Ffuf - Fuzz faster you fool#
| Original author | Sara Jokela |
| Last checked by | - |
| Status | In progress |
| Last updated | 19.5.2025 |
Overview#
Ffuf is an open source web fuzzer written in Go. It is designed to be faster than other web fuzzers. Ffuf can be used to discover items and content in web applications. It can also fuzz e.g. parameters and POST data in order to find vulnerabilities and other weaknesses. Unlike some other fuzzers, Ffuf does not generate or mutate inputs: it relies on wordlists, and it inserts each entry into the request verbatim, without encoding it. Ffuf is a command line application and is run with a single command.
Requirements & environment#
- Building Ffuf from source requires Go 1.16 or later
- Ffuf can be run on Linux, Windows and macOS systems
Installation#
On any system with Go installed (Linux, Windows or macOS), you can build Ffuf from source with
git clone https://github.com/ffuf/ffuf ; cd ffuf ; go get ; go build
or install the latest release with
go install github.com/ffuf/ffuf/v2@latest
or you can download & unpack a prebuilt binary from https://github.com/ffuf/ffuf/releases .
On macOS, Homebrew also packages it:
brew install ffuf
Fuzzing PrestaShop web API with Ffuf#
Even though Ffuf can be used widely for web fuzzing, this guide focuses on fuzzing PrestaShop's webservice API. Always remember that you must only fuzz targets that you have permission to test! Use fuzzers only in a test environment, never in production: fuzzing a write-capable API creates and modifies shop data.
Prerequisites#
- PrestaShop v1.7.8 - Installed locally on Kali Linux v6.11
- Before testing, familiarize yourself with the PrestaShop webservice documentation.
- Read also about the different API endpoints (resources) that PrestaShop has. You should have a general idea of what kind of data each resource holds.
- Check what kind of wordlists already exist and whether you can use some of them. SecLists has lots of useful wordlists.
- Note that PrestaShop has many endpoints and countless options to fuzz. Fuzzing is time consuming, so prioritize what to test.
Setting up PrestaShop webservice#
You have to enable PrestaShop's webservice and add at least one access key. You can follow Presta's guide. For testing purposes you can add one key with lots of permissions. Keep in mind that this is bad practice and must not be done in a production environment!
After enabling webservice and creating an access key, confirm everything works by going to https://yoursitehere/api/ .
The site will prompt username and password. Use your access key as username and leave password blank.
If everything works, you can start testing. Note that the access key has to be part of every fuzzing request. Either embed it in the URL as the HTTP Basic auth user name,
https://<youraccesskey>@<yoursite>.com/api
or pass it as the ws_key query parameter,
https://<yoursite>.com/api/?ws_key=<youraccesskey>
depending on what you are fuzzing (the second form is the one to use when the key itself is the fuzzed value). A key placed in the URL ends up in your shell history and in proxy and server logs; if you prefer, send it as a header instead with -H "Authorization: Basic <base64 of youraccesskey:>" (user name is the key, password is empty).
Fuzzing examples#
The basic command to run Ffuf is
ffuf -w yourwordlist -u https://<yoursite>/FUZZ
- -w is your wordlist or the path to it
- -u is the URL of your site
- The keyword FUZZ marks where each wordlist entry is placed
Ffuf prints the results to the console. If you want to save the results to a file as well, add
- -o yourfilename.json
- -of md (or csv, html, ejson, ecsv, all) to choose the output format; the default is json regardless of the file extension
Your fuzz tests can produce lots of HTTP status codes that you are not interested in. By default Ffuf shows responses with status 200-299, 301, 302, 307, 401, 403, 405 and 500. You can filter codes out, or match only the codes you want to see. For example, to filter out HTTP status code 401, add
- -fc 401
To match only HTTP status code 200, add
- -mc 200
When many inputs return the same generic page with the same status code, filter on response size or word count instead (e.g. -fs 512 or -fw 40), or let Ffuf measure the baseline itself with -ac.
To demonstrate the basic command, let's discover what endpoints the Presta API exposes. The SecLists wordlist api-endpoints-res.txt was chosen for this test.
ffuf -w SecLists-master/Discovery/Web-Content/api/api-endpoints-res.txt -u https://yourkeyhere@yoururlhere/api/FUZZ -o results.json -mc 200
Note that -mc 200 also hides 401 and 403 responses, which would tell you that a resource exists but the key has no permission for it.

The output lists the endpoints that Ffuf discovered. Check whether something is exposed that should not be, or that could be exploited.
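Reading results.json by hand gets tedious once a wordlist produces a few hundred hits. As an added example (not part of the original guide, and not code shipped with Ffuf), the following Python script triages the JSON file written by -o: it groups hits by status and response length, flags the inputs whose response nobody else shares, and proposes -fs values for the next run. The field names (results, input, status, length, words, lines, url) are the ones Ffuf writes; the sample document embedded in the script is constructed to look like a discovery run against /api/FUZZ and is not real PrestaShop output.

```python
"""Triage an ffuf JSON result file (ffuf ... -o results.json).

Added example, not from the guide or from ffuf. Groups hits by
(status, length): identical bodies are usually one generic page, while a
response nobody else shares is worth opening by hand.
"""
import json
from collections import Counter, defaultdict

# Constructed sample in ffuf's JSON layout, trimmed to the fields used here.
# Not real PrestaShop output.
SAMPLE_RESULTS_JSON = json.dumps({
    "commandline": "ffuf -w api-endpoints-res.txt -u https://shop.test/api/FUZZ -o results.json",
    "results": [
        {"input": {"FUZZ": "customers"},      "status": 200, "length": 4120, "words": 410, "lines": 62,  "url": "https://shop.test/api/customers"},
        {"input": {"FUZZ": "orders"},         "status": 200, "length": 2210, "words": 230, "lines": 41,  "url": "https://shop.test/api/orders"},
        {"input": {"FUZZ": "addresses"},      "status": 200, "length": 1830, "words": 190, "lines": 35,  "url": "https://shop.test/api/addresses"},
        {"input": {"FUZZ": "configurations"}, "status": 200, "length": 9750, "words": 900, "lines": 150, "url": "https://shop.test/api/configurations"},
        {"input": {"FUZZ": "employees"},      "status": 401, "length": 512,  "words": 40,  "lines": 10,  "url": "https://shop.test/api/employees"},
        {"input": {"FUZZ": "shops"},          "status": 401, "length": 512,  "words": 40,  "lines": 10,  "url": "https://shop.test/api/shops"},
    ],
})


def load_results(text):
    """The hits live under the top-level "results" array."""
    return json.loads(text)["results"]


def status_counts(results):
    """Hits per status code: shows which -mc / -fc values are worth adjusting."""
    return dict(Counter(r["status"] for r in results))


def group_by_signature(results):
    """Map (status, length) -> list of FUZZ inputs that produced it."""
    groups = defaultdict(list)
    for r in results:
        groups[(r["status"], r["length"])].append(r["input"]["FUZZ"])
    return dict(groups)


def suggest_size_filters(results, min_hits=2):
    """Lengths shared by several inputs: candidates for -fs on the next run."""
    counts = Counter(r["length"] for r in results)
    return sorted(length for length, n in counts.items() if n >= min_hits)


def distinct_hits(results):
    """Inputs whose (status, length) signature no other input shares."""
    groups = group_by_signature(results)
    return sorted(w for ws in groups.values() if len(ws) == 1 for w in ws)


def report(text):
    """Human-readable summary of one result file."""
    results = load_results(text)
    lines = [f"hits: {len(results)}  by status: {status_counts(results)}"]
    for (status, length), words in sorted(group_by_signature(results).items()):
        lines.append(f"{status} {length:>6}B  {', '.join(words)}")
    sizes = suggest_size_filters(results)
    if sizes:
        lines.append("next run: -fs " + ",".join(map(str, sizes)))
    return "\n".join(lines)


if __name__ == "__main__":
    # Replace SAMPLE_RESULTS_JSON with open("results.json").read() for a real run.
    print(report(SAMPLE_RESULTS_JSON))
```

In the sample the two 401 responses have the same 512-byte body, so the script proposes -fs 512, which removes the generic "unauthorized" page without hiding an unexpected 401 of a different size.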
Fuzzing the access key#
It is a good idea to create a wordlist that contains variations of the correct access key (e.g. different encodings, too long or too short, special characters, whitespace). You should also use some of the SecLists wordlists, for example to test the access key parameter with SQLi and other malicious payloads, extremely long random strings and so on.
Use the command:
ffuf -w yourwordlisthere -u https://yoursitehere/api/?ws_key=FUZZ

Rejected keys should all come back with the same status code (401) and a near-identical body, so -fc 401, or -fs on that body size, leaves only the interesting responses. From those we can observe whether any of the improper inputs leads to gaining access, or to other problematic behaviour such as a response that differs from the one a plainly wrong key gets.
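An added example, not from the guide or from PrestaShop: a Python script that derives such a wordlist from one known-good key. TEST_KEY is a constructed placeholder shaped like a real key; substitute your own test key. Because Ffuf inserts each line into the URL verbatim, variants that contain control characters or query metacharacters are emitted percent-encoded only, while plain mutations (case, length, whitespace) are emitted raw.

```python
"""Build a wordlist of access-key variants for
    ffuf -w ws_key_variants.txt -u "https://<yoursite>/api/?ws_key=FUZZ"

Added example, not from the guide or from PrestaShop. TEST_KEY is a
constructed placeholder shaped like a real key (32 upper-case alphanumerics).
"""
import base64
import urllib.parse

TEST_KEY = "CONSTRUCTEDKEYDONOTUSE0123456789"  # constructed placeholder, not a real key


def pct(s):
    """Percent-encode everything but unreserved characters (safe='' encodes '/' too)."""
    return urllib.parse.quote(s, safe="")


def is_wordlist_safe(entry):
    """Wordlists are one entry per line, so an entry cannot contain a line break."""
    return "\n" not in entry and "\r" not in entry


def key_variants(key):
    """Ordered, de-duplicated ws_key candidates derived from one valid key.

    Ffuf inserts each line into the URL verbatim, without encoding, so
    variants containing control characters or query metacharacters are
    only emitted percent-encoded; plain mutations are emitted raw.
    """
    shape = [
        key,                    # control: the correct key must still be accepted
        key.lower(),            # case folding
        key[:-1],               # one character short
        key[: len(key) // 2],   # half the key
        key + "A",              # one character long
        key * 2,                # doubled
        key[::-1],              # reversed
        " " + key, key + " ",   # a raw space is still a legal query string
    ]
    # Control bytes, quotes and query metacharacters: only the percent-encoded
    # form is both a valid URL and a single wordlist line.
    padded = [
        key + "\t", key + "\n", key + "\r\n", key + "\x00", "\x00" + key,
        key + "#", key + "&ws_key=" + key, key + "'", key + '"', key + "%",
    ]
    encoded = [
        pct(pct(key + " ")),                           # double-encoded trailing space
        base64.b64encode(key.encode()).decode(),       # base64 of the key
        key.encode().hex(),                            # hex of the key
        "".join("%%%02X" % b for b in key.encode()),   # every byte percent-encoded
        "A" * 1024,                                    # long input from the key's alphabet
    ]
    out, seen = [], set()
    for cand in shape + [pct(p) for p in padded] + encoded:
        if cand in seen or not is_wordlist_safe(cand):
            continue
        seen.add(cand)
        out.append(cand)
    return out


def write_wordlist(path, entries):
    """One candidate per line, ready for ffuf -w."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(entries) + "\n")


if __name__ == "__main__":
    variants = key_variants(TEST_KEY)
    write_wordlist("ws_key_variants.txt", variants)
    print(f"wrote {len(variants)} candidates; first three: {variants[:3]}")
```

The first line of the generated list is the unmodified key, which acts as a control: if that request does not succeed, the URL or the key is wrong and the rest of the run is meaningless.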
Fuzzing API endpoint data#
This is an example of fuzzing the Customers resource. Start by preparing an XML body. PrestaShop returns the blank template for a resource with GET /api/customers?schema=blank (and the field types with ?schema=synopsis). For the Customer resource even the blank schema is long, so it is shortened in this guide.
<prestashop xmlns:xlink="http://www.w3.org/1999/xlink">
<customer>
<id></id>
<passwd></passwd>
<lastname></lastname>
<firstname></firstname>
<email></email>
</customer>
</prestashop>
- The data each tag expects is described in PrestaShop's documentation. Use that to decide which wordlists to choose. This test focuses on the email tag.
- Note that Ffuf can also be used for brute forcing credentials or for testing e.g. SQLi with designated wordlists.
Add the keyword FUZZ inside email tag.
<prestashop xmlns:xlink="http://www.w3.org/1999/xlink">
<customer>
<id></id>
<passwd></passwd>
<lastname></lastname>
<firstname></firstname>
<email>FUZZ</email>
</customer>
</prestashop>
We will use SecLists big-list-of-naughty-strings.txt for this. This wordlist can reveal input validation errors, injections, overflows etc. Keep in mind that many of its entries contain XML metacharacters (<, &), so the body is no longer well-formed XML and the response then tells you about PrestaShop's XML parsing rather than about its email validation. If the copy of the wordlist you use contains comment lines starting with #, add -ic so Ffuf skips them. Now, prepare the command:
ffuf -w SecLists-master/Fuzzing/big-list-of-naughty-strings.txt -u https://yourkeyhere@youraddresshere/api/customers -X POST -H "Content-Type: application/xml" -d '<prestashop xmlns:xlink="http://www.w3.org/1999/xlink">
<customer>
<id></id>
<passwd></passwd>
<lastname></lastname>
<firstname></firstname>
<email>FUZZ</email>
</customer>
</prestashop>' -o results.txt
- Remember to use the correct URL! In this example, /api/customers .
- -X POST defines that we want to use the POST method
- -H is used to define headers. Since we are sending XML data, do not forget "Content-Type: application/xml"
- -d defines the actual POST data that we want to send; the FUZZ keyword inside it is replaced by each wordlist entry without any escaping
- -o results.txt still writes JSON; add -of md if you want a readable file
- Every request the API accepts creates a customer in the test shop (PrestaShop answers 201 Created), so count and clean up the customers afterwards; the accepted requests also differ in size from the 400 and 500 error responses, which is a useful thing to filter on
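Raw naughty strings and XML-escaped ones test two different things: a raw entry containing < or & breaks the document and exercises PrestaShop's XML parser, while the escaped copy of the same entry is delivered to the application as a literal value and exercises the email validation. An added example, not from the guide or from PrestaShop, the Python script below builds both wordlists from a constructed stand-in for a few lines of big-list-of-naughty-strings.txt, drops entries XML 1.0 cannot carry at all, and shows what an XML parser actually hands the application for each entry.

```python
"""Prepare naughty-strings wordlists for fuzzing a value inside an XML body.

Added example, not from the guide or from PrestaShop. SAMPLE_NAUGHTY is a
constructed stand-in for a few lines of SecLists' big-list-of-naughty-strings.txt.
"""
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Constructed sample lines, not the real wordlist.
SAMPLE_NAUGHTY = [
    "# comment line, as found in some wordlists",
    "undefined",
    "<script>alert(1)</script>",
    "Roses are \x1b[0;31mred\x1b[0m",      # ESC is not allowed in XML 1.0, escaped or not
    "' OR '1'='1",
    'a@b.c&d',
    "x</email><firstname>y</firstname><email>z",   # closes the tag and injects a sibling
    "日本語@example.com",
]

# The shortened Customer body from the guide, with FUZZ in the email tag.
CUSTOMER_TEMPLATE = """<prestashop xmlns:xlink="http://www.w3.org/1999/xlink">
<customer>
<id></id>
<passwd></passwd>
<lastname></lastname>
<firstname></firstname>
<email>FUZZ</email>
</customer>
</prestashop>"""


def xml_safe(entry):
    """Escape &, <, > and " so the entry lands in the tag as character data."""
    return escape(entry, {'"': "&quot;"})


def is_xml_legal(entry):
    """XML 1.0 forbids C0 control characters other than tab, LF and CR."""
    return all(ch in "\t\n\r" or ord(ch) >= 0x20 for ch in entry)


def build_wordlist(entries, ignore_comments=True):
    """Return (escaped, raw): escaped entries keep the body well-formed, raw
    copies are kept only where escaping changed something (metacharacters)."""
    escaped, raw = [], []
    for entry in entries:
        if ignore_comments and entry.startswith("#"):
            continue  # same effect as ffuf -ic
        if not is_xml_legal(entry):
            continue  # the server's XML parser would reject it before any validation ran
        safe = xml_safe(entry)
        escaped.append(safe)
        if safe != entry:
            raw.append(entry)
    return escaped, raw


def email_as_parsed(entry):
    """What an XML parser hands the application for <email> after substituting
    entry into the body; None if the body is no longer well-formed."""
    try:
        root = ET.fromstring(CUSTOMER_TEMPLATE.replace("FUZZ", entry))
    except ET.ParseError:
        return None
    return [e.text or "" for e in root.iter("email")]


def write_wordlists(entries, escaped_path="email_escaped.txt", raw_path="email_raw.txt"):
    """Write both lists, one entry per line, for two separate ffuf runs."""
    escaped, raw = build_wordlist(entries)
    for path, items in ((escaped_path, escaped), (raw_path, raw)):
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("\n".join(items) + "\n")
    return len(escaped), len(raw)


if __name__ == "__main__":
    n_escaped, n_raw = write_wordlists(SAMPLE_NAUGHTY)
    print(f"escaped: {n_escaped} entries, raw: {n_raw} entries")
    for entry in ("a@b.c&d", "x</email><firstname>y</firstname><email>z"):
        print(repr(entry), "->", email_as_parsed(entry))
```

The injection line is the instructive case: the raw body is still well-formed, so the parser reports two email elements and the application sees "z" as the e-mail address, which no error-code filter will flag. Run the escaped list first with -ac to learn the baseline for rejected addresses, then the raw list, and diff the two result files.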
