Claude
Skills
Sign in
Back

dast-ffuf

Included with Lifetime
$97 forever

Fast web fuzzer for DAST testing with directory enumeration, parameter fuzzing, and virtual host discovery. Written in Go for high-performance HTTP fuzzing with extensive filtering capabilities. Supports multiple fuzzing modes (clusterbomb, pitchfork, sniper) and recursive scanning. Use when: (1) Discovering hidden directories, files, and endpoints on web applications, (2) Fuzzing GET and POST parameters to identify injection vulnerabilities, (3) Enumerating virtual hosts and subdomains, (4) Testing authentication endpoints with credential fuzzing, (5) Finding backup files and sensitive data exposures, (6) Performing comprehensive web application reconnaissance.

appsecdastfuzzingweb-fuzzerdirectory-enumerationparameter-fuzzingvhost-discoveryffufreconnaissanceassets

What this skill does


# ffuf - Fast Web Fuzzer

## Overview

ffuf is a fast web fuzzer written in Go designed for discovering hidden resources, testing parameters, and performing comprehensive web application reconnaissance. It uses the FUZZ keyword as a placeholder for wordlist entries and supports advanced filtering, multiple fuzzing modes, and recursive scanning for thorough security assessments.

## Installation

```bash
# Using Go
go install github.com/ffuf/ffuf/v2@latest

# Using package managers
# Debian/Ubuntu
apt install ffuf

# macOS
brew install ffuf

# Or download pre-compiled binary from GitHub releases
```

## Quick Start

Basic directory fuzzing:

```bash
# Directory discovery
ffuf -u https://example.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

# File discovery with extension
ffuf -u https://example.com/FUZZ -w wordlist.txt -e .php,.html,.txt

# Virtual host discovery
ffuf -u https://example.com -H "Host: FUZZ.example.com" -w subdomains.txt
```

## Core Workflows

### Workflow 1: Directory and File Enumeration

For discovering hidden resources on web applications:

1. Start with common directory wordlist:
   ```bash
   ffuf -u https://target.com/FUZZ \
     -w /usr/share/seclists/Discovery/Web-Content/common.txt \
     -mc 200,204,301,302,307,401,403 \
     -o results.json
   ```
2. Review discovered directories (focus on 200, 403 status codes)
3. Enumerate files in discovered directories:
   ```bash
   ffuf -u https://target.com/admin/FUZZ \
     -w /usr/share/seclists/Discovery/Web-Content/raft-small-files.txt \
     -e .php,.bak,.txt,.zip \
     -mc all -fc 404
   ```
4. Use recursive mode for deep enumeration:
   ```bash
   ffuf -u https://target.com/FUZZ \
     -w wordlist.txt \
     -recursion -recursion-depth 2 \
     -e .php,.html \
     -v
   ```
5. Document findings and test discovered endpoints

### Workflow 2: Parameter Fuzzing (GET/POST)

Progress:
[ ] 1. Identify target endpoint for parameter testing
[ ] 2. Fuzz GET parameter names to discover hidden parameters
[ ] 3. Fuzz parameter values for injection vulnerabilities
[ ] 4. Test POST parameters with JSON/form data
[ ] 5. Apply appropriate filters to reduce false positives
[ ] 6. Analyze responses for anomalies and vulnerabilities
[ ] 7. Validate findings manually
[ ] 8. Document vulnerable parameters and payloads

Work through each step systematically. Check off completed items.

**GET Parameter Name Fuzzing:**
```bash
ffuf -u https://target.com/api?FUZZ=test \
  -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \
  -fs 0  # Filter out empty responses
```

**GET Parameter Value Fuzzing:**
```bash
ffuf -u https://target.com/api?id=FUZZ \
  -w payloads.txt \
  -mc all
```

**POST Data Fuzzing:**
```bash
# Form data
ffuf -u https://target.com/login \
  -X POST \
  -d "username=admin&password=FUZZ" \
  -w passwords.txt \
  -H "Content-Type: application/x-www-form-urlencoded"

# JSON data
ffuf -u https://target.com/api/login \
  -X POST \
  -d '{"username":"admin","password":"FUZZ"}' \
  -w passwords.txt \
  -H "Content-Type: application/json"
```

### Workflow 3: Virtual Host and Subdomain Discovery

For identifying virtual hosts and subdomains:

