.\" Text automatically generated by txt2man
.TH ffuf "1" "May 2020" "ffuf 1.0.2" "User Commands"  
.SH NAME
\fBffuf\fP \- Fast web fuzzer written in Go
.SH SYNOPSIS
.nf
.fam C
     \fBffuf\fP [\fBoptions\fP]

.fam T
.fi
.SH DESCRIPTION
\fBffuf\fP is a fast web fuzzer written in Go that allows typical directory
discovery, virtual host discovery (without DNS records) and GET and POST
parameter fuzzing.
.SH OPTIONS
.PP
HTTP OPTIONS:
.RS
.TP
.B
\fB-H\fP
Header "Name: Value", separated by colon. Multiple \fB-H\fP flags are accepted.
.TP
.B
\fB-X\fP
HTTP method to use (default: GET)
.TP
.B
\fB-b\fP
Cookie data "NAME1=VALUE1; NAME2=VALUE2" for copy as curl functionality.
.TP
.B
\fB-d\fP
POST data
.TP
.B
\fB-r\fP
Follow redirects (default: false)
.TP
.B
\fB-recursion\fP
Scan recursively. Only FUZZ keyword is supported, and URL (\fB-u\fP) has to end in it. (default: false)
.TP
.B
\fB-recursion-depth\fP
Maximum recursion depth. (default: 0)
.TP
.B
\fB-replay-proxy\fP
Replay matched requests using this proxy.
.TP
.B
\fB-timeout\fP
HTTP request timeout in seconds. (default: 10)
.TP
.B
\fB-u\fP
Target URL
.TP
.B
\fB-x\fP
HTTP Proxy URL
.RE
.PP
GENERAL OPTIONS:
.RS
.TP
.B
\fB-V\fP
Show version information. (default: false)
.TP
.B
\fB-ac\fP
Automatically calibrate filtering options (default: false)
.TP
.B
\fB-acc\fP
Custom auto-calibration string. Can be used multiple times. Implies \fB-ac\fP
.TP
.B
\fB-c\fP
Colorize output. (default: false)
.TP
.B
\fB-maxtime\fP
Maximum running time in seconds. (default: 0)
.TP
.B
\fB-p\fP
Seconds of 'delay' between requests, or a range of random delay. For example "0.1" or "0.1-2.0"
.TP
.B
\fB-s\fP
Do not print additional information (silent mode) (default: false)
.TP
.B
\fB-sa\fP
Stop on all error cases. Implies \fB-sf\fP and \fB-se\fP. (default: false)
.TP
.B
\fB-se\fP
Stop on spurious errors (default: false)
.TP
.B
\fB-sf\fP
Stop when > 95% of responses return 403 Forbidden (default: false)
.TP
.B
\fB-t\fP
Number of concurrent threads. (default: 40)
.TP
.B
\fB-v\fP
Verbose output, printing full URL and redirect location (if any) with the results. (default: false)
.RE
.PP
MATCHER OPTIONS:
.RS
.TP
.B
\fB-mc\fP
Match HTTP status codes, or "all" for everything. (default: 200,204,301,302,307,401,403)
.TP
.B
\fB-ml\fP
Match number of lines in response
.TP
.B
\fB-mr\fP
Match regexp
.TP
.B
\fB-ms\fP
Match HTTP response size
.TP
.B
\fB-mw\fP
Match number of words in response
.RE
.PP
FILTER OPTIONS:
.RS
.TP
.B
\fB-fc\fP
Filter HTTP status codes from response. Comma separated list of codes and ranges
.TP
.B
\fB-fl\fP
Filter by number of lines in response. Comma separated list of line counts and ranges
.TP
.B
\fB-fr\fP
Filter regexp
.TP
.B
\fB-fs\fP
Filter HTTP response size. Comma separated list of sizes and ranges
.TP
.B
\fB-fw\fP
Filter by number of words in response. Comma separated list of word counts and ranges
.RE
.PP
INPUT OPTIONS:
.RS
.TP
.B
\fB-D\fP
DirSearch wordlist compatibility mode. Used in conjunction with \fB-e\fP flag. (default: false)
.TP
.B
\fB-e\fP
Comma separated list of extensions. Extends FUZZ keyword.
.TP
.B
\fB-ic\fP
Ignore wordlist comments (default: false)
.TP
.B
\fB-input-cmd\fP
Command producing the input. \fB--input-num\fP is required when using this input method. Overrides \fB-w\fP.
.TP
.B
\fB-input-num\fP
Number of inputs to test. Used in conjunction with \fB--input-cmd\fP. (default: 100)
.TP
.B
\fB-mode\fP
Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork (default: clusterbomb)
.TP
.B
\fB-request\fP
File containing the raw HTTP request
.TP
.B
\fB-request-proto\fP
Protocol to use along with raw request (default: https)
.TP
.B
\fB-w\fP
Wordlist file path and (optional) keyword separated by colon, e.g. '/path/to/wordlist:KEYWORD'
.RE
.PP
OUTPUT OPTIONS:
.RS
.TP
.B
\fB-debug-log\fP
Write all of the internal logging to the specified file.
.TP
.B
\fB-o\fP
Write output to file
.TP
.B
\fB-od\fP
Directory path to store matched results to.
.TP
.B
\fB-of\fP
Output file format. Available formats: json, ejson, html, md, csv, ecsv (default: json)
.RE
.PP
.SH EXAMPLE USAGE:
Fuzz file paths from wordlist.txt, match all responses but filter out those with content-size 42.
Colored, verbose output.
.PP
.nf
.fam C
\fBffuf\fP \fB-w\fP wordlist.txt \fB-u\fP https://example.org/FUZZ \fB-mc\fP all \fB-fs\fP 42 \fB-c\fP \fB-v\fP
.fam T
.fi
.PP
Fuzz Host-header, match HTTP 200 responses.
.PP
.nf
.fam C
\fBffuf\fP \fB-w\fP hosts.txt \fB-u\fP https://example.org/ \fB-H\fP "Host: FUZZ" \fB-mc\fP 200
.fam T
.fi
.PP
Fuzz POST JSON data. Match all responses not containing text "error".
.PP
.nf
.fam C
\fBffuf\fP \fB-w\fP entries.txt \fB-u\fP https://example.org/ \fB-X\fP POST \fB-H\fP "Content-Type: application/json" \e
\fB-d\fP '{"name": "FUZZ", "anotherkey": "anothervalue"}' \fB-fr\fP "error"
.fam T
.fi
.PP
Fuzz multiple locations. Match only responses reflecting the value of "VAL" keyword. Colored.
.PP
.nf
.fam C
\fBffuf\fP \fB-w\fP params.txt:PARAM \fB-w\fP values.txt:VAL \fB-u\fP https://example.org/?PARAM=VAL \fB-mr\fP "VAL" \fB-c\fP
.fam T
.fi
.PP
More information and examples: https://github.com/ffuf/ffuf
.SH AUTHOR
This manual page was written based on the author's README by Pedro Loami Barbosa dos Santos <[email protected]> for the Debian project (but may be used by others).