Mastering FFUF's Multi-Wordlist Modes for Deeper Web Fuzzing (Clusterbomb, Pitchfork, Sniper)
Effective web fuzzing goes beyond single-wordlist directory brute-forcing. To uncover elusive vulnerabilities and hidden endpoints, leveraging FFUF's multi-wordlist modes—Clusterbomb, Pitchfork, and Sniper—is essential for a pentester's toolkit. These modes dictate how FFUF combines and injects payloads from multiple wordlists into target requests, enabling highly targeted and efficient attack scenarios.
FFUF Multi-Wordlist Fundamentals
FFUF uses placeholder keywords, typically FUZZ, to mark injection points in a URL, header, or POST data. When using multiple wordlists, each wordlist needs its own unique keyword, specified after the wordlist path with a colon, for example, -w /path/to/users.txt:USER. This allows for granular control over where each wordlist's payloads are inserted. Without an explicitly set mode, FFUF defaults to Clusterbomb when multiple wordlists are provided.
Clusterbomb Mode: Exhaustive Permutations
The Clusterbomb mode is FFUF's most comprehensive multi-wordlist option. It tests every possible combination of values from all specified wordlists. If you have two wordlists, one with N entries and another with M entries, Clusterbomb will generate N * M requests. This exponential growth in requests means Clusterbomb can be resource-intensive, but it's invaluable for scenarios demanding complete coverage.
Use Cases for Clusterbomb
- **Login Brute-Forcing:** The quintessential use case for Clusterbomb involves testing all username and password combinations against a login form. This ensures no valid credential pair is missed if it exists within your provided lists.
- **Multi-Parameter Vulnerability Discovery:** When testing for vulnerabilities that might arise from specific combinations of two or more input parameters, Clusterbomb is ideal. Think of a search API where `category` and `status` parameters interact in unexpected ways.
- **Header Fuzzing with Path Fuzzing:** Combining a wordlist for common paths with another for interesting HTTP header values (e.g., `X-Forwarded-For`, `User-Agent`) to uncover bypasses or hidden functionality.
Clusterbomb Example: Login Brute-Force
Consider a login page expecting a username and password in a POST request. We'll use two wordlists: users.txt and passwords.txt.
```bash
#!/bin/bash
# Create dummy wordlists for demonstration
echo "admin" > users.txt
echo "testuser" >> users.txt
echo "root" >> users.txt
echo "password" > passwords.txt
echo "12345" >> passwords.txt
echo "admin123" >> passwords.txt

echo "Running FFUF in Clusterbomb mode for login..."
# USER and PASS are the per-wordlist keywords. -mc keeps only the statuses
# that indicate a successful login (302 redirect or 200 OK), so the output
# lists candidate valid credential pairs instead of every failed attempt.
ffuf -w users.txt:USER -w passwords.txt:PASS \
     -u https://example.com/login \
     -X POST -d "username=USER&password=PASS" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -mode clusterbomb \
     -mc 200,302 \
     -o clusterbomb_results.json -of json

rm users.txt passwords.txt # Clean up dummy files
```
In this command, USER is replaced by entries from users.txt and PASS by entries from passwords.txt, and every USER/PASS combination is attempted. The `-mc 200,302` matcher keeps only responses whose status is a 302 redirect or a 200 OK, the responses that typically indicate a successful authentication, so the output lists candidate valid credentials rather than every failed attempt. For comprehensive web security testing and automated vulnerability scanning, Secably offers platforms that can complement such targeted fuzzing efforts by providing broader coverage and continuous monitoring.
Simulated Output (Clusterbomb)
```
        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.5.0-35-g870a440
________________________________________________

 :: Method           : POST
 :: URL              : https://example.com/login
 :: Wordlists        : 2
 :: Mode             : clusterbomb
 :: Threads          : 40
 :: Matcher          : Response status: 200,302
________________________________________________

[Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 123ms] | URL: https://example.com/login -> https://example.com/dashboard (USER: admin, PASS: password)
```
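Seen from the defender's side, the Clusterbomb run above leaves a distinctive trail: a burst of failed POSTs to the login form from one source, sometimes followed by a single success. The following Python is an added example, not part of the article or of ffuf; the access log lines are constructed in Apache/nginx combined format, and the window length, failure threshold and the `detect_bruteforce` / `burst_exceeds` names are this example's own assumptions. ffuf's default `User-Agent` begins with `Fuzz Faster U Fool`; it is trivially overridden with `-H`, so the code treats it as a bonus indicator and relies on the failure rate.

```python
"""Added example (not from the article or ffuf): flag a login brute-force
burst in web server access logs. Log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Apache/nginx "combined" log format; we only need ip, time, request, status, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/login"                      # assumption: the form being fuzzed
SUCCESS_STATUSES = {200, 302}              # the statuses the attacker matches on
WINDOW = timedelta(minutes=5)              # assumption: sliding window length
FAILURE_THRESHOLD = 5                      # assumption: failed logins per window
FUZZER_UA_PREFIX = "Fuzz Faster U Fool"    # ffuf's default User-Agent (easily changed)


def parse_line(line: str) -> Dict:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def burst_exceeds(attempts: List[Dict]) -> bool:
    """True if any WINDOW-long span of time-sorted attempts holds
    at least FAILURE_THRESHOLD failed logins (two-pointer sliding window)."""
    start, failures = 0, 0
    for rec in attempts:
        if rec["status"] not in SUCCESS_STATUSES:
            failures += 1
        while rec["ts"] - attempts[start]["ts"] > WINDOW:
            if attempts[start]["status"] not in SUCCESS_STATUSES:
                failures -= 1
            start += 1
        if failures >= FAILURE_THRESHOLD:
            return True
    return False


def detect_bruteforce(lines: List[str]) -> List[Dict]:
    """One alert per source IP whose login failures exceed the threshold."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            per_ip[rec["ip"]].append(rec)
    alerts = []
    for ip, attempts in sorted(per_ip.items()):
        attempts.sort(key=lambda r: r["ts"])
        if not burst_exceeds(attempts):
            continue
        failures = [r for r in attempts if r["status"] not in SUCCESS_STATUSES]
        successes = [r for r in attempts if r["status"] in SUCCESS_STATUSES]
        alerts.append({
            "ip": ip,
            "attempts": len(attempts),
            "failures": len(failures),
            # a success after the failure burst is the sign that a guess worked
            "success_after_failures": bool(successes) and successes[-1]["ts"] > failures[0]["ts"],
            "fuzzer_user_agent": any(r["ua"].startswith(FUZZER_UA_PREFIX) for r in attempts),
        })
    return alerts


# Constructed sample: a clusterbomb burst from 203.0.113.7 (six 403s, then a 302)
# and ordinary browsing plus one normal login from 198.51.100.4.
_UA = "Fuzz Faster U Fool v1.5.0-35-g870a440"
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{36 + i // 2:02d} +0000] "POST /login HTTP/1.1" 403 1245 "-" "{_UA}"'
    for i in range(6)
] + [
    f'203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /login HTTP/1.1" 302 0 "-" "{_UA}"',
    '198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "POST /login HTTP/1.1" 302 0 "https://example.com/login" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The rate signal survives a changed User-Agent, distributed sources do not trip a per-IP threshold, so in practice the same window logic is also run per target account and per `/login` overall.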
Pitchfork Mode: Synchronized Fuzzing
Pitchfork mode operates by taking one entry from each wordlist simultaneously, pairing them up and sending them in a single request. This means the first entry from wordlist 1 is paired with the first entry from wordlist 2, the second with the second, and so on. If wordlists have different lengths, the fuzzing stops when the shortest wordlist is exhausted. This mode is useful when there's an expected correlation or alignment between the wordlist entries.
Use Cases for Pitchfork
- **Known Credential Pairs:** When you have a list of known username:password pairs that you want to test, possibly from a breach or a specific internal policy.
- **Correlated Data Injection:** Testing parameters where the values are expected to be linked, such as injecting a user ID and a corresponding session token if you have aligned lists.
- **Path and Extension Fuzzing:** Trying a list of filenames with a corresponding list of extensions (e.g., `index` with `.php`, `admin` with `.bak`), assuming your lists are ordered correctly.
Pitchfork Example: Testing Aligned Credential Pairs
Suppose you've compiled a list of potentially leaked credentials where usernames and passwords are known to correspond by line number in separate files, or even within a single CSV. For reconnaissance and preparing such targeted lists, tools like Zondex can be instrumental in discovering exposed services and data that might inform your wordlist creation.
```bash
#!/bin/bash
# Create dummy aligned wordlists (line i of one file pairs with line i of the other)
echo "user1" > users_aligned.txt
echo "user2" >> users_aligned.txt
echo "user3" >> users_aligned.txt
echo "pass1" > passwords_aligned.txt
echo "pass2" >> passwords_aligned.txt
echo "pass3" >> passwords_aligned.txt

echo "Running FFUF in Pitchfork mode for aligned credentials..."
# -fc drops the 401/403 responses of failed logins so only other statuses remain
ffuf -w users_aligned.txt:USER -w passwords_aligned.txt:PASS \
     -u https://example.com/login \
     -X POST -d "username=USER&password=PASS" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -mode pitchfork \
     -fc 401,403 \
     -o pitchfork_results.html -of html

rm users_aligned.txt passwords_aligned.txt # Clean up dummy files
```
Here, FFUF will try (user1, pass1), then (user2, pass2), and (user3, pass3). This significantly reduces the request count compared to Clusterbomb if only aligned pairs are relevant.
Simulated Output (Pitchfork)
```
        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.5.0-35-g870a440
________________________________________________

 :: Method           : POST
 :: URL              : https://example.com/login
 :: Wordlists        : 2
 :: Mode             : pitchfork
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response status: 401,403
________________________________________________

[Status: 200, Size: 567, Words: 15, Lines: 10] | URL: https://example.com/login (USER: user2, PASS: pass2)
```
Sniper Mode: Focused Single-Parameter Fuzzing
Sniper mode is typically the default behavior when only one fuzzing keyword is present, but it can be explicitly invoked with --mode sniper when using multiple wordlists. In multi-wordlist scenarios, Sniper works by fuzzing one placeholder with its corresponding wordlist while keeping all other placeholders static (taking their first value from their respective wordlists, or a default if none specified). Then, it moves to the next placeholder and repeats the process. This creates a series of independent single-parameter attacks.
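The three pairing rules described above (Clusterbomb, Pitchfork, and Sniper as this article describes it) as an added Python example, not part of the article or of ffuf itself. It generates the same keyword-to-payload assignments ffuf would send and computes the request count up front, which is the number to check before committing to a Clusterbomb run. The `clusterbomb`, `pitchfork`, `sniper`, `request_count` and `render` names are this example's own, and the sample lists mirror the article's dummy files.

```python
"""Added example (not from the article or ffuf): how the multi-wordlist
modes combine payloads, with request counts computed before any request."""
import math
from itertools import product
from typing import Dict, Iterator, List

Wordlists = Dict[str, List[str]]  # keyword -> payloads, in -w order


def clusterbomb(wordlists: Wordlists) -> Iterator[Dict[str, str]]:
    """Every combination of one entry from each list (N * M * ... requests)."""
    keys = list(wordlists)
    for combo in product(*(wordlists[k] for k in keys)):
        yield dict(zip(keys, combo))


def pitchfork(wordlists: Wordlists) -> Iterator[Dict[str, str]]:
    """Line i of every list together; stops when the shortest list runs out."""
    keys = list(wordlists)
    for combo in zip(*(wordlists[k] for k in keys)):
        yield dict(zip(keys, combo))


def sniper(wordlists: Wordlists) -> Iterator[Dict[str, str]]:
    """Sniper as the article describes it: one keyword at a time takes every
    entry of its list while every other keyword holds its first entry."""
    keys = list(wordlists)
    baseline = {k: wordlists[k][0] for k in keys}
    for k in keys:
        for payload in wordlists[k]:
            yield {**baseline, k: payload}


MODES = {"clusterbomb": clusterbomb, "pitchfork": pitchfork, "sniper": sniper}


def request_count(mode: str, wordlists: Wordlists) -> int:
    """Requests a run would produce, without generating them."""
    sizes = [len(v) for v in wordlists.values()]
    if mode == "clusterbomb":
        return math.prod(sizes)
    if mode == "pitchfork":
        return min(sizes)
    if mode == "sniper":
        return sum(sizes)
    raise ValueError(f"unknown mode {mode!r}")


def render(template: str, payloads: Dict[str, str]) -> str:
    """Substitute each keyword in a request template (as ffuf does for -u/-d)."""
    for keyword, value in payloads.items():
        template = template.replace(keyword, value)
    return template


if __name__ == "__main__":
    # Constructed sample lists mirroring the article's dummy files.
    lists = {"USER": ["admin", "testuser", "root"],
             "PASS": ["password", "12345", "admin123"]}
    for mode, gen in MODES.items():
        combos = list(gen(lists))
        assert len(combos) == request_count(mode, lists)
        print(f"{mode}: {len(combos)} requests, first = "
              f"{render('username=USER&password=PASS', combos[0])}")
```

With the article's two three-entry lists the counts are 9 (Clusterbomb), 3 (Pitchfork) and 6 (Sniper as described); `request_count` is what you want to run with the real list sizes before starting a Clusterbomb job, since the product grows with every wordlist added.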
Use Cases for Sniper
- **Individual Parameter Analysis:** When you suspect a vulnerability in a specific parameter, but the request has many parameters that need to remain constant for the application to function.
- **Sequential Discovery:** Testing a list of common file extensions after discovering a directory, but you want to ensure the directory itself doesn't change during the extension fuzz.
- **Header Fuzzing without Impacting Body/URL:** Isolating header-based attacks, such as fuzzing `X-Forwarded-For` values, while ensuring the URL and POST data remain stable.
Sniper Example: Fuzzing a Single Parameter in a Complex Query
Imagine an API endpoint `/api/v1/data?id=123&type=json&param=VALUE` where `id` and `type` need to remain fixed, but you want to fuzz `param`. For controlled traffic routing during such targeted attacks, utilizing a tool like GProxy can be beneficial, especially when needing to observe or modify requests and responses through a proxy.
```bash
#!/bin/bash
# Create a dummy wordlist for the parameter
echo "inject1" > param_payloads.txt
echo "admin" >> param_payloads.txt
echo "test" >> param_payloads.txt
# Create dummy static wordlists (first entry will be used)
echo "123" > ids.txt
echo "json" > types.txt

echo "Running FFUF in Sniper mode for a specific parameter..."
ffuf -w ids.txt:ID -w types.txt:TYPE -w param_payloads.txt:VALUE \
     -u "https://example.com/api/v1/data?id=ID&type=TYPE&param=VALUE" \
     -mode sniper \
     -mc 200,400 \
     -o sniper_results.csv -of csv

rm param_payloads.txt ids.txt types.txt # Clean up dummy files
```
In this example, FFUF will first iterate through ids.txt (while TYPE and VALUE are static from their first entries), then through types.txt (while ID and VALUE are static), and finally through param_payloads.txt (while ID and TYPE are static). This allows for isolated testing of each parameter's behavior.
Simulated Output (Sniper)
```
        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.5.0-35-g870a440
________________________________________________

 :: Method           : GET
 :: URL              : https://example.com/api/v1/data?id=ID&type=TYPE&param=VALUE
 :: Wordlists        : 3
 :: Mode             : sniper
 :: Threads          : 40
 :: Matcher          : Response status: 200,400
________________________________________________

[Status: 200, Size: 156, Words: 12, Lines: 5] | URL: https://example.com/api/v1/data?id=123&type=json&param=inject1
[Status: 400, Size: 45, Words: 5, Lines: 2] | URL: https://example.com/api/v1/data?id=123&type=json&param=admin
[Status: 200, Size: 156, Words: 12, Lines: 5] | URL: https://example.com/api/v1/data?id=123&type=json&param=test
```
Refining Fuzzing with Filters and Proxies
Beyond the multi-wordlist modes, FFUF's filtering capabilities are crucial for sifting through noise and pinpointing actionable results. Flags like -mc (match status codes), -fc (filter status codes), -ms (match response size), and -fs (filter response size) help in focusing on relevant responses. For instance, filtering out default 404 pages by size often reveals legitimate, albeit hidden, endpoints. Using -fr with a regex can filter responses containing specific text, such as "Not Found" or "Error". Additionally, integrating FFUF with a proxy via the -proxy flag allows for detailed inspection of requests and responses, or routing traffic through specific network configurations for stealthier operations.
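The matcher/filter rule ffuf applies (a response is shown when at least one matcher hits and no filter hits) and the size-based noise removal described above, as an added Python example that is not part of the article or of ffuf. It works on a constructed results set in the shape of ffuf's `-of json` output (only the keys used here are included; the real file carries more), and `FilterSpec`, `keep`, `calibrate_fs` and `triage` are this example's own names. Because the JSON output does not store response bodies, the `-fr` equivalent here is evaluated over a constructed `BODIES` map; in a live run ffuf applies it to the response as it arrives.

```python
"""Added example (not from the article or ffuf): apply -mc/-ms/-fc/-fs/-fr
style rules to a constructed ffuf-JSON results set and derive the -fs value
that hides a catch-all page."""
import json
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

FFUF_DEFAULT_MC = {200, 204, 301, 302, 307, 401, 403, 405, 500}  # ffuf's default matcher


@dataclass
class FilterSpec:
    """Subset of ffuf's matcher/filter flags."""
    mc: Set[int] = field(default_factory=lambda: set(FFUF_DEFAULT_MC))  # -mc
    ms: Optional[Set[int]] = None                                        # -ms
    fc: Set[int] = field(default_factory=set)                            # -fc
    fs: Set[int] = field(default_factory=set)                            # -fs
    fr: Optional[str] = None                                             # -fr (regex)


def keep(result: Dict, spec: FilterSpec, body: str = "") -> bool:
    """Shown when at least one matcher hits and no filter hits."""
    status, length = result["status"], result["length"]
    matched = status in spec.mc or (spec.ms is not None and length in spec.ms)
    filtered = (status in spec.fc or length in spec.fs
                or (spec.fr is not None and re.search(spec.fr, body) is not None))
    return matched and not filtered


def load_results(ffuf_json: str) -> List[Dict]:
    return json.loads(ffuf_json)["results"]


def calibrate_fs(results: List[Dict]) -> int:
    """Most common response length: what a catch-all 404/200 page returns,
    hence the value to hand to -fs (ffuf's -ac automates a similar idea)."""
    return Counter(r["length"] for r in results).most_common(1)[0][0]


def triage(ffuf_json: str, spec: FilterSpec, bodies: Dict[str, str]) -> List[str]:
    """URLs that survive the spec, in the order ffuf recorded them."""
    return [r["url"] for r in load_results(ffuf_json)
            if keep(r, spec, bodies.get(r["url"], ""))]


def _r(word: str, status: int, length: int) -> Dict:
    # Constructed result record in the shape of one entry of ffuf's "results" array.
    return {"input": {"FUZZ": word}, "position": 0, "status": status, "length": length,
            "words": length // 6, "lines": length // 40, "url": f"https://example.com/{word}"}


# Constructed run: three paths return the same 1245-byte catch-all page.
SAMPLE_JSON = json.dumps({
    "commandline": "ffuf -w paths.txt:FUZZ -u https://example.com/FUZZ -o results.json -of json",
    "results": [_r("about", 200, 1245), _r("backup", 200, 1245), _r("admin", 403, 321),
                _r("old", 200, 8731), _r("api", 200, 1245), _r("debug", 500, 2200)],
})
BODIES = {"https://example.com/debug": "Internal Server Error: unhandled exception"}  # constructed

if __name__ == "__main__":
    catch_all = calibrate_fs(load_results(SAMPLE_JSON))
    spec = FilterSpec(fs={catch_all}, fr="Error|Not Found")
    print(f"-fs {catch_all} -fr 'Error|Not Found' leaves:", triage(SAMPLE_JSON, spec, BODIES))
```

With the default matcher every one of the six records is shown; `-fs 1245` removes the three catch-all pages, and adding `-fr "Error|Not Found"` drops the error page, leaving `/admin` and `/old` as the endpoints worth a closer look.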
Mastering these multi-wordlist modes, combined with intelligent filtering and proxying, transforms FFUF into a highly adaptable and powerful web fuzzing tool. It moves beyond simple enumeration to facilitate complex, multi-variable attack simulations, significantly deepening your ability to discover vulnerabilities in modern web applications.