Fuzzing for beginners! FFuF - Hacker Tools
Summary
TLDRIn this educational video, the concept of fuzzing is introduced as an automated process for sending data to a server to discover endpoints and potential vulnerabilities. The tool Ff (Fast and Furious), developed by Finnish hacker Juhoy, is highlighted for its effectiveness in fuzzing. The tutorial covers basic commands, including using wordlists, filtering responses, and handling POST requests. It also touches on ethical considerations like rate limiting and respecting target server load. Advanced features like recursion, redirects, and matcher options are briefly explored, encouraging viewers to delve deeper into the tool's capabilities.
Takeaways
- π Fuzzing is an automated process used to discover endpoints by sending various data inputs to a server and observing its responses.
- π The tool 'ff' (short for 'fuzz') is a popular choice for fuzzing, created by Finnish hacker juhoy.
- π Fuzzing can be used to find valid endpoints, vhosts, and even POST data by sending requests with different payloads.
- π Ff can be used with a wordlist to try various words or paths to discover new endpoints on a server.
- π The '-f' flag in ff is used to specify the position in the URL where the wordlist entries will be inserted.
- π« To avoid overloading the server, it's important to filter out requests that return the same size or status code, which might indicate non-existent endpoints.
- π The '-x' flag allows users to specify the HTTP method, such as GET or POST, to be used in fuzzing requests.
- π The '-d' flag is used to supply POST data, which can include variables from the wordlist for dynamic testing.
- π·οΈ Ff offers 'bug bounty' options like '-t' for controlling the number of threads and '-r' for setting the request rate to adhere to ethical testing practices.
- π Recursion can be enabled with the '-recursion' flag to explore directories and files further by adding new levels to the discovered endpoints.
- π The '-m' matcher options in ff allow filtering and matching responses based on status codes, line numbers, regex patterns, response sizes, and word counts.
Q & A
What is fuzzing in the context of cybersecurity?
-Fuzzing is an automated process where data is sent to a server to observe its reactions. It's used to discover endpoints, test APIs, and identify potential vulnerabilities by sending a wide range of inputs to see how the system responds.
How can fuzzing help in identifying endpoints on an API?
-Fuzzing can help identify endpoints by sending various requests to an API and observing the server's responses. Different status codes like 404 or 200 can indicate whether an endpoint exists or not, allowing further exploration of valid endpoints.
What is the role of a wordlist in fuzzing?
-A wordlist in fuzzing contains a collection of words or terms that are used as inputs to test endpoints. It helps in discovering valid endpoints, vhosts, or other resources by replacing parts of the URL or request with these words.
Why is ff (fast fuzzer) a popular tool for fuzzing?
-ff, created by the Finnish hacker juhoy, is popular because of its speed and efficiency in fuzzing. It quickly sends a large number of requests to a server using wordlists, making it easy to identify endpoints and potential vulnerabilities.
How does ff handle the placement of fuzzed words in a URL?
-ff uses a specific syntax to define where the fuzzed words from the wordlist should be placed in a URL. By using a slash followed by 'F' in capital letters, ff knows where to insert the words from the wordlist into the URL.
What is the purpose of filtering in fuzzing with ff?
-Filtering in fuzzing with ff is used to narrow down the results by specific criteria such as response size, status codes, or other attributes. This helps in focusing on potentially interesting endpoints that may indicate vulnerabilities or valid resources.
How can ff be used to send POST requests during fuzzing?
-ff can be configured to send POST requests by using the -X flag followed by 'POST' and the -d flag to supply the post data. This allows for fuzzing of APIs that accept POST requests and may reveal endpoints or resources that handle POST data.
What are 'book bounty options' in ff and why are they important?
-Book bounty options in ff are settings that help adhere to the rules of ethical hacking programs. They include controlling the rate of requests and the number of threads to avoid overloading the server, which is important for responsible and legal fuzzing.
How does recursion in fuzzing with ff work?
-Recursion in fuzzing with ff allows for the scanning of directories or files recursively. When a valid endpoint is found, ff can add another 'F' keyword to continue fuzzing deeper into the directory structure, potentially discovering more endpoints.
What are matcher options in ff and how do they help in fuzzing?
-Matcher options in ff help in identifying responses that match specific criteria such as status codes, response size, or regex patterns. They allow for more targeted fuzzing by showing only the results that meet the defined conditions, making it easier to spot potential vulnerabilities or interesting endpoints.
Why is it important to follow redirects during fuzzing?
-Following redirects during fuzzing is important because it allows the discovery of the final destination of a URL that may be redirected. This can reveal additional endpoints or resources that may not be immediately apparent from the initial request.
Outlines
π Introduction to Fuzzing with FF
This paragraph introduces the concept of fuzzing as an automated process for sending data to a server to observe its reactions. It explains how fuzzing can be used to discover API endpoints by sending requests and interpreting the server's responses, such as 404 for non-existent endpoints or 200 for existing ones. The paragraph introduces FF (Fast Fuzzing), a tool created by a Finnish hacker named Juhoy, and sets the stage for a demonstration of how to use FF for fuzzing.
