FFUF.me

Content Discovery - Pipes

Sometimes there's situations where the wordlists that we have aren't useful for the job required.

For instance you might want to test something for an IDOR vulnerability and try some integers against it.

Instead of creating a wordlist with the required integers for the job we can use the linux seq command instead and pipe the result straight into ffuf.

The above command should discover a valid result of 657

What if the ID's are hashed in base64 or md5, this is a common way for developers to try and obfuscate the input to make it appear more random.

Unfortunately Linux doesn't have a good built in way to do this when piping in multiple lines so I developed the below bash script which can be altered to your own requirements. You'll need to save it in the /usr/local/bin with execute permissions so it's available from any directory.

Try the below to find the base64 encoded ID

The above command should discover a valid result of ODg4Cg== which is integer 888

And lastly the below to find the md5 hashed ID

The above command should discover a valid result of 4daa3db355ef2b0e64b472968cb70f0d which is integer 934