Fuzzing By FFUF
Integrating FFUF with Other Tools

Integrating FFUF with Other Tools

JENISH PAGHADAL's photo
JENISH PAGHADAL
·

6 min read

FFUF is a powerful web fuzzing tool, but its true potential is unlocked when integrated with other security tools. By combining FFUF with Burp Suite, Nmap, Metasploit, OWASP ZAP and Automating fuzzing workflows, penetration testers can automate web fuzzing, vulnerability scanning, and exploitation more effectively.

Using FFUF with Burp Suite

Why Integrate FFUF with Burp Suite?

  • FFUF is great for discovering hidden directories, parameters, and endpoints.
  • Burp Suite allows manual and automated testing of web vulnerabilities.
  • Combining both tools helps in identifying and exploiting security weaknesses effectively.

Steps to Use FFUF with Burp Suite

Capture a Request in Burp Suite

  1. Open Burp Suite and go to the Proxy tab.
  2. Enable Intercept and capture a request from the target website.
  3. Right-click the request and select "Send to Repeater".
  4. Click "Save Item" and export the request as a raw text file (e.g., request.txt).

Use FFUF with the Exported Burp Request

Now, use FFUF to fuzz parameters or directories using the saved request:

ffuf -request request.txt -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200

Fuzz Parameters with Burp Request

To fuzz for hidden GET parameters:

ffuf -request request.txt -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -mc 200

Analyze FFUF Results in Burp Suite

  • Import the FFUF results into Burp Suite's Target or Intruder for further testing.
  • Use Burp Intruder to automate attacks like SQL Injection, XSS, or Authentication Bypass.

Using FFUF with Nmap

Why Integrate FFUF with Nmap?

  • Nmap is great for discovering open ports and services, while FFUF helps to enumerate directories, files, APIs, and hidden paths.
  • Automating web fuzzing after detecting live web servers saves time and effort in penetration testing.
  • Helps in identifying potential attack surfaces by chaining network scanning and fuzzing.

How to Integrate Nmap with FFUF

Run Nmap to Detect Live Web Servers

Before fuzzing, we need to find web servers running on port 80, 443, or other custom ports.

nmap -p 80,443 --open -oG nmap_scan.txt target.com

Explanation:

  • -p 80,443 → Scans HTTP(S) ports.
  • --open → Shows only open ports.
  • -oG nmap_scan.txt → Saves results in greppable format.

Extract Live Hosts and Fuzz with FFUF

Once Nmap identifies live web servers, use FFUF to fuzz directories.

cat nmap_scan.txt | grep "80/open" | awk '{print $2}' | xargs -I {} ffuf -u "http://{}/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/common.txt

Explanation:

  • cat nmap_scan.txt | grep "80/open" → Finds IPs with port 80 open.
  • awk '{print $2}' → Extracts only the IP addresses.
  • xargs -I {} ffuf -u "http://{}/FUZZ" → Runs FFUF against each live web server.

Pro Tip: Modify the script to include HTTPS (https://{}/FUZZ) for scanning secure servers.

Fuzz Custom Web Ports

Sometimes, web servers run on non-standard ports (e.g., 8080, 8443). Modify Nmap to find them:

nmap -p 80,443,8080,8443 --open -oG web_ports.txt target.com

Then, automate FFUF:

cat web_ports.txt | grep "open" | awk '{print $2 ":" $3}' | tr -d "/tcp" | xargs -I {} ffuf -u "http://{}/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/common.txt

This will fuzz all detected web services on multiple ports!

Automating the Process with a Bash Script

To automate Nmap scanning + FFUF fuzzing, create a script:

#!/bin/bash
TARGET=$1

# Run Nmap scan
echo "[*] Scanning for open web ports..."
nmap -p 80,443,8080,8443 --open -oG web_scan.txt $TARGET

# Extract live web servers and fuzz with FFUF
echo "[*] Running FFUF on discovered hosts..."
cat web_scan.txt | grep "open" | awk '{print $2 ":" $3}' | tr -d "/tcp" | xargs -I {} ffuf -u "http://{}/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200

Usage: 

chmod +x nmap_ffuf.sh
./nmap_ffuf.sh target.com

Using FFUF with Metasploit

Why Integrate FFUF with Metasploit?

  • FFUF helps find hidden directories, admin panels, login pages, and APIs, while Metasploit can be used to exploit discovered vulnerabilities.
  • Automates the path from discovery to exploitation, saving time in penetration testing.
  • Useful for brute-forcing credentials, testing for exploits, and automating post-fuzzing attacks.

How to Integrate FFUF with Metasploit

Finding Hidden Admin Panels & Login Pages

  • First, use FFUF to find admin login panels and sensitive paths: 
ffuf -u "http://target.com/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/admin-panels.txt -mc 200

Explanation:

  • -u "http://target.com/FUZZ" → Fuzzes the target URL.
  • -w admin-panels.txt → Uses a wordlist for admin pages.
  • -mc 200 → Matches only valid responses (status code 200).

