What is ffuf and how does it differ from other directory scanners like gobuster?

ffuf (Fuzz Faster U Fool) is a fast web fuzzer written in Go, primarily designed for web content discovery, parameter fuzzing, and subdomain enumeration. It differs from gobuster in flexibility: ffuf treats the insertion point as an arbitrary FUZZ placeholder that can be placed anywhere in the URL, headers, POST body, or subdomain position. Gobuster is more opinionated and faster for pure directory enumeration. For complex fuzzing scenarios — parameter discovery, virtual host enumeration, header injection testing — ffuf's FUZZ model is more versatile. For this demo, ffuf was used for path-based endpoint discovery at 4,621 requests/2 seconds (approximately 2,310 requests/second), comparable to gobuster's throughput on the same wordlist.

Why is /backup.zip on a web server such a serious finding?

Backup files on web servers represent complete source code and data exposure. A typical backup.zip of a web application contains: full application source code (exposing business logic, API endpoints, hardcoded credentials, encryption keys), database dump files (complete user tables, hashed passwords, PII), configuration files (database connection strings, AWS credentials, OAuth secrets, API keys), and deployment scripts that reveal infrastructure details. The developer who created backup.zip was almost certainly running a local copy, testing a deployment, or preserving state before an update. The file was left accessible — not because it was intended to be public, but because web server root directories accumulate files that no one audited. Once downloaded, the attack chain branches in every direction simultaneously.

What is wordlist-based fuzzing and what does 'not in wordlist' actually mean for coverage?

ffuf's content discovery works by sending a request for every path in a wordlist and recording which HTTP responses indicate a real endpoint (typically 200, 301, 403 — anything other than 404). The scanner can only find paths that appear in the wordlist. This is the fundamental limitation of wordlist-based discovery. In this demo, /api/v2/internal returned a 200 response but the path didn't appear in our wordlist (SecLists content_discovery_top_25k.txt). It was invisible to the scan. Real applications frequently use custom, application-specific paths that don't appear in any public wordlist. Comprehensive coverage requires: multiple wordlists (SecLists, FuzzDB, custom application-specific lists), recursive scanning (discover /api/, then fuzz /api/* separately), and response analysis to identify paths that hint at further structure. A clean ffuf scan means no publicly-known paths are exposed — not that no hidden paths exist.

What is the complete attack chain from backup.zip to admin access?

Step 1: ffuf discovers /backup.zip (2.0s scan). Step 2: Download backup.zip — typically contains database dump, config files, source code. Step 3: Extract credential hashes from database dump (users table, password column). Step 4: Run hashcat against extracted hashes using rockyou.txt wordlist — common password hashes crack in seconds to minutes (MD5/NTLM sub-second, bcrypt hours). Step 5: Use cracked credentials against /admin endpoint — same password often used for admin panel access. Step 6: Admin access achieved — full application control, user data access, potential server-side execution. Each step in this chain is a separate SecurityClaw skill (ffuf → hashcat → hydra). The D15+D16 combination demonstrates why surface-area reduction (removing backup.zip) is more effective than any single defensive control in isolation.

How do backup files end up on production web servers?

Several common failure modes: (1) Manual deployment workflows where developers SCP or FTP files to the server and also transfer backups 'temporarily'. (2) Automated backup scripts that write to the web root directory instead of a protected location. (3) Version control artifacts — .git directories exposed, allowing full repo clone and history download. (4) Editor temp files — Vim creates backup.bak, nano creates backup~, many editors leave recovery files. (5) Database admin tools (phpMyAdmin, Adminer) that export to the web root for browser download convenience and leave the file behind. (6) CPanel/cPanel-like control panels that create automatic backups in predictable locations. The common thread: each of these is a workflow shortcut that becomes a permanent exposure.

SecurityClaw Found the Backup File Your Developer Left Behind

March 13, 2026 · SecurityClaw Demo D16 · Web Scanning

7 hidden endpoints. 2.0 seconds. 4,621 HTTP requests. SecurityClaw's ffuf skill found everything the developer thought was hidden — including /admin and /backup.zip. The backup file contains the application database. The database contains password hashes. The hashes crack in under a second. The admin panel is now open. This is Demo D16, and it's the attack chain your deployment checklist missed. Plus one honest miss we're documenting in full.

Date:March 13, 2026

Tool:ffuf v2.1.0

Category:Web Scanning

Result:✅ Pass — 7/7 endpoints found (2.0s)

Requests:4,621 @ ~2,310 req/s

Methodology note: Controlled demo against a sandboxed test server with 7 planted hidden paths. We used SecLists content_discovery_top_25k.txt (25,000 entries) as the wordlist — a standard first-pass choice for web reconnaissance. One endpoint was intentionally planted outside the wordlist to demonstrate coverage limits. ffuf was run with status code filtering (show 200, 301, 302, 403 — hide 404). No recursive scanning was run in this demo. This is Demo D16 — Campaign 31 in SecurityClaw's web-scanning category.

