Ffufhash mapping
ffuf saves the configuration of every run, and from that configuration it derives a unique hash for each payload it sends. The hash is exposed to the user through the FFUFHASH keyword, which can be used just like any other keyword in the runtime configuration.
The main reason for this feature is to have a unique identifier for each request sent out that can later be mapped back to its origin. Think of sending out thousands of different blind payloads and, after some time, getting a callback from one of them. Which request was the one that triggered the vulnerability? By using FFUFHASH as part of the callback subdomain you will be able to map the hash back to the original request.
Simply add the FFUFHASH keyword to any part of the request where you would use other keywords: URL, headers or body. The keyword does not have to be defined separately on the command line; it is calculated automatically and always exists.
When you have a hash value that you want to map back to the initial request, call ffuf with the parameter -search HASHVALUE. For example:
➜ ffuf -search 853a7ff
Request candidate(s) for hash 853a7ff
-------------------------------------------
ffuf job started at: 2023-02-04T13:07:31+02:00
GET /example?url=//853a7ff.callbackdomain.tld HTTP/1.1
Host: ffuf.io.fi
User-Agent: Fuzz Faster U Fool v2.0-dev
Accept-Encoding: gzip
Saving every outgoing request would consume an enormous amount of disk space, so a different approach was chosen: reproducible simulated re-invocation. ffuf replays the saved configuration and regenerates the request at the recorded position instead of reading it from disk. This means that the wordlists and other static file paths you used on the ffuf command line need to remain available, with the same contents, for the remapping to work properly.
This also means that, unfortunately, wordlists read from stdin (using -w -) cannot be mapped back.
Example hash: 853a7ff
The hash consists of two parts.
Each run configuration has its own SHA256 hash. The configuration, with all the command line options of the invocation, is saved under a subdirectory of that name in the $XDG_CONFIG_HOME/ffuf/history directory. For the sake of this example, the configuration is saved to the subdirectory 853a7a41400e25a138be44707ccdeff2bef4c29bac4ee9746f97d05d89a2b2ce and the first five hex characters of that hash (853a7) form the first part of the FFUFHASH value.
The second part of the hash (ff in this example) is simply the hex value of the input position, 255 in decimal.
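The two-part construction described above, as an added example in Go that is not part of ffuf's own code: it builds a FFUFHASH-style value from a configuration hash and an input position, splits a hash seen in a callback back into those two parts, and matches the prefix against a constructed listing of history subdirectory names. Only the first directory name is from this page; the other two names, and the helper names ffufHash, splitHash, candidates and exampleHistory, are made up here. The example follows only what this page states about the hash format and may differ from ffuf's internal implementation in detail.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// hashPrefixLen is how many leading hex characters of the run's SHA256
// configuration hash make up the first part of FFUFHASH ("853a7" in the
// page's example hash 853a7ff).
const hashPrefixLen = 5

// ffufHash builds a FFUFHASH-style value: the first five hex characters of
// the hex-encoded SHA256 configuration hash, followed by the input position
// in hex with no padding (so the total length varies with the position).
func ffufHash(configHashHex string, position int) (string, error) {
	if len(configHashHex) < hashPrefixLen {
		return "", errors.New("configuration hash is shorter than the prefix length")
	}
	if position < 0 {
		return "", errors.New("input position must be non-negative")
	}
	return configHashHex[:hashPrefixLen] + strconv.FormatInt(int64(position), 16), nil
}

// splitHash reverses ffufHash. Because the prefix has a fixed width, the
// split is unambiguous even though the position part has no fixed width.
func splitHash(hash string) (prefix string, position int, err error) {
	if len(hash) <= hashPrefixLen {
		return "", 0, fmt.Errorf("hash %q is too short: a %d-character prefix must be followed by a position", hash, hashPrefixLen)
	}
	pos, err := strconv.ParseInt(hash[hashPrefixLen:], 16, 64)
	if err != nil || pos < 0 {
		return "", 0, fmt.Errorf("hash %q does not end in a valid hex position", hash)
	}
	return hash[:hashPrefixLen], int(pos), nil
}

// candidates returns every saved run configuration whose hash starts with
// prefix. Five hex characters carry only 20 bits, so once the history
// directory holds many runs several of them can share a prefix; this is
// why ffuf reports "Request candidate(s)" and the request of each one
// rather than a single answer.
func candidates(prefix string, historyDirs []string) []string {
	var out []string
	for _, dir := range historyDirs {
		if strings.HasPrefix(dir, prefix) {
			out = append(out, dir)
		}
	}
	return out
}

// exampleHistory returns constructed subdirectory names standing in for a
// listing of $XDG_CONFIG_HOME/ffuf/history. The first entry is the hash from
// the page; the other two are made up here, one deliberately sharing the
// 853a7 prefix to show a collision.
func exampleHistory() []string {
	return []string{
		"853a7a41400e25a138be44707ccdeff2bef4c29bac4ee9746f97d05d89a2b2ce",
		"853a7ffe0b3d9c7a2e1f4d6b8a9c0e2f1d3b5a7c9e0f2d4b6a8c0e1f3d5b7a9c",
		"0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0",
	}
}

func main() {
	history := exampleHistory()

	// Forward direction: input position 255 (0xff) of the page's run
	// yields the page's example hash 853a7ff.
	h, err := ffufHash(history[0], 255)
	if err != nil {
		panic(err)
	}
	fmt.Println("FFUFHASH for position 255:", h)

	// Reverse direction: a hash seen in a callback is split back into the
	// configuration prefix and the position, then matched against history.
	prefix, pos, err := splitHash(h)
	if err != nil {
		panic(err)
	}
	fmt.Printf("prefix %s, position %d\n", prefix, pos)
	for _, c := range candidates(prefix, history) {
		fmt.Println("candidate configuration:", c)
	}
}
```

The position part is unpadded hex, so 853a70 is position 0 and 853a7ff is position 255. Whether ffuf counts the first payload as position 0 or 1 is not stated on this page, so treat the split as a way to reason about the format and use ffuf -search for the authoritative request.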