ffuf - Fast Web Fuzzer
Overview
ffuf is a fast web fuzzer written in Go designed for discovering hidden resources, testing parameters, and performing comprehensive web application reconnaissance. It uses the FUZZ keyword as a placeholder for wordlist entries and supports advanced filtering, multiple fuzzing modes, and recursive scanning for thorough security assessments.
Installation
# Using Go
go install github.com/ffuf/ffuf/v2@latest
# Using package managers
# Debian/Ubuntu
apt install ffuf
# macOS
brew install ffuf
# Or download pre-compiled binary from GitHub releases
Quick Start
Basic directory fuzzing:
# Directory discovery
ffuf -u https://example.com/FUZZ -w /usr/share/wordlists/dirb/common.txt
# File discovery with extension
ffuf -u https://example.com/FUZZ -w wordlist.txt -e .php,.html,.txt
# Virtual host discovery
ffuf -u https://example.com -H "Host: FUZZ.example.com" -w subdomains.txt
Core Workflows
Workflow 1: Directory and File Enumeration
For discovering hidden resources on web applications:
- Start with common directory wordlist:
ffuf -u https://target.com/FUZZ \ -w /usr/share/seclists/Discovery/Web-Content/common.txt \ -mc 200,204,301,302,307,401,403 \ -o results.json - Review discovered directories (focus on 200, 403 status codes)
- Enumerate files in discovered directories:
ffuf -u https://target.com/admin/FUZZ \ -w /usr/share/seclists/Discovery/Web-Content/raft-small-files.txt \ -e .php,.bak,.txt,.zip \ -mc all -fc 404 - Use recursive mode for deep enumeration:
ffuf -u https://target.com/FUZZ \ -w wordlist.txt \ -recursion -recursion-depth 2 \ -e .php,.html \ -v - Document findings and test discovered endpoints
Workflow 2: Parameter Fuzzing (GET/POST)
Progress: [ ] 1. Identify target endpoint for parameter testing [ ] 2. Fuzz GET parameter names to discover hidden parameters [ ] 3. Fuzz parameter values for injection vulnerabilities [ ] 4. Test POST parameters with JSON/form data [ ] 5. Apply appropriate filters to reduce false positives [ ] 6. Analyze responses for anomalies and vulnerabilities [ ] 7. Validate findings manually [ ] 8. Document vulnerable parameters and payloads
Work through each step systematically. Check off completed items.
GET Parameter Name Fuzzing:
ffuf -u https://target.com/api?FUZZ=test \
-w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \
-fs 0 # Filter out empty responses
GET Parameter Value Fuzzing:
ffuf -u https://target.com/api?id=FUZZ \
-w payloads.txt \
-mc all
POST Data Fuzzing:
# Form data
ffuf -u https://target.com/login \
-X POST \
-d "username=admin&password=FUZZ" \
-w passwords.txt \
-H "Content-Type: application/x-www-form-urlencoded"
# JSON data
ffuf -u https://target.com/api/login \
-X POST \
-d '{"username":"admin","password":"FUZZ"}' \
-w passwords.txt \
-H "Content-Type: application/json"
Workflow 3: Virtual Host and Subdomain Discovery
For identifying virtual hosts and subdomains:
- Prepare subdomain wordlist (or use SecLists)
- Run vhost fuzzing:
ffuf -u https://target.com \ -H "Host: FUZZ.target.com" \ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \ -fs 0 # Filter by response size to identify valid vhosts - Filter results by comparing response sizes/words
- Verify discovered vhosts manually
- Enumerate directories on each vhost
- Document vhost configurations and exposed services
Workflow 4: Authentication Endpoint Fuzzing
For testing login forms and authentication mechanisms:
- Identify authentication endpoint
- Fuzz usernames:
ffuf -u https://target.com/login \ -X POST \ -d "username=FUZZ&password=test123" \ -w usernames.txt \ -H "Content-Type: application/x-www-form-urlencoded" \ -mr "Invalid password|Incorrect password" # Match responses indicating valid user - For identified users, fuzz passwords:
ffuf -u https://target.com/login \ -X POST \ -d "username=admin&password=FUZZ" \ -w /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt \ -H "Content-Type: application/x-www-form-urlencoded" \ -fc 401,403 # Filter failed attempts - Use clusterbomb mode for combined username/password fuzzing:
ffuf -u https://target.com/login \ -X POST \ -d "username=FUZZ1&password=FUZZ2" \ -w usernames.txt:FUZZ1 \ -w passwords.txt:FUZZ2 \ -mode clusterbomb
Workflow 5: Backup and Sensitive File Discovery
For finding exposed backup files and sensitive data:
- Create wordlist of common backup patterns
- Fuzz for backup files:
ffuf -u https://target.com/FUZZ \ -w backup-files.txt \ -e .bak,.backup,.old,.zip,.tar.gz,.sql,.7z \ -mc 200 \ -o backup-files.json - Test common sensitive file locations:
ffuf -u https://target.com/FUZZ \ -w /usr/share/seclists/Discovery/Web-Content/sensitive-files.txt \ -mc 200,403 - Download and analyze discovered files
- Report findings with severity classification
Fuzzing Modes
ffuf supports multiple fuzzing modes for different attack scenarios:
Clusterbomb Mode - Cartesian product of all wordlists (default):
ffuf -u https://target.com/FUZZ1/FUZZ2 \
-w dirs.txt:FUZZ1 \
-w files.txt:FUZZ2 \
-mode clusterbomb
Tests every combination: dir1/file1, dir1/file2, dir2/file1, dir2/file2
Pitchfork Mode - Parallel iteration of wordlists:
ffuf -u https://target.com/login \
-X POST \
-d "username=FUZZ1&password=FUZZ2" \
-w users.txt:FUZZ1 \
-w passwords.txt:FUZZ2 \
-mode pitchfork
Tests pairs: user1/pass1, user2/pass2 (stops at shortest wordlist)
Sniper Mode - One wordlist, multiple positions:
ffuf -u https://target.com/FUZZ \
-w wordlist.txt \
-mode sniper
Standard single-wordlist fuzzing.
Filtering and Matching
Effective filtering is crucial for reducing noise:
Match Filters (only show matching):
-mc 200,301- Match HTTP status codes-ms 1234- Match response size-mw 100- Match word count-ml 50- Match line count-mr "success|admin"- Match regex pattern in response
Filter Options (exclude matching):
-fc 404,403- Filter status codes-fs 0,1234- Filter response sizes-fw 0- Filter word count-fl 0- Filter line count-fr "error|not found"- Filter regex pattern
Auto-Calibration:
# Automatically filter baseline responses
ffuf -u https://target.com/FUZZ -w wordlist.txt -ac
Common Patterns
Pattern 1: API Endpoint Discovery
Discover REST API endpoints:
# Enumerate API paths
ffuf -u https://api.target.com/v1/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt \
-mc 200,201,401,403 \
-o api-endpoints.json
# Fuzz API versions
ffuf -u https://api.target.com/FUZZ/users \
-w <(seq 1 10 | sed 's/^/v/') \
-mc 200
Pattern 2: Extension Fuzzing
Test multiple file extensions:
# Brute-force extensions on known files
ffuf -u https://target.com/admin.FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt \
-mc 200
# Or use -e flag for multiple extensions
ffuf -u https://target.com/FUZZ \
-w filenames.txt \
-e .php,.asp,.aspx,.jsp,.html,.bak,.txt
Pattern 3: Rate-Limited Fuzzing
Respect rate limits and avoid detection:
# Add delay between requests
ffuf -u https://target.com/FUZZ \
-w wordlist.txt \
-p 0.5-1.0 # Random delay 0.5-1.0 seconds
# Limit concurrent requests
ffuf -u https://target.com/FUZZ \
-w wordlist.txt \
-t 5 # Only 5 concurrent threads
Pattern 4: Custom Header Fuzzing
Fuzz HTTP headers for security mi