
firefly's Introduction

firefly

</ Advantages | Features | Installation | Usage | Community >

Firefly is an advanced black-box fuzzer, not just a standard asset discovery tool. It tests a target with a large number of built-in checks to detect behaviors in the target.

Advantages

  • Heavy use of goroutines and internal hardware for great performance
  • Built-in engine that handles each task for "x" response results inductively
  • Highly customizable to handle more complex fuzzing
  • Filter options and request verification to avoid junk results
  • Friendly error and debug output
  • Built-in payloads (the default list is mixed with the wordlist from SecLists)
  • Payload tampering and encoding functionality

Features


Installation

go install -v github.com/Brum3ns/firefly/cmd/firefly@latest

or

go get -v github.com/Brum3ns/firefly/cmd/firefly

Usage

Simple

firefly -h
firefly -u 'http://example.com/?query=FUZZ'

Advanced usage

Request

Different types of request input that can be used:

Basic

firefly -u 'http://example.com/?query=FUZZ' --timeout 7000

Request with different methods and protocols

firefly -u 'http://example.com/?query=FUZZ' -m GET,POST,PUT -p https,http,ws

Pipeline

echo 'http://example.com/?query=FUZZ' | firefly 

HTTP Raw

firefly -r '
GET /?query=FUZZ HTTP/1.1
Host: example.com
User-Agent: FireFly'

This will send the HTTP Raw and auto detect all GET and/or POST parameters to fuzz.

firefly -r '
POST /?A=1 HTTP/1.1
Host: example.com
User-Agent: Firefly
X-Host: FUZZ

B=2&C=3' -au replace

Request Verifier

The request verifier is the most important part. This feature lets Firefly learn the core behavior of the target you fuzz. It is important to favor quality over quantity: more verify requests lead to better quality at the cost of internal hardware performance (depending on your hardware).

firefly -u 'http://example.com/?query=FUZZ' -e 

Payloads

Payloads can be highly customized, and with a good core wordlist it is possible to fully adapt the payload wordlist within Firefly itself.

Payload debug

Display the format of all payloads and exit

firefly -show-payload

Tampers

List all available tampers

firefly -list-tamper

Tamper all payloads with the given type (more than one can be used, separated by commas)

firefly -u 'http://example.com/?query=FUZZ' -e s2c

Encode

firefly -u 'http://example.com/?query=FUZZ' -e hex

Hex then URL encode all payloads

firefly -u 'http://example.com/?query=FUZZ' -e hex,url

Payload regex replace

firefly -u 'http://example.com/?query=FUZZ' -pr '\([0-9]+=[0-9]+\) => (13=(37-24))'

The payloads

' or (1=1)-- -
" or(20=20)or "

will result in

' or (13=(37-24))-- -
" or(13=(37-24))or "

where the => (with spaces) indicates the "replace to" part.
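As an added example (not Firefly's own code), the following Go program shows how a -pr "pattern => replacement" rule and an -e encoder chain such as hex,url compose, using the payloads quoted above. The names ParseReplaceRule and TransformPayload are assumptions; the replacement text is inserted literally, so a "$" in it is not expanded.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// ParseReplaceRule parses a "-pr 'pattern => replacement'" rule: the text before
// the first " => " (spaces included) is compiled as a regex, the rest is the replacement.
func ParseReplaceRule(rule string) (*regexp.Regexp, string, error) {
	parts := strings.SplitN(rule, " => ", 2)
	if len(parts) != 2 {
		return nil, "", fmt.Errorf("rule %q: missing ' => ' separator", rule)
	}
	re, err := regexp.Compile(parts[0])
	if err != nil {
		return nil, "", err
	}
	return re, parts[1], nil
}

// TransformPayload applies the regex rule (re may be nil), then each encoder in chain in order.
func TransformPayload(payload string, re *regexp.Regexp, repl string, chain []string) (string, error) {
	out := payload
	if re != nil { // literal replacement: "$" in repl is not expanded
		out = re.ReplaceAllLiteralString(out, repl)
	}
	for _, name := range chain {
		switch strings.ToLower(strings.TrimSpace(name)) {
		case "hex": // "hex,url" therefore hex-encodes first and URL-encodes the hex string
			out = hex.EncodeToString([]byte(out))
		case "url":
			out = url.QueryEscape(out)
		default:
			return "", fmt.Errorf("unknown encoder %q", name)
		}
	}
	return out, nil
}

func main() {
	re, repl, _ := ParseReplaceRule(`\([0-9]+=[0-9]+\) => (13=(37-24))`)
	for _, p := range []string{`' or (1=1)-- -`, `" or(20=20)or "`} { // payloads from the page
		plain, _ := TransformPayload(p, re, repl, nil)
		enc, _ := TransformPayload(p, re, repl, []string{"hex", "url"})
		fmt.Printf("%s -> %s -> %s\n", p, plain, enc)
	}
}
```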

Filters

Filter options to filter out or match responses that meet a given rule.

Filter response to ignore (filter) status code 302 and line count 0

firefly -u 'http://example.com/?query=FUZZ' -fc 302 -fl 0

Filter responses to include (match) regex, and status code 200

firefly -u 'http://example.com/?query=FUZZ' -mr '[Ee]rror (at|on) line \d' -mc 200
firefly -u 'http://example.com/?query=FUZZ' -mr 'MySQL' -mc 200
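As an added example (not Firefly's own code), this Go program models how the -fc/-fl filter options and the -mc/-mr match options above combine: a response is dropped if any filter rule hits, and is kept only if every match rule that is set holds. The Rules type, Keep function and the sample responses are constructed for the example.

```go
package main
import (
	"fmt"
	"regexp"
	"strings"
)

// Rules holds the four options used on the page: -fc and -fl drop a
// response, -mc and -mr keep only responses that satisfy them.
type Rules struct {
	FilterCodes []int          // -fc
	FilterLines []int          // -fl
	MatchCodes  []int          // -mc
	MatchRegex  *regexp.Regexp // -mr, nil means no regex required
}

func containsInt(xs []int, v int) bool {
	for _, x := range xs {
		if x == v {
			return true
		}
	}
	return false
}

// lineCount counts newline-separated lines; an empty body has 0 lines.
func lineCount(body string) int {
	if body == "" {
		return 0
	}
	return len(strings.Split(strings.TrimRight(body, "\n"), "\n"))
}

// Keep reports whether a response is shown: no filter rule may hit and
// every match rule that is set must hold.
func Keep(status int, body string, rules Rules) bool {
	if containsInt(rules.FilterCodes, status) || containsInt(rules.FilterLines, lineCount(body)) {
		return false
	}
	if len(rules.MatchCodes) > 0 && !containsInt(rules.MatchCodes, status) {
		return false
	}
	return rules.MatchRegex == nil || rules.MatchRegex.MatchString(body)
}

func main() {
	// Constructed sample replies; the regex is the one used on the page.
	sqli := Rules{MatchCodes: []int{200}, MatchRegex: regexp.MustCompile(`[Ee]rror (at|on) line \d`)}
	fmt.Println(Keep(200, "Warning: error at line 3\n", sqli), Keep(302, "", sqli))
}
```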

Performance

Performance and time delays to use for the request process

Threads / Concurrency

firefly -u 'http://example.com/?query=FUZZ' -t 35

Time delay in milliseconds (ms) for each concurrency

firefly -u 'http://example.com/?query=FUZZ' -t 35 -dl 2000

Wordlists

Wordlists that contain the payloads can be added separately or extracted from a given folder

Single Wordlist with its attack type

firefly -u 'http://example.com/?query=FUZZ' -w wordlist.txt:fuzz

Extract all wordlists inside a folder. The attack type depends on the filename suffix <type>_wordlist.txt

firefly -u 'http://example.com/?query=FUZZ' -w wl/

Example

Wordlist names inside the folder wl:

  1. fuzz_wordlist.txt
  2. time_wordlist.txt

Output

JSON output is strongly recommended, because you can use the jq tool to navigate through the results and compare them.

(If Firefly is pipeline chained with other tools, standard plaintext may be a better choice.)

Simple plaintext output format

firefly -u 'http://example.com/?query=FUZZ' -o file.txt

JSON output format (recommended)

firefly -u 'http://example.com/?query=FUZZ' -oJ file.json

Community

Everyone in the community is welcome to suggest new features and improvements and/or add new payloads to Firefly. Just make a pull request or add a comment with your suggestions!


firefly's Issues

panic: runtime error: slice bounds out of range [1:0]

I tried to run this command and got the error below

firefly -u "http://testphp.vulnweb.com/redir.php?r=https://x.com"

panic: runtime error: slice bounds out of range [1:0]

goroutine 40 [running]:
github.com/Brum3ns/firefly/pkg/request.worker.request({_, _, _, _}, {0x1, 0x0, {0xc0000cc020, 0x20}, {0x7ae58a, 0x6}, ...})
/home/g/go/pkg/mod/github.com/!brum3ns/[email protected]/pkg/request/request.go:145 +0x9a7
github.com/Brum3ns/firefly/pkg/request.worker.spawnRequestWorker.func1()
/home/g/go/pkg/mod/github.com/!brum3ns/[email protected]/pkg/request/handler.go:171 +0x11e
created by github.com/Brum3ns/firefly/pkg/request.worker.spawnRequestWorker
/home/g/go/pkg/mod/github.com/!brum3ns/[email protected]/pkg/request/handler.go:163 +0xcb

Error on first usage

I've just installed firefly using

go install -v github.com/Brum3ns/firefly/cmd/firefly@latest

Then I tried the tool with

firefly -u 'http://example.com/?query=FUZZ'

and I got:

...
________________________________________________________________ 

[INF] Grep Wordlist[s] setup in process
2023/02/11 11:41:06 [FAI] open db/yml/transformation.yml: no such file or directory

A fix could be to install the database in the .config directory (only on Linux) if it's the first time running the tool or the db is missing.
Or, if the database is not too big, it could be possible to transform the txt and yaml files into Go files exporting global variables (a map or a list, for example); this completely avoids the "installation" part mentioned before, which would be different for each OS.

panic: runtime error: invalid memory address or nil pointer dereference

Hello,

Tested on Kali Linux (last update).

└─$ go install -v github.com/Brum3ns/firefly/cmd/firefly@latest                                                                        1 ⨯
go: downloading github.com/Brum3ns/firefly v0.0.0-20230211164014-eb164ddd0dbf
github.com/Brum3ns/firefly/pkg/firefly/types
github.com/Brum3ns/firefly/pkg/functions/globalVariables
github.com/Brum3ns/firefly/pkg/storage
github.com/Brum3ns/firefly/pkg/design
github.com/Brum3ns/firefly/pkg/functions
github.com/Brum3ns/firefly/pkg/output
github.com/Brum3ns/firefly/pkg/firefly/prepare
github.com/Brum3ns/firefly/pkg/firefly/technique
github.com/Brum3ns/firefly/pkg/parse
github.com/Brum3ns/firefly/pkg/runner
github.com/Brum3ns/firefly/cmd/firefly
└─$ ./firefly -u 'https://URL/FUZZ' 

  ___ _          __ _      
 | __(*)_ _ ___ / _| |_  __ 
 | _|| | '_/ -_)  _| | \/ /
 |_| |_|_| \___|_| |_|\, /
                      /_/  

  By: YesWeHack/Brumens          v1.0
 
[!] Stay ethical. The creator of the tool is not responsible for any misuse or damage.
________________________________________________________________ 

[INF] Grep Wordlist[s] setup in process
[OK] Configuration completed
[INF] Verify target behaviour: 100%
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0x559e6b6a727e]

goroutine 346 [running]:
github_0com_1Brum3ns_1firefly_1pkg_1runner.ReqTemplate
        /home/user/PWN/WEB/firefly/pkg/runner/request.go:116
github_0com_1Brum3ns_1firefly_1pkg_1runner.Request
        /home/user/PWN/WEB/firefly/pkg/runner/request.go:128
created by github_0com_1Brum3ns_1firefly_1pkg_1runner.New
        /home/user/PWN/WEB/firefly/pkg/runner/runner.go:87 +0x4c5

Add support for an http proxy

Hello mate and great work!

Could you please add proxy support to the tool, so that we can see the requests via burp suite or other tools?

Wrong db installation path

installed using

go install -v github.com/Brum3ns/firefly/cmd/[email protected]

executed

firefly

got

   / __7 o          / _7/¯7  
  / _7 /¯7 /¯_7¯-_)/ _7/ /\¯\/7
 /_/  /_/ /_/ \__7/_/ /_/  ) /
                          /_/
                                (v1.1.0)
   By: @yeswehack : Brumens
[INF]  The 'db' folder containing all the resources for Firefly to work will be stored at: /home/edoardottt/.config/firefly//db/ 
[INPUT] Write "ok" to confirm:

How to fix it?

┌──(kali㉿kali)-[~]
└─$ go install -v github.com/Brum3ns/firefly/cmd/firefly@latest
runtime/internal/sys
# runtime/internal/sys
/usr/local/go/src/runtime/internal/sys/consts.go:13:7: StackGuardMultiplier redeclared in this block
        /usr/local/go/src/runtime/internal/sys/arch.go:27:7: other declaration of StackGuardMultiplier
/usr/local/go/src/runtime/internal/sys/consts.go:16:7: DefaultPhysPageSize redeclared in this block
        /usr/local/go/src/runtime/internal/sys/arch.go:36:7: other declaration of DefaultPhysPageSize
/usr/local/go/src/runtime/internal/sys/consts.go:20:7: PCQuantum redeclared in this block
        /usr/local/go/src/runtime/internal/sys/arch.go:40:7: other declaration of PCQuantum
/usr/local/go/src/runtime/internal/sys/consts.go:23:7: Int64Align redeclared in this block
        /usr/local/go/src/runtime/internal/sys/arch.go:43:7: other declaration of Int64Align
/usr/local/go/src/runtime/internal/sys/consts.go:30:7: MinFrameSize redeclared in this block
        /usr/local/go/src/runtime/internal/sys/arch.go:50:7: other declaration of MinFrameSize
/usr/local/go/src/runtime/internal/sys/consts.go:34:7: StackAlign redeclared in this block
        /usr/local/go/src/runtime/internal/sys/arch.go:54:7: other declaration of StackAlign
                                                                             
┌──(kali㉿kali)-[~]
└─$ git clone https://github.com/Brum3ns/firefly.git
cd firefly/
go build cmd/firefly.go
./firefly -h
fatal: destination path 'firefly' already exists and is not an empty directory.
# runtime/internal/sys
/usr/local/go/src/runtime/internal/sys/consts.go:13:7: StackGuardMultiplier redeclared in this block
        /usr/local/go/src/runtime/internal/sys/arch.go:27:7: other declaration of StackGuardMultiplier
/usr/local/go/src/runtime/internal/sys/consts.go:16:7: DefaultPhysPageSize redeclared in this block
        /usr/local/go/src/runtime/internal/sys/arch.go:36:7: other declaration of DefaultPhysPageSize
/usr/local/go/src/runtime/internal/sys/consts.go:20:7: PCQuantum redeclared in this block
        /usr/local/go/src/runtime/internal/sys/arch.go:40:7: other declaration of PCQuantum
/usr/local/go/src/runtime/internal/sys/consts.go:23:7: Int64Align redeclared in this block
        /usr/local/go/src/runtime/internal/sys/arch.go:43:7: other declaration of Int64Align
/usr/local/go/src/runtime/internal/sys/consts.go:30:7: MinFrameSize redeclared in this block
        /usr/local/go/src/runtime/internal/sys/arch.go:50:7: other declaration of MinFrameSize
/usr/local/go/src/runtime/internal/sys/consts.go:34:7: StackAlign redeclared in this block
        /usr/local/go/src/runtime/internal/sys/arch.go:54:7: other declaration of StackAlign
zsh: no such file or directory: ./firefly
                                                                             
┌──(kali㉿kali)-[~/firefly]
└─$ 

thx
