Firefly – Black Box Fuzzer For Web Applications

June 17, 2023

0425142f085138337e062313a724982185c3ce30bb493dd7c0c10152c0559aeb

Firefly is an advanced black-box fuzzer and not just a standard asset discovery tool. Firefly provides the advantage of testing a target with a large number of built-in checks to detect behaviors in the target.

Note:

Firefly is in a very new stage (v1.0) but works well for now, if the target does not contain too much dynamic content. Firefly still detects and filters dynamic changes, but not yet perfectly.

 

Advantages

  • Hevy use of gorutines and internal hardware for great preformance
  • Built-in engine that handles each task for “x” response results inductively
  • Highly cusomized to handle more complex fuzzing
  • Filter options and request verifications to avoid junk results
  • Friendly error and debug output
  • Build in payloads (default list are mixed with the wordlist from seclists)
  • Payload tampering and encoding functionality

Features

b8d2ac03fa528bc16fb56a00c7dfe46287ba1b93945eb2d56107cdc31a355546

Installation

go install -v github.com/Brum3ns/firefly/cmd/firefly@latest

If the above install method do not work try the following:

git clone https://github.com/Brum3ns/firefly.git
cd firefly/
go build cmd/firefly/firefly.go
./firefly -h

Usage

Simple

firefly -h
firefly -u 'http://example.com/?query=FUZZ'

Advanced usage

Request

Different types of request input that can be used

Basic

firefly -u 'http://example.com/?query=FUZZ' --timeout 7000

Request with different methods and protocols

firefly -u 'http://example.com/?query=FUZZ' -m GET,POST,PUT -p https,http,ws

Pipeline

echo 'http://example.com/?query=FUZZ' | firefly

HTTP Raw

firefly -r '
GET /?query=FUZZ HTTP/1.1
Host: example.com
User-Agent: FireFly'

This will send the HTTP Raw and auto detect all GET and/or POST parameters to fuzz.

firefly -r '
POST /?A=1 HTTP/1.1
Host: example.com
User-Agent: Firefly
X-Host: FUZZ

B=2&C=3' -au replace

Request Verifier

Request verifier is the most important part. This feature let Firefly know the core behavior of the target your fuzz. It’s important to do quality over quantity. More verfiy requests will lead to better quality at the cost of internal hardware preformance (depending on your hardware)

firefly -u 'http://example.com/?query=FUZZ' -e

Payloads

Payload can be highly customized and with a good core wordlist it’s possible to be able to fully adapt the payload wordlist within Firefly itself.

Payload debug

Display the format of all payloads and exit

firefly -show-payload

Tampers

List of all Tampers avalible

firefly -list-tamper

Tamper all paylodas with given type (More than one can be used separated by comma)

firefly -u 'http://example.com/?query=FUZZ' -e s2c

Encode

firefly -u 'http://example.com/?query=FUZZ' -e hex

Hex then URL encode all payloads

firefly -u 'http://example.com/?query=FUZZ' -e hex,url

Payload regex replace

firefly -u 'http://example.com/?query=FUZZ' -pr '\([0-9]+=[0-9]+\) => (13=(37-24))'

The Payloads: ' or (1=1)-- - and " or(20=20)or " Will result in: ' or (13=(37-24))-- - and " or(13=(37-24))or " Where the => (with spaces) inducate the “replace to“.

Filters

Filter options to filter/match requests that include a given rule.

Filter response to ignore (filter) status code 302 and line count 0

firefly -u 'http://example.com/?query=FUZZ' -fc 302 -fl 0

Filter responses to include (match) regex, and status code 200

firefly -u 'http://example.com/?query=FUZZ' -mr '[Ee]rror (at|on) line \d' -mc 200
firefly -u 'http://example.com/?query=FUZZ' -mr 'MySQL' -mc 200

Preformance

Preformance and time delays to use for the request process

Threads / Concurrency

firefly -u 'http://example.com/?query=FUZZ' -t 35

Time Delay in millisecounds (ms) for each Concurrency

FireFly -u 'http://example.com/?query=FUZZ' -t 35 -dl 2000

Wordlists

Wordlist that contains the paylaods can be added separatly or extracted from a given folder

Single Wordlist with its attack type

firefly -u 'http://example.com/?query=FUZZ' -w wordlist.txt:fuzz

Extract all wordlists inside a folder. Attack type is depended on the suffix <type>_wordlist.txt

firefly -u 'http://example.com/?query=FUZZ' -w wl/

Example

Wordlists names inside folder wl :

  1. fuzz_wordlist.txt
  2. time_wordlist.txt

Output

JSON output is strongly recommended. This is because you can benefit from the jq tool to navigate throw the result and compare it.

(If Firefly is pipeline chained with other tools, standard plaintext may be a better choice.)

Simple plaintext output format

firefly -u 'http://example.com/?query=FUZZ' -o file.txt

JSON output format (recommended)

firefly -u 'http://example.com/?query=FUZZ' -oJ file.json

Community

Everyone in the community are allowed to suggest new features, improvements and/or add new payloads to Firefly just make a pull request or add a comment with your suggestions!



Original Source

 

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee
Patreon

 To keep up to date follow us on the below channels.

join
Telegram
discord
Discord
reddit
Reddit
linkedin
LinkedIn

You may have missed

CISA Logo

CISA: CISA Adds One Known Exploited Vulnerability to Catalog

November 18, 2024
CISA Logo

CISA: CISA Adds One Known Exploited Vulnerability to Catalog

November 18, 2024
CISA Logo

CISA: Oracle Releases Quarterly Critical Patch Update Advisory for October 2024

November 18, 2024
CISA Logo

CISA: CISA Adds One Known Exploited Vulnerability to Catalog

November 18, 2024
CISA Logo

CISA: CISA Releases One Industrial Control Systems Advisory

November 18, 2024