to ffuf or not to ffuf

...or how to shoot web servers with a shit-ton of requests



HajySec 2020 / @joohoi

whoami

Joona Hoikkala

  • @joohoi (everywhere on the interwebs)
  • Backend dev / sysadmin for almost two decades
  • Open source stuff: acme-dns, ffuf, certbot

fhat fs fuzzing?

Fuzz testing means sending unexpected or malformed data to a program in order to get it to produce (un)expected results.

For the web, it's often used as a catch-all term for things like resource discovery, credential brute forcing, API mapping, etc.

Usually refers to black box testing.

What goes in?

  • Wordlists: common filenames, passwords, paths
  • Generated: input generated by mutators like radamsa or just random() from /dev/urandom
  • Files: whatever the target application is supposed to handle, commonly images, archives, xml

Input content

  • Password lists, user lists
  • Known API paths
  • Common resource paths, parameter names and values
  • Mutations of valid input data

Common targets

  • GET parameters: names, values or both
  • Headers: Host, authentication, cookies, proxy headers...
  • POST data: form data, JSON, files...

What to look for (matching)

  • Response codes
  • Content ( regexes \o/ )
  • Response sizes (bytes, # of words)
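The same signals read from the server side: an added example, not code from the talk or from ffuf, that scans combined-format access-log lines for the traffic pattern the demos below produce (a burst from one client answered mostly 40x, or one POST endpoint hit over and over) and treats ffuf's stock User-Agent as a weak extra signal. The log format, thresholds and sample lines are constructed for the example, and the version suffix in the User-Agent is assumed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
# Apache/nginx "combined" access-log format; regex, thresholds and sample data are this example's own.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format entry; skip it
    r = m.groupdict()
    r["ts"] = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z")
    r["status"] = int(r["status"])
    return r

def flag_fuzzing(lines, window_s=60, min_requests=20, min_ratio=0.8):
    """Return {client_ip: [reasons]} for clients whose burst looks like wordlist fuzzing."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        n, span = len(recs), (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        reasons = []
        if n >= min_requests and span <= window_s:
            # Resource discovery: guessed paths mostly come back 401/403/404.
            miss = sum(r["status"] in (401, 403, 404) for r in recs) / n
            if miss >= min_ratio:
                reasons.append(f"{n} requests in {span:.0f}s, {miss:.0%} answered 40x")
            # Credential brute force: one POST endpoint hammered with the same form.
            posts = Counter(r["path"] for r in recs if r["method"] == "POST")
            if posts and posts.most_common(1)[0][1] / n >= min_ratio:
                reasons.append(f"{n} POSTs to {posts.most_common(1)[0][0]} in {span:.0f}s")
        # ffuf's stock User-Agent shows up unless the operator overrides it with -H (weak signal).
        if any("Fuzz Faster U Fool" in r["ua"] for r in recs):
            reasons.append("default ffuf User-Agent")
        if reasons:
            findings[ip] = reasons
    return findings
def _line(ip, sec, method, path, status, size, ua):
    return f'{ip} - - [10/Mar/2020:12:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" {status} {size} "-" "{ua}"'
# Constructed sample traffic: a path-discovery burst, a login brute-force burst and one normal visitor.
FFUF_UA = "Fuzz Faster U Fool v1.0.2"  # version suffix made up for the sample
SAMPLE_LOG = (
    [_line("203.0.113.5", i, "GET", f"/{w}", 404, 153, FFUF_UA) for i, w in enumerate(["admin", "backup", "old", "test"] * 6)]
    + [_line("198.51.100.7", i, "POST", "/login.php", 200, 512, "curl/7.68.0") for i in range(25)]
    + [_line("192.0.2.9", s, "GET", p, 200, 900, "Mozilla/5.0") for s, p in ((5, "/"), (7, "/style.css"))]
)
```

Tune the thresholds to your own traffic; a busy API client can legitimately exceed 20 requests a minute, which is why the 40x ratio and the single-endpoint POST ratio carry the decision rather than the rate alone.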

Available tools

  • Burp Suite
  • OWASP ZAP
  • dirb
  • dirbuster
  • wfuzz
  • gobuster
  • ...ffuf

Why yet another?


                 /'___\  /'___\           /'___\       
                /\ \__/ /\ \__/  __  __  /\ \__/       
                \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
                 \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
                  \ \_\   \ \_\  \ \____/  \ \_\       
                   \/_/    \/_/   \/___/    \/_/ 
           
  • Fast!
  • Flexible
  • Reliable
  • Interoperable filters/matchers
  • Small footprint & easy to deploy
  • Can be used in CI automation
  • Autocalibration
  • Feature complete

Demo time

Resource discovery

ffuf -w "/path/to/wordlist" -u "https://ffuf.io.fi/FUZZ" -t 100 -c

Password bruteforcing

ffuf -c -X POST -H "Content-Type: application/x-www-form-urlencoded" \
     -d "username=joohoi&password=FUZZ" -w passwords.txt \
     -u "https://ffuf.io.fi/login.php" -fr "error"

Multiple wordlists

(and HTTP Basic auth bruteforcing)

ffuf -c -w "users.txt:USER" -w "passwords.txt:PASS" \
    -u "https://USER:PASS@ffuf.io.fi/secure/" -fc 401

Virtualhost discovery

ffuf -c -w SecLists/Discovery/DNS/fierce-hostlist.txt \
     -H "Host: FUZZ.ffuf.io.fi" -t 1000 -u "http://ffuf.io.fi/"

GET parameter fuzzing

seq 1 10000 > numbers.txt && \
ffuf -c -w "numbers.txt" -u "https://ffuf.io.fi/content.php?id=FUZZ"

What the fuzz?

Enter the mutator!

Using Radamsa to mutate valid inputs.

ffuf -c --input-cmd 'radamsa --seed $FFUF_NUM valid1.txt valid2.txt' \
     -X POST -H "Content-Type: application/json" -t 100 \
     -u https://auth.acme-dns.io/register -d 'FUZZ' -mc all

Pre-generating mutations

radamsa -n 100 -o %n.txt valid1.txt valid2.txt 

# Now we should have 100 files with different payloads

ffuf -c --input-cmd 'cat $FFUF_NUM.txt' \
     -X POST -H "Content-Type: application/json" -t 100 \
     -u https://auth.acme-dns.io/register -d 'FUZZ' -mc all

Parse config from raw HTTP request

Save the raw request from the browser, Burp, etc.

▶ cat req.txt
GET / HTTP/1.1
Host: ffuf.io.fi
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
DNT: 1
Pragma: no-cache
Cache-Control: no-cache

And ffuf we go

ffuf -request "req.txt"

Advanced output: Burp

ffuf -w "/path/to/wordlist" -u "https://ffuf.io.fi/FUZZ" -t 100 -c \
    --replay-proxy "http://127.0.0.1:8080"

Advanced output: HTML report

ffuf -w "/path/to/wordlist" -u "https://ffuf.io.fi/FUZZ" -t 100 -c \
    -of html -o output.html

Advanced output: JSON

ffuf -w "/path/to/wordlist" -u "https://ffuf.io.fi/FUZZ" -t 100 -c \
    -of json -o output.json

Advanced output: raw

ffuf -w "/path/to/wordlist" -u "https://ffuf.io.fi/FUZZ" -c \
    -od raw_output

Thanks!

Resources from this talk

If you have questions or comments, you can contact me over Twitter, GitHub or CitySec Mattermost: @joohoi