Skip to content

Guide to Using ffuf

Published: at 11:00 AM


Ffuf (Fuzz Faster U Fool) is a versatile and powerful tool for fuzzing web applications, helping you discover hidden files, directories, subdomains, and more. This guide provides detailed examples for using ffuf in various scenarios.


You can find a shorter cheat sheet version of this article here.

Table of contents

Open Table of contents

Fuzzing Files and Paths

Fuzzing files and paths is a fundamental technique in web security testing, enabling the discovery of hidden files, directories, and endpoints that are not publicly listed. By using a wordlist, you can automate the process of probing a web server for these hidden resources, uncovering potentially interesting files.

Basic File/Path Fuzzing

To fuzz files and paths, using a wordlist:

ffuf -w wordlist.txt -u

This command will try each entry in wordlist.txt as a replacement for FUZZ in the URL, testing for potential files and directories. For example, if your wordlist contains admin, login, and test, ffuf will test URLs like,, and

Fuzzing Extensions

To find files with different extensions:

ffuf -w wordlist.txt -u

This command appends each wordlist entry to index, allowing you to discover files with various extensions. For instance, if the wordlist includes .php, .html, and .js, ffuf will test,, and

Fuzzing File Name with Different Extension

To find specific file names with given extension:

ffuf -w wordlist.txt -u

This will replace FUZZ with each word in the wordlist and append .php, helping you locate specific PHP files like or You can create a wordlist of files without the extension and use it across targets using different technologies - .php, .asp, .js etc.

Recursive Fuzzing

To perform recursive fuzzing with a specified depth:

ffuf -recursion -recursion-depth 3 -w wordlist.txt -u

This command recursively searches up to 3 levels deep, increasing the chances of discovering deeply nested files and directories. For example, it might find, then, and further into By default recursive fuzzing is disabled.

Setting Cookies

To include cookies in your fuzzing requests:

ffuf -b "NAME1=VALUE1; NAME2=VALUE2" -w wordlist.txt -u

This is useful for authenticated fuzzing where cookies are required for access. For example, if you need to authenticate with SESSIONID=12345 and USER=admin, you can include these cookies in your fuzzing attempts.

Subdomains and VHosts

Subdomain and virtual host (VHost) fuzzing is an essential practice for uncovering additional entry points into a target domain. By identifying subdomains and VHosts, you can discover additional services, applications, and potential vulnerabilities that may not be immediately visible.

Subdomain Fuzzing

To discover subdomains:

ffuf -w wordlist.txt -u

This replaces FUZZ with each wordlist entry, helping identify subdomains under If your wordlist contains api, mail, and dev, ffuf will test,, and

Virtual Hosts (VHosts) Fuzzing

To fuzz virtual hosts:

ffuf -w wordlist.txt -u -H 'Host:'

This command changes the Host header, testing for virtual host-based sites. For example, testing api, staging, and beta as virtual hosts could reveal,, and

HTTP Parameters

Fuzzing HTTP parameters is a crucial aspect of web application security testing. By probing different parameter names and values, you can discover new parameters and uncover hidden functionalities - entry points with potential vulnerabilities.

Fuzzing Parameter Names - GET

To fuzz GET parameter names:

ffuf -w wordlist.txt -u

This helps find parameter names that might accept a specific key. If your wordlist includes id, user, and token, ffuf will test,, and

Fuzzing Parameter Names - POST

To fuzz POST parameter names:

ffuf -w wordlist.txt -u -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded'

This sends POST requests to discover parameter names. For instance, it will test parameters like username, password, and email in the POST data.

Fuzzing Parameter Values - POST

To fuzz values of a specific POST parameter:

ffuf -w ids.txt -u -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded'

This helps identify valid parameter values. For example, if ids.txt contains 123, 456, and 789, ffuf will test values like id=123, id=456, and id=789.

