Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/rodnt/bffuf

Burp bridge to FFUF
https://github.com/rodnt/bffuf

bugbounty bugs burp ffuf fuzzing pentest portswigger

Last synced: 4 days ago
JSON representation

Burp bridge to FFUF

Host: GitHub
URL: https://github.com/rodnt/bffuf
Owner: rodnt
License: gpl-3.0
Created: 2024-07-20T12:11:51.000Z (6 months ago)
Default Branch: main
Last Pushed: 2024-07-23T14:38:55.000Z (6 months ago)
Last Synced: 2024-07-23T23:40:51.080Z (6 months ago)
Topics: bugbounty, bugs, burp, ffuf, fuzzing, pentest, portswigger
Language: Java
Homepage:
Size: 39.2 MB
Stars: 5
Watchers: 2
Forks: 0
Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# BFFUF ( Burp Extension for FFUF @ffuf )

BFFUF is an extension for Burp Suite that allows you to configure and run FFUF (Fuzz Faster U Fool) directly from Burp. This extension provides a graphical interface to set various FFUF options, save request configurations, and perform fuzzing attacks directly from the tool.

# IMPORTANT

- BETA VERSION!
- Sniper mode only work if you choose the proto flag!!! 🚨

## Features

- Configure wordlists for different fuzzing markers.
- Support for fuzzing modes: Cluster Bomb, Pitchfork, and Sniper.
- Additional options such as follow redirects, silent mode, verbose mode, and more.
- Save and load configurations in TOML format.
- Execute FFUF in a terminal with specified configurations.

## Installation

> Requires OpenJDK >= 21

```bash
# linux users
sudo apt install openjdk-21-jdk
# OSX With Brew
brew install openjdk@21
```

1. Compile the source code and generate a JAR file.
```bash
./gradlew shadowJar
```
2. In Burp Suite, go to the `Extender` tab and select `Add`.
4. Choose the generated JAR file and add the extension.

### Pocs

- Main Window
![](/static/painelv1.png)

- Repeater exec
![](/static/exec_repeater.png)

- Intruder Exec
![](/static/exec_intruder.png)

- Config
![](/static/configuration_terminal_request.png)

- PRO Version ONLY 💸 ( Issue scan finished )

### Configuration

1. In the `BFFFUF Config` tab, configure the wordlists for the fuzzing markers (FUZZ1, FUZZ2, FUZZ3, FUZZ4, SNIPER).
2. Set other options as needed, such as follow redirects, verbose mode, etc.
3. Click the `Save` button to save the configuration.

### Execution

1. Select the request you want to use for fuzzing.
2. Right-click to open the context menu and select `bfffuf`.
3. Choose the desired fuzzing mode: `Cluster Bomb`, `Pitchfork`, or `Sniper`.
4. The extension will save the request and run FFUF with the specified configurations.

#### Usage
1. `Cluster Bomb` and `Pitchfork` you can set the FUZZ1 and FUZZ2 .. FUZZ4 wordlist write at the repeater example:

```http
GET /FUZZ1?id=FUZZ2 HTTP/1.1
Host: foo
```

2. Sniper mode, only work you if set request at the main menu and write at the request the placeholder SNIPER

```http
GET /SNIPER HTTP/1.1
Host: foo
```

## Dependencies

- Burp Suite
- FFUF (Fuzz Faster U Fool)
- TOML library for Java (`com.moandjiezana.toml.Toml`)

## Configuration Example

The configuration is saved at `${HOME}/.config/bffuf/bffuf.config.toml`. An example TOML configuration is:

```toml
wordlist1 = "/path/to/wordlist1.txt"
wordlist2 = "/path/to/wordlist2.txt"
wordlist3 = "/path/to/wordlist3.txt"
wordlist4 = "/path/to/wordlist4.txt"
sniperWordlist = "/path/to/sniperWordlist.txt"
```

## Videos

![Config](/static/config_bffuf.gif)

![Running](/static/running.gif)

![WordLists](/static/multipleWordLists.gif)