recursion then both flags behave equally.

Using external mutator to produce test cases

For this example, we'll fuzz JSON data that's sent over POST. Radamsa is used as the mutator.

When --input-cmd is used, ffuf will display matches as their position. This same position value will be available for the callee as an environment variable $FFUF_NUM. We'll use this position value as the seed for the mutator. Files example1.txt and example2.txt contain valid JSON payloads. We are matching all the responses, but filtering out response code 400 - Bad request:

ffuf --input-cmd 'radamsa --seed $FFUF_NUM example1.txt example2.txt' -H "Content-Type: application/json" -X POST -u https://ffuf.io.fi/FUZZ -mc all -fc 400

It of course isn't very efficient to call the mutator for each payload, so we can also pre-generate the payloads, still using Radamsa as an example:

# Generate 1000 example payloads
radamsa -n 1000 -o %n.txt example1.txt example2.txt

# This results into files 1.txt ... 1000.txt
# Now we can just read the payload data in a loop from file for ffuf

ffuf --input-cmd 'cat $FFUF_NUM.txt' -H "Content-Type: application/json" -X POST -u https://ffuf.io.fi/ -mc all -fc 400

Configuration files

When running ffuf, it first checks if a default configuration file exists. The file path for it is ~/.ffufrc / $HOME/.ffufrc for most *nixes (for example /home/joohoi/.ffufrc) and %USERPROFILE%\.ffufrc for Windows. You can configure one or multiple options in this file, and they will be applied on every subsequent ffuf job. An example of .ffufrc file can be found here.

The configuration options provided on the command line override the ones loaded from ~/.ffufrc. Note: this does not apply for CLI flags that can be provided more than once. One of such examples is -H (header) flag. In this case, the -H values provided on the command line will be appended to the ones from the config file instead.

Additionally, in case you wish to use bunch of configuration files for different use cases, you can do this by defining the configuration file path using -config command line flag that takes the file path to the configuration file as its parameter.

Usage

To define the test case for ffuf, use the keyword FUZZ anywhere in the URL (-u), headers (-H), or POST data (-d).

Fuzz Faster U Fool - v1.3.0-dev

HTTP OPTIONS:
  -H                  Header `"Name: Value"`, separated by colon. Multiple -H flags are accepted.
  -X                  HTTP method to use
  -b                  Cookie data `"NAME1=VALUE1; NAME2=VALUE2"` for copy as curl functionality.
  -d                  POST data
  -ignore-body        Do not fetch the response content. (default: false)
  -r                  Follow redirects (default: false)
  -recursion          Scan recursively. Only FUZZ keyword is supported, and URL (-u) has to end in it. (default: false)
  -recursion-depth    Maximum recursion depth. (default: 0)
  -recursion-strategy Recursion strategy: "default" for a redirect based, and "greedy" to recurse on all matches (default: default)
  -replay-proxy       Replay matched requests using this proxy.
  -timeout            HTTP request timeout in seconds. (default: 10)
  -u                  Target URL
  -x                  Proxy URL (SOCKS5 or HTTP). For example: http://127.0.0.1:8080 or socks5://127.0.0.1:8080

GENERAL OPTIONS:
  -V                  Show version information. (default: false)
  -ac                 Automatically calibrate filtering options (default: false)
  -acc                Custom auto-calibration string. Can be used multiple times. Implies -ac
  -c                  Colorize output. (default: false)
  -config             Load configuration from a file
  -maxtime            Maximum running time in seconds for entire process. (default: 0)
  -maxtime-job        Maximum running time in seconds per job. (default: 0)
  -noninteractive     Disable the interactive console functionality (default: false)
  -p                  Seconds of `delay` between requests, or a range of random delay. For example "0.1" or "0.1-2.0"
  -rate               Rate of requests per second (default: 0)
  -s                  Do not print additional information (silent mode) (default: false)
  -sa                 Stop on all error cases. Implies -sf and -se. (default: false)
  -se                 Stop on spurious errors (default: false)
  -sf                 Stop when > 95% of responses return 403 Forbidden (default: false)
  -t                  Number of concurrent threads. (default: 40)
  -v                  Verbose output, printing full URL and redirect location (if any) with the results. (default: false)

