Ethical Hacking: Active Recon – Fuzzing Web Applications Using the FFUF Fuzzer

Introducing Web Application Reconnaissance and Fuzzing

Web application reconnaissance is the explorative and information-gathering phase that generally occurs prior to hacking a web application. Web application reconnaissance is typically performed by penetration testers and bug bounty hunters, but can also be an effective way for software developers and engineers to find vulnerabilities and misconfigurations in a web application. The goal is to fix these security issues before a malicious threat actor finds them.

As you progress through this lab, you will learn how to build up a map and attack plan that represents the structure, organization, and functionality of a web application. With time, you will develop your own techniques and your own methods of recording and organizing the information you find as you become more proficient at web application reconnaissance.

Components of a Modern Web Application

The tools, frameworks, and architectures available for building web applications have advanced significantly in the last few years. Historically, web applications were built using server-side frameworks that rendered an HTML/JS/CSS page that would then be sent to the client. When the web client needed an update, it would simply request another page from the server to be rendered and “piped” over HTTP. Web applications then began to use HTTP more frequently with the rise of Ajax (asynchronous JavaScript and XML), allowing network requests to be made from within a page session via JavaScript.

Fast-forward several years and today many applications are represented as two or more microservices communicating via a network protocol, versus a single monolithic application. This is one major architectural difference between the web applications of today and the web applications of years ago. Modern web applications are comprised of several microservices connected with one or more Representational State Transfer (REST) APIs.

Many client (UI) applications run in the browser in somewhat similar ways to a traditional desktop application. These client applications manage their own life cycle loops, request their own data, and do not require a page reload after the initial bootstrap is complete.

The average modern-day web application often uses one or more of the following technologies:

  • REST APIs
  • JSON or XML
  • JavaScript
  • SPA framework (React, Vue, EmberJS, AngularJS)
  • An authentication and authorization system
  • One or more web servers (typically on a Linux server)
  • One or more web server software packages (ExpressJS, Apache, NginX)
  • One or more databases (MySQL, MongoDB, etc.)
  • A local data store on the client (cookies, web storage, IndexDB)

What is Web Application Reconnaissance?

In short, web application reconnaissance (recon) is the act of finding interesting directories, files, frameworks, API endpoints, and any other underlying construct of a web application.

What is Fuzzing?

Fuzz testing or Fuzzing is a testing technique that is used to find input validation vulnerabilities and other implementation bugs using malformed or semi-malformed data injection in an automated fashion. A “fuzzer” is a piece of software that is used to perform the aforementioned techniques to find input validation issues, but they can also be used for recon.

The following are the three generic categories of fuzzers:

  • generation-based: the fuzzer generates inputs from scratch.
  • mutation-based: the fuzzer leverages an existing corpus of seed inputs.
  • evolutionary: allows the fuzzer to use feedback from each test case to learn the format of the input over time.

Fuzzing Vectors and Wordlists

What is a wordlist? A wordlist is a text file containing a collection of words to use in different attacks including, but not limited to password cracking, recon, and fuzzing.

The following references are provided as input sources for fuzzing and related testing activities.

Introducing ffuf

ffuf or “Fuzz Faster U Fool” is a web application fuzzer written in Go. It is a very popular tool among penetration testers, ethical hackers, and bug hunters to perform web application reconnaissance.

In the next section, you will learn how to install ffuf.

Installing the ffuf Fuzzer

If you already have Go installed, the easiest option to install ffuf is to use the following command:

go get -u github.com/ffuf/ffuf

NOTE: We already have Go installed in the O’Reilly Katacoda environment.

ffuf should now be installed in the system. Execute the following command to see the installed version of ffuf:

ffuf -V

Accessing the Source Code

You can access the ffuf fuzzer source code at the following GitHub repository: https://github.com/ffuf/ffuf

Alternatively, you can install ffuf using the following steps:

  1. Clone the repository: git clone https://github.com/ffuf/ffuf
  2. Navigate to the ffuf directory: cd ffuf
  3. Execute go get && go build

Pre-built Binaries

You can also use any of the pre-built binaries from the ffuf GitHub repository release page

In the following section, you will learn how to find directories and files in a web application or website using ffuf.

Finding Directories and Files using ffuf

The following is the topology used in this lab.

┌──────────────┐
│              │
│  Attacker    ├───────┐
│              │       │
└──────────────┘       │
                       │
                       ├──── Gateway ───── Internet
┌──────────────┐       │     10.6.6.1
│              │.8     │
│   Victim     ├───────┘
│              │
└──────────────┘

The target web application (Victim) is running on a container named “unsc_infinity” configured with the IP address 10.6.6.8.

Use the docker ps --format "table {{.Names}}\t{{.Status}}" command to verify that the container is running.

Downloading the wordlist

As mentioned in Step 1ffuf uses wordlists to discover directories and files, as well as to fuzz a web application. Let’s download a common wordlist from https://hackingscenarios.com to enumerate directories in the target web application.

wget https://hackingscenarios.com/wordlists/dir_enum

Directory and File Enumeration

Use the following command to enumerate directories and files in the target web application.

ffuf -w dir_enum -u http://10.6.6.8/FUZZ

The -w option is used to specify the wordlist (dir_enum) and the -u option is used to specify the URL of the target application. You must include the FUZZ keyword wherever you would like the fuzzer to iterate through the words in the wordlists and find directories or files.

