How to use ffuf - Hacker Toolbox
- Published 1 Sep 2020
- ffuf is quickly becoming a key tool for bug bounty hunters, but how do you use it? In this video I start at the basics showing some really neat features of ffuf and how you can use some simple one-liners to do rather complex fuzzing!
Did you know this episode was sponsored by Intigriti? Sign up with my link go.intigriti.com/katie I'm so pleased with everyone's positive response to the Intigriti sponsorship and I'm so pleased you folks are finding bugs and even finding your first bugs! Thank you for being awesome!
ffuf is well known as a brute-forcing tool, but did you know it can be used for so much more than directory discovery?? I didn't! The FUZZ keyword is so powerful you can use it to fuzz headers, parameters, and add filters to cut down false positives. With the right wordlist ffuf can become the go-to tool for bug hunting.
Resources
- ffuf : github.com/ffuf/ffuf
- Installing ffuf into the PATH OSX : superuser.com/questions/7150/...
- Installing ffuf into the PATH Windows : superuser.com/questions/15560...
- SecLists : github.com/danielmiessler/Sec...
- TomNomNom's talk : • Who, What, Where, When...
- Here are the one-liners I use: gist.github.com/InsiderPhD/5c...
- My ffuf translator: insiderphd.dev/tools/ffuf.html
- 0xatul's jq translator: jqplay.org/s/x8xFbIk6S8
- Patrik's jq translator: / 1301086393108758528
Connect with me
- Twitter : / insiderphd
- InsiderPhD Discord : / discord
- Patreon : / insiderphd
Oh my god!!! THIS VIDEO DESERVES A HUGE ROUND OF APPLAUSE from the BUG BOUNTY community!! I ABSOLUTELY LOVED IT Katie!!
Is very clear and concise info tbf, great job, Katie!
Thank you for your content. It's logical to read docs for any tool, but watching a pro like you using a tool and getting inside your mindset and feeling your enthusiasm is a much better learning process. This channel is a gold mine!
You are just awesome explaining everything with so much detail and in-depth knowledge. Thank you for making stuff. More power to you
Awesome video thanks for sharing! BTW One of the coolest things about teaching about a new subject is how much new stuff you end up learning about said subject. That's probably why teaching is the best way to learn!
Amazing explanation and examples of the features. I was struggling with too many code 200, this video helped me get that filtered out properly.
I don't know how anyone could downvote this. Amazing content! Thank you so much!
I really like the way you explain things .... the accent, the tone and all ... smooth
Thanks for keeping it short and sweet! :) I love me a concise and easy to follow explanation
That replay proxy option blew my mind. Thank you!
SAME TBH
love these kind of tuts, well done
The way you explain is amazing, keep goin'
The content is great and easy to understand! Thanks 🙏🏼
Claps! This is what I was waiting for! I hope you'll soon cover other tools such as gau, gf, etc!
I'm thinking the next videos will be recon: subdomain enum and then a standalone video on amass! But I'll note these down!
Such an awesome knowledge sharing video. Thanks a lot ❤️. Love from India.
What an insanely good video! Thank you!
Oh WOW!!!!!! This is amazingggg. Ffuf dream tool.
A very informative video. thank you very much 😊😊
Super great content! Thank you so much!
Great as usual, thanks.
Great video katie, thanks 🚀
Thank you for the great video !
Thanks for the video, love it!💛
You're so welcome!
Really great video and detailed as well. Thanks, that helped me a lot
Awesome video, thanks so much!
Thanks for the tutorial
Thank you, it was a super cool video, I learn more with you.
Katie you Rock!
Cool vid! any info on the steps between ffuf finds the errors and claiming a bounty?
very useful and informative video
Concept of using ffuf replay proxy is amazing. Thanks for introducing a great tool.
Is there any method to pipeline the output of crunch/any wordlist generator to ffuf ??🙄
thanks for this video. THIS VIDEO AMAZING
Nice explanation
Mam..Please...... can you create a video on how to implement business logic in bug hunting and money practically on a real websites or web apps???????????
I really want to do some live hacking on a real target! But I'm still trying to speak to other hackers/program managers to figure out what the best way might be to demo without breaking confidentiality!
@@InsiderPhD Ok mam... so please i highly request you to make more videos on business logic for bug...
I waited for this ♥️
I hope it was worth the wait!
@@InsiderPhD yes 🙂
I know about some bugs like spf, cors, xss, clickjacking, subdomain takeover.
How to know this website has those vulnerabilities ..... Automatically...
Then please recommend me to where to learn vulnerabilities ....
I hope you reply
Amazing video 👌👌👌
hey katie help with what should we look on which type of target
Excellent video as always, love your enthusiasm!
PS: you should do a video together with Stök :D
One day I hope so! We haven't found a good time for us both yet :) though we have had a chat and got a concept of what we wanna do!
Thanks a lot.
Thanks, Katie for creating such awesome content.
Thanks for watching!