MATCHER OPTIONS:
  -mc                 Match HTTP status codes, or "all" for everything. (default: 200,204,301,302,307,401,403,405)
  -ml                 Match amount of lines in response
  -mr                 Match regexp
  -ms                 Match HTTP response size
  -mw                 Match amount of words in response

FILTER OPTIONS:
  -fc                 Filter HTTP status codes from response. Comma separated list of codes and ranges
  -fl                 Filter by amount of lines in response. Comma separated list of line counts and ranges
  -fr                 Filter regexp
  -fs                 Filter HTTP response size. Comma separated list of sizes and ranges
  -fw                 Filter by amount of words in response. Comma separated list of word counts and ranges

INPUT OPTIONS:
  -D                  DirSearch wordlist compatibility mode. Used in conjunction with -e flag. (default: false)
  -e                  Comma separated list of extensions. Extends FUZZ keyword.
  -ic                 Ignore wordlist comments (default: false)
  -input-cmd          Command producing the input. --input-num is required when using this input method. Overrides -w.
  -input-num          Number of inputs to test. Used in conjunction with --input-cmd. (default: 100)
  -input-shell        Shell to be used for running command
  -mode               Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork (default: clusterbomb)
  -request            File containing the raw http request
  -request-proto      Protocol to use along with raw request (default: https)
  -w                  Wordlist file path and (optional) keyword separated by colon. eg. '/path/to/wordlist:KEYWORD'

OUTPUT OPTIONS:
  -debug-log          Write all of the internal logging to the specified file.
  -o                  Write output to file
  -od                 Directory path to store matched results to.
  -of                 Output file format. Available formats: json, ejson, html, md, csv, ecsv (or, 'all' for all formats) (default: json)
  -or                 Don't create the output file if we don't have results (default: false)

EXAMPLE USAGE:
  Fuzz file paths from wordlist.txt, match all responses but filter out those with content-size 42.
  Colored, verbose output.
    ffuf -w wordlist.txt -u https://example.org/FUZZ -mc all -fs 42 -c -v

  Fuzz Host-header, match HTTP 200 responses.
    ffuf -w hosts.txt -u https://example.org/ -H "Host: FUZZ" -mc 200

  Fuzz POST JSON data. Match all responses not containing text "error".
    ffuf -w entries.txt -u https://example.org/ -X POST -H "Content-Type: application/json" \
      -d '{"name": "FUZZ", "anotherkey": "anothervalue"}' -fr "error"

  Fuzz multiple locations. Match only responses reflecting the value of "VAL" keyword. Colored.
    ffuf -w params.txt:PARAM -w values.txt:VAL -u https://example.org/?PARAM=VAL -mr "VAL" -c

  More information and examples: https://github.com/ffuf/ffuf

Interactive mode

By pressing ENTER during ffuf execution, the process is paused and user is dropped to a shell-like interactive mode:

entering interactive mode
type "help" for a list of commands, or ENTER to resume.
> help

available commands:
 fc [value]             - (re)configure status code filter 
 fl [value]             - (re)configure line count filter 
 fw [value]             - (re)configure word count filter 
 fs [value]             - (re)configure size filter 
 queueshow              - show recursive job queue
 queuedel [number]      - delete a recursion job in the queue
 queueskip              - advance to the next queued recursion job
 restart                - restart and resume the current ffuf job
 resume                 - resume current ffuf job (or: ENTER) 
 show                   - show results for the current job
 savejson [filename]    - save current matches to a file
 help                   - you are looking at it
> 

in this mode, filters can be reconfigured, queue managed and the current state saved to disk.

When (re)configuring the filters, they get applied posthumously and all the false positive matches from memory that would have been filtered out by the newly added filters get deleted.

The new state of matches can be printed out with a command show that will print out all the matches as like they would have been found by ffuf.

As "negative" matches are not stored to memory, relaxing the filters cannot unfortunately bring back the lost matches. For this kind of scenario, the user is able to use the command restart, which resets the state and starts the current job from the beginning.

Sponsorware

ffuf employs a sponsorware model. This means that all new features developed by its author are initially exclusively available for their sponsors. 30 days after the exclusive release, all the new features will be released at the freely available open source repository at https://github.com/ffuf/ffuf .

This model enables me to provide concrete benefits for the generous individuals and companies that enable me to work on ffuf. The different sponsorship tiers can be seen here.