1. Prepare subdomain wordlist (or use SecLists)
2. Run vhost fuzzing:
   ```bash
   ffuf -u https://target.com \
     -H "Host: FUZZ.target.com" \
     -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
     -fs 0  # Filter by response size to identify valid vhosts
   ```
3. Filter results by comparing response sizes/words
4. Verify discovered vhosts manually
5. Enumerate directories on each vhost
6. Document vhost configurations and exposed services

### Workflow 4: Authentication Endpoint Fuzzing

For testing login forms and authentication mechanisms:

1. Identify authentication endpoint
2. Fuzz usernames:
   ```bash
   ffuf -u https://target.com/login \
     -X POST \
     -d "username=FUZZ&password=test123" \
     -w usernames.txt \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -mr "Invalid password|Incorrect password"  # Match responses indicating valid user
   ```
3. For identified users, fuzz passwords:
   ```bash
   ffuf -u https://target.com/login \
     -X POST \
     -d "username=admin&password=FUZZ" \
     -w /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -fc 401,403  # Filter failed attempts
   ```
4. Use clusterbomb mode for combined username/password fuzzing:
   ```bash
   ffuf -u https://target.com/login \
     -X POST \
     -d "username=FUZZ1&password=FUZZ2" \
     -w usernames.txt:FUZZ1 \
     -w passwords.txt:FUZZ2 \
     -mode clusterbomb
   ```

### Workflow 5: Backup and Sensitive File Discovery

For finding exposed backup files and sensitive data:

1. Create wordlist of common backup patterns
2. Fuzz for backup files:
   ```bash
   ffuf -u https://target.com/FUZZ \
     -w backup-files.txt \
     -e .bak,.backup,.old,.zip,.tar.gz,.sql,.7z \
     -mc 200 \
     -o backup-files.json
   ```
3. Test common sensitive file locations:
   ```bash
   ffuf -u https://target.com/FUZZ \
     -w /usr/share/seclists/Discovery/Web-Content/sensitive-files.txt \
     -mc 200,403
   ```
4. Download and analyze discovered files
5. Report findings with severity classification

## Fuzzing Modes

ffuf supports multiple fuzzing modes for different attack scenarios:

**Clusterbomb Mode** - Cartesian product of all wordlists (default):
```bash
ffuf -u https://target.com/FUZZ1/FUZZ2 \
  -w dirs.txt:FUZZ1 \
  -w files.txt:FUZZ2 \
  -mode clusterbomb
```
Tests every combination: dir1/file1, dir1/file2, dir2/file1, dir2/file2

**Pitchfork Mode** - Parallel iteration of wordlists:
```bash
ffuf -u https://target.com/login \
  -X POST \
  -d "username=FUZZ1&password=FUZZ2" \
  -w users.txt:FUZZ1 \
  -w passwords.txt:FUZZ2 \
  -mode pitchfork
```
Tests pairs: user1/pass1, user2/pass2 (stops at shortest wordlist)

**Sniper Mode** - One wordlist, multiple positions:
```bash
ffuf -u https://target.com/FUZZ \
  -w wordlist.txt \
  -mode sniper
```
Standard single-wordlist fuzzing.

## Filtering and Matching

Effective filtering is crucial for reducing noise:

**Match Filters** (only show matching):
- `-mc 200,301` - Match HTTP status codes
- `-ms 1234` - Match response size
- `-mw 100` - Match word count
- `-ml 50` - Match line count
- `-mr "success|admin"` - Match regex pattern in response

**Filter Options** (exclude matching):
- `-fc 404,403` - Filter status codes
- `-fs 0,1234` - Filter response sizes
- `-fw 0` - Filter word count
- `-fl 0` - Filter line count
- `-fr "error|not found"` - Filter regex pattern

**Auto-Calibration:**
```bash
# Automatically filter baseline responses
ffuf -u https://target.com/FUZZ -w wordlist.txt -ac
```

## Common Patterns

### Pattern 1: API Endpoint Discovery

Discover REST API endpoints:

```bash
# Enumerate API paths
ffuf -u https://api.target.com/v1/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt \
  -mc 200,201,401,403 \
  -o api-endpoints.json

# Fuzz API versions
ffuf -u https://api.target.com/FUZZ/users \
  -w <(seq 1 10 | sed 's/^/v/') \
  -mc 200
```

### Pattern 2: Extension Fuzzing

Test multiple file extensions:

```bash
# Brute-force extensions on known files
ffuf -u https://target.com/admin.FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt \
  -mc 200

# Or use -e flag for multiple extensions
ffuf -u https://target.com/FUZZ \
  -w filenames.txt \
  -e .php,.asp,.aspx,.jsp,.html,.bak,.txt
```

