View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0005098 | Kali Linux | [All Projects] Queued Tool Addition | public | 2018-11-14 22:31 | 2020-11-11 23:50 |
| Reporter | joohoi | Assigned To | sbrun | ||
| Priority | normal | Severity | minor | Reproducibility | have not tried |
| Status | resolved | Resolution | fixed | ||
| Product Version | |||||
| Target Version | Fixed in Version | 2020.3 | |||
| Summary | 0005098: ffuf - a very fast webfuzzer written in Go | ||||
| Description | I would like to get ffuf included in Kali Linux to provide people easier access to it. Ffuf is a fast webfuzzer that combines the best parts of tools like wfuzz and gobuster into one. It has drastic speed improvements over even the fastest fuzzers / busters along with fine grained matcher / filter architecture. It aims to be intuitive to work with by using command line flags similar to tools like curl, gobuster and wfuzz. Ffuf allows the user to fuzz different parts of URL, including GET parameter names and values, HTTP headers and POST data. It should be easy to package for Kali, as the only dependency is Go 1.11 and no third party libraries are used starting from upcoming version v0.6. Go binaries can be easily crosscompiled (as no CGO libraries are used) for different architectures and platforms. Ffuf is available in GitHub at https://github.com/ffuf/ffuf/ | ||||
|
|
To help speed up the process of evaluating the tool, please make sure to include the following information (the more information you include, the more beneficial it will for us): - [Name] - The name of the tool - [Version] - What version of the tool should be added? --- If it uses source control (such as git), please make sure there is a release to match (e.g. git tag) - [Homepage] - Where can the tool be found online? Where to go to get more information? - [Download] - Where to go to get the tool? either a download page or a link to the latest version - [Author] - Who made the tool? - [Licence] - How is the software distributed? What conditions does it come with? - [Description] - What is the tool about? What does it do? - [Dependencies] - What is needed for the tool to work? - [Similar tools] - What other tools are out there? - [Activity] - When did the project start? Is is still actively being deployed? - [How to install] - How do you compile it? --- Note, using source code to acquire (e.g. git clone/svn checkout) can't be used - Also downloading from the head. Please use a "tag" or "release" version. - [How to use] - What are some basic commands/functions to demonstrate it? |
|
|
- [Name] - ffuf - [Version] - v0.6 - [Homepage] - https://github.com/ffuf/ffuf/ - [Download] - https://github.com/ffuf/ffuf/releases/latest - [Author] - Joona Hoikkala <joona@kuori.org> - [Licence] - MIT - [Description] - ffuf is a very fast webfuzzer that allows fuzzing of different parts of URL - including GET parameters, POST data and HTTP headers. - [Dependencies] - None (Go 1.11 for building the binary) - [Similar tools] - wfuzz - [Activity] - In very active development. First release 8.11.2018 - [How to install] - From source code: curl -LO https://github.com/ffuf/ffuf/archive/v0.6.zip && unzip v0.6.zip && cd ffuf-0.6 && go build - [How to install] - From prebuilt binary: curl -LO https://github.com/ffuf/ffuf/releases/download/v0.6/ffuf_0.6_linux_amd64.tar.gz && tar -zxf ffuf_0.6_linux_amd64.tar.gz - [How to use] - Basic resource discovery: ffuf -w /path/to/wordlist -u https://target/FUZZ GET parameter name fuzzing, filtering out responses of 4242 bytes: ffuf -w /path/to/paramnames_list -u https://target/script.php?FUZZ=test_value -fs 4242 HTTP header value fuzzing, colored output, filtering out responses that contain value "something" in data: ffuf -w /path/to/wordlist -u https://target/ -H "Headername: FUZZ" -c -fr "something" POST data fuzzing, colored output, matching output that contains "success" ffuf -w /path/to/passwordlist -X POST -u https://target/login.php -d "username=admin\&password=FUZZ" -c -mr "success" |