All the community contributions are and will be available directly in the freely available open source repository. The exclusive version benefits only include new features created by @joohoi

Access the sponsorware through code contributions

People that create significant contributions to the ffuf project itself should and will have access to the sponsorware as well. If you are planning to create such a contribution, please contact @joohoi first to ensure that there aren't other people working on the same feature.

Helper scripts and advanced payloads

See ffuf-scripts repository for helper scripts and payload generators for different workflows and usage scenarios.

License

ffuf is released under MIT license. See LICENSE.

Comments
  • Extension (-e) does not add dot (.ext) in between the filename and the extension

    Extension (-e) does not add dot (.ext) in between the filename and the extension

    when specifying an extension (-e) using a wordlist, the request combines the file name from the wordlist together with the extension supplied. For example, if I have a file name in my wordlist named info and I use the -e php attribute, the request will go to example.com/infophp instead of example.com/info.php

  • Feature Request: Allow encoding/other operations on fuzzing input

    Feature Request: Allow encoding/other operations on fuzzing input

    It would be great if ffuf could allow the user to encode/perform other operations on the fuzzing input, just like burp suite intruder.

    This could be used for Basic authorization bruteforcing for instance. The user could pass two lists and do base64 encode on fuzz_input_1:fuzz_input_2

  • [request] add arbitrary, multiple extensions to requests

    [request] add arbitrary, multiple extensions to requests

    Flag: -e, Default: (none) Commandline: -e .aspx,.php,nodot Generator logic (FUZZ = current entry from wordlist): /FUZZ /FUZZ.aspx /FUZZ.php /FUZZnodot

  • Recursion still not working 1.3.0

    Recursion still not working 1.3.0

    Recursion still not working

    ffuf -w dict.txt -u https://example.com/FUZZ -recursion -recursion-depth 3 no jobs added to que after finding /api/ and other dirs

  • Getting internal/poll.runtime_pollWait ... stack trace output when fuzzing

    Getting internal/poll.runtime_pollWait ... stack trace output when fuzzing

    When fuzzing with large wordlist (>300k) or fuzzing multiple hosts with smaller wordlist (~5k) I'm getting the following stack trace

    goroutine 65015 [runnable]:
    internal/poll.runtime_pollWait(0x14e4f2d70528, 0x72, 0xffffffffffffffff)
    	/usr/local/go/src/runtime/netpoll.go:203 +0x55
    internal/poll.(*pollDesc).wait(0xc01108ba18, 0x72, 0x1200, 0x123c, 0xffffffffffffffff)
    	/usr/local/go/src/internal/poll/fd_poll_runtime.go:87 +0x45
    internal/poll.(*pollDesc).waitRead(...)
    	/usr/local/go/src/internal/poll/fd_poll_runtime.go:92
    internal/poll.(*FD).Read(0xc01108ba00, 0xc0220ae000, 0x123c, 0x123c, 0x0, 0x0, 0x0)
    	/usr/local/go/src/internal/poll/fd_unix.go:169 +0x19b
    net.(*netFD).Read(0xc01108ba00, 0xc0220ae000, 0x123c, 0x123c, 0x203008, 0xc021416980, 0xc006e429b8)
    	/usr/local/go/src/net/fd_unix.go:202 +0x4f
    net.(*conn).Read(0xc016805ef8, 0xc0220ae000, 0x123c, 0x123c, 0x0, 0x0, 0x0)
    	/usr/local/go/src/net/net.go:184 +0x8e
    crypto/tls.(*atLeastReader).Read(0xc0214169a0, 0xc0220ae000, 0x123c, 0x123c, 0x0, 0x0, 0xc006e42918)
    	/usr/local/go/src/crypto/tls/conn.go:760 +0x60
    bytes.(*Buffer).ReadFrom(0xc01a0e25d8, 0x8af540, 0xc0214169a0, 0x40b975, 0x7bf040, 0x8086e0)
    	/usr/local/go/src/bytes/buffer.go:204 +0xb1
    crypto/tls.(*Conn).readFromUntil(0xc01a0e2380, 0x8af860, 0xc016805ef8, 0x5, 0xc016805ef8, 0x4aeb60)
    	/usr/local/go/src/crypto/tls/conn.go:782 +0xec
    crypto/tls.(*Conn).readRecordOrCCS(0xc01a0e2380, 0x0, 0x0, 0x40e0cb)
    	/usr/local/go/src/crypto/tls/conn.go:589 +0x115
    crypto/tls.(*Conn).readRecord(...)
    	/usr/local/go/src/crypto/tls/conn.go:557
    crypto/tls.(*Conn).Read(0xc01a0e2380, 0xc01bff0000, 0x1000, 0x1000, 0x0, 0x0, 0x0)
    	/usr/local/go/src/crypto/tls/conn.go:1233 +0x15b
    net/http.(*persistConn).Read(0xc009044d80, 0xc01bff0000, 0x1000, 0x1000, 0x40671d, 0x60, 0x0)
    	/usr/local/go/src/net/http/transport.go:1825 +0x75
    bufio.(*Reader).fill(0xc0101d9bc0)
    	/usr/local/go/src/bufio/bufio.go:100 +0x103
    bufio.(*Reader).Peek(0xc0101d9bc0, 0x1, 0xc0109ebf80, 0xc00144e968, 0xc011945d28, 0x6b14d6, 0x0)
    	/usr/local/go/src/bufio/bufio.go:138 +0x4f
    net/http.(*persistConn).readLoop(0xc009044d80)
    	/usr/local/go/src/net/http/transport.go:1978 +0x1a8
    created by net/http.(*Transport).dialConn
    	/usr/local/go/src/net/http/transport.go:1647 +0xc56
    
