Skip to main content
Glama
SlanyCukr

Bug Bounty MCP Server

by SlanyCukr
OverviewInspectSchemaRelated ServersScoreDiscussions
Python
Remote

ffuf_scan

Execute web fuzzing scans to discover hidden directories, files, and endpoints using customizable wordlists and HTTP status code filtering for security testing.

Instructions

Execute FFuf for web fuzzing with enhanced logging.

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
additional_argsNo
match_codesNo200,204,301,302,307,401,403
modeNodirectory
urlYes
wordlistNo/usr/share/wordlists/dirb/common.txt

Implementation Reference

  • src/mcp_server/app.py:991-1015 (handler)
    MCP tool handler for 'ffuf_scan': collects parameters and proxies the request to the REST API endpoint '/api/ffuf' for actual ffuf execution.
    def ffuf_scan( url: str, wordlist: str = "/usr/share/wordlists/dirb/common.txt", mode: str = "directory", match_codes: str = "200,204,301,302,307,401,403", additional_args: str = "", ) -> dict[str, Any]: """Execute FFuf for web fuzzing with enhanced logging.""" data = { "url": url, "wordlist": wordlist, "mode": mode, "match_codes": match_codes, "additional_args": additional_args, } logger.info(f"🔥 Starting FFuf web fuzzing on {url}") result = api_client.safe_post("api/ffuf", data) if result.get("success"): logger.info(f"✅ FFuf fuzzing completed on {url}") else: logger.error("❌ FFuf fuzzing failed") return result
  • src/rest_api_server/tools/ffuf/ffuf.py:291-305 (handler)
    REST API handler for ffuf tool execution: builds ffuf command, executes it via subprocess, parses JSON output into structured findings.
    @tool(required_fields=["url"]) def execute_ffuf(): """Execute FFuf web fuzzer.""" data = request.get_json() params = extract_ffuf_params(data) logger.info(f"Executing FFuf on {params['url']}") start_time = time.time() command = build_ffuf_command(params) execution_result = execute_command(command, timeout=params["timeout"] * 60) end_time = time.time() return parse_ffuf_result(execution_result, params, command, start_time, end_time)
  • src/rest_api_server/tools/ffuf/ffuf.py:57-57 (helper)
    Helper function to construct the ffuf CLI command based on input parameters.
    def build_ffuf_command(params: dict) -> str:
  • src/rest_api_server/tools/ffuf/ffuf.py:242-289 (helper)
    Helper function to parse ffuf execution results, deduplicate findings, and format the response.
    def parse_ffuf_result( execution_result: dict, params: dict, command: str, start_time: float, end_time: float, ) -> dict: """Parse ffuf execution result and format response.""" duration_ms = int((end_time - start_time) * 1000) if not execution_result["success"]: return { "success": False, "tool": "ffuf", "params": params, "started_at": datetime.fromtimestamp(start_time, UTC).isoformat(), "ended_at": datetime.fromtimestamp(end_time, UTC).isoformat(), "duration_ms": duration_ms, "error": execution_result.get("stderr", "Command execution failed"), "findings": [], "stats": {"findings": 0, "dupes": 0, "payload_bytes": 0}, } stdout = execution_result.get("stdout", "") findings = parse_ffuf_output(stdout) unique_findings = deduplicate_findings(findings) dupes_count = len(findings) - len(unique_findings) payload_bytes = len(stdout.encode("utf-8")) truncated = len(findings) > 100 stats = { "findings": len(unique_findings), "dupes": dupes_count, "payload_bytes": payload_bytes, "truncated": truncated, } return { "success": True, "tool": "ffuf", "params": params, "started_at": datetime.fromtimestamp(start_time, UTC).isoformat(), "ended_at": datetime.fromtimestamp(end_time, UTC).isoformat(), "duration_ms": duration_ms, "findings": unique_findings, "stats": stats, }
  • src/rest_api_server/tools/ffuf/ffuf.py:159-240 (helper)
    Helper function to parse ffuf JSON stdout into structured security findings.
    def parse_ffuf_output(stdout: str) -> list[dict]: """Parse ffuf JSON output into findings.""" findings = [] if not stdout.strip(): return findings try: data = json.loads(stdout) results = data.get("results", []) for result in results: if not isinstance(result, dict): continue url = result.get("url", "") status = result.get("status", 0) length = result.get("length", 0) words = result.get("words", 0) lines = result.get("lines", 0) input_data = result.get("input", {}) if not url: continue evidence = { "url": url, "status_code": status, "response_size": length, "word_count": words, "line_count": lines, "discovered_by": "ffuf", } if input_data: evidence["fuzzed_input"] = input_data if "redirectlocation" in result: evidence["redirect_location"] = result["redirectlocation"] parsed_url = urlparse(url) target = parsed_url.netloc severity = "info" confidence = "medium" tags = ["directory-enum", f"status-{status}"] if status == 200: tags.append("found") elif status in [301, 302, 307]: tags.append("redirect") elif status in [401, 403]: tags.append("restricted") elif status >= 500: tags.append("server-error") if length > 10000: tags.append("large-response") elif length == 0: tags.append("empty-response") finding = create_finding( finding_type="endpoint", target=target, evidence=evidence, severity=severity, confidence=confidence, tags=tags, raw_ref=f"ffuf_{len(findings)}", ) findings.append(finding) except json.JSONDecodeError as e: logger.error(f"Failed to parse ffuf JSON output: {e}") except Exception as e: logger.error(f"Error processing ffuf results: {e}") if len(findings) > 100: findings = findings[:100] return findings

This server cannot be installed

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/SlanyCukr/bugbounty-mcp-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server