ffuf - Fuzz Faster U Fool cheatsheet

Basic usage

Fuzz file/paths

ffuf -w wordlist.txt -u https://host.name:PORT/FUZZ

Fuzz file extensions

ffuf -w wordlist.txt -u https://host.name/indexFUZZ

File names

ffuf -w wordlist.txt -u https://host.name/blog/FUZZ.php

Use command output as a wordlist, for example fuzzing user IDs with the seq command

ffuf -c -w <(seq 1 1000) -u https://host.name/api/users/FUZZ

Recursive fuzzing

ffuf -recursion -recursion-depth 3 -w wordlist.txt -u https://host.name/FUZZ

Set cookies

ffuf -b "NAME1=VALUE1; NAME2=VALUE2" -w wordlist.txt -u https://host.name/FUZZ

Subdomains and vhosts

Subdomains

ffuf -w wordlist.txt -u https://FUZZ.host.name/

VHosts

ffuf -w wordlist.txt -u http://host.name/ -H 'Host: FUZZ.host.name'

HTTP Parameters

Parameter names - GET

ffuf -w wordlist.txt -u 'http://host.name/index.php?FUZZ=key'

Parameter names - POST

ffuf -w wordlist.txt -u https://host.name/index.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded'

Parameter value - POST

ffuf -w ids.txt -u https://host.name/index.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded'

Rate limits

Rate limit to 50 requests per second

ffuf -rate 50 -w wordlist.txt -u https://host.name/FUZZ

Set number of threads

ffuf -t 5 -w wordlist.txt -u https://host.name/FUZZ

Filters

Filter 301 and 302 HTTP codes

ffuf -fc 301,302 -w wordlist.txt -u https://host.name/FUZZ

Filter by response size of 203 bytes

ffuf -fs 2003 -w wordlist.txt -u https://host.name/FUZZ

Filter by lines

ffuf -fl 5 -w wordlist.txt -u https://host.name/FUZZ

Filter by word count

ffuf -fw 10 -w wordlist.txt -u https://host.name/FUZZ

Automatically calibrate filtering options

ffuf -ac -w wordlist.txt -u https://host.name/FUZZ

Other useful options

Ignore wordlist comments

ffuf -ic -w wordlist.txt -u https://host.name/FUZZ

Proxy

HTTP proxy

ffuf -x http://127.0.0.1:8080 -w wordlist.txt -u https://host.name/FUZZ

Socks proxy

ffuf -x socks5://127.0.0.1:1080 -w wordlist.txt -u https://host.name/FUZZ

Replay proxy

ffuf -replay-proxy http://127.0.0.1:8080 -w wordlist.txt -u https://host.name/FUZZ

Setting HTTP headers

Change user agent

ffuf -w wordlist.txt -u https://host.name/FUZZ -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0"

Set Content-type header

ffuf -w wordlist.txt -u https://host.name/FUZZ -H "Content-Type: application/json" -X POST

Time limits

Set maximum time limit

ffuf -w wordlist.txt -u https://host.name/FUZZ -maxtime 60

Time limit per job

ffuf -w wordlist.txt -u https://host.name/FUZZ -maxtime-job 60