Once the ffuf fuzzer finished the discovery:

  • What directories and files were you able to discover?
  • Did you find the API?
  • What about the admin and login pages?

Recursion

The ffuf tool supports recursion to find additional files and directories under the discovered directories. For instance, you probably found the /admin directory. In order for you to find additional subdirectories, you will need to execute the following command:

ffuf -w dir_enum -u http://10.6.6.8/admin/FUZZ

Unfortunately, this doesn’t scale. During a penetration test or a bug hunting exercise, you may find dozens of directories. By using -recursion ffuf will try to find additional directories or files using the path of all discovered directories. You can also set the -recursion-depth to tell ffuf how many times to perform this action.

Run the following command to perform recursion:

ffuf -w dir_enum -u http://10.6.6.8/FUZZ -recursion

Additional Wordlists

In Step 1, you learned about additional sources where you can obtain wordlists for fuzzing, password cracking, and recon. One of the most comprehensive repositories of wordlists and payloads in SecLists.

  • Clone the repository with the following command: git clone --depth 1 https://github.com/danielmiessler/SecLists.git
  • Change to the SecLists directory: cd SecLists
  • Use ffuf with one or more of the wordlists included in the SecLists directory.
  • cd ~ back into the home directory to continue with the scenario.

In the next step, you will learn how to fuzz multiple locations.

Fuzzing Multiple Locations

The ffuf fuzzer only looks for a single location (where you put the word FUZZ) by default. However, you can fuzz multiple locations and even use multiple wordlists.

You can use the arguments W1W2, etc. to specify one or more wordlists in different URI locations, as demonstrated below:

ffuf -w ~/dir_enum:W1 -u http://10.6.6.8/W1

Execute the following command to use multiple wordlists:

ffuf -w /root/dir_enum:W1,/root/SecLists/Discovery/Web-Content/dirsearch.txt:W2 -u http://10.6.6.8/W1/W2

The first wordlist is the file you downloaded from https://hackingscenarios.com (/root/dir_enum) and the second is located in the /root/SecLists directory (the previously cloned repository).

Automating the scan of multiple domains or IP addresses

You can also create a wordlist with numerous domains or IP addresses of target applications and run ffuf as demonstrated below:

ffuf -u https://W2/W1 -w dir_enum:W1,domains.txt:W2

This tells ffuf to scan each of the domains in the domains.txt file using the wordlist dir_enum.

Saving the output to a JSON file

The -o option allows you to send the output to a JSON file (out.json in the example below).

ffuf -w dir_enum -u http://10.6.6.8/FUZZ -o out.json

Execute the following command to verify the new file:

cat out.json

In the next section, you will learn how to handle authentication in the web application.

Handling Authentication

Cookies

The -b option allows you to pass cookie data in the following format:

"NAME1=VALUE1; NAME2=VALUE2"

These options/values are not limited to authentication based cookies. Any elements of the cookie can also be fuzzed with a wordlist for additional discovery.

Header-Based Authentication

You can use the -H option to interact with applications that are using HTTP header-based authentication. This can be used to pass or fuzz any headers (not just for passing required elements for authentication).

Often, ethical hackers, pen testers, and bug bounty hunters use the -H flag when they are required to specify a custom header to allow the “blue team” (the incident response and InfoSec teams) to identify your traffic.

In the next section, you will learn different obfuscation and evasion techniques.

Obfuscation and Evasion Techniques

Ffuf uses 40 threads by defaults when you are executing a test. If you are just practicing your skills in a lab or participating in a “capture-the-flag” (CTF) event, you can configure ffuf to use even more threads. However, if you are doing a test in a production environment then you will likely be detected by the security operations team or incident response team (or even blocked). You should keep your thread count lower.

You can use the -t option to set the number of concurrent threads, as demonstrated below:

ffuf -t 2 -w dir_enum -u http://10.6.6.8/admin/FUZZ

You can also rate-limit the number of requests per second with the -rate option.

The -p option allows you to configure a “delay” (in seconds) between requests or a “range of random delay”. For example -p 0.1 or -p 0.1-2.0

In the next section, you will learn how to send the ffuf fuzzer results to a web proxy such as Burp Suite or the OWASP Zed Attack Proxy (ZAP).

Sending the Fuzzer Output to a Web Proxy

The -replay-proxy option allows you to send the paths of the directories found to a web proxy such as Burp Suite or the OWASP Zed Attack Proxy (ZAP).

Why is this useful? Well, the Burp Suite Community Edition does not allow automated scanning. Using the -replay-proxy option allows you to send all the successful results right into Burp Suite for further analysis.

We cannot run a web proxy such as Burp Suite or the OWASP Zed Attack Proxy (ZAP) in this lab. However, I am including the ffuf command options for your reference.

ffuf -w dir_enum -u http://10.6.6.8/FUZZ -replay-proxy http://127.0.0.1:8080

NOTE: By default, Burp Suite and the OWASP Zed Attack Proxy (ZAP) listen to proxy client transactions on port 8080.

Sending the results over a reverse SSH tunnel

You can also run a reverse SSH tunnel, so you can run your ffuf a remote system while sending the output to Burp Suite running on your local system.

Creating the SSH tunnel:

ssh -R 8888:localhost:8080 user@remotevps

Sending the output to the proxy over the SSH tunnel

ffuf -w dir_enum -u http://10.6.6.8/FUZZ -replay-proxy http://127.0.0.1:8888