ffuf - Fuzz Faster U Fool cheatsheet

Basic usage

Fuzz file/paths

ffuf -w wordlist.txt -u https://host.name:PORT/FUZZ

Fuzz file extensions

ffuf -w wordlist.txt -u https://host.name/indexFUZZ

File names

ffuf -w wordlist.txt -u https://host.name/blog/FUZZ.php

Use command output as a wordlist, for example fuzzing user IDs with the seq command (the <(...) process substitution requires bash or zsh)

ffuf -c -w <(seq 1 1000) -u https://host.name/api/users/FUZZ

Recursive fuzzing

ffuf -recursion -recursion-depth 3 -w wordlist.txt -u https://host.name/FUZZ

Set cookies

ffuf -b "NAME1=VALUE1; NAME2=VALUE2" -w wordlist.txt -u https://host.name/FUZZ

Multiple Wordlists

Clusterbomb

The clusterbomb mode attempts every combination of values from multiple wordlists.

Try different usernames and passwords

ffuf -w users.txt:USER -w passwords.txt:PASS -u 'https://example.com/login?username=USER&password=PASS' --mode clusterbomb

Fuzz multiple parts of the JSON request

ffuf -w usernames.txt:U -w passwords.txt:P -X POST -d '{"username":"U","password":"P"}' -H 'Content-Type: application/json' -u https://example.com/api/login

Fuzz both directory and file names

ffuf -w dirs.txt:DIR -w files.txt:FILE -u https://example.com/DIR/FILE

Pitchfork

In pitchfork mode, ffuf takes the first username from users.txt and the first password from passwords.txt and sends them together, then the second entry of each list, and so on.

ffuf -w users.txt:USER -w passwords.txt:PASS -u 'https://example.com/login?username=USER&password=PASS' --mode pitchfork

Subdomains and vhosts

Subdomains

ffuf -w wordlist.txt -u https://FUZZ.host.name/

VHosts

ffuf -w wordlist.txt -u http://host.name/ -H 'Host: FUZZ.host.name'

HTTP Parameters

Parameter names - GET

ffuf -w wordlist.txt -u 'http://host.name/index.php?FUZZ=key'

Parameter names - POST

ffuf -w wordlist.txt -u https://host.name/index.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' 

Parameter value - POST

ffuf -w ids.txt -u https://host.name/index.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded'

Fuzzing JSON POST Data

ffuf -X POST -H "Content-Type: application/json" -d '{"username": "admin", "password": "FUZZ"}' -w /path/to/wordlist.txt -u http://example.com/api/login

Headers

Change user agent

ffuf -w wordlist.txt -u https://host.name/FUZZ -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0"

Set Content-type header

ffuf -w wordlist.txt -u https://host.name/FUZZ -H "Content-Type: application/json" -X POST

Setting Authorization header

ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ -H "Authorization: Bearer mytoken"

Bearer token value

ffuf -w tokens.txt -H "Authorization: Bearer FUZZ" -u https://example.com/api/resource

Header value

ffuf -w /path/to/wordlist.txt -u http://example.com -H "X-Forwarded-For: FUZZ"

Rate limits

Rate limit to 50 requests per second

ffuf -rate 50 -w wordlist.txt -u https://host.name/FUZZ

Set number of threads

ffuf -t 5 -w wordlist.txt -u https://host.name/FUZZ

Delay of 1 second between requests (-p), using 2 threads

ffuf -w wordlist.txt -u https://example.com/FUZZ -t 2 -p 1

Filters

Filter 301 and 302 HTTP codes

ffuf -fc 301,302 -w wordlist.txt -u https://host.name/FUZZ

Filter by response size of 2003 bytes

ffuf -fs 2003 -w wordlist.txt -u https://host.name/FUZZ

Filter by response size in range between 2000 and 3000 bytes

ffuf -fs 2000-3000 -w wordlist.txt -u https://host.name/FUZZ

Filter by number of lines in the response

ffuf -fl 5 -w wordlist.txt -u https://host.name/FUZZ

Filter by word count

ffuf -fw 10 -w wordlist.txt -u https://host.name/FUZZ

Automatically calibrate filtering options

ffuf -ac -w wordlist.txt -u https://host.name/FUZZ

Matchers

Matching Status Code

ffuf -u https://example.com/FUZZ -w wordlist.txt -mc 200

Matching Response Size

ffuf -u https://example.com/FUZZ -w wordlist.txt -ms 1000

You can also match a range of response sizes:

ffuf -u https://example.com/FUZZ -w wordlist.txt -ms 900-1100

Matching on Word Count

ffuf -u https://example.com/FUZZ -w wordlist.txt -mw 50

Matching by Response Lines

ffuf -u https://example.com/FUZZ -w wordlist.txt -ml 10

Regex Matching

ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ -mr "success|welcome"

Output Options

Save results in JSON

ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ -o results.json -of json

Save results in CSV

ffuf -w wordlist.txt -u https://example.com/FUZZ -o results.csv -of csv

Save output in all supported formats:

ffuf -w wordlist.txt -u https://example.com/FUZZ -o results -of all

Proxy

HTTP proxy

ffuf -x http://127.0.0.1:8080 -w wordlist.txt -u https://host.name/FUZZ

Socks proxy

ffuf -x socks5://127.0.0.1:1080 -w wordlist.txt -u https://host.name/FUZZ

Replay proxy (only matched requests are replayed through it)

ffuf -replay-proxy http://127.0.0.1:8080 -w wordlist.txt -u https://host.name/FUZZ

Time limits

Set maximum time limit for the whole run (in seconds)

ffuf -w wordlist.txt -u https://host.name/FUZZ -maxtime 60

Time limit per job (in seconds)

ffuf -w wordlist.txt -u https://host.name/FUZZ -maxtime-job 60

Other useful options

Ignore wordlist comments

ffuf -ic -w wordlist.txt -u https://host.name/FUZZ