    goroutine 65... [runnable]:
    ...
    ...
    goroutine 66... [runnable]:
    

    The command I'm using

    ffuf -u HOST/PATH -w hosts:HOST -w customWordlist:PATH -o ffuf.json -mc all -t 10000

    where hosts file has 92 hosts and customWordlist file has ~5700 words.

    ffuf version is v1.1.0-git but I experienced this issue even within earlier versions.

  • Save Output About

    Save Output About

    I used the following command for subdomain on a site.

    ffuf -c -w ~/wordlist/subdomain.txt -u https://tesla.com -H "Host: FUZZ.tesla.com" -fc 301 -t 150
    

    Shortcomings

    • We cannot save the results of the scan.
    • I wish the results would look like a full url. ( For Example https://shop.tesla.com https://meet.tesla.com )
  • SIGABRT v0.12 on Ubuntu 19.10

    SIGABRT v0.12 on Ubuntu 19.10

    Attempting to fuzz differents hosts using commandline:

    ./ffuf -u FUZZ/Some/path/here -w hosts.txt -mc 200 -fw 0-10,20-10000 -o output.json -t 20

    Working fine for 2-3 minutes with correct hits, then:

            /'___\  /'___\           /'___\
           /\ \__/ /\ \__/  __  __  /\ \__/
           \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
            \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
             \ \_\   \ \_\  \ \____/  \ \_\
              \/_/    \/_/   \/___/    \/_/
    
           v0.12
    ________________________________________________
    
     :: Method           : GET
     :: URL              : FUZZ/Some/path/here
     :: Output file      : output.json
     :: File format      : json
     :: Follow redirects : false
     :: Calibration      : false
     :: Timeout          : 10
     :: Threads          : 20
     :: Matcher          : Response status: 200
     :: Filter           : Response words: 0-10,20-10000
    ________________________________________________
    
    <STATUS MSG CUT>
    
    SIGABRT: abort
    PC=0x7f36e34183eb m=18 sigcode=18446744073709551610
    
    goroutine 0 [idle]:
    runtime: unknown pc 0x7f36e34183eb
    stack: frame={sp:0x7f369fffb2c0, fp:0x0} stack=[0x7f369f7ff288,0x7f369fffee88)
    00007f369fffb1c0:  00007f36e3587fef  000000000000000f
    00007f369fffb1d0:  00000002fffffffe  00007f36e35bc440
    00007f369fffb1e0:  0000000000000000  ffffffffffff0000
    00007f369fffb1f0:  454c36312d465455  0000000000002f2f
    00007f369fffb200:  ffff0000000000ff  ffff000000000000
    00007f369fffb210:  0000000000000000  0000000000000000
    00007f369fffb220:  ffff000000ff0000  ffff000000ff0000
    00007f369fffb230:  00007f369fffb200  0000000000000000
    00007f369fffb240:  0000000000000000  ffffffffffffffff
    00007f369fffb250:  0000000000000000  0000000000000000
    00007f369fffb260:  00007f369fffb500  00007f36e33f97b3
    00007f369fffb270:  0000000000000000  0000000000000000
    00007f369fffb280:  7b7b7b7b7b7b7b7b  7b7b7b7b7b7b7b4e
    00007f369fffb290:  000000c00040d800  000000000000001c
    00007f369fffb2a0:  0000000000000020  000000c00040d820
    00007f369fffb2b0:  c95c8146d79d8b00  1b0c52eb5dc741cf
    00007f369fffb2c0: <0000000000000000  c200000000000000
    
