diff --git a/README.md b/README.md index 7dc45a2..0e9f792 100644 --- a/README.md +++ b/README.md @@ -1,21 +1,77 @@ # ffuf - Fuzz Faster U Fool -A fast web fuzzer written in Go, allows fuzzing of URL and header values. +A fast web fuzzer written in Go. + +Heavily inspired by the great projects [gobuster](https://github.com/OJ/gobuster) and [wfuzz](https://github.com/xmendez/wfuzz). + +## Features + + - Fast! + - Allows fuzzing of HTTP header values, POST data, and different parts of URL, including GET parameter names and values + - Silent mode (`-s`) for clean output that's easy to use in pipes to other processes. + - Modularized architecture that allows integration with existing toolchains with reasonable effort + - Easy-to-add filters and matchers (they are interoperable) + +## Example cases + +### Typical directory discovery + +By using the FUZZ keyword at the end of URL (`-u`): + +``` +ffuf -w /path/to/wordlist -u https://target/FUZZ +``` + +### Virtual host discovery (without DNS records) + +Assuming that the default virtualhost response size is 4242 bytes, we can filter out all the responses of that size (`-fs 4242`)while fuzzing the Host - header: + +``` +ffuf -w /path/to/vhost/wordlist -u https://target -H "Host: FUZZ" -fs 4242 +``` + +### GET parameter fuzzing + +GET parameter name fuzzing is very similar to directory discovery, and works by defining the `FUZZ` keyword as a part of the URL. This also assumes an response size of 4242 bytes for invalid GET parameter name. + +``` +ffuf -w /path/to/paramnames.txt -u https://target/script.php?FUZZ=test_value -fs 4242 +``` + +If the parameter name is known, the values can be fuzzed the same way. This example assumes a wrong parameter value returning HTTP response code 401. + +``` +ffuf -w /path/to/values.txt -u https://target/script.php?valid_name=FUZZ -fc 401 +``` + +### POST data fuzzing + +This is a very straightforward operation, again by using the `FUZZ` keyword. This example is fuzzing only part of the POST request. We're again filtering out the 401 responses. + +``` +ffuf -w /path/to/postdata.txt -X POST -d "username=admin\&password=FUZZ" https://target/login.php -fc 401 +``` ## Usage + +To define the test case for ffuf, use the keyword `FUZZ` anywhere in the URL (`-u`), headers (`-H`), or POST data (`-d`). + ``` Usage of ./ffuf: -H value Header name and value, separated by colon. Multiple -H flags are accepted. -X string HTTP method to use. (default "GET") + -c Colorize output. + -d string + POST data. -fc string Filter HTTP status codes from response -fs string Filter HTTP response size -k Skip TLS identity verification (insecure) -mc string - Match HTTP status codes from respose (default "200,204,301,302,307") + Match HTTP status codes from respose (default "200,204,301,302,307,401") -ms string Match HTTP response size -s Do not print additional information (silent mode) @@ -30,4 +86,16 @@ eg. `ffuf -u https://example.org/FUZZ -w /path/to/wordlist` ## Installation -Either download a prebuilt binary from Releases page or install [Go 1.9 or newer](https://golang.org/doc/install). and build the project with `go get && go build` + - [Download](https://github.com/ffuf/ffuf/releases/latest) a prebuilt binary from [releases page](https://github.com/ffuf/ffuf/releases/latest), unpack and run! + or + - If you have go compiler installed: `go get github.com/ffuf/ffuf` + +## TODO + - Tests! + - Filters: word count, regex + - Option to follow redirects + - Optional scope for redirects + - Client / server architecture to queue jobs and fetch the results later + - Fuzzing multiple values at the same time + - Output module for file writing in different formats: csv, json + - Output module to push the results to an HTTP API