One of the areas we’re most passionate about here at Bugcrowd is hacker education, and elevating the Crowd to new heights. This extends beyond our roles and is something many of us are passionate about in our personal time as well.
I love to teach hacking and penetration testing concepts. I recently spent over a month putting together an ultimate guide to FFUF – a web directory fuzzing tool. I am excited to share this with you and hope you find it beneficial and useful for expanding your hacking expertise.
My video is included below and there will be more to come on my Youtube channel, so definitely check it out at https://www.youtube.com/codingo.
Additionally, you can find a written guide on Codingo.io which I’m sure will help you better understand FFUF and give you some tips for finding Bug Bounties!
What is FFUF?
FFUF, or “Fuzz Faster you Fool” is an open source web fuzzing tool, intended for discovering elements and content within web applications or web servers.
What does this mean?
Often when visiting a website you are presented with content the owner of the website wants to serve you with. This could be hosted at a page such as index.php
. Within security, often the challenges in a website, that need to be corrected, exist outside of that page. For example, the owner of the website may have content hosted at admin.php
that you both want to know about and test. FFUF is a tool for uncovering those items for your perusal!
FFUF is maintained as public open source, and can be found at: https://github.com/ffuf/ffuf
This means anybody who wishes to contribute to FFUF can do so, provided the maintainer (joohoi) accepts and “merges” the contributed changes back to the main project!
Understandably, putting this guide and the associated video content together has taken quite a long time and was my first step into creating video content! Additionally, I would like to recommend other great creators and content I recommend you check out and were helpful for me through this process.
First, I recommend watching Katie Paxton-Fear’s How to Use FFUF YouTube video along with my content on this topic. I also recommend Luke Stephens, Bugcrowd head of Quality Assurance, YouTube channel which Luke posts great content regularly at https://www.youtube.com/hakluke.
Notably, and a video I’d recommend watching in addition to my own for a more complete picture, is Katie Paxton-Fear’s How to Use FFUF YouTube video. Lastly, I would like to give a big shout out to Jason Haddix, STÖK, hakluke, InsiderPHD, and Joohoi for helping answer my numerous questions and being a soundboard as I pulled this together. Their content has inspired this project, and it would not be what it is without their input.
I hope you enjoy this FFUF content.
– Codingo
Follow Michael on Twitter @codingo_ to keep up with his latest content! Want to discuss this guide with the Crowd? Join our Discord and sign up for a Researcher Account to get involved!