The Results

Path	Status	Size	Severity	Finding
`/admin`	200	4.2KB	🔴 CRITICAL	Admin panel — no MFA, login form exposed
`/backup.zip`	200	18.4MB	🔴 CRITICAL	Full application backup — DB dump included
`/config.bak`	200	2.1KB	🟠 HIGH	Config file — DB credentials, API keys
`/.git/config`	200	186B	🟠 HIGH	Git config exposed — remote URL with credentials
`/api/v1/debug`	200	8.7KB	🟠 HIGH	Debug endpoint — env vars, stack traces, config dump
`/old`	301	—	🟡 MEDIUM	Redirect to legacy version — older, likely unpatched
`/test`	200	1.3KB	🟡 MEDIUM	Test environment — default credentials active
`/api/v2/internal`	Not found — not in wordlist			MISS — documented below

Two critical, three high, two medium. All seven intended targets found. One miss — /api/v2/internal — documented honestly in the gaps section. Total scan time: 2.0 seconds across 4,621 requests (25K wordlist minus entries filtered for file extension noise). That's approximately 2,310 requests per second on an ARM CPU against a local test target.

The Critical Findings

/backup.zip — 18.4MB, Unprotected

The most dangerous file on the server isn't the admin panel — it's the backup. An accessible admin panel requires credentials and a login bypass. An accessible backup.zip requires only a browser.

The 18.4MB backup contained (in the controlled demo):

Complete application source code — all business logic, route definitions, template files
Database dump (db_backup.sql) — full user table including email addresses and password hashes (MD5-stored in the demo, per the deployment era)
Configuration backup — database host, username, password; SMTP credentials; third-party API keys
Deployment notes — internal server architecture, infrastructure layout, admin account details

The password hashes are the critical asset. The demo used MD5-hashed passwords, consistent with many legacy applications still in production. SecurityClaw's hashcat skill (D14) cracks MD5 at 937,500 hashes per second. The admin account password was in rockyou.txt. Cracked in under a second.

/admin — Exposed, No MFA

An admin panel at a predictable path (/admin, /admin.php, /wp-admin, /administrator) is expected to exist. What makes this a critical finding is the combination: accessible panel + cracked credentials from backup.zip = immediate admin access. The scan doesn't create the vulnerability. It reveals the exposure that was always there.

The Attack Chain: backup.zip → hashcat → admin → Game Over

This is the full chain, combining D16 (ffuf) with D14 (hashcat) and D15 (hydra):

      Step 1 [2.0s]: ffuf finds /backup.zip

      Step 2 [~30s]: curl -O https://target/backup.zip && unzip backup.zip

      Step 3 [~60s]: grep -i "password\|hash\|pass" db_backup.sql → extract MD5 hashes

      Step 4 [<1s]: hashcat -m 0 hashes.txt rockyou.txt → admin hash cracked

      Step 5 [<5s]: Login to /admin with cracked credential

      Total time to admin access: approximately 2 minutes

The full chain — from "we know nothing about this server" to "admin console open" — runs in under two minutes, almost entirely automated. The human time is the 30 seconds to glance at the database dump and identify the admin hash.

Once inside the admin panel, the attack branches. In the demo environment, the admin panel had a file upload feature (for profile images), a database query interface (for reporting), and user management (create/delete accounts). Each of these is a post-exploitation vector. The backup.zip was the pivot that made all of them accessible.

"The backup file isn't a minor misconfiguration. It's a complete copy of your application handed to an attacker with no authentication required. Everything that followed — hashcat, admin access, data extraction — was a consequence of that single file being accessible."

The Other High-Severity Findings

/.git/config — Source Repo with Credentials

An exposed .git/ directory is one of the most common and most serious web misconfigurations seen in real-world pentests. When the git directory is accessible via HTTP, an attacker can reconstruct the entire repository — including the full commit history of every file that was ever tracked, including files that were deleted.

The .git/config file alone contained the remote URL in the format https://username:token@github.com/org/repo — hardcoded credentials providing read (and potentially write) access to the source repository. This is separate from the backup.zip exposure and provides a persistent access vector even after backup.zip is removed.

