Hello, today we will be fuzzing DVWA (OWASP Damn Vulnerable Web Application) inside of a Kali Linux VM. We will be using the ffuf (Fuzz Faster U Fool) Kali Linux tool to fuzz our self-hosted (vulnerable) web application.
First of all, we will start out by defining some basic terminology. What is “fuzzing”? Fuzzing is when we feed many generated or random inputs to a target application in order to see how it behaves on each one. With web applications, this means looking at the HTTP status code returned for each GET/POST request (a 200 code means the request succeeded and the server returned the content). The ffuf fuzzing tool takes input data (usually read from a wordlist text file) and reports which inputs receive a specific HTTP status code from the web application.
For this we will be using DVWA. You can download the source code here. Using the terminal, we will cd into this (unzipped) directory to begin running the web application on localhost. The easiest way to do this is by using docker. First run
docker version
and
docker compose version
in order to see that both are properly installed.
Then, when that has been verified, run
docker compose up -d
and then navigate in a web browser to open DVWA at
http://localhost:4280
Login to DVWA with the default credentials admin / password. Now you will be able to see the admin settings for our DVWA target.
Once we go back into our terminal, open up a new tab. We will begin using ffuf to fuzz our target (DVWA). For our fuzzing wordlists we can use SecLists. Be sure to copy and paste the correct file path when using a wordlist.
http://localhost:4280/login.php is the login page for DVWA. We will be fuzzing the directory for this path using the
/path/to/wordlist/directory-list-2.3-medium.txt
wordlist. By replacing ‘login’ with the keyword ‘FUZZ’ we tell ffuf to substitute every wordlist entry into that position of the URL in order to find new pages under that path. By passing the -mc 200 argument we match only responses with status code 200, and -fs 0 filters out empty (zero-byte) responses, like so:
ffuf -w /path/to/wordlist/directory-list-2.3-medium.txt -u http://localhost:4280/FUZZ.php -fs 0 -mc 200
Here we will see the results. One of the directories found is http://localhost:4280/setup.php. Let’s open that up.
We can see that we can create or reset the database on the web application, or change the credentials for our own use.
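From the other side of the wire, a run like the one above is loud: one client requests dozens of distinct paths within a few seconds, almost all of them answered with 404, and ffuf's default User-Agent string begins with "Fuzz Faster U Fool". The following is an added example, not part of the original post or of ffuf or DVWA, showing how a defender could spot that pattern in Apache/nginx combined-format access logs. The log lines, IP addresses, timestamps and thresholds are all constructed for the demonstration; tune the thresholds to your own traffic.

```python
"""Detect ffuf-style path brute-forcing in web server access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(lines, window=timedelta(seconds=60), min_requests=20,
                      min_distinct_ratio=0.8, min_404_ratio=0.7):
    """Return {ip: summary} for clients that, within any sliding window, send many
    requests to mostly distinct paths that mostly come back 404 (wordlist discovery)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it spans at most `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            if len(win) < min_requests:
                continue
            distinct = len({r["path"] for r in win})
            not_found = sum(1 for r in win if r["status"] == 404)
            if (distinct / len(win) >= min_distinct_ratio
                    and not_found / len(win) >= min_404_ratio):
                alerts[ip] = {
                    "requests": len(win),
                    "distinct_paths": distinct,
                    "not_found": not_found,
                    "user_agents": sorted({r["ua"] for r in win}),
                }
                break  # one alert per client is enough
    return alerts


# --- constructed sample log (not real traffic) ---------------------------------
def _line(ip, second, path, status, size, ua):
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} {size} "-" "{ua}"')


FFUF_UA = "Fuzz Faster U Fool v2.1.0"  # constructed; ffuf's default UA starts with this phrase
SAMPLE_LOG = (
    # a scanner walking a wordlist: 28 misses, then two hits within the same minute
    [_line("10.0.0.5", i, f"/word{i}.php", 404, 0, FFUF_UA) for i in range(28)]
    + [_line("10.0.0.5", 29, "/login.php", 200, 1523, FFUF_UA),
       _line("10.0.0.5", 30, "/setup.php", 200, 4095, FFUF_UA)]
    # a normal user making a handful of successful requests
    + [_line("192.168.1.10", s, p, 200, 2048, "Mozilla/5.0")
       for s, p in ((1, "/login.php"), (15, "/index.php"), (40, "/login.php"))]
)


def demo():
    """Run the detector over the constructed sample and return its alerts."""
    return detect_bruteforce(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, summary in demo().items():
        print(ip, summary)
```

The check fires on the first 20-request window in which at least 80% of paths are distinct and at least 70% of responses are 404, so the benign client with three successful requests never reaches the threshold. The User-Agent is recorded in the alert rather than used as the trigger, since a scanner can set any UA it likes with ffuf's -H option.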
Hacking Websites with ffuf! (FUZZING)