### Install FFUF (Go, Homebrew, Binary) Source: https://github.com/jthack/ffuf_claude_skill/blob/main/ffuf-skill/SKILL.md Instructions for installing the FFUF tool using Go, Homebrew on macOS, or by downloading pre-compiled binaries from the GitHub releases page. ```bash # Using Go go install github.com/ffuf/ffuf/v2@latest # Using Homebrew (macOS) brew install ffuf # Binary download # Download from: https://github.com/ffuf/ffuf/releases/latest ``` -------------------------------- ### Install SecLists for FFUF Wordlists Source: https://github.com/jthack/ffuf_claude_skill/blob/main/ffuf-skill/resources/WORDLISTS.md Provides instructions for installing the SecLists repository, a collection of wordlists and other security-focused lists, which are essential for effective fuzzing with FFUF. It covers both cloning the repository and using a package manager. ```bash # Clone the repository git clone https://github.com/danielmiessler/SecLists.git /opt/SecLists # Or install via package manager (Kali) sudo apt install seclists # Then reference in ffuf: ffuf -w /opt/SecLists/Discovery/Web-Content/common.txt -u https://target.com/FUZZ -ac ``` -------------------------------- ### Parameter Fuzzing with FFUF Source: https://github.com/jthack/ffuf_claude_skill/blob/main/ffuf-skill/SKILL.md Examples of fuzzing GET request parameters, including parameter names, parameter values, and using multiple wordlists with different modes (e.g., clusterbomb) for complex scenarios. ```bash # GET parameter names ffuf -w /path/to/params.txt -u https://target.com/script.php?FUZZ=test_value -fs 4242 # GET parameter values ffuf -w /path/to/values.txt -u https://target.com/script.php?id=FUZZ -fc 401 # Multiple parameters ffuf -w params.txt:PARAM -w values.txt:VAL -u https://target.com/?PARAM=VAL -mode clusterbomb ``` -------------------------------- ### FFUF IDOR Testing with Sequential IDs Source: https://github.com/jthack/ffuf_claude_skill/blob/main/ffuf-skill/resources/WORDLISTS.md An example of FFUF used for IDOR (Insecure Direct Object Reference) testing. It utilizes a request file containing a path with a placeholder for the ID and pipes the output of the 'seq' command as the wordlist to test sequential IDs. ```bash # req.txt contains: GET /api/users/FUZZ/profile ffuf --request req.txt \ -w <(seq 1 10000) \ -ac -mc 200 \ -o idor_results.json ``` -------------------------------- ### Header Fuzzing with FFUF Source: https://github.com/jthack/ffuf_claude_skill/blob/main/ffuf-skill/SKILL.md Examples of fuzzing custom HTTP headers, such as User-Agent or custom headers, and how to specify multiple headers in a single FFUF command. ```bash # Custom headers ffuf -w /path/to/wordlist.txt -u https://target.com -H "X-Custom-Header: FUZZ" # Multiple headers ffuf -w /path/to/wordlist.txt -u https://target.com -H "User-Agent: FUZZ" -H "X-Forwarded-For: 127.0.0.1" ``` -------------------------------- ### Directory and File Discovery with FFUF Source: https://github.com/jthack/ffuf_claude_skill/blob/main/ffuf-skill/SKILL.md Examples of using FFUF for discovering directories and files on a target web server. Includes basic fuzzing, adding file extensions, enabling colored and verbose output, and performing recursive directory scanning. ```bash # Basic directory fuzzing ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ # With file extensions ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -e .php,.html,.txt,.pdf # Colored and verbose output ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -c -v # With recursion (finds nested directories) ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -recursion -recursion-depth 2 ``` -------------------------------- ### Subdomain Enumeration with FFUF Source: https://github.com/jthack/ffuf_claude_skill/blob/main/ffuf-skill/SKILL.md Demonstrates how to use FFUF for subdomain enumeration by fuzzing the Host header. Includes an example of filtering out responses of a specific size, which is often used to ignore default or non-existent host responses. ```bash # Virtual host discovery ffuf -w /path/to/subdomains.txt -u https://target.com -H "Host: FUZZ.target.com" -fs 4242 # Note: -fs 4242 filters out responses of size 4242 (adjust based on default response size) ``` -------------------------------- ### FFUF Auto-Calibration Usage Source: https://github.com/jthack/ffuf_claude_skill/blob/main/ffuf-skill/SKILL.md