How to use ffuf - Hacker Toolbox
Рет қаралды 45,846
Күн бұрынffuf is quickly becoming a key tool for bug bounty hunters, but how do you use it? In this video I start at the basics showing some really neat features of ffuf and how you can use some simple one-liners to do rather complex fuzzing!
Did you know this episode was sponsored by Intigriti? Sign up with my link go.intigriti.co... I'm so pleased with everyone's positive response to the Intigriti sponsorship and I'm so pleased you folks are finding bugs and even finding your first bugs! Thank you for being awesome!
ffuf is well known as a brute-forcing tool, but did you know it can be used for so much more than directory discovery?? I didn't! The FUZZ keyword is so powerful you can use it to fuzz headers, parameters, and add filters to cut down false positives. With the right wordlist ffuf can become the go-to tool for bug hunting.
Resources
ffuf : github.com/ffu...
Installing ffuf into the PATH OSX : superuser.com/...
Installing ffuf into the PATH Windows : superuser.com/...
SecLists : github.com/dan...
TomNomNom's talk : • Who, What, Where, When...
Here are the one-liners I use: gist.github.co...
My ffuf translator: insiderphd.dev...
0xatul's jq translator: jqplay.org/s/x...
Patrik's jq translator: / 1301086393108758528
Connect with me
Twitter : / insiderphd
InsiderPhD Discord : / discord
Patreon : / insiderphd
@dhruvkandpal9909 4 жыл бұрын
Oh my god!!! THIS VIDEO DESERVES A HUGE ROUND OF APPLAUSE from the BUG BOUNTY community!! I ABSOLUTELY LOVED IT Katie!!
@richardjones9598 4 жыл бұрын
Is very clear and concise info tbf, great job, Katie!
@hashimmajid7905 Жыл бұрын
thank you for your content, it's logical to read docs for any tools, but watching a pro like you using a tool and getting inside your mindset and feeling your enthusiasm is much better learning process, this channel is a gold mine!
@jawadsaqib1260 4 жыл бұрын
You are just awesome explaining everything with so much detail and in-depth knowledge. Thank you for making stuff. More power to you
@Abhijitkamath14 2 жыл бұрын
I really like the way you explain things .... the accent, the tone and all ... smooth
@InfoSecIntel 4 жыл бұрын
That replay proxy option blew my mind. Thank you!
@InsiderPhD 4 жыл бұрын
SAME TBH
@carp6509 3 жыл бұрын
I don't know how anyone could downvote this. Amazing content! Thank you so much!
@Ragab0t 3 жыл бұрын
Awesome video thanks for sharing! BTW One of the coolest things about teaching about a new subject is how much new stuff you end up learning about said subject. That's probably why teaching is the best way to learn!
@wnmetal666 2 жыл бұрын
Amazing explanation and examples of the features. I was struggling with too many code 200, this video helped me get that filtered out properly.
@kon5791 2 жыл бұрын
thanks for keeping it short and sweet! :) I love me a conciese and easy to follow explanation
@RUFAID 4 жыл бұрын
Thanks for making this type of video. And it is begginer friendly . Plz one favor Plz incress the voice sound little more . Don't take tress, but increase it plz plz please
@InsiderPhD 4 жыл бұрын
I've addressed this problem in the video pipeline and it should be fixed now for future videos
@theblackzeini9004 Жыл бұрын
The way you explain is amazing, keep goin'
@jasonmikinskiwallet4308 4 жыл бұрын
Oh WOW!!!!!! This is amazingggg. Ffuf dream tool.
@arman-ez3ir 4 ай бұрын
love these kind of tuts, well done
@d-rey1758 Жыл бұрын
Cool vid! any info on the steps between ffuf finds the errors and claiming a bounty?
@fenilshah9221 4 жыл бұрын
Claps! This is what I was waiting for! I hope you'll soon cover other tools such as gau,gf,etc!
