Attacking Web Apps with Ffuf


📖 Overview

Directory and parameter fuzzing with ffuf.

📋 Cheatsheet

Directory Fuzzing

ffuf -u http://10.10.10.5/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt # Basic directory fuzzing

Extension Fuzzing

ffuf -u http://10.10.10.5/indexFUZZ -w extensions.txt # Fuzz file extensions

Parameter Fuzzing

ffuf -u http://10.10.10.5/page?FUZZ=value -w params.txt # Fuzz GET parameters

Subdomain / Vhost Fuzzing

ffuf -u http://domain.com -w subdomains.txt -H 'Host: FUZZ.domain.com' # Fuzz virtual hosts: keep the URL fixed so FUZZ is only substituted in the Host header

Filters

-fc 404    # Filter out 404 responses
-fs 0      # Filter out responses with size 0
-fw 10     # Filter out responses with 10 words
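Seen from the server side, the commands above show up as a burst of requests for paths that do not exist, and that is the signal a defender watches for. The following is an added example, not part of this cheatsheet and not ffuf's own code: it parses combined-format access log lines and flags source IPs whose 404 count inside a sliding time window reaches a threshold. The log lines, IP addresses, window and threshold values are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [time] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) ')

def parse_line(line):
    """Parse one combined-format line; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"), "status": int(m.group("status"))}

def find_fuzzers(lines, window=60, threshold=20):
    """Map each source IP whose 404 count within any `window`-second span reaches
    `threshold` to (404s in its busiest window, distinct paths in that window)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            by_ip[rec["ip"]].append(rec)
    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = (0, 0), 0          # (count, window start index)
        for end in range(len(recs)):
            # advance the window start until it spans at most `window` seconds
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start)
        if best[0] >= threshold:
            paths = {r["path"] for r in recs[best[1]:best[1] + best[0]]}
            hits[ip] = (best[0], len(paths))
    return hits

def sample_log():
    """Constructed sample: 10.0.0.7 bursts 25 distinct-path 404s in 5 seconds (a wordlist run);
    10.0.0.8 browses normally and hits one stale link."""
    fmt = ('{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "GET {path} HTTP/1.1" '
           '{status} {size} "-" "Mozilla/5.0"')
    lines = [fmt.format(ip="10.0.0.7", sec=i // 5, path=f"/w{i}", status=404, size=196)
             for i in range(25)]
    lines += [fmt.format(ip="10.0.0.8", sec=s, path=p, status=st, size=1024)
              for s, p, st in [(1, "/", 200), (3, "/login", 200), (9, "/old", 404)]]
    return lines
```

The distinct-path count separates a wordlist run from a single broken link being reloaded; tune `window` and `threshold` to the site's normal 404 baseline.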

⚠️ Common Pitfalls

  • Running at too high a request rate
  • Incorrect filter settings

💡 Exam Survival Tips

  • Try multiple wordlists
  • Fuzz with extensions