    <lots of more output here>
    

    Shouldnt it be possible to fuzz the host in a URL? (I.e. probing many hosts for a path)

  • Filter by regexp doesn't seem to work on responses

    Filter by regexp doesn't seem to work on responses

    I use -fr '<filter>' flag but it still includes responses that have this string. I'm pretty sure that those responses contain this string. However there is no way to confirm this, so I think a flag that allows to debug the response would be a great feature. Finally, I also noticed that I can't filter the responses by header key (e.g. -fr 'Set-Cookie'). It seems like most of the match/filter functionality is focused on the body of the message. Perhaps I'm missing something, just let me know. Otherwise I could probably help with the PR on this.

  • Suggestion to add url-list argument

    Suggestion to add url-list argument

    first of all you are doing an amazing tool here, second it would be a huge pros if you add argument for brute forcing a list of urls (domains) along side with -u for just single domain .

  • Getting a single issue everytime i am running ffuf

    Getting a single issue everytime i am running ffuf

    Just firing the normal basic command ffuf -u https://example.com/FUZZ -w wordlist.txt

    and getting an error

    keyword defined, but not found in headers, method, URL or POST data

    Using windows 10 Problem occured after the updation to latest version of ffuf. Please resolve this issue ASAP

  • Retry Connection Reset

    Retry Connection Reset

    First off, I love this tool. It is awesome. My only feature request: instead of printing "Error in runner: Get <url> ...read: connection reset by peer" and "Client.Timeout exceeded" errors, retry the attack and mark an 'error' counter with the status line. This will keep from dropping tests due to an overloaded server, and keep the output somewhat cleaner.

  • AutoCalibrationKeyword -ack option is not work

    AutoCalibrationKeyword -ack option is not work

    Autocalibration keyword defualt is "FUZZ" when i use this cmd, ack works fine, i can see the request log

    ./ffuf -w smalldir.txt:FUZZ -u http://127.0.0.1:8000/FUZZ -ac
    
    127.0.0.1 - - [04/Jan/2023 11:23:11] "GET /adminCBFwDRqSiVFkHwJo HTTP/1.1" 404 -
    127.0.0.1 - - [04/Jan/2023 11:23:11] "GET /admincUnrzJGL HTTP/1.1" 404 -
    127.0.0.1 - - [04/Jan/2023 11:23:11] "GET /.htaccessUCGvEiPCThsmsoOb HTTP/1.1" 404 -
    127.0.0.1 - - [04/Jan/2023 11:23:11] "GET /.htaccessxkfvXlgF HTTP/1.1" 404 -
    127.0.0.1 - - [04/Jan/2023 11:23:11] "GET /njQPuYXxGAxLgFGD HTTP/1.1" 404 -
    127.0.0.1 - - [04/Jan/2023 11:23:11] "GET /HfZiewhn HTTP/1.1" 404 -
    

    my small dict file

    cat ./smalldir.txt
    0/
    000/
    01/
    010/
    02/
    03/
    1/
    

    when i use ack option, change AutoCalibrationKeyword to DIR, request log did not meet expectations