@InsiderPhD 4 жыл бұрын
I'm thinking the next videos will be recon: subdomain enum and then a standalone video on amass! But I'll note these down !
@varunmehta3230 3 жыл бұрын
Such a awesome knowledge sharing video. Thanks a lot ❤️. love from India .
@rosa3709 Жыл бұрын
The content is great and easy to understand! Thanks 🙏🏼
@sumanparajuli229 4 жыл бұрын
Mam..Please...... can you create a video on how to implement business logic in bug hunting and money practically on a real websites or web apps???????????
@InsiderPhD 4 жыл бұрын
I really want to do some live hacking on a real target! But I'm still trying to speak to other hackers/program managers to figure out what the best way might be to demo without breaking confidentiality!
@sumanparajuli229 4 жыл бұрын
@@InsiderPhD Ok mam... so please i highly request you to make more videos on business logic for bug...
@DeLFeTube 2 жыл бұрын
What an insanely good video! Thank you!
@TheEasternCoder 3 жыл бұрын
Concept of using ffuf replay proxy is amazing. Thanks for introducing a great tool . Is there any method to pipeline the output of crunch/any wordlist generator to ffuf ??🙄
@akshaydeodare6149 4 жыл бұрын
the video is very dark ! It takes effort to look whats written on the screen ! content : Awesome as always
@InsiderPhD 4 жыл бұрын
Thank you for the feedback!
@akshaydeodare6149 4 жыл бұрын
InsiderPhD for example : the json part from 10:27
@InsiderPhD 4 жыл бұрын
It can sometimes be an issue since people might be watching my videos at a lower quality or on mobile and I'm a bit of an idiot and forget that sometimes! So esp as I try out the dark mode theme, it's useful to get this kind of feedback!
@super3d201 Жыл бұрын
Really great Video and detailed aswell. Thanks, that helped me alot
@joakimtauren1286 4 жыл бұрын
Super great content! Thank you so much!
@_0x01m 3 жыл бұрын
thank you it was super cool video i learn more with u ..
@d3vashishs0ni 4 жыл бұрын
A very informative video. thank you very much 😊😊
@kabirsuda 4 жыл бұрын
Thanks for the video, love it!💛
@InsiderPhD 4 жыл бұрын
You're so welcome!
@anshusharma5199 4 жыл бұрын
Someone told me today to use it and see how lucky I am, Thanks 🙏😊
@InsiderPhD 4 жыл бұрын
You're welcome 😊 I'm reading your mind obviously :P
@anshusharma5199 4 жыл бұрын
@@InsiderPhD thanks again I like the way you teach (10¹²³ * 👍)
@7he7hief95 4 жыл бұрын
Thanks Kate, you make things clearer as always and I love your enthusiasm. Kisses from 7he7hief * meow
@mi2has 4 жыл бұрын
Thank you for the great video !
@omerfarooqdemir9907 3 жыл бұрын
thanks for this video. THIS VIDEO AMAZING
@ardaucd Жыл бұрын
Is the playlist Everything API Hacking up to date, are all API videos in this channel in this list?
@hellb0y794 2 жыл бұрын
Great video katie, thanks 🚀
@sy-gamer9556 4 жыл бұрын
Your videos are really awesome love it.also I want to ask something I have a jail broken ios device everything setup and ready to go and also I know a little bit of iOS knowledge but I can’t decide by myself what to choose iOS bug bounty or web any suggestion pls..
@InsiderPhD 4 жыл бұрын
iOS has a big advantage and disadvantage: Almost no one is doing it, which means there's not as many resources BUT there's a lot more bugs to be found! I would focus on API hacking, it applies to both web+iOS and it's a good way to get started in iOS (EXACTLY the same bugs) without getting lost. I'm actually writing a video at the moment on how to hack on mobile APIs
@sy-gamer9556 4 жыл бұрын
InsiderPhD awesome thank u I was just confused a lot thank a lot Katie hugeeee love and thanks
@sy-gamer9556 4 жыл бұрын
And 1 more question what are the bugs to look for aside web bugs in iOS applications
@PhayulDigest 4 жыл бұрын
Awesome video, thanks so much!