Is the playlist Everything API Hacking up to date, are all API videos in this channel in this list?
Thanks Kate, you make things clearer as always and I love your enthusiasm. Kisses from 7he7hief * meow
Thanks for making this type of video. And it is beginner friendly.
Plz one favor
Plz increase the voice sound a little more. Don't take stress, but increase it plz plz please
I've addressed this problem in the video pipeline and it should be fixed now for future videos
The video is very dark! It takes effort to look at what's written on the screen! Content: awesome as always
Thank you for the feedback!
InsiderPhD for example : the json part from 10:27
It can sometimes be an issue since people might be watching my videos at a lower quality or on mobile and I'm a bit of an idiot and forget that sometimes! So esp as I try out the dark mode theme, it's useful to get this kind of feedback!
Someone told me today to use it and see how lucky I am,
Thanks 🙏😊
You're welcome 😊 I'm reading your mind obviously :P
@@InsiderPhD thanks again I like the way you teach
(10¹²³ * 👍)
Your videos are really awesome, love it. Also I want to ask something: I have a jailbroken iOS device, everything set up and ready to go, and I also know a little bit of iOS, but I can't decide by myself what to choose, iOS bug bounty or web. Any suggestion pls..
iOS has a big advantage and disadvantage: Almost no one is doing it, which means there's not as many resources BUT there's a lot more bugs to be found! I would focus on API hacking, it applies to both web+iOS and it's a good way to get started in iOS (EXACTLY the same bugs) without getting lost. I'm actually writing a video at the moment on how to hack on mobile APIs
InsiderPhD awesome, thank you, I was just confused a lot. Thanks a lot Katie, hugeeee love and thanks
And 1 more question: what are the bugs to look for aside from web bugs in iOS applications?
thanks
How do I know it's an API request or response??
Does it do the same job as wfuzz in every aspect or is one better than the other? both are fuzzing tools
Does the same job, it's written in go so it's a little faster, but it's personal preference. The cool thing about ffuf is the focus on bug bounties and how active the developer is in the community! But feature wise very very similar
At 18.02 you said that ME will come from the action wordlist and FUZZ will come from that wordlist while pointing at the second FUZZ. What did you mean by that? The FUZZ part.
Basically if you do -w wordlist.txt:WORD you can use multiple wordlists, or fuzz in multiple areas, or do both!
Will you create a video on how to create a custom word list? I'm watching tomnomnom, but please, you can create your own
This is actually coming soon :) it's something I'm working on a methodology for! But it'll be a while until it's ready!
awesome
If there is scope given in bb program do we need to do directory bruteforcing?
I don't, but some people do
@@InsiderPhD got it..thank you
Very good video. If I may nitpick: it's intigrity and not integrity 🙂
When brute force is out of scope, does it mean that you can't run ffuf or no?? Thank you for the video!
You can use ffuf! Brute force being out of scope usually means brute forcing user/password combos, they might ask for a delay though and a limit to x requests a second, so keep an eye out for that
@@InsiderPhD thank you for your reply :)
🖐have fife for your explain
What is the difference between ffuf and Amass? Which one is faster and less complicated to use?
Ffuf is easier for most things, amass has a lot of uses and can be quite complex to use
But they both perform the same task, right?
how do u pipe with this
Hey katie , I am new to hacking
WHAT is the best OS that you recommend to me
Please reply soon
Whatever you're using right now is fine! You don't need to use any OS to get into hacking!
Even if it is windows
But how to install them
I wanted to be excited just like you, but I just can't find the reason to use it over burp intruder. Given the word lists, both can do the job
I also like intruder but I know a lot of people want speed w/o having to pay for pro, so ffuf is a good option
It's not installing in Termux😥😥
can you add nest bug bounty series
Nest?
@@InsiderPhD sorry next bug bounty series
@@josephnimsara3169 Aha! I'm actually working on a video right now, spoiler alert on account takeovers, it's just not quittteeee ready to be released yet!
It's almost done though, 90%-ish
this is actually as close as command line burp intruder as you can get
*cough* if you don't have premium it's better than command line burp intruder, it's not speed limited
Wow what a weird cough, covid amiright?
❤️
First comment, very quick!
@@InsiderPhD yeah, hope i will get next one too😊😎
The command doesn’t work on mac
You need to install ffuf first using the GitHub link :)
Hmm, I will use ffuf instead of dirsearch
Hi mam I know only terminal and cmd what is this looks new..???
Check out my video on API enumeration to get a better idea of why you might use a tool like ffuf
@@InsiderPhD thanks for your reply 🙂 please make a live session on ffuf🔥
I have insider knowledge that the video you seek is on its way but by another creator ;)
😍 😛
25+ mins and I didn't even get to know what you were teaching ... I can't even see the help menu of the TOOL SHAME ON YOU .....
This is actually an awesome video and a great tool with invaluable information, thanks a lot, probably dislikers are Gobuster users.