### Pattern 3: Rate-Limited Fuzzing

Respect rate limits and avoid detection:

```bash
# Add delay between requests
ffuf -u https://target.com/FUZZ \
  -w wordlist.txt \
  -p 0.5-1.0  # Random delay 0.5-1.0 seconds

# Limit concurrent requests
ffuf -u https://target.com/FUZZ \
  -w wordlist.txt \
  -t 5  # Only 5 concurrent threads
```

### Pattern 4: Custom Header Fuzzing

Fuzz HTTP headers for security m
Files: 6
Size: 69.1 KB
Complexity: 67/100
Category: appsec
Source: https://github.com/aiskillstore/marketplace/tree/main/skills/agentsecops/dast-ffuf

Related in appsec

sca-blackduck

Included

Software Composition Analysis (SCA) using Synopsys Black Duck for identifying open source vulnerabilities, license compliance risks, and supply chain security threats with CVE, CWE, and OWASP framework mapping. Use when: (1) Scanning dependencies for known vulnerabilities and security risks, (2) Analyzing open source license compliance and legal risks, (3) Identifying outdated or unmaintained dependencies, (4) Integrating SCA into CI/CD pipelines for continuous dependency monitoring, (5) Providing remediation guidance for vulnerable dependencies with CVE and CWE mappings, (6) Assessing supply chain security risks and third-party component threats.

appsec

sca-blackduck

Included

Software Composition Analysis (SCA) using Synopsys Black Duck for identifying open source vulnerabilities, license compliance risks, and supply chain security threats with CVE, CWE, and OWASP framework mapping. Use when: (1) Scanning dependencies for known vulnerabilities and security risks, (2) Analyzing open source license compliance and legal risks, (3) Identifying outdated or unmaintained dependencies, (4) Integrating SCA into CI/CD pipelines for continuous dependency monitoring, (5) Providing remediation guidance for vulnerable dependencies with CVE and CWE mappings, (6) Assessing supply chain security risks and third-party component threats.

appsec

dast-nuclei

Included

Fast, template-based vulnerability scanning using ProjectDiscovery's Nuclei with extensive community templates covering CVEs, OWASP Top 10, misconfigurations, and security issues across web applications, APIs, and infrastructure. Use when: (1) Performing rapid vulnerability scanning with automated CVE detection, (2) Testing for known vulnerabilities and security misconfigurations in web apps and APIs, (3) Running template-based security checks in CI/CD pipelines with customizable severity thresholds, (4) Creating custom security templates for organization-specific vulnerability patterns, (5) Scanning multiple targets efficiently with concurrent execution and rate limiting controls.

appsec

dast-nuclei

Included

Fast, template-based vulnerability scanning using ProjectDiscovery's Nuclei with extensive community templates covering CVEs, OWASP Top 10, misconfigurations, and security issues across web applications, APIs, and infrastructure. Use when: (1) Performing rapid vulnerability scanning with automated CVE detection, (2) Testing for known vulnerabilities and security misconfigurations in web apps and APIs, (3) Running template-based security checks in CI/CD pipelines with customizable severity thresholds, (4) Creating custom security templates for organization-specific vulnerability patterns, (5) Scanning multiple targets efficiently with concurrent execution and rate limiting controls.

appsec

api-spectral

Included

API specification linting and security validation using Stoplight's Spectral with support for OpenAPI, AsyncAPI, and Arazzo specifications. Validates API definitions against security best practices, OWASP API Security Top 10, and custom organizational standards. Use when: (1) Validating OpenAPI/AsyncAPI specifications for security issues and design flaws, (2) Enforcing API design standards and governance policies across API portfolios, (3) Creating custom security rules for API specifications in CI/CD pipelines, (4) Detecting authentication, authorization, and data exposure issues in API definitions, (5) Ensuring API specifications comply with organizational security standards and regulatory requirements.

appsec

api-spectral

Included

API specification linting and security validation using Stoplight's Spectral with support for OpenAPI, AsyncAPI, and Arazzo specifications. Validates API definitions against security best practices, OWASP API Security Top 10, and custom organizational standards. Use when: (1) Validating OpenAPI/AsyncAPI specifications for security issues and design flaws, (2) Enforcing API design standards and governance policies across API portfolios, (3) Creating custom security rules for API specifications in CI/CD pipelines, (4) Detecting authentication, authorization, and data exposure issues in API definitions, (5) Ensuring API specifications comply with organizational security standards and regulatory requirements.

appsec
Sign up & unlock — $97