Page cover
Edit

ffuf

Fuzz Faster U Fool

Install from source
go get github.com/ffuf/ffuf
Operators

  • -u -> Target URL.

  • -w -> Path to wordlist.

  • -r -> Follow Redirects.

  • -t -> Number of threads to run ( Normal : 50; Fast: 200).

  • -v -> Verbose Output.

  • -c -> Colorful output.

  • -e <extension> -> Scan for extensions.

  • -sf -> Stop in first found result.

  • -p -> Set a pause between request.

  • -rate <10> -> Set rate-requests per second.

  • -retries -> Number of retries for each request.

  • -timeout -> Timeout before giving up on a request.

  • -of <format> -> Output format (json, csv, html)

  • -x -> Use a proxy for requests.

  • -replay-proxy -> Routes only fuzzed requests through the proxy.

  • -H <"Header: Value"> -> Set a custom header.

  • -auth <username:password> -> Basic HTTP authentication.

  • -recursion -recursion-depth 1 -> Recursive fuzzing.

  • -request request.txt -> Specifies a custom HTTP request file that serves as a template (Add fuzzing points inside).

Matches/Filters

  • -mc -> Match specific status code.

  • -ms -> Match specific response size.

  • -mr <"regex"> -> Match by regex.

  • -ml -> Match amount of lines in the response.

  • -mw -> Match by words count in response.

  • -fw -> Filter by content length.

  • -fc -> Filter out specific status codes.

  • -ac -> Set Auto-calibration filter.

  • -acc -> Filter Custom-calibration.

  • -ic -> Ignores comments and copyright.

Directory Fuzzing
Basic Scan
ffuf -c -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ
Recursive Scan
ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi/FUZZ -recursion -recursion-depth 2
Scan for PHP pages
ffuf -c -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ.php
Scan for HTML pages
ffuf -c -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ.html
Fuzz Multiple locations
ffuf -u https://W2/W1 -w ./wordlist.txt:W1,./domains.txt:W2

Extension fuzzing
Standard use
ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi/FUZZ -e .bak, .zip
Extension + Recursion
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v -c
Subdomain fuzzing
Subdomains
ffuf -w ~/Documents/CTF/Wordlists/bitquark-subdomains-top100000.txt -u https://FUZZ.ffuf.fi/
VHOST Fuzzing
ffuf -c -w ~/Documents/CTF/Wordlists/bitquark-subdomains-top100000.txt -u https://ffuf.io.fi -H "Host: FUZZ.ffuf.io.fi"

Wordlists

bitquark-subdomains-top100000.txt
subdomains-top1million-20000.txt
HTTP Fuzzing
Cookie-based Authentication
ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi -b "sessionId=cookie_val"
Fuzz from request template
ffuf -request ~/Desktop/request.txt -w ./wordlist.txt -u http://site.com
Request Template + Proxy
ffuf -request ~/Desktop/request.txt -w ./wordlist.txt -x http://127.0.0.1:8080
Request Template + Replay-proxy
ffuf -request ~/Desktop/request.txt -w ./wordlist.txt -replay-proxy http://127.0.0.1:8080

Parameter Fuzzing

GET Parameter Fuzzing
ffuf -c -w /path/to/wordlist -u https://ffuf.io.fi?FUZZ=test_value
POST Data Fuzzing
ffuf -c -w /path/to/wordlist -X POST -d "username=admin&password=FUZZ" -u https://ffuf.io.fi/login.php
JSON POST data fuzzing
ffuf -c -w /path/to/wordlist -X POST -d "username=admin&password=FUZZ" -u https://ffuf.io.fi/login.php

Path Traversal fuzzing

Fuzz LFI
ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs 2287
Fuzz webroot path
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ/index.php' -fs 2287
PreviousWeb FuzzingNextferoxbuster

Last updated