ffuf – A DOPE SHIT TOOL NO CAP

Note: English is not my native language.

PS: I will be updating this page as I get more information on ffuf; for now I would like to add everything I have learned from the TryHackMe ffuf room.

What is fuzzing

  • fuzz (input data): what fuzzing means is giving weird input data to the application in order to find any errors or security loopholes that the application has; basically it can crash the system as well.
  • Fuzz testing (or fuzzing) is an automated software testing technique that attempts to find hackable software bugs by randomly feeding invalid and unexpected inputs and data into a computer program in order to find coding errors and security loopholes.

What is ffuf

  • ffuf stands for Fuzz Faster U Fool; basically it is a web enumeration, fuzzing and directory brute-forcing tool.
  • ffuf -h
  • This will give us an overview of all the options in ffuf.

Usage

  • ffuf -u https://mashtt.code.blog/FUZZ -w /usr/share/wordlists...
  • Basically, the FUZZ written at the end of the URL specifies where the wordlist entries should be injected… DOPE.
  • If we want, we can also use any other keyword instead of FUZZ, like this:
  • ffuf -u https://mashtt.code.blog/PIE -w /usr/share/wordlists/words.txt:PIE

Notes

  • By default ffuf uses the HTTP GET method to brute-force directories.
  • Using a good wordlist is efficient.
  • DOPE SHIT FOUND.
    • So most of the time, if the website uses PHP and here we are brute-forcing for every other shit extension, it's definitely not worth it.
    • Instead we could do something like this:
    • ffuf -u https://mashtt.code.blog/indexFFUF -w /usr/share/wordlists/seclists/Discovery/Web-Content/web-extensions.txt:FFUF
    • You know why we did this??? Because an index page is common on most websites, so why not first check which language this website uses, via indexFFUF. (A custom keyword such as FFUF needs the :FFUF after the wordlist, the same way PIE did above.)
    • Now, the web-extensions.txt file has .php, .aspx and all those shits, which get appended in place of FFUF… Noice.
    • Next, once we know which extensions the website uses, we can use only those from now on + common extensions like txt, pdf, docs… all that sensitive info (*cough…*cough).
    • ffuf -u https://mashtt.code.blog/FFUF -w /usr/share/wordlists/seclists/Discovery/Web-Content/wordlist:FFUF -e .php,.txt
    • Now, this was for exploring files or pages; when exploring directories we don't normally need extensions.
  • Filtering
    • OK, let's filter out some useful information to quickly get to know things.
    • A few options which can be used as filters:
      • -fc : filter code; it will not show us responses with these status codes, for example if fc is set to 403 it will not show those results. Note: It is very tempting to just set 403 all the time, but there are always pages or files which are not accessible to us and so show 403, and that's where the real hacking comes into play.
      • -fr : filter regexp; it filters according to the regexp we provide. Now, I have seen one usage on TryHackMe, but as I am not good with regexp yet, I will still list what they told: ffuf -u http://10.10.200.76/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -fr '/\..*' What this does is: files which come after the dot give 403, but we might need a few files which come after the dot, so it will match those expressions which come after the dot. I have still not looked into the regexp thing, so this might be wrong.
      • -mc : match code; if we only want to show output with certain codes we can use -mc 200,201.
      • -fs : filter size, e.g. to avoid zero-size files.
    • There are many other filters; to learn about them, use ffuf -h and it will show the different filters.
  • Fuzzing API Endpoints
    • As we know, API endpoints take different types of parameters in the API URL, through which we can fetch different resources.
    • Now, if we hit an endpoint and we don't know what type of parameters that endpoint accepts, we can FUZZ it: basically we can fuzz different parameters on that endpoint and check for valid results.
      • ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 39
      • Now as you can see, I have got an API endpoint http://MACHINE_IP/sqli-labs/Less-1/ where they asked me to put id as a parameter to fetch the results for a particular id. Now this time we got to know that id is the parameter we want to fetch, but sometimes, when we hit an endpoint, we don't know what parameter the API accepts.
    • Next, after getting a valid parameter, we can actually fetch results or fetch sensitive information from them; we can also see which URLs we cannot access so that we can further try to exploit them.
    • They also said a few other things we can do after we get a valid parameter: discovering a vulnerable parameter could lead to file inclusion, path disclosure, XSS, SQL injection, or even command injection. Since ffuf allows you to put the keyword anywhere, we can use it to fuzz for parameters.
    • Now let's fuzz the values, basically brute-forcing every point to check if we hit something crucial to the company:
      • for i in {0..255}; do echo $i; done | ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?id=FUZZ' -c -w - -fw 33
      • Here we are not using a wordlist; instead -w - is used as the option which tells ffuf to accept the parameters from stdin.
      • So after using the for loop to print all values from 1-255 to fuzz on values, we feed them into the URL.
    • We can also use ffuf to brute-force login pages, which is not acceptable in any bug bounty program, that's for sure, since it can lead to DoS, so it is out of scope; but in CTFs we can brute-force the login and password.
      • ffuf -u http://10.10.236.163/sqli-labs/Less-11/ -c -w /usr/share/seclists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded'
      • In this, we are using -X to use the POST method (GET is the default); then -d is used for the body of the POST request, in which uname is the name of the login box, passwd is also the name of a login box, and submit is the submit button with the value Submit; next we need to specify the header too (this thing I need to check, why the header was written), and since the results were all showing a size of 1435 we can exclude those with -fs.
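To make the keyword substitution, the -e extension expansion, the -fc/-fs/-fw/-fr filters and the `-w -` stdin trick from the notes above concrete, here is an added Python toy that mimics ffuf's main loop against a constructed fake site. It is not ffuf's code and not from the TryHackMe room: the host target.example, the fake pages, the endpoint bodies and the word counts used with fw (9 and 3, standing in for the 39 and 33 seen against the real lab machine) are all assumptions made up for the demo. For the regex filter, the toy checks the pattern against the response body, which is why '/\..*' drops the dot-file 403 pages whose body names the path.

```python
"""Toy re-implementation of ffuf's core loop: substitute each wordlist entry into
the URL at the keyword, fetch it, keep only responses that pass the filters.
Added example, not ffuf's own code: a hand-written fake site (FAKE_PAGES,
fake_get) stands in for the target so it runs offline; every body, status code
and word count below is constructed for this demo."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed fake site: path -> (status code, body). Dot-files return a 403
# whose body names the requested path, as Apache's default 403 page does.
FAKE_PAGES = {
    "/index.php": (200, "<html>welcome home</html>"),
    "/admin": (301, ""),
    "/robots.txt": (200, "User-agent: *\nDisallow: /secret/"),
    "/.htaccess": (403, "You don't have permission to access /.htaccess on this server."),
    "/.git": (403, "You don't have permission to access /.git on this server."),
}
NOT_FOUND = (404, "Not Found")

def fake_get(url: str):
    """Stand-in for an HTTP GET against the constructed site: (status, body)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if parts.path == "/sqli-labs/Less-1/":  # constructed endpoint that wants ?id=
        if "id" not in query:
            return 200, "Please input the ID as parameter with numeric value"
        if query["id"][0] in {"1", "2", "3"}:
            return 200, f"Your Login name: user{query['id'][0]}"
        return 200, "No such user"
    return FAKE_PAGES.get(parts.path, NOT_FOUND)

@dataclass
class Hit:
    word: str
    status: int
    size: int   # body length in bytes: what -fs / -ms look at
    words: int  # whitespace-separated word count: what -fw / -mw look at

def fuzz(template: str, wordlist: Iterable[str], keyword: str = "FUZZ",
         extensions: Iterable[str] = (), fc=(), mc=(), fs=(), fw=(),
         fr: Optional[str] = None) -> List[Hit]:
    """Put each word (and word + each -e extension) in place of `keyword`, then
    apply filters in the spirit of -fc/-mc/-fs/-fw/-fr. Unlike real ffuf this
    toy has no default matcher: with mc=() every status code is a candidate."""
    if keyword not in template:
        raise ValueError(f"keyword {keyword!r} does not appear in the URL template")
    hits: List[Hit] = []
    for word in wordlist:
        for ext in ("", *extensions):
            candidate = word + ext
            status, body = fake_get(template.replace(keyword, candidate))
            size, words = len(body.encode()), len(body.split())
            if mc and status not in mc:
                continue
            if status in fc or size in fs or words in fw:
                continue
            if fr and re.search(fr, body):  # toy: regex is checked against the body
                continue
            hits.append(Hit(candidate, status, size, words))
    return hits

def demo_index_extension() -> List[str]:
    """The indexFFUF trick: the wordlist holds extensions, so the surviving entry
    is the one the index page actually uses."""
    hits = fuzz("http://target.example/indexFFUF", [".php", ".aspx", ".html"],
                keyword="FFUF", fc=[404])
    return [h.word for h in hits]

def demo_directories(filter_dotfiles: bool) -> List[str]:
    """Content discovery with -e .txt,.php; with filter_dotfiles, the regex from
    the notes drops the dot-file 403s because their body contains '/.htaccess'."""
    words = ["admin", "robots", "images", ".htaccess", ".git", "index"]
    hits = fuzz("http://target.example/FUZZ", words, extensions=[".txt", ".php"],
                fc=[404], fr=r"/\..*" if filter_dotfiles else None)
    return [h.word for h in hits]

def demo_parameter_names() -> List[str]:
    """Which query parameter does the endpoint react to? -fw drops the 9-word
    default page of the constructed endpoint (the notes' -fw 39 was their target's)."""
    hits = fuzz("http://target.example/sqli-labs/Less-1/?FUZZ=1",
                ["user", "page", "id", "q"], fw=[9])
    return [h.word for h in hits]

def demo_parameter_values() -> List[str]:
    """Value brute-force as with `for i in ...; done | ffuf -w -`: the generator
    stands in for the shell loop on stdin; the 3-word 'No such user' page is dropped."""
    values = (str(i) for i in range(0, 6))
    hits = fuzz("http://target.example/sqli-labs/Less-1/?id=FUZZ", values, fw=[3])
    return [h.word for h in hits]

if __name__ == "__main__":
    print("index extension:", demo_index_extension())
    print("directories:", demo_directories(False))
    print("directories, dot-files filtered:", demo_directories(True))
    print("parameter names:", demo_parameter_names())
    print("parameter values:", demo_parameter_values())
```

Running it shows the point of each filter: every filter works on a measurable property of the response (status, byte size, word count, body pattern), so the right filter value always comes from looking at what the noise responses have in common first. It also shows the trap from the -fc note: demo_directories(True) hides the dot-file 403s on purpose, and blindly adding fc=[403] would hide the same restricted files that are often the interesting ones.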
