ffuf / ffuf

Fast web fuzzer written in Go
MIT License

Feature Request: audit logging / complete request-response logging #759

Open denandz opened 11 months ago

denandz commented 11 months ago

ffuf currently does not have an 'audit logging' or similar flag to spool out every sent request and every received response to a file.

This becomes an issue when trying to keep a detailed log of traffic sent to a specific target, say a particularly sensitive or brittle target. The best we can do at this point is to either feed ffuf via another intercepting proxy to log all requests, or to note the command invocation and parameters along with the start time. Both of these solutions are kind of clunky.

An -audit-log or similar flag that spooled out all requests sent and all responses received to a json file, regardless of filter configuration, would be helpful in this case.

Once an audit log is able to be generated, it would be possible to implement something like an -input-log feature to apply filters and display results based on the previously written audit log. Now modifying filter and matcher parameters doesn't require a re-run of the fuzzing requests as we already have that data.

The above would assist in hunting for one-time outliers during fuzzing. For example, a response that takes a measurably longer time the first time a request is issued, then takes the average time on subsequent requests. The initial fuzz run would catch the temporal outlier, but by the time the matchers are tweaked and the fuzz run is performed again the outlier is missed.

bsysop commented 9 months ago

Hi @denandz, actually, you can check the received response using the -od argument and also -of in JSON format to check what arguments were used in FFUF. That's not exactly an audit option, especially because that would be a super huge file/folder with many GBs.

Does -od + the JSON output help you?

denandz commented 9 months ago

Unfortunately it does not. -od and -of won't log all requests/responses sent by FFUF pre-matcher. It doesn't help with auditing or with hunting for one-time outliers during fuzzing.

As far as audit logs being super huge, it's not really that big a deal in most cases. E.g., the HTTP response for this GitHub issue is about 180 KB. You'd need to do a fuzz run with >5000 requests to break a GB in responses. Naturally the audit log option wouldn't be enabled by default. You can look at something like Burp Intruder when fuzzing, which logs all requests and allows filtering after the fact.

It's on my todo list to get a pull request together for this feature. A complete audit log, plus a way to feed that audit log back into FFUF for matcher refinement, would help a bunch when using FFUF for vulnerability hunting.
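A sketch of the replay half of the proposal (the -input-log idea: re-apply matchers to a previously written audit log instead of re-sending requests), as an added example that is not ffuf's own code and not the issue author's. The JSON-lines record shape, `Matcher`, `Replay` and `SampleLog` are all assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// AuditRecord is one JSON line of a hypothetical audit log: every request sent and
// every response received, written before any matcher or filter runs (assumed format).
type AuditRecord struct {
	Input      string `json:"input"`
	Status     int    `json:"status"`
	Length     int    `json:"length"`
	DurationMS int64  `json:"duration_ms"`
}

// Matcher: matched status codes (nil matches any) and a minimum response time.
type Matcher struct {
	Status        map[int]bool
	MinDurationMS int64
}

func (m Matcher) Match(r AuditRecord) bool {
	return r.DurationMS >= m.MinDurationMS && (m.Status == nil || m.Status[r.Status])
}

// Replay re-applies a matcher to logged responses instead of re-sending requests,
// so a one-time outlier (a single slow response) is still found on the second pass.
// A malformed record is an error, not silently skipped: an audit log must be complete.
func Replay(log string, m Matcher) ([]AuditRecord, error) {
	var hits []AuditRecord
	dec := json.NewDecoder(strings.NewReader(log))
	for n := 1; ; n++ {
		var r AuditRecord
		if err := dec.Decode(&r); err == io.EOF {
			break
		} else if err != nil {
			return nil, fmt.Errorf("audit log record %d: %w", n, err)
		}
		if m.Match(r) {
			hits = append(hits, r)
		}
	}
	return hits, nil
}

// SampleLog is constructed data: three logged responses, one of them unusually slow.
const SampleLog = `{"input":"admin","status":403,"length":512,"duration_ms":41}
{"input":"backup","status":200,"length":1980,"duration_ms":3200}
{"input":"login","status":200,"length":1200,"duration_ms":55}`
```

Changing the matcher (say, from a status-code match to a 1000 ms minimum response time) is then a second call to `Replay` over the same log, with no new traffic to the target.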