π Exploring FF's Basic Fuzzing Process
This section provides a step-by-step guide on how to perform a basic fuzzing scan using FF. It details the process of initiating a scan by specifying a wordlist, using the 'cyclists' wordlist for discovering web content, and targeting a specific URL (www.integrity.com). The explanation includes the use of flags to define where in the URL the fuzzing words should be placed and how to interpret the server's response codes. It also discusses filtering out requests based on response size to identify potentially valid endpoints.
π Advanced Fuzzing Techniques with FF
This part of the script delves into more advanced fuzzing techniques using FF, such as sending POST requests with specific HTTP methods and data payloads. It discusses the use of flags like -x for HTTP methods and -d for data, which can include variables from the wordlist. The paragraph also covers 'bug bounty options' like controlling the number of threads and request rates to avoid overloading the server, and setting headers and cookies for requests.
π Recursion and Redirects in Fuzzing
The script explains how to use recursion in fuzzing to explore directories and files by adding 'first' keywords to the end of URLs and allowing FF to recursively scan deeper into the server's structure. It mentions setting recursion depth with the '-recursion depth' flag to control the depth of scanning. Additionally, it covers the use of the '-r' flag to follow redirects and the importance of this feature in fuzzing.
π― Matcher and Filter Options in FF
This section focuses on matcher options in FF, which allow users to specify criteria for displaying responses based on status codes, line numbers, regex patterns, response sizes, and word counts. It also discusses filter options that enable users to exclude specific entries from the results based on status codes, line numbers, regex, response sizes, and word counts. These options help in refining the fuzzing process to target relevant endpoints more effectively.
Mindmap
Keywords
π‘Fuzzing
π‘API
π‘Endpoints
π‘Status Codes
π‘Wordlist
π‘ff (fast fuzzer)
π‘Recursion
π‘Redirects
π‘Matcher Options
π‘Rate Limiting
Highlights
Introduction to fuzzing as an automated process for sending data to a server to observe its reactions.
Fuzzing can be used to discover API endpoints by sending requests and interpreting server responses.
The tool F5, created by Finnish hacker Juhoy, is introduced for fuzzing purposes.
A demonstration of a basic F5 scan using a wordlist to find endpoints.
Explanation of using different wordlists for fuzzing, such as 'cyclists' for web content discovery.
The use of the '-u' flag to supply a URL for fuzzing and the importance of defining the endpoint location with '/'.
Observation that a 200 status code might not indicate a valid endpoint due to server behavior.
Technique to filter requests based on response size to find more meaningful endpoints.
Introduction to advanced fuzzing options, including POST requests and supplying HTTP methods with '-x'.
The use of '-d' flag to supply POST data and the ability to include fuzzing keywords in the data.
Discussion on 'book bounty' options like controlling the rate of requests to avoid overloading servers.
Explanation of setting headers and cookies in fuzzing requests using '-h' and '-b' flags.
Introduction to recursion in fuzzing with the '-recursion' flag for directory and file discovery.
The use of '-r' flag to follow redirects and its importance in fuzzing.
Matcher options explained, including matching status codes, response size, and regex patterns.
Filtering options to refine fuzzing results, such as excluding specific status codes or response sizes.
Encouragement to explore F5's help page and GitHub for more advanced fuzzing techniques.
Conclusion summarizing the value of F5 in fuzzing for discovering endpoints, vhosts, and POST data.
Transcripts
hello everybody and welcome back to
another hacker tools video in today's
video we are going to be taking a look
at f5 and we're going to look at fuzzing
for beginners so let's jump straight
into it
what is fuzzing well fuzzing is an
automated process where we send data to
a server and we see how it reacts for
example we could have an api and we want
to find different endpoints on that api
that we can test
we can try to send a request saying okay
api.integrity.com
users how is integrity.com going to
react to that it can either react in for
example a 404 saying hey i did not find
that and then we know okay that's not a
valid endpoint but it could also react
in a 200 status code saying hey the user
id is not found in this case and you
know okay that endpoints exist
and i um can start looking into that
endpoint more so
fuzzing is that automated process where
we run through a whole word list with
all kinds of words and we try to find
end points but also v hosts at the
beginning of a url but you can even try
to first post the data or anything you
can really imagine
and now a very popular tool for fuzzing
is ff standing for first faster you
fool now f5 was created by the finnish
hacker juhoy and we are going to take a
look at how it works right now so let's
jump into this and let's let's take a
look at a simple ff scan so we're going
to start off by typing of course fff
and then we're going to supply a word
list but this is a word list containing
all the different words or
things it's going to try to find
i like to use cyclists for this which is
a great compilation of all kinds of word
lists and i have started git repository
in slash opt set lists i'm going to look
at discovery because i want to discover
things and i want to discover some web
content now there's a ton of web content
in here as you can see
but i like to use the raft
and then let's use
small directories in this case
okay with our word list set we can use
dash u to supply a url
now i'm going to supply http s
slash
www.integrity.com
and now i want to first end points that
are that come after this
this url so i'm going to type in capital
letters slash first and that is how you
define the place where ff is going to
place your words in the word lists so ff
is going to send a ton of http requests
with this url always replacing first by
the word in our word list and if i run
this we will see that we get a ton of
requests here and they all have the same
size the same status of 200 the same
amount of words and lines
and this probably means that the
