curl -s "https://www.facebook.com/" | wc -c
142767

curl -s "https://www.facebook.com/" | wc -c
142720

• Sometimes response lengths can by dynamic, is there any way to set an offset value along with -fc filter to filter the response lengths with an offset value.

• This will be problematic for both parameter fuzzing & Vhost fuzzing.

it would be very useful if you added an optional parameter to show redirection location for 30x responses

Example

domain.com    [Status: 301, Size: 0, Words: 1] -> /wordpress/blog

It is kinda hard to read when there is long lines :)

Great tool! The fastest I've tried for directory bruting.

One request I'd like to make is a check for every response returning a 403. I've seen other tools do is if almost every response is a 403, then they quit with a warning instead of going through the entire wordlist.

if the input is ffuf -u example.com it should test both http and https :)

The regex filtering currently matches only against the response body, make it match response headers as well.

First off, I love this tool. It is awesome. My only feature request: instead of printing "Error in runner: Get <url> ...read: connection reset by peer" and "Client.Timeout exceeded" errors, retry the attack and mark an 'error' counter with the status line. This will keep from dropping tests due to an overloaded server, and keep the output somewhat cleaner.

Hi there,

Thank you for working on ffuf, it's an exciting tool! I am not sure if I am missing something, but it appears that ffuf needs the FUZZ keyword in the POST data to be defined when giving it data with -input-cmd which I guess makes sense:

If I also supply -d "FUZZ" in the arguments and intercept the requests, all of them are blank. It seems that -data doesn't play along with -input-cmd I believe.

Additionally, what advantage does -input-cmd offer over just creating multiple fuzz payloads with radamsa and appending them to a file and using this with -w?

PS: I tried from both Linux/Windows boxes, but only intercepted on Windows using PowerShell. Manually testing my -input-cmd command reads the file's content fine.

Hi,

while running ffuf to fuzz for virtual-hosts for one of the URL it is giving error

Error in runner: Get https://www.domain.com/: EOF

Command running with:

./ffuf -k -c -t 10 -mc 200 -w ./wordlist.txt -H 'Host: FUZZ.domain.com' -u https://www.domain.com/ 

Things I have tried:

1. Using smaller wordlist
2. Lowering thread counts
3. Trying other fuzzing like parameter for same host

It is just failing for virtual-hosts fuzzing for this URL only.

Thanks

Hi,
As I understood, the current behavior on scpecifying multiple filter options is to filter if a one of them is true for a response, but is there any way to filter only if all the specifed filters are true?

For example, if I specify both -fc 200 and -fs 0, I would not see in results responses with the 200 status code and any content-length and responses with 0 content-length and any status code.
But what if I need to filter only responses where status code is 200 AND content-length is 0? I cannot find such option.

first of all you are doing an amazing tool here, second it would be a huge pros if you add argument for brute forcing a list of urls (domains) along side with -u for just single domain .

If -l option is chosen, the output will be included them. At present, ffuf just print it in stdout.

Hi joohoi,

ffuf doesn't stop on receiving 429 status code for probes.
I my opinion the -sa flag should also look for 429 status codes and if there are x number of time its repeated then stop the probes.

This is how I am using the ffuf

./ffuf -sa -mc all -fc 400,405,406,418,444,500,501,502,503,504,508,520 -ac -c -l -k -r -w untitled.txt -u https://signup.example.com/FUZZ

POST /reflected/parameter/body HTTP/1.1
Host: public-firing-range.appspot.com
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: none
Referer: https://public-firing-range.appspot.com/reflected/index.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 20

q=xxxxxxxxxxxxxxxxxx

• Response

<html>
  <body>
    xxxxxxxxxxxxxxxxxx
  </body>
</html>

ffuf -w w -u https://public-firing-range.appspot.com/reflected/parameter/body -X POST -d 'FUZZ=xxxxx'

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v0.11git
________________________________________________

 :: Method       : POST
 :: URL          : https://public-firing-range.appspot.com/reflected/parameter/body
 :: Matcher      : Response status: 200,204,301,302,307,401,403
________________________________________________

sdgs                    [Status: 200, Size: 38, Words: 9]
q                       [Status: 200, Size: 38, Words: 9]
dsagds                  [Status: 200, Size: 38, Words: 9]
dsgdsg                  [Status: 200, Size: 38, Words: 9]
:: Progress: [4/4] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::


# cat w
dsagds
dsgdsg
q
sdgs

I suggest you add the possibility of tracking the directories and guessing on them after the completion of the main place

Like This :

ffuf -w list.txt -u https://Site.com/FUZZ -fc 403 
......
�[2Kadmin              [Status: 301, Size: 413, Words: 46]
�[2Kuploads              [Status: 301, Size: 414, Words: 46]

.....

