Ffuf (Fuzz Faster U Fool)
A fast web fuzzer written in Go that allows various types of fuzzing operations.
Command | Description |
---|---|
ffuf -h | Display ffuf help |
ffuf -V | Display ffuf version |
Basic Usage
Command | Description |
---|---|
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ | Directory Fuzzing |
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/indexFUZZ | Extension Fuzzing |
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.php | Page Fuzzing |
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v | Recursive Fuzzing |
ffuf -w wordlist.txt:FUZZ -u https://FUZZ.squid.com/ | Sub-domain Fuzzing |
ffuf -w wordlist.txt:FUZZ -u http://squid.com:PORT/ -H 'Host: FUZZ.squid.com' -fs xxx | VHost Fuzzing |
ffuf -w wordlist.txt:FUZZ -u 'http://admin.squid.com:PORT/admin/admin.php?FUZZ=key' -fs xxx | Parameter Fuzzing - GET |
ffuf -w wordlist.txt:FUZZ -u http://admin.squid.com:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx | Parameter Fuzzing - POST |
ffuf -w ids.txt:FUZZ -u http://admin.squid.com:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx | Value Fuzzing |
Multiple Wordlists & FUZZ Keywords
Command | Description |
---|---|
ffuf -w users.txt:USER -w pass.txt:PASS -u http://target/login -X POST -d "username=USER&password=PASS" | Multiple wordlists for different positions |
ffuf -w wordlist.txt:FUZZ1 -w wordlist2.txt:FUZZ2 -u http://target/FUZZ1/FUZZ2 | Multiple positions with different wordlists |
ffuf -w hosts.txt:HOST -w wordlist.txt:FUZZ -u http://HOST/FUZZ | Subdomain + directory fuzzing together |
HTTP Methods & Headers
Command | Description |
---|---|
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -X POST | Use POST method |
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -X PUT | Use PUT method |
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -H "X-Forwarded-For: 127.0.0.1" -H "User-Agent: Mozilla/5.0" | Custom headers |
ffuf -w wordlist.txt:FUZZ -u http://target/ -H "Cookie: sessid=FUZZ" | Fuzzing cookies |
ffuf -w wordlist.txt:FUZZ -u http://target/ -H "Authorization: Bearer FUZZ" | Fuzzing authorization tokens |
Filtering Results
Command | Description |
---|---|
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -fc 404 | Filter HTTP status code 404 |
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -mc 200,301 | Match HTTP status codes 200 and 301 |
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -fs 12345 | Filter by response size 12345 bytes |
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -ms 0-100 | Match response size between 0-100 bytes |
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -fw 57 | Filter by word count in response |
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -fl 22 | Filter by line count in response |
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -fr "Not Found" | Filter by regex pattern in response |
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -mr "admin" | Match by regex pattern in response |
Rate Limiting & Threads
Command | Description |
---|---|
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -p 0.1 | Add 0.1 second delay between requests |
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -rate 10 | Rate limiting - 10 requests per second |
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -t 5 | Limit to 5 concurrent threads |
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -timeout 10 | Request timeout of 10 seconds |
Advanced Options
Command | Description |
---|---|
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -e .php,.html,.txt | Multiple extensions fuzzing |
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -maxtime 60 | Stop after 60 seconds |
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -maxtime-job 30 | Stop each job after 30 seconds |
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -ac | Auto-calibrate filtering (reduce false positives) |
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -ignore-body | Don't fetch response body (faster) |
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -replay-proxy http://127.0.0.1:8080 | Replay matched requests through a proxy |
Authentication
Command | Description |
---|---|
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -replay-proxy http://127.0.0.1:8080 | Replay matched requests through proxy |
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -x http://127.0.0.1:8080 | Use proxy for all requests |
ffuf -w wordlist.txt:FUZZ -u https://target/FUZZ -x https://username:password@proxy:port | Proxy with authentication |
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -b "session=1234567890" | Set cookie values |
Output Options
Command | Description |
---|---|
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -v | Verbose output |
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -o results.json | Output to JSON file |
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -of html -o results.html | Output to HTML file |
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -of csv -o results.csv | Output to CSV file |
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -of ejson -o results.ejson | Output to elaborated JSON |
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -of md -o results.md | Output to Markdown file |
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -s | Silent mode (only show results) |
JSON Web Token (JWT) Fuzzing
Command | Description |
---|---|
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" | Fuzzing with static JWT token |
ffuf -w jwt-payloads.txt:FUZZ -u http://target/ -H "Authorization: Bearer FUZZ" | Fuzzing with different JWT tokens |
Wordlists
Command | Description |
---|---|
/opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt | Directory/Page Wordlist |
/opt/useful/SecLists/Discovery/Web-Content/web-extensions.txt | Extensions Wordlist |
/opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt | Domain Wordlist |
/opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt | Parameters Wordlist |
/opt/useful/SecLists/Discovery/Web-Content/api/api-endpoints.txt | API Endpoints Wordlist |
/opt/useful/SecLists/Fuzzing/fuzz-Bo0oM.txt | General Fuzzing Wordlist |
Misc Helper Commands
Command | Description |
---|---|
sudo sh -c 'echo "SERVER_IP squid.com" >> /etc/hosts' | Add DNS entry |
for i in $(seq 1 1000); do echo $i >> ids.txt; done | Create Sequence Wordlist |
curl http://admin.squid.com:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded' | curl w/ POST |
ffuf -w <(seq 1 100) -u http://target/FUZZ | Using bash process substitution |
Example Workflow
- Directory Discovery
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://target/FUZZ -c
- Find files with specific extensions in discovered directories
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://target/admin/FUZZ -e .php,.txt,.html,.bak -c
- Discover API endpoints
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/api/api-endpoints.txt:FUZZ -u http://target/api/FUZZ -c
- Find parameters for discovered endpoints
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://target/api/users?FUZZ=1' -fs 123
- Fuzz parameter values after finding valid parameters
ffuf -w ids.txt:FUZZ -u 'http://target/api/users?id=FUZZ' -mc 200
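
Choosing the value behind the -fs xxx placeholder used in the tables and workflow above: an added example (not part of the original cheat sheet or of ffuf itself) that reads an unfiltered run saved with -o results.json and reports which of -fs, -fw or -fl removes the default response. The field names (results, input, length, words, lines) are assumed to follow ffuf's JSON output; the sample data, helper names and the 80% threshold are constructed for illustration.

```python
import json
from collections import Counter

# Filter flag -> result field it compares, in the order the filters are tried.
METRICS = (("-fs", "length"), ("-fw", "words"), ("-fl", "lines"))

def load(text):
    """Return the result entries from ffuf JSON output text (assumed layout)."""
    return json.loads(text)["results"]

def pick_filter(results, share=0.8):
    """Return (flag, value) for the first metric where one value covers at
    least `share` of the responses, or None when no baseline dominates."""
    if not results:
        return None
    for flag, key in METRICS:
        value, count = Counter(r[key] for r in results).most_common(1)[0]
        if count / len(results) >= share:
            return flag, value
    return None

def survivors(results, choice):
    """Return the fuzzed words whose responses the chosen filter keeps."""
    flag, value = choice
    key = dict(METRICS)[flag]
    return [r["input"]["FUZZ"] for r in results if r[key] != value]

def row(word, length, words, lines=22):
    """Build one constructed result entry (hypothetical helper)."""
    return {"input": {"FUZZ": word}, "status": 200,
            "length": length, "words": words, "lines": lines}

# Constructed sample data, not real scan output.
WORDS = ["a", "dev", "test", "stage", "portal", "staging", "internal", "admin"]
# Case 1: the default response has a fixed size; only "admin" differs.
FIXED = json.dumps({"results": [
    row(w, 1024, 80) if w == "admin" else row(w, 812, 57) for w in WORDS]})
# Case 2: the default page echoes the word, so its size varies with the
# word length and -fs cannot match it; the word count stays constant.
ECHO = json.dumps({"results": [
    row(w, 2048, 140) if w == "admin" else row(w, 800 + len(w), 57)
    for w in WORDS]})

if __name__ == "__main__":
    for name, text in (("fixed", FIXED), ("echo", ECHO)):
        results = load(text)
        choice = pick_filter(results)
        print(name, choice, survivors(results, choice))
```

Run the first pass without a size filter, save it with -o, then rerun with the reported flag and value in place of xxx.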