If you were annoyed by the recent multi-lines output bug in #ffuf in your #pentests and #bugbounty engagements, I've just fixed it: https://github.com/ffuf/ffuf/pull/656
It's not yet merged, but in the meantime you can apply the patch locally and recompile ffuf if needed!
Have you ever wanted to run FFUF or some other tool over proxychains and found that it just did not work?
Try setting up a proxy in a proxy as follows:
# Setup Dynamic Port Forwarding
sudo ssh -p 22 -N -D 127.0.0.1:9052 user@target -o "UserKnownHostsFile=/dev/null"
# ensure Proxychains points to our Port
# (verify Proxy DNS requirements and adjust on/off)
# socks5 127.0.0.1 9052
sudo vi /etc/proxychains4.conf
# Install Proxy.py https://pypi.org/project/proxy.py/
pip install proxy.py
# Run proxy.py over proxychains
$ proxychains proxy
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
2023-02-04 16:39:14,593 - pid:199836 [I] plugins.load:85 - Loaded plugin proxy.http.proxy.HttpProxyPlugin
2023-02-04 16:39:14,594 - pid:199836 [I] tcp.listen:80 - Listening on 127.0.0.1:8899
2023-02-04 16:39:14,604 - pid:199836 [I] pool.setup:105 - Started 2 acceptors in threadless (local) mode
# Use FFUF over proxy.py over proxychains
$ ffuf -x http://127.0.0.1:8899 -w /usr/share/wordlists/rockyou.txt -u http://localhost/login.php -X POST -H "Cookie: test_cookie=Cookie+check" -H "Content-Type: application/x-www-form-urlencoded" -d "log=admin&pwd=FUZZ"
ffuf (Fuzz Faster U Fool)
Fast web fuzzer written in Go that allows typical directory discovery, virtual host discovery (without DNS records) and GET and POST parameter fuzzing
GitHub link:
https://github.com/ffuf/ffuf
Resources
Comprehensive Guide on ffuf
https://www.hackingarticles.in/comprehensive-guide-on-ffuf/
How to Fuzz Web Applications using FFuf - Web Security Tutorial
https://www.freecodecamp.org/news/web-security-fuzz-web-applications-using-ffuf/
Top 25 Example Usage of ffuf Web Fuzzer
https://allabouttesting.org/top-25-example-usage-of-ffuf-web-fuzzer/
HOW TO FIND ZERO-DAY VULNERABILITIES WITH ffuf
https://www.securitynewspaper.com/2022/06/11/how-to-find-zero-day-vulnerabilities-with-fuzz-faster-u-fool-ffuf-detailed-free-fuzzing-tool-tutorial/
#infosec #ffuf #pentesting #bugbounty #bugbountytip #redteamtip #zeroday #kalilinux
Just published part 3 of my blog series on #Java #Spring Actuators - today, I'm discussing how to find exposed Actuators using dynamic testing with my favorite swiss army knife for web security tests: ffuf.
If you missed the previous articles or don't know what I am talking about: In part 1, I discuss why Spring Actuators can be dangerous if you inadvertently expose them to the internet (https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators), and in part 2 I show you how to use #semgrep to analyze your code for common misconfigurations related to them (https://blog.maass.xyz/spring-actuator-security-part-2-finding-actuators-using-static-code-analysis-with-semgrep). This third article rounds out the attacker side with a look at dynamic testing using #ffuf. Now, on to writing a final article from the perspective of the defender.
#java #spring #semgrep #ffuf #security #bugbounty #redteam
#ffuf - Fuzz Faster U Fool on multiple hosts
for i in $(cat urls.txt); do ffuf -u "$i/FUZZ" -w wordlist.txt -mc 200,302,401 -se; done
Pro Tip: If you are not finding any valid endpoints, try within a discovered path adding ..;/ to the url.
i.e. http://site.tld/somedir/..;/FUZZ
#bypass #payloads https://github.com/aufzayed/bugbounty/blob/main/403-bypass/403_url_payloads.txt
#ffuf #bugbounty #bugbountytips #fuzzing #owasp #recon #osint #bypass #payloads
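Added example, not part of the post above and not code from ffuf or the linked payload list: a log check a defender can run to spot requests that use the `..;/` path segment mentioned in the tip. The access-log lines are constructed, and the function names and regexes are this example's own.

```python
import re
from urllib.parse import unquote

# Request line and status inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# A ".." path segment that carries a path parameter (";..."). A back end that
# strips path parameters resolves it as "..", while a front-end proxy or ACL
# may see "..;" as an ordinary directory name, so the two disagree on the path.
DOTDOT_PARAM_RE = re.compile(r'(?:^|/)\.\.;[^/]*(?:/|$)')

def decode_path(target, rounds=2):
    """Drop the query string and undo up to `rounds` layers of percent-encoding."""
    path = target.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def find_dotdot_param_requests(lines):
    """Return (client, status, raw target) for every request with a '..;' segment."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and DOTDOT_PARAM_RE.search(decode_path(m.group("target"))):
            hits.append((line.split()[0], m.group("status"), m.group("target")))
    return hits

def served_hits(hits):
    """Hits answered with a non-4xx/5xx status: the ones to review first."""
    return [h for h in hits if h[1][0] in "123"]

# Constructed sample log lines (documentation IP ranges, invented paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Feb/2023:16:40:01 +0000] "GET /somedir/..;/admin HTTP/1.1" 200 512 "-" "t"',
    '203.0.113.7 - - [04/Feb/2023:16:40:02 +0000] "GET /somedir/%2e%2e%3b/health HTTP/1.1" 404 0 "-" "t"',
    '198.51.100.4 - - [04/Feb/2023:16:40:03 +0000] "GET /docs/v1..;x/index.html HTTP/1.1" 200 90 "-" "t"',
    '198.51.100.4 - - [04/Feb/2023:16:40:04 +0000] "GET /app;jsessionid=abc/home?next=/..;/x HTTP/1.1" 200 90 "-" "t"',
]

if __name__ == "__main__":
    for client, status, target in find_dotdot_param_requests(SAMPLE_LOG):
        print(client, status, target)
```

The last two sample lines are deliberately benign: a file name containing `..;` and a `..;/` that only appears in the query string are not reported.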
RT @ReconOne_bk@twitter.com
ffuf is used by hundreds of people
But only a few use the tool effectively.
Here are 9 tips you want to know right away
#bugbountytips #bugbounty #recon #ffuf
https://twitter.com/ReconOne_bk/status/1571803971030761473