|
|
Oh, and when I say very fast, I mean statistics like gobuster (the fastest equivalent available) choking at 0000426:0000600 requests / second while ffuf is chugging away with around 7k req/sec if the target is able to respond that fast. The speed is affected by concurrent threads command line flag: -t |
|
|
Markup played a trick on me. it was supposed to be 600 requests / second. on the note above (instead of the internal link). |
|
|
Update: version 0.7 is out: - [Name] - ffuf - [Version] - v0.7 - [Homepage] - https://github.com/ffuf/ffuf/ - [Download] - https://github.com/ffuf/ffuf/releases/latest - [Author] - Joona Hoikkala <joona@kuori.org> - [Licence] - MIT - [Description] - ffuf is a very fast webfuzzer that allows fuzzing of different parts of URL - including GET parameters, POST data and HTTP headers. - [Dependencies] - None (Go 1.11 for building the binary) - [Similar tools] - wfuzz - [Activity] - In very active development. First release 8.11.2018 - [How to install] - From source code: curl -LO https://github.com/ffuf/ffuf/archive/v0.6.zip && unzip v0.6.zip && cd ffuf-0.6 && go build - [How to install] - From prebuilt binary: curl -LO https://github.com/ffuf/ffuf/releases/download/v0.6/ffuf_0.6_linux_amd64.tar.gz && tar -zxf ffuf_0.6_linux_amd64.tar.gz - [How to use] - Basic resource discovery: ffuf -w /path/to/wordlist -u https://target/FUZZ GET parameter name fuzzing, filtering out responses of 4242 bytes: ffuf -w /path/to/paramnames_list -u https://target/script.php?FUZZ=test_value -fs 4242 HTTP header value fuzzing, colored output, filtering out responses that contain value "something" in data: ffuf -w /path/to/wordlist -u https://target/ -H "Headername: FUZZ" -c -fr "something" POST data fuzzing, colored output, matching output that contains "success" ffuf -w /path/to/passwordlist -X POST -u https://target/login.php -d "username=admin\&password=FUZZ" -c -mr "success" |
|
|
Update: ffuf has seen a few releases since, currently 0.9 is the most recent one: - [Name] - ffuf - [Version] - v0.9 - [Homepage] - https://github.com/ffuf/ffuf/ - [Download] - https://github.com/ffuf/ffuf/releases/latest - [Author] - Joona Hoikkala <joona@kuori.org> - [Licence] - MIT - [Description] - ffuf is a very fast webfuzzer that allows fuzzing of different parts of URL - including GET parameters, POST data and HTTP headers. - [Dependencies] - None (Go 1.11 for building the binary) - [Similar tools] - wfuzz - [Activity] - In very active development. First release 8.11.2018 - [How to install] - From source code: curl -LO https://github.com/ffuf/ffuf/archive/v0.9.zip && unzip v0.9.zip && cd ffuf-0.9 && go build - [How to install] - From prebuilt binary: curl -LO https://github.com/ffuf/ffuf/releases/download/v0.9/ffuf_0.9_linux_amd64.tar.gz && tar -zxf ffuf_0.9_linux_amd64.tar.gz - [How to use] - Basic resource discovery: ffuf -w /path/to/wordlist -u https://target/FUZZ GET parameter name fuzzing, filtering out responses of 4242 bytes: ffuf -w /path/to/paramnames_list -u https://target/script.php?FUZZ=test_value -fs 4242 HTTP header value fuzzing, colored output, filtering out responses that contain value "something" in data: ffuf -w /path/to/wordlist -u https://target/ -H "Headername: FUZZ" -c -fr "something" POST data fuzzing, colored output, matching output that contains "success" ffuf -w /path/to/passwordlist -X POST -u https://target/login.php -d "username=admin\&password=FUZZ" -c -mr "success" |
