Ffuf cheatsheet

Comprehensive cheatsheet for effective use of ffuf

Ffuf (Fuzz Faster U Fool)

A fast web fuzzer written in Go that allows various types of fuzzing operations.

Command Description
ffuf -h Display ffuf help
ffuf -V Display ffuf version

Basic Usage

Command Description
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ Directory Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/indexFUZZ Extension Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.php Page Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v Recursive Fuzzing
ffuf -w wordlist.txt:FUZZ -u https://FUZZ.squid.com/ Sub-domain Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://squid.com:PORT/ -H 'Host: FUZZ.squid.com' -fs xxx VHost Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://admin.squid.com:PORT/admin/admin.php?FUZZ=key -fs xxx Parameter Fuzzing - GET
ffuf -w wordlist.txt:FUZZ -u http://admin.squid.com:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx Parameter Fuzzing - POST
ffuf -w ids.txt:FUZZ -u http://admin.squid.com:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx Value Fuzzing

Multiple Wordlists & FUZZ Keywords

Command Description
ffuf -w users.txt:USER -w pass.txt:PASS -u http://target/login -X POST -d "username=USER&password=PASS" Multiple wordlists for different positions
ffuf -w wordlist.txt:FUZZ1 -w wordlist2.txt:FUZZ2 -u http://target/FUZZ1/FUZZ2 Multiple positions with different wordlists
ffuf -w hosts.txt:HOST -w wordlist.txt:FUZZ -u http://HOST/FUZZ Subdomain + directory fuzzing together

HTTP Methods & Headers

Command Description
ffuf -w wordlist.txt:FUZZ -u http://target/ -X POST Use POST method
ffuf -w wordlist.txt:FUZZ -u http://target/ -X PUT Use PUT method
ffuf -w wordlist.txt:FUZZ -u http://target/ -H "X-Forwarded-For: 127.0.0.1" -H "User-Agent: Mozilla/5.0" Custom headers
ffuf -w wordlist.txt:FUZZ -u http://target/ -H "Cookie: sessid=FUZZ" Fuzzing cookies
ffuf -w wordlist.txt:FUZZ -u http://target/ -H "Authorization: Bearer FUZZ" Fuzzing authorization tokens

Filtering Results

Command Description
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -fc 404 Filter HTTP status code 404
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -mc 200,301 Match HTTP status codes 200 and 301
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -fs 12345 Filter by response size 12345 bytes
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -ms 0-100 Match response sizes in the range 0-100 bytes (a comma-separated list of single sizes and lo-hi ranges is accepted)
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -fw 57 Filter by word count in response
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -fl 22 Filter by line count in response
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -fr "Not Found" Filter by regex pattern in response
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -mr "admin" Match by regex pattern in response

Rate Limiting & Threads

Command Description
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -p 0.1 Add 0.1 second delay between requests
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -rate 10 Rate limiting - 10 requests per second
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -t 5 Limit to 5 concurrent threads
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -timeout 10 Request timeout of 10 seconds

Advanced Options

Command Description
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -e .php,.html,.txt Multiple extensions fuzzing
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -maxtime 60 Stop after 60 seconds
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -maxtime-job 30 Stop specific job after 30 seconds
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -ac Auto-calibrate filtering (reduce false positives)
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -ignore-body Don't fetch response body (faster, but body-based filters and matchers then have nothing to inspect)
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -replay-proxy http://127.0.0.1:8080 Replay only the matched requests through a proxy

Proxies & Authentication

Command Description
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -x http://127.0.0.1:8080 Use proxy for all requests
ffuf -w wordlist.txt:FUZZ -u https://target/FUZZ -x https://username:password@proxy:port Proxy with authentication
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -b "session=1234567890" Set cookie values

Output Options

Command Description
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -v Verbose output
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -o results.json Output to JSON file
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -of html -o results.html Output to HTML file
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -of csv -o results.csv Output to CSV file
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -of ejson -o results.ejson Output to elaborated JSON
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -of md -o results.md Output to Markdown file
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -s Silent mode (only show results)
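Added example, not from the original cheatsheet or the ffuf project: a small Python post-filter that applies the -mc/-fc/-ms/-fs/-fw/-fl semantics from the Filtering Results table to a saved results.json from the Output Options table, so a finished scan can be re-filtered without sending more requests. It assumes ffuf's JSON result field names (status, length, words, lines, url, input) and its default status-code matcher; the embedded scan data is constructed.

```python
"""Re-filter saved ffuf JSON output (-o results.json) offline.

Assumed field names follow ffuf's JSON "results" entries; SAMPLE_JSON is
constructed test data, not a real scan."""
import json

DEFAULT_MC = "200-299,301,302,307,401,403,405,500"  # ffuf's default -mc (assumed)

SAMPLE_JSON = json.dumps({"results": [
    {"input": {"FUZZ": "admin"}, "status": 301, "length": 0, "words": 1, "lines": 1, "url": "http://target/admin"},
    {"input": {"FUZZ": "login"}, "status": 200, "length": 1843, "words": 212, "lines": 57, "url": "http://target/login"},
    {"input": {"FUZZ": "backup"}, "status": 403, "length": 277, "words": 20, "lines": 10, "url": "http://target/backup"},
    {"input": {"FUZZ": "zzz"}, "status": 200, "length": 12345, "words": 57, "lines": 22, "url": "http://target/zzz"},
]})

# flag suffix -> JSON field: c=status code, s=size, w=words, l=lines
FIELDS = {"c": "status", "s": "length", "w": "words", "l": "lines"}


def spec_to_pred(spec):
    """Turn '200,301,400-499' into a predicate: single values and lo-hi ranges."""
    ranges = []
    for token in spec.split(","):
        lo, _, hi = token.strip().partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return lambda value: any(lo <= value <= hi for lo, hi in ranges)


def filter_results(raw_json, **opts):
    """opts are flag names without dashes, e.g. mc="200,301", fs="12345", fw="57".

    A result is kept when some matcher fires (DEFAULT_MC if none given)
    and no filter fires, mirroring ffuf's default or-mode behaviour."""
    matchers = [(FIELDS[k[1]], spec_to_pred(v)) for k, v in opts.items() if k[0] == "m"]
    filters = [(FIELDS[k[1]], spec_to_pred(v)) for k, v in opts.items() if k[0] == "f"]
    if not matchers:
        matchers = [("status", spec_to_pred(DEFAULT_MC))]
    return [r for r in json.loads(raw_json)["results"]
            if any(p(r[f]) for f, p in matchers) and not any(p(r[f]) for f, p in filters)]


def inputs(results):
    """Just the FUZZ words of the kept results, handy for the next wordlist."""
    return [r["input"]["FUZZ"] for r in results]


if __name__ == "__main__":
    # Same effect as re-running with: -fs 12345 -fw 57
    for r in filter_results(SAMPLE_JSON, fs="12345", fw="57"):
        print(r["status"], r["length"], r["url"])
```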

JSON Web Token (JWT) Fuzzing

Command Description
ffuf -w wordlist.txt:FUZZ -u http://target/FUZZ -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" Fuzzing with static JWT token
ffuf -w jwt-payloads.txt:FUZZ -u http://target/ -H "Authorization: Bearer FUZZ" Fuzzing with different JWT tokens

Wordlists

Wordlist Description
/opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt Directory/Page Wordlist
/opt/useful/SecLists/Discovery/Web-Content/web-extensions.txt Extensions Wordlist
/opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt Domain Wordlist
/opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt Parameters Wordlist
/opt/useful/SecLists/Discovery/Web-Content/api/api-endpoints.txt API Endpoints Wordlist
/opt/useful/SecLists/Fuzzing/fuzz-Bo0oM.txt General Fuzzing Wordlist

Misc Helper Commands

Command Description
sudo sh -c 'echo "SERVER_IP squid.com" >> /etc/hosts' Add /etc/hosts entry (local name resolution)
for i in $(seq 1 1000); do echo $i >> ids.txt; done Create Sequence Wordlist
curl http://admin.squid.com:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded' curl w/ POST
ffuf -w <(seq 1 100) -u http://target/FUZZ Using bash process substitution

Example Workflow

  1. Directory Discovery
    ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://target/FUZZ -c
    
  2. Find files with specific extensions in discovered directories
    ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://target/admin/FUZZ -e .php,.txt,.html,.bak -c
    
  3. Discover API endpoints
    ffuf -w /opt/useful/SecLists/Discovery/Web-Content/api/api-endpoints.txt:FUZZ -u http://target/api/FUZZ -c
    
  4. Find parameters for discovered endpoints
    ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://target/api/users?FUZZ=1 -fs 123
    
  5. Fuzz parameter values after finding valid parameters
    ffuf -w ids.txt:FUZZ -u http://target/api/users?id=FUZZ -mc 200
    
******
Written by Shain Lakin on 06 July 2022