When this complete The Ffuf Automatically Will Brute force On /admin/ And /uploads/

Idk, it can be dangerous you know 🚀

all on the title :)

#featurerequest

Is there a simple way to filter out responses with N <= size <= M ?

Hello! When using the awesome -ac option, it seems to ignore 301s and 302s. They don't get added to the filters. As an example, I made a sample wordlist with:

test1
admin
stuff
othertest

Running this against http://www.irccloud.com (which has a public bounty program) returns:

ffuf -w /tmp/wordlist.txt -u http://www.irccloud.com/FUZZ -ac -x http://127.0.0.1:8080

othertest               [Status: 301, Size: 0, Words: 1]
test1                   [Status: 301, Size: 0, Words: 1]
stuff                   [Status: 301, Size: 0, Words: 1]
admin                   [Status: 301, Size: 0, Words: 1]
:: Progress: [4/4] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::

In the proxy, I also see the three calibration requests, and they all return 301 with the same size and words as well. I'm going to poke around in the source a bit and see if I can figure out a fix, but go is definitely not my strongpoint!

Faced this error so many-many-many times during scans:
:: Progress: [1499/1000000] :: 53 req/sec :: Duration: [0:00:28] :: Errors: 94 ::2019/06/14 23:06:37 Unsolicited response received on idle HTTP channel starting with "HTTP/1.0 408 Request Time-out\nCache-Control: no-cache\nConnection: close\nContent-Type: text/html\n\n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\">\n<html>\n<head>\n\t<title>Down for Maintenance 408</title>\n\t<meta name=\"viewport\" content=\"initial-scale=1.0, width=device-width, maximum-scale=1.0, user-scalable=no\" />\n\t<script src=\"//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js\"></script>\n\t<link rel=\"stylesheet\" type=\"text/css\" href=\"//ds.phncdn.com/www-static/css/maintenance.css?cache=2017072823\" />\n\n <script type=\"text/javascript\">\n (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){\n (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),\n m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)\n })(window,document,'script','//www.google-analytics.com/analytics.js','ga');\n ga('create', 'UA-2623535-1', 'pornhub.com');\n ga('require', 'displayfeatures');\n ga('send', 'pageview');\n </script>\n</head>\n<body>\n\t<div id=\"PornhubNetworkBar\"></div>\n\t<div id=\"maintenancePageResponsive\">\n\t\t<div class=\"titleMaintenance clearfix\">\n\t\t\t<div class=\"topContainer clearfix\">\n\t\t\t\t<div class=\"phImage\"><img src=\"//ds.phncdn.com/www-static/images/pornhub_logo.png?cache=2017072823\" /></div>\n\t\t\t\t<div class=\"textMaintenance\"><h1>Is undergoing maintenance</h1></div>\n\t\t\t</div>\n\t\t</di"; err=<nil>

Hi!

Thanks for developing such a great tool. Would be great to support multiple proxies, as wfuzz does for example.

Not sure how complex would be, but HTTP and SOCKS5 proxies and cycling each request by a different proxy would be great.

I did not many tests to confirm this but seems that filter regex or match regex only apply to response body/content.

Is there anything stopping from at least, filtering also header responses?

Also, would be interesting to use headers size, since this is currently filtering Content-Length.

Thanks!

:)

Ffuf does not write to the designated output file unless the command finishes.

Considering wordlists can be rather large and canceling them before completion is a regular thing, the tool should write the output file as it runs, in case something happens and the command is unable to finish.

Pre-scan

1. Request: admin$RANDSTR$/ .htaccess$RANDSTR$ $RANDSTR$/
2. Auto-set -fw and -fs according to the results from the requests above

Would it be possible to support multiple wordlists, like wfuzz does ?

The syntax is -w wordlist1.txt -w worlist2.txt with the keywords FUZZ, FUZ2Z, FUZnZ..