|
|
Do you wish me to post a new note with updated information for each release during the evaluation process (before this is closed or accepted) @g0tmi1k ? |
|
|
@kali-team, please could this be packaged up. @author, If you want to help the packaging process, you can check the documentation here ~ https://www.kali.org/docs/development/public-packaging |
|
|
Update: version 1.0 released. - [Name] - ffuf - [Version] - v1.0 - [Homepage] - https://github.com/ffuf/ffuf/ - [Download] - https://github.com/ffuf/ffuf/releases/latest - [Author] - Joona Hoikkala <joona@kuori.org> - [Licence] - MIT - [Description] - ffuf is a very fast webfuzzer that allows fuzzing of different parts of URL - including GET parameters, POST data and HTTP headers. - [Dependencies] - None (Go 1.11 for building the binary) - [Similar tools] - wfuzz - [Activity] - In very active development. First release 8.11.2018 - [How to install] - From source code: curl -LO https://github.com/ffuf/ffuf/archive/v1.0.zip && unzip v1.0.zip && cd ffuf-1.0 && go build - [How to install] - From prebuilt binary: curl -LO https://github.com/ffuf/ffuf/releases/download/v1.0/ffuf_1.0_linux_amd64.tar.gz && tar -zxvf ffuf_1.0_linux_amd64.tar.gz - [How to use] - Basic resource discovery: ffuf -w /path/to/wordlist -u https://target/FUZZ GET parameter name fuzzing, filtering out responses of 4242 bytes: ffuf -w /path/to/paramnames_list -u https://target/script.php?FUZZ=test_value -fs 4242 HTTP header value fuzzing, colored output, filtering out responses that contain value "something" in data: ffuf -w /path/to/wordlist -u https://target/ -H "Headername: FUZZ" -c -fr "something" POST data fuzzing, colored output, matching output that contains "success" ffuf -w /path/to/passwordlist -X POST -u https://target/login.php -d "username=admin\&password=FUZZ" -c -mr "success" |
|
|
About helping with packaging: I'll look into the documentation and see what I can do. |
|
|
the package has been introduced in Debian. Version 1.0.2-2 is now in kali. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2018-11-14 22:31 | joohoi | New Issue | |
| 2018-11-15 08:22 | g0tmi1k | Note Added: 0009948 | |
| 2018-11-15 09:19 | joohoi | Note Added: 0009949 | |
| 2018-11-15 09:32 | joohoi | Note Added: 0009950 | |
| 2018-11-15 09:34 | joohoi | Note Added: 0009951 | |
| 2018-12-05 23:32 | joohoi | Note Added: 0010079 | |
| 2019-04-27 08:13 | joohoi | Note Added: 0010538 | |
| 2019-04-29 15:45 | joohoi | Note Added: 0010542 | |
| 2019-10-28 13:32 | g0tmi1k | Note Added: 0011238 | |
| 2019-10-28 13:33 | g0tmi1k | Category | New Tool Requests => Queued Tool Addition |
| 2019-10-28 16:01 | g0tmi1k | Severity | minor => feature |
| 2019-10-28 16:01 | g0tmi1k | Status | new => assigned |
| 2019-10-28 16:03 | g0tmi1k | Product Version | kali-dev => |
| 2020-01-06 13:07 | g0tmi1k | Status | assigned => acknowledged |
| 2020-01-06 13:19 | g0tmi1k | Note Edited: 0011238 | View Revisions |
| 2020-01-31 13:14 | joohoi | Note Added: 0011991 | |
| 2020-01-31 13:15 | joohoi | Note Added: 0011992 | |
| 2020-06-17 14:57 | g0tmi1k | Severity | feature => minor |
| 2020-07-30 12:00 | sbrun | Assigned To | => sbrun |
| 2020-07-30 12:00 | sbrun | Status | acknowledged => resolved |
| 2020-07-30 12:00 | sbrun | Resolution | open => fixed |
| 2020-07-30 12:00 | sbrun | Note Added: 0013154 | |
| 2020-11-11 23:50 | g0tmi1k | Fixed in Version | => 2020.3 |