Demonstrates the use of FFUF's auto-calibration feature (`-ac`), which automatically detects and filters repetitive false positive responses. Includes examples for per-host calibration and custom calibration strings. ```bash # Auto-calibration - ALWAYS USE THIS ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -ac # Per-host auto-calibration (useful for multiple hosts) ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -ach # Custom auto-calibration string (for specific patterns) ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -acc "404NotFound" ``` -------------------------------- ### Generate Number-Based Wordlist for IDOR Testing Source: https://github.com/jthack/ffuf_claude_skill/blob/main/ffuf-skill/SKILL.md Creates a wordlist consisting of a range of numbers, specifically designed for testing Insecure Direct Object References (IDOR) vulnerabilities. Users can specify the output file, number type, start, and end values. ```bash python3 ffuf_helper.py wordlist -o ids.txt -t numbers -s 1 -e 10000 ``` -------------------------------- ### Generate Sequential and Padded IDs for FFUF Source: https://github.com/jthack/ffuf_claude_skill/blob/main/ffuf-skill/resources/WORDLISTS.md Demonstrates how to generate lists of sequential and padded numerical IDs using the 'seq' command, commonly used for IDOR testing in FFUF. These lists can be piped directly into FFUF's wordlist input. ```bash # Generate sequential IDs seq 1 1000 > ids.txt # Generate with padding seq -w 0001 9999 > padded_ids.txt # Generate UUIDs (common pattern) # Use custom scripts or existing UUID lists ``` -------------------------------- ### Best Practice: Raw Requests for Authentication in ffuf Source: https://github.com/jthack/ffuf_claude_skill/blob/main/ffuf-skill/SKILL.md For complex authentication scenarios, use raw HTTP requests captured from tools like Burp Suite or browser DevTools instead of struggling with command-line flags. ```bash # 1. Capture authenticated request from Burp/DevTools # 2. Save to req.txt with FUZZ keyword in place ``` -------------------------------- ### Create Authenticated Request Template for ffuf Source: https://github.com/jthack/ffuf_claude_skill/blob/main/ffuf-skill/SKILL.md Generates a req.txt template file for authenticated requests, supporting various HTTP methods, headers, and data payloads. This is useful for fuzzing authenticated endpoints. ```bash python3 ffuf_helper.py create-req -o req.txt -m POST -u "https://api.target.com/users" \ -H "Authorization: Bearer TOKEN" -d '{"action":"FUZZ"}' ``` -------------------------------- ### FFUF Authenticated API Fuzzing Source: https://github.com/jthack/ffuf_claude_skill/blob/main/ffuf-skill/resources/WORDLISTS.md This FFUF pattern demonstrates authenticated API fuzzing. It requires saving an authenticated request to a file (e.g., req.txt) and then using FFUF with a specific wordlist for API endpoints, filtering for successful HTTP status codes. ```bash # 1. Save authenticated request to req.txt # 2. Run: ffuf --request req.txt \ -w /opt/SecLists/Discovery/Web-Content/api/api-endpoints.txt \ -ac -mc 200,201,204 \ -o api_results.json ``` -------------------------------- ### POST Data Fuzzing with FFUF Source: https://github.com/jthack/ffuf_claude_skill/blob/main/ffuf-skill/SKILL.md Illustrates how to fuzz data sent in POST requests, covering basic form data, JSON payloads, and fuzzing multiple fields simultaneously using different wordlists and modes. ```bash # Basic POST fuzzing ffuf -w /path/to/passwords.txt -X POST -d "username=admin&password=FUZZ" -u https://target.com/login.php -fc 401 # JSON POST data ffuf -w entries.txt -u https://target.com/api -X POST -H "Content-Type: application/json" -d '{"name": "FUZZ", "key": "value"}' -fr "error" # Fuzzing multiple POST fields ffuf -w users.txt:USER -w passes.txt:PASS -X POST -d "username=USER&password=PASS" -u https://target.com/login -mode pitchfork ``` -------------------------------- ### FFUF Initial Directory Discovery Scan Source: https://github.com/jthack/ffuf_claude_skill/blob/main/ffuf-skill/resources/WORDLISTS.md A common FFUF pattern for performing an initial directory discovery scan. It utilizes a large directory list from SecLists and the '-ac' flag for automatic calibration, along with '-c' for colorized output and '-v' for verbose mode. ```bash ffuf -w /opt/SecLists/Discovery/Web-Content/raft-large-directories.txt \ -u https://target.com/FUZZ \ -ac -c -v \ -o initial_scan.json ``` -------------------------------- ### Using Raw HTTP Requests with ffuf Source: https://github.com/jthack/ffuf_claude_skill/blob/main/ffuf-skill/SKILL.md Leverage raw HTTP requests for advanced fuzzing, especially for authenticated endpoints. This involves saving a full request to a file and using the --request flag. ```bash # From a file containing raw HTTP request ffuf --request req.txt -w /path/to/wordlist.txt -ac ``` ```http POST /api/v1/users/FUZZ HTTP/1.1 Host: target.com User-Agent: Mozilla/5.0 Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... Cookie: session=abc123xyz; csrftoken=def456 Content-Type: application/json Content-Length: 27 {"action":"view","id":"1"} ``` ```bash # Common authenticated fuzzing patterns ffuf --request req.txt -w user_ids.txt -ac -mc 200 -o results.json # With multiple FUZZ positions using custom keywords ffuf --request req.txt -w endpoints.txt:ENDPOINT -w ids.txt:ID -mode pitchfork -ac ``` -------------------------------- ### Output Formats in ffuf Source: https://github.com/jthack/ffuf_claude_skill/blob/main/ffuf-skill/SKILL.md Configure ffuf to output results in various formats, including JSON, HTML, and CSV. Options for silent mode and piping output are also available. ```bash # JSON output ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -o results.json # HTML output ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -of html -o results.html # CSV output ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -of csv -o results.csv # All formats ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -of all -o results # Silent mode (no progress, only results) ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -s # Pipe to file with tee ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -s | tee results.txt ``` -------------------------------- ### Cookie and Client Certificate Authentication in ffuf Source: https://github.com/jthack/ffuf_claude_skill/blob/main/ffuf-skill/SKILL.md Manage authentication using cookies or client certificates. This allows ffuf to interact with protected resources. ```bash # Using cookies ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -b "sessionid=abc123; token=xyz789" # Client certificate authentication ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -cc client.crt -ck client.key ``` -------------------------------- ### Best Practice: Auto-Calibration in ffuf Source: https://github.com/jthack/ffuf_claude_skill/blob/main/ffuf-skill/SKILL.md Always use the -ac (auto-calibration) flag for productive pentesting. It automatically adjusts settings to optimize scan performance and accuracy. ```bash ffuf -w wordlist.txt -u https://target.com/FUZZ -ac ``` -------------------------------- ### Batch Processing Multiple Targets in ffuf Source: https://github.com/jthack/ffuf_claude_skill/blob/main/ffuf-skill/SKILL.md Process multiple target URLs efficiently using shell commands like 'xargs' or 'for' loops. This automates scanning across a list of targets. ```bash # Process multiple URLs cat targets.txt | xargs -I@ sh -c 'ffuf -w wordlist.txt -u @/FUZZ -ac' # Loop through multiple targets with results for url in $(cat targets.txt); do ffuf -w wordlist.txt -u $url/FUZZ -ac -o "results_$(echo $url | md5sum | cut -d' ' -f1).json" done ``` -------------------------------- ### FFUF Parameter Discovery Scan Source: https://github.com/jthack/ffuf_claude_skill/blob/main/ffuf-skill/resources/WORDLISTS.md This FFUF pattern is used for discovering URL parameters. It employs a wordlist of common parameter names and fuzzes the parameter section of a URL, while filtering out 404 responses. ```bash ffuf -w /opt/SecLists/Discovery/Web-Content/burp-parameter-names.txt \ -u "https://target.com/page?FUZZ=test" \ -ac -fc 404 ``` -------------------------------- ### Vulnerability Testing with ffuf Source: https://github.com/jthack/ffuf_claude_skill/blob/main/ffuf-skill/SKILL.md Utilize ffuf to test for common web vulnerabilities like SQL injection, XSS, and command injection by providing specific payload wordlists and matching criteria. ```bash # SQL injection testing ffuf -w sqli_payloads.txt -u https://target.com/page.php?id=FUZZ -fs 1234 # XSS testing ffuf -w xss_payloads.txt -u https://target.com/search?q=FUZZ -mr "