It would be awesome to have a recursive option, with --recursive for example, with an option to specify the depth.
Every time we have a 200 response on a folder, ffuf would automatically scan the subfolders after the initial scan.

It will be very useful to have the ability to output not only words found, like
api about static
but full urls like
https://github.com/ffuf/ https://github.com/api/ https://github.com/about/
Because in saved csv-reports there is no scan query or so present, so it will be awesome to see full urls in every of hundreds of report-files saved, to see from what target it comes from.

Current logic

If resp.Status matches one of the statuses defined, the entry is valid (match-only)

Desired logic

If resp.Status does not match any of the blacklisted statuses, the entry is valid (match-all)

Sane defaults: 404,410,502,503

Hi @joohoi,

Thank you for working on this, just noticed this error for few times now with random targets.

ffuf -t 50 -fs 0 -k -mc 200 -w word.txt -u https://test.site.com/FUZZ

Error in runner: Get https://test.site.com//config/locales/ja.yml: dial tcp: lookup test.site.com on 10.1.94.9:53: dial udp 10.1.94.9:53: socket: too many open files
Error in runner: Get https://test.site.com//config/locales/simple_form.en.yml: dial tcp: lookup test.site.com on 10.1.94.9:53: dial udp 10.1.94.9:53: socket: too many open files
Error in runner: Get https://test.site.com//config/newrelic.yml: dial tcp: lookup test.site.com on 10.1.94.9:53: dial udp 10.1.94.9:53: socket: too many open files
Error in runner: Get https://test.site.com//configuration.php.save: dial tcp: lookup test.site.com on 10.1.94.9:53: dial udp 10.1.94.9:53: socket: too many open files
Error in runner: Get https://test.site.com//configs/: dial tcp: lookup test.site.com on 10.1.94.9:53: dial udp 10.1.94.9:53: socket: too many open files
Error in runner: Get https://test.site.com//configuration.jsp: dial tcp: lookup test.site.com on 10.1.94.9:53: dial udp 10.1.94.9:53: socket: too many open files
Error in runner: Get https://test.site.com//configuration.php: dial tcp: lookup test.site.com on 10.1.94.9:53: dial udp 10.1.94.9:53: socket: too many open files
Error in runner: Get https://test.site.com//configuration.php.bak: dial tcp: lookup test.site.com on 10.1.94.9:53: dial udp 10.1.94.9:53: socket: too many open files
Error in runner: Get https://test.site.com//configuration.php.dist: dial tcp: lookup test.site.com on 10.1.94.9:53: dial udp 10.1.94.9:53: socket: too many open files
Error in runner: Get https://test.site.com//configuration.php.old: dial tcp: lookup test.site.com on 10.1.94.9:53: dial udp 10.1.94.9:53: socket: too many open files
Error in runner: Get https://test.site.com//connect.php: dial tcp: lookup test.site.com on 10.1.94.9:53: dial udp 10.1.94.9:53: socket: too many open files
Error in runner: Get https://test.site.com//configuration.php.txt: dial tcp: lookup test.site.com on 10.1.94.9:53: dial udp 10.1.94.9:53: socket: too many open files
Error in runner: Get https://test.site.com//configuration.php~: dial tcp: lookup test.site.com on 10.1.94.9:53: dial udp 10.1.94.9:53: socket: too many open files
Error in runner: Get https://test.site.com//configuration/: dial tcp: lookup test.site.com on 10.1.94.9:53: dial udp 10.1.94.9:53: socket: too many open files
Error in runner: Get https://test.site.com//configure/: dial tcp: lookup test.site.com on 10.1.94.9:53: dial udp 10.1.94.9:53: socket: too many open files
Error in runner: Get https://test.site.com//conflg.php: dial tcp: lookup test.site.com on 10.1.94.9:53: dial udp 10.1.94.9:53: socket: too many open files
Error in runner: Get https://test.site.com//console/login/LoginForm.jsp: dial tcp: lookup test.site.com on 10.1.94.9:53: dial udp 10.1.94.9:53: socket: too many open files
Error in runner: Get https://test.site.com//console/: dial tcp: lookup test.site.com on 10.1.94.9:53: dial udp 10.1.94.9:53: socket: too many open files
Error in runner: Get https://test.site.com//content/: dial tcp: lookup test.site.com on 10.1.94.9:53: dial udp 10.1.94.9:53: socket: too many open files

It would be nice to have an feature similar to curl's --max-time option to bail out if ffuf has been running for more than N seconds.

how can I use -u flag with url "https://example.com?para1=test&FUZZ=test1".

