ffuf
Directory Fuzzing
# Plain directory brute force: one request per wordlist entry at <url>/FUZZ
ffuf -w <wordlist> -u <url>/FUZZ
# Append each listed extension to every wordlist entry as well as the bare word
ffuf -w <wordlist> -u <url>/FUZZ -e .php,.html,.txt,.bak,.old,.zip,.tar.gz
# Single hard-coded extension placed in the URL itself
ffuf -w <wordlist> -u <url>/FUZZ.php
# Persist results as JSON (-of selects the format, -o the destination)
ffuf -w <wordlist> -u <url>/FUZZ -of json -o results.json
# Cap throughput at 50 requests per second (keeps load on the target predictable)
ffuf -w <wordlist> -u <url>/FUZZ -rate 50
# Concurrency: 50 worker threads
ffuf -w <wordlist> -u <url>/FUZZ -t 50
# Send all traffic through a local intercepting proxy such as Burp
ffuf -w <wordlist> -u <url>/FUZZ -x http://127.0.0.1:8080
# Skip TLS certificate verification (self-signed or mismatched certs)
ffuf -w <wordlist> -u <url>/FUZZ -k
# Follow HTTP redirects instead of reporting the 3xx itself
ffuf -w <wordlist> -u <url>/FUZZ -r
# Per-request timeout, in seconds
ffuf -w <wordlist> -u <url>/FUZZ -timeout 10
Filter Options
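# Filter out responses with HTTP status 404
ffuf -u <url>/FUZZ -w <wordlist> -fc 404
# Filter several status codes at once (comma-separated)
ffuf -u <url>/FUZZ -w <wordlist> -fc 404,403,500
# Show only responses with these status codes
ffuf -u <url>/FUZZ -w <wordlist> -mc 200,301,302
# Filter by response body size in bytes (typical for a constant-size "not found" page)
ffuf -u <url>/FUZZ -w <wordlist> -fs 1234
# Filter by number of words in the body
ffuf -u <url>/FUZZ -w <wordlist> -fw 10
# Filter by number of lines in the body
ffuf -u <url>/FUZZ -w <wordlist> -fl 42
# Filter by time to first response byte in ms.
# -ft takes a comparison (">100" or "<100"), not a bare number; quote it so the shell
# does not treat ">" as a redirection.
ffuf -u <url>/FUZZ -w <wordlist> -ft '>100'
# Match by size
ffuf -u <url>/FUZZ -w <wordlist> -ms 1234
# Match by words
ffuf -u <url>/FUZZ -w <wordlist> -mw 50
# Match by regex against the response
ffuf -u <url>/FUZZ -w <wordlist> -mr "admin|panel|dashboard"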
VHost Fuzzing
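# VHost enumeration via the Host header; the default vhost's status/size has to be filtered out
ffuf -u <url> -H "Host: FUZZ.<domain>" -w <wordlist> -fc 200 -fs 1234
# Filter the default vhost's response size (here: an empty body)
ffuf -u http://<ip> -H "Host: FUZZ.<domain>" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs 0
# HTTPS vhost (-k: the default certificate will not match the fuzzed name)
ffuf -u https://<ip> -H "Host: FUZZ.<domain>" -w <wordlist> -k -fc 404
# VHost with specific match
ffuf -u http://<ip> -H "Host: FUZZ.<domain>" -w <wordlist> -mc 200,301,302,400
# Measure the default vhost's body size with a non-existent Host, then filter that size.
# ffuf sends one request per wordlist entry, so "-w /dev/null" produces no baseline at all;
# use curl for the single baseline request (or let -ac calibrate automatically).
curl -s -o /dev/null -w '%{size_download}\n' -H "Host: test.<domain>" http://<ip>
ffuf -u http://<ip> -H "Host: FUZZ.<domain>" -w <wordlist> -fs <baseline_size>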
Subdomain Fuzzing
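# Subdomain fuzzing over HTTP: each FUZZ.<domain> is resolved by the OS resolver, then requested
ffuf -u http://FUZZ.<domain> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
# Filter empty bodies and 404s
ffuf -u http://FUZZ.<domain> -w <wordlist> -fs 0 -fc 404
# With TLS (-k skips certificate verification)
ffuf -u https://FUZZ.<domain> -w <wordlist> -k
# Explicit Host header matching the fuzzed subdomain. This is NOT a resolver setting:
# it does not change how FUZZ.<domain> is resolved, it only fixes the Host header the
# server sees (useful when a front-end routes on Host).
ffuf -u http://FUZZ.<domain> -w <wordlist> -H "Host: FUZZ.<domain>"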
GET Parameter Fuzzing
# Fuzz the value of a single GET parameter (URL quoted so "?"/"&" are not interpreted by the shell)
ffuf -w <wordlist> -u "<url>?id=FUZZ"
# Fuzz the parameter name instead of its value
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u "<url>?FUZZ=test"
# Fuzz one parameter while others stay fixed
ffuf -w <wordlist> -u "<url>?page=FUZZ&id=1"
# Hide the default (unchanged) response by its size
ffuf -w <wordlist> -u "<url>?id=FUZZ" -fs 1234
# LFI payload list against a file parameter; empty bodies filtered
ffuf -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u "<url>?file=FUZZ" -fs 0
# Generic SQLi payload list against an id parameter
ffuf -w /usr/share/seclists/Fuzzing/SQLi/Generic-SQLi.txt -u "<url>?id=FUZZ"
POST Parameter Fuzzing
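# POST body fuzzing (form-encoded)
ffuf -u <url> -X POST -d "username=FUZZ&password=test" -w <wordlist>
# POST with JSON body (Content-Type must be set explicitly)
ffuf -u <url> -X POST -H "Content-Type: application/json" -d '{"username":"FUZZ","password":"test"}' -w <wordlist>
# Fuzz POST parameter name
ffuf -u <url> -X POST -d "FUZZ=test" -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
# Password brute force against a single username (many passwords, one user).
# Note: "password spraying" is the opposite shape — one password across many users.
ffuf -u <url> -X POST -d "username=<username>&password=FUZZ" -w <wordlist> -fc 200 -mc 302
# JSON API fuzzing
ffuf -u <url>/api/FUZZ -X POST -H "Content-Type: application/json" -d '{}' -w <wordlist>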
Recursive Fuzzing
# Recurse into every directory found (FUZZ must be the last path segment)
ffuf -w <wordlist> -u <url>/FUZZ -recursion
# Recurse, but stop three levels deep
ffuf -w <wordlist> -u <url>/FUZZ -recursion -recursion-depth 3
# Recurse two levels with extension expansion
ffuf -w <wordlist> -u <url>/FUZZ -e .php,.html,.txt -recursion -recursion-depth 2
# Recurse two levels, hiding 404/403 responses
ffuf -w <wordlist> -u <url>/FUZZ -fc 404,403 -recursion -recursion-depth 2
Authentication
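# Basic authentication. ffuf has no curl-style "-u user:pass" option — a second -u simply
# replaces the target URL. Send the header directly: base64 of "username:password".
ffuf -u <url>/FUZZ -w <wordlist> -H "Authorization: Basic $(printf '%s' '<username>:<password>' | base64)"
# Bearer token
ffuf -u <url>/FUZZ -w <wordlist> -H "Authorization: Bearer <token>"
# Cookie authentication
ffuf -u <url>/FUZZ -w <wordlist> -H "Cookie: session=<session_cookie>"
# Multiple headers (repeat -H once per header)
ffuf -u <url>/FUZZ -w <wordlist> \
  -H "Authorization: Bearer <token>" \
  -H "X-Api-Key: <api_key>" \
  -H "Accept: application/json"
# API key as a query parameter. Query strings end up in server/proxy logs and shell
# history; prefer a header when the API accepts one.
ffuf -u "<url>/FUZZ?api_key=<api_key>" -w <wordlist>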
Multiple Injection Points (Multiple Wordlists)
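# Two keywords, one wordlist each. The default -mode clusterbomb tries every combination.
ffuf -u <url>/FUZZ1/FUZ2Z -w users.txt:FUZZ1 -w <wordlist>:FUZ2Z
# Username + password brute force (clusterbomb: |users| x |passwords| requests)
ffuf -u <url>/login -X POST -d "user=FUZZ&pass=FUZ2Z" \
  -w /usr/share/seclists/Usernames/top-usernames-shortlist.txt:FUZZ \
  -w /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:FUZ2Z \
  -fc 200
# Credential stuffing from a colon-delimited list. -w binds ONE keyword per file
# ("creds.txt:FUZZ:FUZ2Z" is not valid syntax), so split the list into two files and pair
# them line-by-line with -mode pitchfork (-ic ignores comment lines in the wordlists).
cut -d: -f1 creds.txt > users.txt
cut -d: -f2- creds.txt > passwords.txt
ffuf -u <url>/login -X POST -d "user=FUZZ&pass=FUZ2Z" \
  -mode pitchfork -w users.txt:FUZZ -w passwords.txt:FUZ2Z -ic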
API Fuzzing
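# REST API endpoint discovery (400/401/403 are kept: they still prove the route exists)
ffuf -u <url>/api/v1/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt -mc 200,201,204,400,401,403
# API version fuzzing
ffuf -u <url>/api/FUZZ/users -w <wordlist> -mc 200,201
# GraphQL endpoint discovery (match bodies mentioning graphql or __schema)
ffuf -u <url>/FUZZ -w <wordlist> -mr "graphql|__schema"
# API parameter-name fuzzing with a JSON body
ffuf -u <url>/api/users -X POST -H "Content-Type: application/json" \
  -d '{"FUZZ":"test"}' \
  -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \
  -mr '"id":|"user":|"success"'
# IDOR enumeration over a numeric id range (process substitution used as the wordlist)
ffuf -u <url>/api/users/FUZZ -w <(seq 1 1000) -mc 200
# HTTP method fuzzing. printf instead of "echo -e": echo's -e handling differs between shells.
ffuf -u <url>/api/users -X FUZZ -d '{}' \
  -w <(printf '%s\n' GET POST PUT PATCH DELETE OPTIONS HEAD) -mc 200,201,204
# JSON output
ffuf -u <url>/FUZZ -w <wordlist> -o output.json -of json
# CSV output
ffuf -u <url>/FUZZ -w <wordlist> -o output.csv -of csv
# HTML report
ffuf -u <url>/FUZZ -w <wordlist> -o report.html -of html
# Elastic JSON (ejson) format
ffuf -u <url>/FUZZ -w <wordlist> -o output.ejson -of ejson
# Markdown
ffuf -u <url>/FUZZ -w <wordlist> -o output.md -of md
# All formats at once: "-of all" writes one file per format, using -o as the base name.
# Repeating -o/-of does not fan out to several files.
ffuf -u <url>/FUZZ -w <wordlist> -o output -of all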
Common Wordlists
# SecLists paths
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
/usr/share/seclists/Discovery/Web-Content/raft-large-files.txt
/usr/share/seclists/Discovery/Web-Content/common.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt
/usr/share/seclists/Fuzzing/SQLi/Generic-SQLi.txt
# Dirbuster wordlists (sometimes better for specific apps)
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Practical One-Liners
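# Fast initial recon (100 threads, colorized output)
ffuf -u <url>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -fc 404 -t 100 -c
# PHP app
ffuf -u <url>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -e .php,.html,.txt -fc 404
# API discovery
ffuf -u <url>/api/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,201,204,400,401,403,405
# Backup file hunt. -e appends each string verbatim to the word, so editor backups of the
# form "file~" need "~" rather than ".~" (which would request "file.~").
ffuf -u <url>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt -e .bak,.old,.orig,.swp,~ -mc 200
# Auto-calibrate filters from responses to random paths before fuzzing
ffuf -u <url>/FUZZ -w <wordlist> -ac
# Silent mode (no banner, only results)
ffuf -u <url>/FUZZ -w <wordlist> -s -fc 404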