Ffuf fails with zero-size responses

[gnunez88]

Hello,

This is the second time I encounter this situation where I have to fuzz a RESTful API just to show a PoC and I find out ffuf fails to show the correct result.

The thing is the API returns a JSON in the response body, but there is no Content-Length, which might be taken as 0, hence there is no way to filter the correct response because -fs, -fw, -fl and -fs seem to expect a non-zero body size.

The problem is in the response, rather in the request, so it is not a Content-Type thing, as you see:

I can sort this out proxying the traffic through BurpSuite, since it seems it does not rely on the Content-Length header:

Thank you!

BTW, since ffuf has many options similar to curl, is it possible to specify files for POST requests? As you can see in the first image, I have to use "$(cat auth.login_with_options)", because -d @auth.login_with_options would send one request with @auth.login_with_options as the payload, instead of the contents of the file.

[bsysop]

Hi @gnunez88,
Please try again removing -mc all, if still doesn't work, can you send me a DM so I can debug?

For the second question, please open another issue since those are different topics and a feature request.

[gnunez88]

DM

Hi @bsysop,

I have removed the -mc all, same result (as expected):

I'll DM you.

[gnunez88]

@bsysop, sorry to bother you. How can I send you a message? I can only see you on X, but since I'm not verified I cannot message you.

[bsysop]

What is your X handler, so I can follow you?

[gnunez88]

Edited:

And yes, it is my handler, the ones I wanted there weren't available :-p.

[bsysop]

Followed