Hi!

As a first stage, a simple parameter into .json output that takes the last line sent would be great to support resuming sessions.

In an ideal world, storing the captured data and being able to reprocess it as wfpayload does in wfuzz would be awesome.

I'm just writing ideas, don't expect anything to be implemented, I really appreciate what you guys are doing.

Thanks!

Hello,

It would be nice if ffuf would have an option to URL encode FUZZ input as many lists contain spaces or other special characters.

It could accept a list of characters to auto-URL encode for instance:

-url-encode " #&"

Hello Fuff Author, I just want to display and export requests with specified strings in the response. What should I write? Trying to use - Mr does not seem to work, and requests that do not contain a "test" string in the response are also shown.

This is the output of ffuf, anyone has any idea why it will act like this?

OS is ubuntu 18.04 vps

The output seems to be written at the end of the discovery, leading to a loss of data if the program is stopped manually.

Sometimes could be interesting to grep partial data and use it to readjust a new fuzzing session.

For now, an approach to don't loose findings is to split up in two steps using ffuf -s | tee output and then running < output | ffuf -w -.

Thanks :)!

Hi, I think It would be nice if you add DataTable (https://datatables.net/) for html output. We can use it to short Status code or find something.

Would it be possible to allow HTTP verb fuzzing with -X FUZZ ?

This feature would be awesome.

Thanks for your work.

Now calibration is made using randomstr/ but fails when FUZZ is in a non-directory context. E. g.

echo file.php | ffuf -u https://www/example.com/FUZZ -c -ac -w -                                                                        ✘ 1
Error in autocalibration, exiting: Get https://www/example.com/adminXVlBzgbaiCMRAjWw/: dial tcp: lookup www: Temporary failure in name resolution

Would be an improvement if -ac allows a list of calibrations, a command could be:

-ac 'adminXVlBzgbaiCMRAjWw/','adminXVlBzgbaiCMRAjWw.jWw','adminXVlBzgbaiCMRAjWw.php'

Or with multiple parameters:

-ac 'adminXVlBzgbaiCMRAjWw/' -ac 'adminXVlBzgbaiCMRAjWw.jWw' -ac 'adminXVlBzgbaiCMRAjWw.php'

Hey, when I run ffuf for some hosts I got the error showed below
Unfortunately I can't share the exaclty host.
When I run it without -ac flag I just get tons of error (error for each request)

./ffuf -c -k -w common.txt -mc all -mr ".* " -t 80 -u 'https://mydomain.omega.bf1.yahoo.com/FUZZ' -ac -k