@ygorsardinha5521 Жыл бұрын
Katie you Rock!
@orlyounotinbaires 4 жыл бұрын
Excellent video as always, love your enthusiasm! PS: you should do a video together with Stök :D
@InsiderPhD 4 жыл бұрын
One day I hope so! We haven't found a good time for us both yet :) though we have had a chat and got a concept of what we wanna do!
@picious 4 жыл бұрын
when Brute force is out of scope it means that you can't run FFUF or no?? , Thank you for the video !
@InsiderPhD 4 жыл бұрын
You can use ffuf! Brute force being out of scope usually means brute forcing user/password combos, they might ask for w delay though and a limit to x requests a second, so keep an eye out for that
@picious 4 жыл бұрын
@@InsiderPhD thank you for your reply :)
@brokeitguyio 4 жыл бұрын
Thanks for the tutorial
@maakthon5551 Жыл бұрын
Great as usual , Thanks.
@shayboual1892 3 жыл бұрын
very useful and informative video
@jozefwoo8079 Жыл бұрын
Very good video. If I may nitpick: it's intigrity and not integrity 🙂
@zeeshansaeed8997 4 жыл бұрын
Thanks, Katie for creating such awesome content.
@InsiderPhD 4 жыл бұрын
Thanks for watching!
@Thenileshpatil Жыл бұрын
hey katie help with what should we look on which type of target
@unknownerror58 2 жыл бұрын
It's not installing in Termux😥😥
@mastawitcha231 4 жыл бұрын
Does it do the same job as wfuzz in every aspect or is one better than the other? both are fuzzing tools
@InsiderPhD 4 жыл бұрын
Does the same job, it's written in go so it's a little faster, but it's personal preference. The cool thing about ffuf is the focus on bug bounties and how active the developer is in the community! But feature wise very very similar
@nowonder9466 4 жыл бұрын
At 18.02 you said that ME will come from the action wordlist and FUZZ will come from that wordlist while pointing at the second FUZZ. What did you mean by that? The FUZZ part.
@InsiderPhD 4 жыл бұрын
Basically if you do -w wordlist.txt:WORD you can use multiple wordlists, or fuzz in multiple areas, or do both!
@cyberindia1 4 жыл бұрын
Nice explanation
@haileleulgirma1087 6 ай бұрын
I wanted to be excited just like you, but I just can't find the reason to use it over burp intruder. Given the world lists, both can do the job
@InsiderPhD 6 ай бұрын
I also like intruder but I know a lot of people want speed w/o having to pay for pro, so ffuf is a good option
@remonsec 4 жыл бұрын
Thanks a lot.
@ashhadhats4842 4 жыл бұрын
Will u creste a video how to creste a custom word list i watching tomnomnom but please u can create your own
@InsiderPhD 4 жыл бұрын
This is actually coming soon :) it's something I'm working on a methodology for! But it'll be a while until it's ready!
@vanshajdhar9223 3 жыл бұрын
Amazing video 👌👌👌
@AkashwithUS 4 жыл бұрын
I waited for this ♥️
@InsiderPhD 4 жыл бұрын
I hope it was worth the wait!
@AkashwithUS 4 жыл бұрын
@@InsiderPhD yes 🙂 I know about some bugs like spf, cors, xss, clickjacking, subdomain takeover. How to know this website has those vulnerabilities ..... Automatically... Then please recommend me to where to learn vulnerabilities .... I hope you reply
@saminbinhumayun858 7 ай бұрын
If there is scope given in bb program do we need to do directory bruteforcing?
@InsiderPhD 6 ай бұрын
I don't, but some people do
@saminbinhumayun858 6 ай бұрын
@@InsiderPhD got it..thank you
@kandarpmishra6009 3 жыл бұрын
How do i know its an API request or response ??