Brute-Forcing Login Credentials with Metasploit

  • Once an admin panel or login page is found (e.g., /admin/login.php), use Metasploit to brute-force credentials: 
msfconsole
use auxiliary/scanner/http/http_login
set RHOSTS target.com
set RPORT 80
set TARGETURI /admin/login.php
set USERNAME admin
set PASSWORD_FILE /usr/share/wordlists/rockyou.txt
run

Explanation:

  • set RHOSTS target.com → Sets the target host.
  • set TARGETURI /admin/login.php → Specifies the login page.
  • set PASSWORD_FILE rockyou.txt → Uses RockYou wordlist for password guessing.
  • run → Executes the brute-force attack.

Finding API Endpoints & Exploiting with Metasploit

  • Use FFUF to find API endpoints: 
ffuf -u "http://target.com/api/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt -mc 200
  • Once an API is discovered, check if it's vulnerable to SQL Injection, Command Injection, or File Upload attacks.

Example: Exploiting an API with SQL Injection (SQLi) in Metasploit 

msfconsole
use auxiliary/scanner/http/sqlmap
set RHOSTS target.com
set TARGETURI /api/vulnerable-endpoint
run

This automates SQL Injection testing on the found API!

Automating the Process with a Script

  • To automate FFUF + Metasploit, create a bash script: 
#!/bin/bash
TARGET=$1

echo "[*] Running FFUF to find admin panels..."
ffuf -u "http://$TARGET/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/admin-panels.txt -mc 200 -o admin_results.txt

ADMIN_PATH=$(cat admin_results.txt | grep -oE "/[a-zA-Z0-9/_-]+")
if [ -n "$ADMIN_PATH" ]; then
    echo "[*] Admin panel found at $ADMIN_PATH"
    echo "[*] Launching Metasploit brute-force attack..."
    msfconsole -q -x "use auxiliary/scanner/http/http_login; set RHOSTS $TARGET; set TARGETURI $ADMIN_PATH; set PASSWORD_FILE /usr/share/wordlists/rockyou.txt; run"
else
    echo "[!] No admin panel found."
fi

Usage: 

chmod +x ffuf_msf.sh
./ffuf_msf.sh target.com

Automating Fuzzing Workflows with FFUF

  • Saves time by automating repetitive fuzzing tasks.
  • Helps discover vulnerabilities faster without manual intervention.
  • Enables integration with other security tools like Nmap, Metasploit, and Burp Suite.
  • Supports batch processing for multiple targets.

🖥️ Bash Script for Automating FFUF

This Bash script automates:

  • Directory fuzzing
  • Subdomain enumeration
  • API endpoint discovery

Bash Script: ffuf_automation.sh

#!/bin/bash

# Check if a target is provided
if [ -z "$1" ]; then
    echo "Usage: $0 <target>"
    exit 1
fi

TARGET=$1

echo "[*] Starting automated fuzzing on $TARGET..."

# 1️⃣ **Fuzz directories and files**
echo "[*] Fuzzing directories..."
ffuf -u "http://$TARGET/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200 -o dirs.txt

# 2️⃣ **Fuzz subdomains**
echo "[*] Finding subdomains..."
ffuf -u "http://FUZZ.$TARGET" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc 200 -o subdomains.txt

# 3️⃣ **Fuzz API endpoints**
echo "[*] Fuzzing API endpoints..."
ffuf -u "http://$TARGET/api/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt -mc 200 -o apis.txt

echo "[*] Fuzzing complete! Check dirs.txt, subdomains.txt, and apis.txt for results."

Usage:

chmod +x ffuf_automation.sh
./ffuf_automation.sh example.com

Python Script for Automating FFUF

This Python script does the same but allows for:

  • Better error handling
  • Multi-threading for faster execution
  • JSON parsing of FFUF results

Python Script: ffuf_automation.py

import subprocess
import json
import sys

# Check if target is provided
if len(sys.argv) < 2:
    print("Usage: python ffuf_automation.py <target>")
    sys.exit(1)

TARGET = sys.argv[1]

# Define fuzzing tasks
tasks = {
    "directories": [f"http://{TARGET}/FUZZ", "/usr/share/seclists/Discovery/Web-Content/common.txt"],
    "subdomains": [f"http://FUZZ.{TARGET}", "/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt"],
    "api_endpoints": [f"http://{TARGET}/api/FUZZ", "/usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt"]
}

# Function to run FFUF and save results
def run_ffuf(name, url, wordlist):
    print(f"[*] Running FFUF for {name}...")
    cmd = [
        "ffuf",
        "-u", url,
        "-w", wordlist,
        "-mc", "200",
        "-o", f"{name}.json",
        "-of", "json"
    ]
    subprocess.run(cmd)
    print(f"[✔] {name.capitalize()} fuzzing complete! Results saved in {name}.json")

# Run fuzzing tasks
for task, params in tasks.items():
    run_ffuf(task, *params)

print("[✔] Fuzzing completed for all tasks! Check JSON files for results.")

Usage:

python3 ffuf_automation.py example.com