Search/Fuzz faster with FFUF

"Some content on websites is seemingly hidden: without knowing its address, we cannot access it. Often these are leftovers from the application's development stage that the developer was supposed to remove later, but forgot ¯\_(ツ)_/¯." That is a quote about DIRB. I mention it because, for me, DIRB has given way to a new, incredibly fast tool: FFUF. The principle of operation is the same: provide the URL and a dictionary, and you may find files or directories that should not be available. With any luck, you may also detect some kind of error or unusual server behavior.

A good dictionary that I use myself can be found here, and FFUF can be downloaded from its creators' GitHub.

It requires the Go (Golang) compiler to be installed. Under Linux you can install it with the command apt-get install golang. Now we can install ffuf with the command go get -u github.com/ffuf/ffuf.

Most often I use this tool with the -fl switch, which filters out server responses containing a given number of lines. This gets rid of false positives, in other words the generic server responses returned when a given file or directory does not exist. The -w switch gives the location of the dictionary, and -u the address of the tested page, with the word FUZZ inserted in the appropriate place. A ready-made sample command to run the tool looks like this:

./ffuf -w /root/starter.txt -u https://my127001.pl/FUZZ -fl 1
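Why a line-count filter such as -fl 1 removes the false positives, as an added Python example (not code from the original post or from the ffuf project). The responses are constructed, and the function names and the line-counting convention (newline-separated pieces) are assumptions.

```python
from collections import Counter

# Constructed sample of (path, status, body). This server answers 200 with a
# one-line generic page for paths that do not exist, so status alone is useless.
SAMPLE = [
    ("admin", 200, "Page not found"),
    ("backup.zip", 200, "Page not found"),
    ("index.php", 200, "<html>\n<body>\nHello\n</body>\n</html>\n"),
    ("test", 200, "Page not found"),
    ("old", 200, "<h1>Index of /old</h1>\n<a href=\"db.sql\">db.sql</a>\n"),
    ("robots.txt", 200, "Disallow: /private"),
    ("config", 200, "Page not found"),
]


def line_count(body):
    """Newline-separated pieces; a body without any newline counts as 1 (assumed)."""
    return len(body.split("\n"))


def baseline_lines(results):
    """Most common line count, taken as the generic 'does not exist' answer."""
    counts = Counter(line_count(body) for _, _, body in results)
    return counts.most_common(1)[0][0]


def filter_lines(results, fl):
    """Keep only responses whose line count differs from fl, like -fl does."""
    return [(p, s, line_count(b)) for p, s, b in results if line_count(b) != fl]


def masked(results, fl):
    """Paths dropped by the filter although their body is not the generic one."""
    dropped = [(p, b) for p, _, b in results if line_count(b) == fl]
    generic = Counter(b for _, b in dropped).most_common(1)[0][0]
    return [p for p, b in dropped if b != generic]


if __name__ == "__main__":
    fl = baseline_lines(SAMPLE)
    print("filter value:", fl)
    print("kept:", filter_lines(SAMPLE, fl))
    print("hidden real content:", masked(SAMPLE, fl))
```

The robots.txt entry shows the cost of the filter: real content with the same line count as the generic page is dropped too, so a second pass that filters on response size (-fs) or word count (-fw) instead is worth doing.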
