
Overview
Ffuf (Fuzz Faster U Fool) is a web fuzzer, most often used as a URL directory and file finder. It can discover hidden, sensitive or vulnerable files and routes on web applications and servers. Essentially, you give the tool a wordlist and a URL with a FUZZ marker; it substitutes every word at that position, requests each URL, and reports which paths produced an interesting response (by status code, response size, and so on). Conveniently, it comes preinstalled on Kali Linux.
Some tools similar to Ffuf that you may already know are:
- Wfuzz (very similar to Ffuf)
- Dirb (single thread only)
- Dirbuster (has a GUI but often crashes)
- Gobuster
Generally, they all do the same thing, with slight differences like:
- The reliability of the tool (the tool crashing)
- The efficiency of the tool (single thread vs multi-thread)
- The options provided (filtering capabilities)
- The wordlist used to brute-force directories (not all tools ship with one)
- Report layout produced
After testing and comparing the tools, I believe Ffuf is by far the best.
How to use Ffuf
To run Ffuf, use the command format:
ffuf -u <url>/FUZZ -w <wordlist> [other options]
To explain:
-u specifies the target URL; the keyword FUZZ marks where each word from the wordlist is inserted (it can appear anywhere in the URL, not only at the end).
-w provides the wordlist whose entries are substituted at the FUZZ location.
In the example below, the command used is:
ffuf -u https://tastyfix.com/FUZZ -w /usr/share/dirb/wordlists/common.txt -fs 0
Here we are targeting the website tastyfix.com, and since we want to find its top-level directories the FUZZ keyword is placed at the end of the URL. Tastyfix.com answers many non-existent paths with an empty 200 response instead of a 404, which would flood the output with false positives. The "-fs 0" option filters out every response whose body is 0 bytes, leaving only paths that actually returned content. The same idea applies to any target: note the size of the "nothing here" response first, then filter it with -fs (or filter by status code with -fc).
The wordlist used here ships with the dirb tool. However, I suggest you use the wordlists collected by danielmiessler in the SecLists repository on GitHub (also packaged on Kali as seclists under /usr/share/seclists). It is an extensive collection of wordlists for penetration testing. For Ffuf, you could start with a decent wordlist like danielmiessler/SecLists/blob/master/Discovery/Web-Content/raft-medium-files-lowercase.txt. Do note that wordlists differ in size and purpose, and a larger wordlist means a longer run time and more requests sent to the target.
In that run, the tool found paths such as robots.txt and privacy-policy.
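To make the mechanics of the command above concrete, here is an added example (not part of ffuf or of the original article) that reproduces what `ffuf -u URL/FUZZ -w LIST -fs 0` does in a few dozen lines of Python: substitute each word at the FUZZ marker, request the URL, and keep only responses whose status code is interesting and whose body size is not in the filtered set. Because it must run offline, it stands up a throwaway local HTTP server (a constructed stand-in for tastyfix.com) that answers unknown paths with an empty 200, exactly the behaviour that makes -fs 0 necessary. The paths, bodies and wordlist are all made up for the demonstration, and the status-code list is modelled on ffuf's default -mc set, not copied from it.

```python
"""Mini directory brute-forcer in the spirit of `ffuf -u URL/FUZZ -w LIST -fs 0`.

Added example, not ffuf's own code. The target is a constructed local server.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed target content. Paths mapped to bytes return 200 with that body;
# a path mapped to None returns 403 with a short body; every other path returns
# an EMPTY 200 (no 404s), mimicking the tastyfix.com behaviour described above.
FAKE_SITE = {
    "/robots.txt": b"User-agent: *\nDisallow: /admin\n",
    "/privacy-policy": b"<html><body>Privacy policy</body></html>",
    "/admin": None,
}

# Modelled on ffuf's default -mc list: 2xx plus a handful of redirect/auth codes.
DEFAULT_MATCH_CODES = set(range(200, 300)) | {301, 302, 307, 401, 403, 405, 500}


class FakeSite(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path in FAKE_SITE and FAKE_SITE[self.path] is None:
            status, body = 403, b"Forbidden"
        elif self.path in FAKE_SITE:
            status, body = 200, FAKE_SITE[self.path]
        else:
            status, body = 200, b""          # empty 200: the noise -fs 0 removes
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):            # keep the server quiet
        pass


def start_fake_site():
    """Start the constructed target on a free localhost port; return (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeSite)   # port 0 lets the OS pick a port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


def fuzz(url_template, wordlist, filter_sizes=(), match_codes=DEFAULT_MATCH_CODES):
    """Replace FUZZ with each word and return {word: (status, body_size)} for hits.

    filter_sizes plays the role of ffuf's -fs, match_codes the role of -mc.
    """
    hits = {}
    for word in wordlist:
        url = url_template.replace("FUZZ", word)   # FUZZ may sit anywhere in the URL
        try:
            with urllib.request.urlopen(url, timeout=5) as resp:
                status, body = resp.status, resp.read()
        except urllib.error.HTTPError as e:        # 4xx/5xx still carry a body
            status, body = e.code, e.read()
        if status in match_codes and len(body) not in filter_sizes:
            hits[word] = (status, len(body))
    return hits


if __name__ == "__main__":
    srv, base = start_fake_site()
    words = ["robots.txt", "privacy-policy", "admin", "login", "backup"]  # constructed wordlist
    print("without -fs 0:", fuzz(base + "/FUZZ", words))            # every word "hits"
    print("with    -fs 0:", fuzz(base + "/FUZZ", words, filter_sizes=(0,)))
    srv.shutdown()
```

Running it shows the false-positive problem directly: without the size filter all five words are reported as 200s, while with `filter_sizes=(0,)` only robots.txt, privacy-policy and admin (a 403, still worth knowing about) remain. Real ffuf does the same filtering far faster with concurrent requests, and also lets you filter or match on words, lines and regexes; the logic is the same.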
Help Menu Overview:
Run ffuf -h to print the full list of options, grouped into HTTP options, general options, matcher options (-mc, -ms, -mw, -ml, -mr), filter options (-fc, -fs, -fw, -fl, -fr), input options and output options.
Additional information
For more information, you can explore the Ffuf GitHub page. I also recommend you watch the video demonstration on Ffuf by HackerSploit; it is very comprehensive, and he provides some good pointers and guidelines for using the tool.
Ffuf alternative (Wfuzz)
If you would like a different output format for URL fuzzing, I would recommend Wfuzz. It has largely the same features and a similar command format to Ffuf (the FUZZ keyword works the same way).
Here is an example output of Wfuzz:
Conclusion
Ffuf is a URL directory finder and a great tool to add to your arsenal for finding hidden and vulnerable web directories and files. With the ability to take any wordlist and filter the output down to only the responses you care about, you can map a target's unlinked content quickly and focus your testing on what it exposes.
Related Articles
5 Popular Open Source Tools for Reconnaissance
Wappalyzer – Website Technology Identifier for Pentesting
DNSrecon – DNS reconnaissance for Penetration Testing