    ./ffuf -w smalldir.txt:DIR -u http://127.0.0.1:8000/DIR -ac -ack DIR
    
    $ python3 app.py
    Press CTRL+C to quit
     * Restarting with stat
     * Debugger is active!
     * Debugger PIN: 378-795-110
    127.0.0.1 - - [04/Jan/2023 11:31:36] "GET /1/ HTTP/1.1" 404 -
    127.0.0.1 - - [04/Jan/2023 11:31:36] "GET /000/ HTTP/1.1" 404 -
    127.0.0.1 - - [04/Jan/2023 11:31:36] "GET /01/ HTTP/1.1" 404 -
    127.0.0.1 - - [04/Jan/2023 11:31:36] "GET /010/ HTTP/1.1" 404 -
    127.0.0.1 - - [04/Jan/2023 11:31:36] "GET /0/ HTTP/1.1" 404 -
    127.0.0.1 - - [04/Jan/2023 11:31:36] "GET /03/ HTTP/1.1" 404 -
    127.0.0.1 - - [04/Jan/2023 11:31:36] "GET /02/ HTTP/1.1" 404 -
    127.0.0.1 - - [04/Jan/2023 11:31:36] "GET /1/ HTTP/1.1" 404 -
    127.0.0.1 - - [04/Jan/2023 11:31:36] "GET /1/ HTTP/1.1" 404 -
    127.0.0.1 - - [04/Jan/2023 11:31:36] "GET /1/ HTTP/1.1" 404 -
    127.0.0.1 - - [04/Jan/2023 11:31:36] "GET /1/ HTTP/1.1" 404 -
    127.0.0.1 - - [04/Jan/2023 11:31:36] "GET /1/ HTTP/1.1" 404 -
    127.0.0.1 - - [04/Jan/2023 11:31:36] "GET /1/ HTTP/1.1" 404 -
    
  • CSRF TOKEN Bypass

    CSRF TOKEN Bypass

    is there is any way to extract the csrf token from the web forms and pass it to ffuf as a second parameter using (Pitchfork+recursive grep) attack like in burpsuite ??

  • Feature request OUTPUT OPTIONS: -oc (save current location)

    Feature request OUTPUT OPTIONS: -oc (save current location)

    Hi,

    Suppose I start the terminal in location: ~hacking/targets/example.com for the target example.com -o ffuf-directories-results will save the output in default location, something like: /home/adelante/ -oc > save to current location (terminal start location), in my case ~hacking/targets/example.com will be a time saver.

    I know about-od (Directory path to store matched results to) but it doesn't help in the automation process, plus it is not productive to store all the results from different targets in the same location.

    Other tools save to the current location by default when you use -o, ffuf unfortunately does not save to the current location, but to the user's folder.

  • support merge for wordlists

    support merge for wordlists

    Description

    Add the merge mode to merge multiple Wordlists. image

    Additonally

    • [x] If this is the first time you are contributing to ffuf, add your name to CONTRIBUTORS.md. The file should be alphabetically ordered.
    • [x] Add a short description of the fix to CHANGELOG.md

    Thanks for contributing to ffuf :)

  • Auto calibration with multiple urls

    Auto calibration with multiple urls

    Hello there, thank you creating such a helpfull tool for community, I have a question related to it ffuf -w "domains.txt:URL" -w directories.txt -u URL/FUZZ -t 50 -ac when i run this command, it returns the results but not accurate too much for garbages and 301s

    My question is what if i want to fuzz multiple urls and separate output for each domain for example ffuf took 1st domain and using -ac command it returns a good result, so i want output in separate file for each domain inorder to get accurate results, then go for 2nd and so on..

Fastest recursive HTTP fuzzer, like a Ferrari.
Fastest recursive HTTP fuzzer, like a Ferrari.

Medusa Fastest recursive HTTP fuzzer, like a Ferrari. Usage Usage: medusa [options...] Options: -u Single URL -uL

Oct 14, 2022
A Flask-based HTTP(S) command and control (C2) framework with a web frontend. Malleable agents written in Go and scripts written in bash.

▄▄▄▄ ██▓ █████▒██▀███ ▒█████ ██████ ▄▄▄█████▓ ▓█████▄ ▓██▒▓██ ▒▓██ ▒ ██▒▒██▒ ██▒▒██ ▒ ▓ ██▒ ▓▒ ▒██▒ ▄██▒██▒▒████ ░▓██ ░▄█ ▒▒██░ ██▒░

Dec 24, 2022
A web-based testing platform for WAF (Web Application Firewall)'s correctness

WAFLab ?? WAFLab is a web-based platform for testing WAFs. Live Demo https://waflab.org/ Architecture WAFLab contains 2 parts: Name Description Langua

Oct 25, 2022
Web-Security-Academy - Web Security Academy, developed in GO

Web-Security-Academy - Web Security Academy, developed in GO

Feb 23, 2022
A fast tool to scan CRLF vulnerability written in Go
A fast tool to scan CRLF vulnerability written in Go

CRLFuzz A fast tool to scan CRLF vulnerability written in Go Resources Installation from Binary from Source from GitHub Usage Basic Usage Flags Target

Jan 1, 2023
A fast port scanner written in go with a focus on reliability and simplicity. Designed to be used in combination with other tools for attack surface discovery in bug bounties and pentests
A fast port scanner written in go with a focus on reliability and simplicity. Designed to be used in combination with other tools for attack surface discovery in bug bounties and pentests

Naabu is a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner. It is a really simple to

Dec 31, 2022
Naabu - a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner
Naabu - a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner

Naabu is a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner. It is a really simple tool that does fast SYN/CONNECT scans on the host/list of hosts and lists all ports that return a reply.

