firefly: advanced black-box fuzzer
Firefly
Firefly is an advanced black-box fuzzer, not just a standard asset discovery tool. It tests a target with a large number of built-in checks to detect behaviours in the target.
Advantages
- Heavy use of goroutines and internal hardware for great performance
- Built-in engine that handles each task for "x" response results inductively
- Highly customized to handle more complex fuzzing
- Filter options and request verifications to avoid junk results
- Friendly error and debug output
- Built-in payloads (the default list is mixed with the wordlist from SecLists)
- Payload tampering and encoding functionality
Install
go install -v github.com/Brum3ns/firefly/cmd/firefly@latest
Use
Advanced Usage
Request
Different types of request input can be used
Basic
firefly -u 'http://example.com/?query=FUZZ' --timeout 7000
Request with different methods and protocols
firefly -u 'http://example.com/?query=FUZZ' -m GET,POST,PUT -p https,http,ws
Pipeline
echo 'http://example.com/?query=FUZZ' | firefly
HTTP Raw
This sends the raw HTTP request and auto-detects all GET and/or POST parameters to fuzz.
Request Verifier
The request verifier is the most important part. This feature lets Firefly learn the core behaviour of the target you fuzz. It's important to favour quality over quantity: more verification requests lead to better quality at the cost of performance (depending on your hardware).
firefly -u 'http://example.com/?query=FUZZ' -e
Payloads
Payloads can be highly customized; with a good core wordlist it is possible to fully adapt the payload wordlist within Firefly itself.
Payload debug
Display the format of all payloads and exit
firefly -show-payload
Tampers
List all tampers available
firefly -list-tamper
Tamper all payloads with given type (More than one can be used separated by a comma)
firefly -u 'http://example.com/?query=FUZZ' -e s2c
Encode
firefly -u 'http://example.com/?query=FUZZ' -e hex
Hex-encode, then URL-encode, all payloads
firefly -u 'http://example.com/?query=FUZZ' -e hex,url
Payload regex replace
firefly -u 'http://example.com/?query=FUZZ' -pr '\([0-9]+=[0-9]+\) => (13=(37-24))'
The payloads:
- ' or (1=1)-- -
- " or(20=20)or "
will result in:
- ' or (13=(37-24))-- -
- " or(13=(37-24))or "
where the => (with spaces) indicates the "replace to" part.
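As an added illustration, not code from the Firefly project: a small Go program that applies a -pr style rule to the two payloads above and then runs an encoder chain in the order -e hex,url would, rejecting unknown encoder names. applyReplace and encodeChain are hypothetical names; Firefly's own implementation of these steps may differ.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// applyReplace implements a "-pr" style rule: regex before " => " (spaces included), literal replacement after it.
func applyReplace(rule string, payloads []string) ([]string, error) {
	parts := strings.SplitN(rule, " => ", 2)
	if len(parts) != 2 {
		return nil, fmt.Errorf("rule %q must look like 'pattern => replacement'", rule)
	}
	re, err := regexp.Compile(parts[0])
	if err != nil {
		return nil, err
	}
	out := make([]string, len(payloads))
	for i, p := range payloads {
		out[i] = re.ReplaceAllLiteralString(p, parts[1])
	}
	return out, nil
}

// encodeChain (hypothetical, not Firefly's own code) applies comma-separated encoders left to right: "hex,url" hex-encodes, then URL-escapes.
func encodeChain(payload, chain string) (string, error) {
	for _, name := range strings.Split(chain, ",") {
		switch strings.TrimSpace(name) {
		case "hex":
			payload = hex.EncodeToString([]byte(payload))
		case "url":
			payload = url.QueryEscape(payload)
		default:
			return "", fmt.Errorf("unknown encoder %q", name)
		}
	}
	return payload, nil
}

func main() {
	got, err := applyReplace(`\([0-9]+=[0-9]+\) => (13=(37-24))`, []string{`' or (1=1)-- -`, `" or(20=20)or "`}) // constructed sample payloads from the example above
	if err != nil {
		panic(err)
	}
	enc, _ := encodeChain(got[0], "hex,url")
	fmt.Println(strings.Join(got, "\n"), "\n"+enc)
}
```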
Filters
Filter options to filter/match requests that include a given rule.
Filter responses to ignore (filter) status code 302 and line count 0
firefly -u 'http://example.com/?query=FUZZ' -fc 302 -fl 0
Filter responses to include (match) a regex and status code 200
firefly -u 'http://example.com/?query=FUZZ' -mr '[Ee]rror (at|on) line \d' -mc 200
firefly -u 'http://example.com/?query=FUZZ' -mr 'MySQL' -mc 200
Performance
Performance settings and time delays to use for the request process
Threads / Concurrency
firefly -u 'http://example.com/?query=FUZZ' -t 35
Time Delay in milliseconds (ms) for each Concurrency
firefly -u 'http://example.com/?query=FUZZ' -t 35 -dl 2000
Wordlists
Wordlists that contain the payloads can be added separately or extracted from a given folder
Single Wordlist with its attack type
firefly -u 'http://example.com/?query=FUZZ' -w wordlist.txt:fuzz
Extract all wordlists inside a folder. The attack type depends on the file suffix <type>_wordlist.txt
firefly -u 'http://example.com/?query=FUZZ' -w wl/
Example
Wordlist names inside the folder wl:
- fuzz_wordlist.txt
- time_wordlist.txt
Output
JSON output is strongly recommended, because you can use the jq tool to navigate through the results and compare them.
(If Firefly is pipeline chained with other tools, standard plaintext may be a better choice.)
Simple plaintext output format
firefly -u 'http://example.com/?query=FUZZ' -o file.txt
JSON output format (recommended)
firefly -u 'http://example.com/?query=FUZZ' -oJ file.json
Source: https://github.com/Brum3ns/