Back to posts
Security

Practical Web Fuzzing with ffuf: Discovering and Exploiting Hidden API Endpoints

A hands-on walkthrough of using ffuf to fuzz HTTP APIs, discover hidden endpoints, and exploit a legacy authentication backdoor.

JB
Jayce BordelonSWE
8 min read
Security

Preface

This post is adapted from a fuzzing project I originally completed during my sophomore year at Washington University in St. Louis as part of a computer security course. While the project itself was academic, the techniques, tooling, and mindset it introduced have remained directly applicable in my day-to-day software development and security work. Web fuzzing—especially against APIs—continues to be one of the most effective ways to uncover unexpected behavior, legacy vulnerabilities, and unsafe assumptions in real systems.

What follows is a cleaned and updated write-up of that work, presented as a practical, real-world walkthrough.

What is Fuzzing?

Fuzzing is a software testing strategy that involves generating random or unexpected inputs to discover unintended or vulnerable behavior in a system. The main purpose of fuzzing is to explore edge cases that fall outside the system’s expected input space based on its design and usage.

Fuzzers are software tools that automate this process, allowing large input spaces to be tested efficiently.

How Are Fuzzers Used?

There are several fuzzing styles, chosen based on the system being tested:

Information About Input Structure

  • Smart fuzzing: Provides information about the structure of inputs, giving the fuzzer an advantage when generating effective test cases.
  • Dumb fuzzing: Provides no input structure information and instead tests broadly and randomly.

Types of Input Generation

  • Mutative fuzzing: Takes a valid input and randomly modifies it (e.g. bit-flipping).
  • Generative fuzzing: Creates entirely new inputs from scratch. Because these inputs are generated rather than mutated, generative fuzzing requires at least some knowledge of input structure.

Information About the System

  • Whitebox fuzzing: Has access to internal program structure and is often used to maximize code coverage.
  • Blackbox fuzzing: Has no knowledge of the system internals; this is the most common fuzzing approach.
  • Greybox fuzzing: A hybrid approach combining aspects of whitebox and blackbox fuzzing.

By combining these dimensions, fuzzing strategies can be tailored to the complexity and goals of the target system.

Applications

Fuzzing is commonly used for software that accepts structured input, including:

  • Web applications and APIs
  • Cloud services
  • Embedded and smart devices
  • Automotive and autonomous vehicle software

Fuzzers are effective at discovering crashes, logic bugs, race conditions, deadlocks, and memory management vulnerabilities.

What is ffuf?

ffuf (short for fuzz faster u fool) is a fast web fuzzer written in Go. It supports:

  • Directory and path discovery
  • Virtual host discovery
  • GET and POST parameter fuzzing
  • Header and request body fuzzing

ffuf is commonly used by penetration testers, security researchers, and developers performing security testing.

Installing ffuf

macOS (Homebrew)

brew install ffuf

Windows (Scoop)

Set-ExecutionPolicy RemoteSigned -scope CurrentUser
iwr -useb get.scoop.sh | iex
scoop install ffuf

Linux (via Go)

sudo apt install golang
go install github.com/ffuf/ffuf/v2@latest
export PATH=$PATH:$HOME/go/bin

Using ffuf

ffuf Capabilities

  1. Discovering hidden directories and paths via brute force
  2. Testing query parameters for bugs or injections
  3. Fuzzing request bodies (useful for login forms or APIs)
  4. Testing header-based bypasses or hidden secrets

To view all CLI options:

ffuf -h

Tutorial: Discovering and Exploiting a Hidden Login Endpoint

This walkthrough demonstrates how ffuf can be used to go from zero knowledge about an API to bypassing authentication by discovering a legacy backdoor.

Finding API Endpoints

Assume we know nothing about the target other than that it is an HTTP server with some API routes. We begin by fuzzing common endpoint paths using a public wordlist of known API routes.

ffuf -w ./word-lists/endpoints.txt -u http://localhost:8080FUZZ -fc 404,301 -v -r

Investigating Login Behavior

Login endpoints typically expect POST requests with credentials. Testing both routes confirms this behavior and reveals inconsistent error messaging that hints at legacy logic.

Brute-Forcing the Legacy Login

Using ffuf to brute-force the password field for an admin account quickly reveals a valid credential due to insecure, hardcoded logic left behind in a legacy route.

Root Cause: A Legacy Backdoor

Inspection of the server code confirms that an outdated login handler with hardcoded credentials was left exposed, allowing administrative access without proper authentication controls.

Conclusion

This example demonstrates how powerful even basic web fuzzing can be. With only a wordlist and a fuzzing tool, it is possible to uncover forgotten routes, legacy behavior, and insecure assumptions in real systems.

ffuf remains one of the most effective tools for quickly validating the security posture of web APIs and services.

Background PathsBackground Paths