Jan 2, 2022
A fast and easy to use URL health checker ⛑️ Keep your links healthy during tough times
A fast and easy to use URL health checker ⛑️ Keep your links healthy during tough times

AreYouOK? A minimal, fast & easy to use URL health checker Who is AreYouOk made for ? OSS Package Maintainers ??️

Oct 7, 2022
A fast tool to mass scan for a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin (CVE-2021-26855).
A fast tool to mass scan for a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin (CVE-2021-26855).

proxylogscan This tool to mass scan for a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and imperson

Dec 26, 2022
Nuclei is a fast tool for configurable targeted vulnerability scanning based on templates offering massive extensibility and ease of use.
Nuclei is a fast tool for configurable targeted vulnerability scanning based on templates offering massive extensibility and ease of use.

Fast and customisable vulnerability scanner based on simple YAML based DSL. How • Install • For Security Engineers • For Developers • Documentation •

Dec 30, 2022
SingularityCE is the Community Edition of Singularity, an open source container platform designed to be simple, fast, and secure.

SingularityCE Guidelines for Contributing Pull Request Template Project License Documentation Support Citation SingularityCE is the Community Edition

Jan 5, 2023
MX1014 is a flexible, lightweight and fast port scanner.

MX1014 MX1014 是一个遵循 “短平快” 原则的灵活、轻便和快速端口扫描器 此工具仅限于安全研究和教学,用户承担因使用此工具而导致的所有法律和相关责任! 作者不承担任何法律和相关责任! Version 1.1.1 - 版本修改日志 Features 兼容 nmap 的端口和目标语法 支持各

Dec 19, 2022
Fast scan for redtools
Fast scan for redtools

scaninfo by 华东360安服团队 注意的点 漏洞扫描的时候有时候最后几个任务会卡住,是因为ftp爆破模块,这个fscan也一样目前没有好的解决办法,后续更新.先阶段可以-eq 21跳过ftp,或者control+c 主动停止不影响结果保存。 有时候扫外网的全端口会漏掉端口可以使用-n 指定

Dec 27, 2022
XXTEA is a fast and secure encryption algorithm.

XXTEA Golang Introduction xxtea is a fast and secure encryption algorithm. This project is the Golang implementation of the xxtea encryption algorithm

Aug 3, 2022
Incident Response - Fast suspicious file finder

FastFinder - Incident Response - Fast suspicious file finder What is this project designed for? FastFinder is a lightweight tool made for threat hunti

Dec 28, 2022
Gryffin is a large scale web security scanning platform.

Gryffin (beta) Gryffin is a large scale web security scanning platform. It is not yet another scanner. It was written to solve two specific problems w

Dec 27, 2022
set of web security test cases and a toolkit to construct new ones

Webseclab Webseclab contains a sample set of web security test cases and a toolkit to construct new ones. It can be used for testing security scanners

Jan 7, 2023
Open Source Web Application Firewall
Open Source Web Application Firewall

DEPRECATED This repository started as a good idea but I didn't have enough time or desire to work on it. So, it's left here for historical / education

Nov 24, 2022
一款完善的安全评估工具,支持常见 web 安全问题扫描和自定义 poc | 使用之前务必先阅读文档
一款完善的安全评估工具,支持常见 web 安全问题扫描和自定义 poc | 使用之前务必先阅读文档

Welcome to xray ?? 一款功能强大的安全评估工具 ✨ Demo ?? 使用文档 ⬇️ 下载地址 注意:xray 不开源,直接下载构建的二进制文件即可,仓库内主要为社区贡献的 poc,每次 xray 发布将自动打包。 ?? 快速使用 在使用之前,请务必阅读并同意 License 文件中

Jan 5, 2023