integrity the back-end server or the
server here
sends a 200 status code even if it's not
found because for example php underscore
uploads baskets email templates those
are probably not real endpoints here so
what we can do now is we can filter out
all the requests with this specific size
and to do that we're gonna go to our
original request again
and i'm gonna
do dash f for filter and then s for size
we're going to filter things out based
on size and i have to scroll up a bit to
see the size here that was 2 2
and 9 6 6 3 9 6 x 3 okay and now we can
run that again and we see that we get
some different results with different
sizes and things that make way more
sense for integrity such as uh programs
obviously um
so okay that's cool i'm gonna quit this
scan now to ask to not overload the
server of course
uh right now we looked at this simple
command that first end points we can
obviously also first v hosts or
posted and i'm gonna explain all of that
and all these flags and how they work
in a bit but you can obviously also run
ff-h for the help
and that will bring up all of the
different options but i'm gonna explore
some with you here in the next section
here
and let's look at some of these options
first of all we're going to talk about
some post request options because it's
obviously very useful to try to first in
post requests that can lead to idols to
all kind of interesting things in apis
for example
first of all we're going to look at the
dash capital x and that is
a means for you to supply an http method
so the default is get but you can also
say post there and then the server or ff
is going to send post requests to the
server
then you can also supply dash capital
lowercase d rather and that is to supply
some post data which is your json data
or any other kind of data and this data
can obviously include your first keyword
which is going to be used to replace uh
to put the things from your word list
the words from your word list in so very
useful if you want to first out post
requests
besides that you also have some what i
like to call book bounty options these
are options that you can use to adhere
to the rules of a program uh things like
dash t for the amount of threads that
are being used and dash rate for the
rate of requests per second because
obviously you don't want to overload a
program
requests because you can imagine if 100
researchers start doing that it will
become very cumbersome for the program
so adhere to the rules
but besides that you can also set the
dash capital h option to supply a header
value this is gonna have a header
injected in every request and the dash
lowercase b option can be used to set
some cookies
so say cookie name equals value
and that's it for the bug bounty options
now let's take a look at some recursion
and redirects now first of all with dash
recursion you can say okay scan this
recursively this is only going to work
if your first word is at the end of the
url so if you're fuzzing for directories
or files and what ff is going to do is
once it finds a valid or a working
endpoint it's going to add another slash
to that and add another first keyword to
that and it's going to try to first that
whole directory again then you can say
okay if it's fine if it finds something
there again it's going to do the same
again and that way you can keep on
recursively fuzzing into directory so
that you found find every file that
there is to be found on that server with
dash recursion depth you can then set
the depth that is going to be taken so
if you only want to go into two
directories and not into infinite amount
of directories you can set the
recursion depth to two
then we can also talk about redirects
and with dash r you can say that it's
gonna follow redirects
this can be very useful because
obviously you are gonna get 301 status
quotes back
301 meaning redirect to a specific page
and with this option it's going to
actually follow that redirect so that
you can you can see what it goes to
but that's it for recursion and
redirects now let's talk about matcher
options now what are these these are
options that are going to say okay if
the answer that we get back so the
response for a specific request if it
matches one of these it's going to be
shown so for example with dash mc we can
match status codes so for example if we
get a 200 bucks show it and by default
you have 200 204 301 and so on all of
these codes that are already being
matched um besides that you can also say
dash ml and that's going to say okay if
if this amount these amount of lines
that you supply so if you say okay 13
lines
if the server if ff gets a request back
from the server that contains 13 lines
and it's gonna show that entry in your
list you can also use regex with dash m
r uh the response size with dash m s and
then the amount of words in the response
with dash m w
now that is matching but we can also
filter out specific entries
and for example you can filter out
status quotes with dash fc
uh if you say fc200 it will not show you
any responses that have the status code
200 you can do dash fl for lines dash fr
to filter out
based on specific regex and fs the one
we used in the video
to filter out specific response sizes as
well as dash fw to filter out by the
amount of words in a response
now those were all the basic options
that ff has to offer now there are more
you can get really really
granular with this tool so definitely
check out the health help page and the
github
but that's all for now
i hope ff is going to be your new tool
of choice for fuzzing out
your targets and making sure that you
find every endpoint fee host
post data item
that you just found find everything and
can test everything on a specific
endpoint
now i hope you enjoyed this enjoyed this
video let us know what you think of it
below in the comments like it if you
like the video and also if you have any
suggestions for tools that you would
like to see us cover in the future then
definitely comment those below as well
that was it for the video i hope you
enjoyed it and take care
[Music]
Browse More Related Video
FUZZING FOR BEGINNERS (KUGG teaches STΓK American fuzzy lop)
Epic Wordlists for Bug Bounty content discovery and API bugs!
What is Postman and why everyone use it ?
Adding and Removing Roles and Features
Find endpoints in the blink of an eye! GoSpider - Hacker Tools
Asp.Net Core Web API Client/Server Application | Visual Studio 2019
5.0 / 5 (0 votes)