/api/v1/debug — Environment Variables in JSON

Debug endpoints left enabled in production are a recurring source of credential exposure. The /api/v1/debug endpoint returned a JSON dump that included:

All environment variables — DATABASE_URL, AWS_ACCESS_KEY_ID, STRIPE_SECRET_KEY, SENDGRID_API_KEY
Application configuration (cache settings, feature flags, internal service URLs)
Recent error stack traces with file paths

A single HTTP GET to a path that "nobody knows about" returns every secret the application has loaded into its environment. Debug endpoints are typically added during development, inadequately protected, and forgotten.

/config.bak — The Configuration That Wasn't Deleted

Configuration backup files (.bak, .old, .orig, .backup, ~) are produced by text editors, manual editing workflows, and deployment scripts. The pattern: config.php was being edited, the editor saved config.php.bak as a safety copy, and the deployment process uploaded both. The original file is protected (the application reads it properly); the backup is served as a plain text file, bypassing any PHP execution, returning the raw configuration including database credentials.

The Honest Miss: /api/v2/internal

We planted a CRITICAL endpoint at /api/v2/internal that ffuf did not find. This endpoint returned a 200 response with internal API documentation including authenticated endpoints not visible in the public API spec. It would have been a significant finding. The scan missed it entirely.

Why It Was Missed

The SecLists content_discovery_top_25k.txt wordlist doesn't contain api/v2/internal as an entry. This isn't a surprising gap — the path is application-specific. No public wordlist will contain every custom path in every application.

What a more thorough scan would have done:

Recursive scanning — discover /api/ first, then fuzz /api/FUZZ with a focused wordlist, then /api/v2/FUZZ with another pass
Application-specific wordlists — once source code is accessible (via backup.zip, .git, or other means), extract all route definitions and generate a targeted wordlist
Multiple wordlists — supplement SecLists with FuzzDB, dirbuster's medium.txt, and custom lists built from the application's visible API surface
Spider + fuzz combination — crawl the application to discover linked paths, use these as seeds for further fuzzing

The miss is meaningful context for any security assessment: a clean ffuf scan does not mean no hidden endpoints exist. It means no publicly-known path patterns are exposed. Custom application paths require custom wordlists to find.

In a real assessment, /api/v2/internal would likely have been found through the backup.zip chain — the source code would contain the route definition, and an attacker with source code access builds their own wordlist rather than relying on public ones. Removing the backup.zip also removes this attack path.

Remediation Priority Order

The correct fix sequence isn't "remove all findings" — it's triage by actual risk:

Immediately remove backup.zip and config.bak from the web root. Assume they have been downloaded. Rotate any credentials contained in them. Treat all credentials in config.bak as compromised.
Rotate the git credential in .git/config and restrict .git/ directory access via web server config (Deny from all in .htaccess, or nginx location block). Audit git history for other sensitive files committed and deleted.
Disable /api/v1/debug in production. Debug endpoints should be gated by environment variable (DEBUG=false in production), not path obscurity. If the endpoint must exist, require authentication.
Restrict /admin to known IPs and add MFA. The admin panel path is not a secret — don't treat obscurity as protection.
Establish a web root audit process. Any file in the web root that isn't explicitly part of the deployed application should not be there. Add a post-deploy check that compares web root contents against the expected file manifest.

SecurityClaw's ffuf skill can scan your own web properties against an expanded wordlist set before an attacker does — producing a prioritised remediation list of everything currently exposed to enumeration.

For practical web security methodology, the content discovery and information-gathering chapters in The Web Application Hacker's Handbook cover this attack surface thoroughly. Bug Bounty Bootcamp by Vickie Li includes an excellent chapter on content discovery methodology including recursive fuzzing and wordlist construction — directly applicable to the /api/v2/internal miss scenario.

SecurityClaw Scorecard: D16

D16 extends SecurityClaw's web-scanning category, now running 4 campaigns across content discovery techniques (Gobuster D12, ffuf D16) and vulnerability scanning (Nikto, WPScan, Swagger scanner).

Metric	Value
Tool	ffuf v2.1.0
Requests sent	4,621
Scan duration	2.0 seconds (~2,310 req/s)
Endpoints planted	8 (7 in wordlist + 1 intentional miss)
Endpoints found	7/7 in-wordlist (100%)
Critical findings	2 (/admin, /backup.zip)
High findings	3 (/config.bak, /.git/config, /api/v1/debug)
Honest miss	/api/v2/internal — not in wordlist (documented)
Wordlist	SecLists content_discovery_top_25k.txt
Campaign result	PASS
Overall scorecard after D16	25/27 campaigns = 92.59%

2.0 seconds to find a backup file that breaks open the entire application. The backup.zip was there for months. The developer who created it has probably forgotten it exists. The attacker doesn't need to know it exists in advance — they just run the scan. The scan is cheaper than forgetting.