Error in autocalibration, exiting: Get https://mydomain.omega.bf1.yahoo.com/adminXVlBzgbaiCMRAjWw/: x509: certificate is valid for *.media.yahoo.com, *.data.yahoo.com, *.fantasysports.yahoo.com, *.finance.yahoo.com, *.flurry.com, *.fp.yahoo.com, *.geo.yahoo.com, *.io.yahoo.net, maw.ouroath.com, *.maw.ouroath.com, *.media.yql.yahoo.com, *.mobile.yahoo.com, *.paas.ec.yahoo.com, *.protrade.com, *.publishing.oath.com, *.query.yahoo.com, *.query.yahooapis.com, *.search.yahoo.com, *.sports.yahoo.com, *.video.yahoo.com, *.yahoo.com, *.yql.yahoo.com, *.yql.yahooapis.com, *.canary1-bf1.media.yahoo.com, *.canary1-gq1.media.yahoo.com, *.canary1-ir2.media.yahoo.com, *.canary1-ne1.media.yahoo.com, *.canary1-sg3.media.yahoo.com, *.canary1-tp2.media.yahoo.com, *.canary1-tw1.media.yahoo.com, *.prod1-bf1.media.yahoo.com, *.prod1-gq1.media.yahoo.com, *.prod1-ir2.media.yahoo.com, *.prod1-ne1.media.yahoo.com, *.prod1-sg3.media.yahoo.com, *.prod1-tp2.media.yahoo.com, *.prod1-tw1.media.yahoo.com, *.alpha1-bf1.media.yahoo.com, *.beta1-bf1.media.yahoo.com, *.stage1-bf1.media.yahoo.com, actservices.oath.com, adspecs.oath.com, *.adspecs.oath.com, *.adspecs.yahoo.com, *.admanagerplus.yahoo-inc.com, admanagerplus.yahoo-inc.com, *.admanagerplus.yahoo.com, *.datatables.org, *.entertainment.yahoo.com, query.yahooapis.com, subs.communications.yahoo.com, *.virtualstudio.yahoo.com, *.yax.yahoo.com, *.yql.yimg.com, api.lps.cp.yahoo.com, *.vads.yahoo.com, *.developer.yahoo.com, ad.com, *.ad.com, *.ad.yahoo.com, adspecs.verizonmedia.com, *.adspecs.verizonmedia.com, *.verizonmedia.com, *.canary1-bf1.omega.yahoo.com, *.canary1-gq1.omega.yahoo.com, *.canary1-ir2.omega.yahoo.com, *.canary1-ne1.omega.yahoo.com, *.canary1-sg3.omega.yahoo.com, *.canary1-tp2.omega.yahoo.com, *.canary1-tw1.omega.yahoo.com, *.prod1-bf1.omega.yahoo.com, *.prod1-gq1.omega.yahoo.com, *.prod1-ir2.omega.yahoo.com, *.prod1-ne1.omega.yahoo.com, *.prod1-sg3.omega.yahoo.com, *.prod1-tp2.omega.yahoo.com, *.prod1-tw1.omega.yahoo.com, *.alpha1-bf1.omega.yahoo.com, *.beta1-bf1.omega.yahoo.com, *.stage1-bf1.omega.yahoo.com, *.test1-gq1.omega.yahoo.com, *.digits.vzbuilders.com, *.vzbuilders.com, *.v2-canary1-gq1.omega.yahoo.com, *.v2-canary1-bf1.omega.yahoo.com, *.v2-canary1-ne1.omega.yahoo.com, *.v2-canary1-ir2.omega.yahoo.com, *.v2-canary1-sg3.omega.yahoo.com, *.v2-canary1-tp2.omega.yahoo.com, *.v2-canary1-tw1.omega.yahoo.com, *.v2-prod1-gq1.omega.yahoo.com, *.v2-prod1-bf1.omega.yahoo.com, *.v2-prod1-ne1.omega.yahoo.com, *.v2-prod1-ir2.omega.yahoo.com, *.v2-prod1-sg3.omega.yahoo.com, *.v2-prod1-tp2.omega.yahoo.com, *.v2-prod1-tw1.omega.yahoo.com, *.tp.vzbuilders.com, *.mmi.vzbuilders.com, *.tripod.yahoo.com, not mydomain.omega.bf1.yahoo.com

Hi, I see you are just replacing %EXT%, some wordlists using %ext% too.

Thanks for your work, FFuF is now my favorite tool for Web discovery/fuzzing.

Would it be possible to allow -e without -D and %EXT% in the wordlist ?

I have the wordlist Web-Content/common.txt who doesn't contains extensions or %EXT%.
For exemple fuuf -w common.txt -e .php,.html -u https://target/FUZZ would test login.php and login.html.
And maybe implement -E who would try with and without the extension, so login.php, login.html AND login.

can you alter the order of column fields while saving in md format

FUZZ | URL | Redirectlocation | Position | Status Code | Content Length | Content Words | Content Lines |

this is the default order

Status Code | Content Length | Content Words | Content Lines | FUZZ | URL | Redirectlocation | Position |

if you change it into this the output will be more pretty as first 4 columns will be be straight and the structure will be more easier to look at.
Let me know what you think

Flag: -e, Default: (none)
Commandline: -e .aspx,.php,nodot
Generator logic (FUZZ = current entry from wordlist): /FUZZ /FUZZ.aspx /FUZZ.php /FUZZnodot

v0.9 (386 version) worked fine in Windows
v0.10 does not start

Program 'ffuf.exe' failed to run: Access is deniedAt line:1 char:1

Also it seems that since v0.10 Windows considers ffuf to be dangerous.