@mazingerzeta2xx788 4 жыл бұрын
What is the difference between Ffuf and Amass? wich one id faster and less complicated to use?
@InsiderPhD 4 жыл бұрын
Ffuf is easier for most things, amass has a lot of uses and can be quite complex to use
@mazingerzeta2xx788 4 жыл бұрын
but they but they both perform same task right ?
@roninhacked2045 4 жыл бұрын
Hey katie , I am new to hacking WHAT is the best OS that you recommend to me Please reply soon
@InsiderPhD 4 жыл бұрын
Whatever you're using right now is fine! You don't need to use any OS to get into hacking!
@roninhacked2045 4 жыл бұрын
Even if it is windows But how to install them
@kevinnyawakira4600 4 жыл бұрын
thanks
@josephnimsara3169 4 жыл бұрын
awesome
@josephnimsara3169 4 жыл бұрын
can you add nest bug bounty series
@InsiderPhD 4 жыл бұрын
Nest?
@josephnimsara3169 4 жыл бұрын
@@InsiderPhD sorry next bug bounty series
@InsiderPhD 4 жыл бұрын
@@josephnimsara3169 Aha! I'm actually working on a video right now, spoiler alert on account takeovers, it's just not quittteeee ready to be released yet!
@InsiderPhD 4 жыл бұрын
It's almost done though, 90%-ish
@logmantarig 3 жыл бұрын
This actually an Awesome video and great tool with an invaluable information thanks a lot, probably dislikers are Gobuster users.
@moathaljmaan7331 3 жыл бұрын
🖐have fife for your explain
@recon0x7f16 2 жыл бұрын
how do u pipe with this
@ashleypursell9702 4 жыл бұрын
this is actually as close as command line burp intruder as you can get
@InsiderPhD 4 жыл бұрын
*cough* if you don't have premium it's better than command line burp intruder, it's not speed limited Wow what a weird cough, covid amiright?
@skyawesome7362 4 жыл бұрын
The command doesn’t work on mac
@InsiderPhD 4 жыл бұрын
You need to install ffuf first using the GitHub link :)
@saikiranlingadally1036 4 жыл бұрын
❤️
@InsiderPhD 4 жыл бұрын
First comment, very quick!
@saikiranlingadally1036 4 жыл бұрын
@@InsiderPhD yeah, hope i will get next one too😊😎
@DavidRawls-b9p Ай бұрын
Grady Inlet
@GregoryTripp-p7r Ай бұрын
Matilda Extension
@ricardotech 4 жыл бұрын
@MH-tw1qi 4 жыл бұрын
Hmm i will use ffuf instead dirsearch
@AkashwithUS 4 жыл бұрын
Hi mam I know only terminal and cmd what is this looks new..???
@InsiderPhD 4 жыл бұрын
Check out my video on API enumeration to get a better idea of why you might use a tool like ffuf
@AkashwithUS 4 жыл бұрын
@@InsiderPhD thanks for your reply 🙂 please make a live session on ffuf🔥
@InsiderPhD 4 жыл бұрын
I have insider knowledge that the video you seek is on it's way but by another creator ;)
@sechunter1903 4 жыл бұрын
😍 😛
@ДмитрийАстафьев-с1й 2 жыл бұрын
hgyug
@abelimathiasi7509 3 жыл бұрын
25+ mins and i ddnt even get to know what you where teaching ... i cnt even see the help menu of the TOOL SHAME ON YOU .....
@Sakuraigi 3 ай бұрын
She is great. You suck
Hmelkofm
Рет қаралды 63 МЛН
ГИПЕРБОРЕЙ
Рет қаралды 631 М.
Oscar's Funny World
Рет қаралды 51 МЛН
Heisenbug
Рет қаралды 3,8 М.
Точно Новости
Рет қаралды 3,7 МЛН
Nice Catkin
Рет қаралды 12 МЛН