Rate Limits

Managing the rate of requests is essential when fuzzing web applications to avoid overloading the server or triggering WAF. Rate limiting helps control the number of requests sent per second or the number of threads used during fuzzing. In this section, we’ll look at how to use ffuf to set rate limits and configure the number of threads, ensuring your testing is efficient and respectful of the target server’s resources. By fine-tuning these parameters, you can perform thorough and responsible fuzzing without causing unnecessary disruption.

Limiting Request Rate

To set a rate limit of 50 requests per second:

ffuf -rate 50 -w wordlist.txt -u

This ensures that your fuzzing doesn’t overwhelm the target server, helping maintain stability and avoiding potential bans.

Setting Number of Threads

To specify the number of threads:

ffuf -t 5 -w wordlist.txt -u

This controls the concurrency of your fuzzing requests, balancing speed and server load.


Filters are an essential feature in ffuf that allow you to narrow down your fuzzing results to those most relevant to your testing objectives. By applying filters, you can exclude unwanted responses based on various criteria such as HTTP status codes, response size, number of lines, and word count. This helps in identifying significant findings more quickly and efficiently.

Filtering by HTTP Codes

To exclude 301 and 302 HTTP codes:

ffuf -fc 301,302 -w wordlist.txt -u

This filters out results with these status codes, focusing on other responses that might be more interesting, such as 200 OK or 500 Internal Server Error.

Filtering by Response Size

To filter responses of a specific size (e.g., 2003 bytes):

ffuf -fs 2003 -w wordlist.txt -u

This helps in identifying content of specific sizes, which might indicate certain types of files or responses.

Filtering by Lines and Word Count

To filter by the number of lines:

ffuf -fl 5 -w wordlist.txt -u

To filter by word count:

ffuf -fw 10 -w wordlist.txt -u

These filters refine your results based on response structure, allowing you to focus on responses that match specific patterns.

Automatic Calibration

To automatically calibrate filtering options:

ffuf -ac -w wordlist.txt -u

This helps ffuf determine appropriate filters based on initial responses, improving the accuracy of your fuzzing results.

Other Useful Options

Apart from basic fuzzing capabilities, ffuf offers a range of advanced features to enhance your testing workflow. These options allow you to customize requests, handle proxies, set headers, and impose time constraints, optimizing your fuzzing process for diverse testing scenarios.

Ignoring Wordlist Comments

To ignore comments in the wordlist:

ffuf -ic -w wordlist.txt -u

This treats all lines as potential fuzzing targets, even those starting with #.

Using Proxies

When direct access to the target is not feasible, or when inspection of ffuf requests is necessary, it can be utilized through a proxy server.

For HTTP proxy:

ffuf -x -w wordlist.txt -u

For SOCKS proxy:

ffuf -x socks5:// -w wordlist.txt -u

For replay proxy:

ffuf -replay-proxy -w wordlist.txt -u

With this option ffuf will repeat each matched request using given proxy. This is useful to inspect ffuf findings in other tools such as Burp Suite.

Setting HTTP Headers

Ffuf provides capability to manipulate headers, enabling users to tailor requests to specific requirements. This is useful to mimic different user agents, content types, or to tag your traffic with custom headers (which is often required by bug bounty programs). Below are some examples of configuring HTTP headers in ffuf.

To change the user agent:

ffuf -w wordlist.txt -u -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0"

To set Content-Type header for POST requests:

ffuf -w wordlist.txt -u -H "Content-Type: application/json" -X POST

To set custom header:

ffuf -w wordlist.txt -u -H "X-Bug-Bounty: <bb-username>"

Time Limits

Ffuf allows to set time limits both globally and per job, allowing users to control the duration of their fuzzing sessions precisely.

To set a maximum time limit for the fuzzing process:

ffuf -w wordlist.txt -u -maxtime 60

To set a time limit per job:

ffuf -w wordlist.txt -u -maxtime-job 60

These limits prevent long-running fuzzing jobs from taking too much time, helping you manage your testing schedule effectively.


Ffuf is an essential tool for web security testing, offering a wide range of options to customize and optimize your fuzzing tasks. By leveraging these commands and options, you can effectively discover hidden vulnerabilities and improve the security posture of web applications.