Editing Ffuf

= FFUF =

'''FFUF''' (Fuzz Faster U Fool) is a fast and flexible web fuzzer used for discovering hidden files, directories, subdomains, GET and POST parameters, and more.  
It is widely used in web application testing, especially during active reconnaissance and content discovery phases.

== <span id="options"></span>Common Options ==

=== Target & Wordlist ===
{| class="wikitable"
! Option !! Description
|-
| [[#ex-u| -u [URL] ]] || Target URL with the keyword FUZZ where payloads will be injected
|-
| [[#ex-w| -w [FILE] ]] || Wordlist file to use for fuzzing
|-
| [[#ex-input-cmd| --input-cmd ]] || Use the output of a command as input (e.g. seq 1 100)
|-
| [[#ex-input-num| --input-num ]] || Fuzz with a range of numbers (e.g. 1-100)
|}

=== Filtering & Matching ===
{| class="wikitable"
! Option !! Description
|-
| [[#ex-fc| -fc [CODE] ]] || Filter out responses with the given HTTP status code
|-
| [[#ex-mc| -mc [CODE] ]] || Only show responses with specific HTTP status codes
|-
| [[#ex-fw| -fw [WORDS] ]] || Filter responses by word count
|-
| [[#ex-ml| -ml [LINES] ]] || Match only responses with specific number of lines
|-
| [[#ex-fs| -fs [BYTES] ]] || Filter by response size
|-
| [[#ex-filter-regex| --filter-regex ]] || Filter responses based on regular expression in the body
|}

=== Output & Format ===
{| class="wikitable"
! Option !! Description
|-
| [[#ex-o| -o [FILE] ]] || Save output to file
|-
| [[#ex-of| -of [FORMAT] ]] || Specify output format (json, html, csv, etc.)
|-
| [[#ex-or| -or ]] || Show redirect location in results
|}

=== Headers & Methods ===
{| class="wikitable"
! Option !! Description
|-
| [[#ex-H| -H "Header: Value" ]] || Add custom HTTP headers to the request
|-
| [[#ex-X| -X [METHOD] ]] || HTTP method to use (e.g. GET, POST)
|-
| [[#ex-d| -d "DATA" ]] || Data to include in request body (use FUZZ inside the string)
|}

=== Performance ===
{| class="wikitable"
! Option !! Description
|-
| [[#ex-t| -t [NUM] ]] || Number of concurrent threads
|-
| [[#ex-p| -p [SECONDS] ]] || Delay between each request
|-
| [[#ex-timeout| --timeout ]] || Set timeout for individual requests
|}

== Examples ==

=== <span id="ex-u"></span>Target URL ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt
# Output:
# /admin           [Status: 301, Size: 0, Words: 1, Lines: 1]
# /login           [Status: 200, Size: 1024, Words: 132, Lines: 15]
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-w"></span>Wordlist Option ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w wordlist.txt
# Output:
# /secret          [Status: 403, Size: 512, Words: 22, Lines: 4]
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-input-cmd"></span>Input from Command ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ --input-cmd "seq 1 100"
# Output:
# /12              [Status: 200, Size: 900, Words: 100, Lines: 10]
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-input-num"></span>Fuzz Numeric Range ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/user?id=FUZZ --input-num 1-100
# Output:
# user?id=42       [Status: 200, Size: 1500, Words: 150, Lines: 20]
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-fc"></span>Filter by Status Code ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404
# Output:
# All 404 responses are hidden
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-mc"></span>Match Specific Status Code ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200
# Output:
# /dashboard       [Status: 200, Size: 2048, Words: 250, Lines: 25]
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-fw"></span>Filter by Word Count ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w wordlist.txt -fw 0
# Output:
# Only responses with more than 0 words are shown
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-ml"></span>Match by Line Count ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w wordlist.txt -ml 10
# Output:
# /help            [Status: 200, Size: 850, Words: 90, Lines: 10]
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-fs"></span>Filter by Size ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 1234
# Output:
# /about           [Status: 200, Size: 1234, Words: 140, Lines: 12]
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-filter-regex"></span>Filter by Regex ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w wordlist.txt --filter-regex "Not Found"
# Output:
# Only responses that do not contain "Not Found" in the body are shown
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-o"></span>Output to File ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.txt
# Output:
# Results saved to results.txt
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-of"></span>Specify Output Format ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.json -of json
# Output:
# Results saved in JSON format to results.json
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-or"></span>Show Redirect Location ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w wordlist.txt -or
# Output:
# /old-page        [Status: 301, Redirect: /new-page]
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-H"></span>Custom Header Fuzzing ===
<syntaxhighlight lang="bash">
ffuf -u http://127.0.0.1/ -H "Host: FUZZ.target.com" -w subdomains.txt
# Output:
# Host: admin.target.com   [Status: 200, Size: 5120, Words: 500, Lines: 30]
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-X"></span>Use POST Method ===
<syntaxhighlight lang="bash">
ffuf -X POST -d "username=admin&password=FUZZ" -u https://target.com/login -w rockyou.txt
# Output:
# Password guess "letmein" returns Status: 302 (Login success redirect)
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-d"></span>POST Data with FUZZ ===
<syntaxhighlight lang="bash">
ffuf -X POST -d "q=FUZZ" -u https://target.com/search -w payloads.txt
# Output:
# Payload "admin" produces search results page (Status: 200)
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-t"></span>Threads for Speed ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w wordlist.txt -t 100
# Output:
# Much faster scan due to increased concurrency
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-p"></span>Delay Between Requests ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w wordlist.txt -p 0.5
# Output:
# Slower scan with 0.5s delay between requests (useful to avoid rate limits)
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-timeout"></span>Set Request Timeout ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w wordlist.txt --timeout 5
# Output:
# Requests that take more than 5 seconds will be skipped
</syntaxhighlight>
''[[#options|↑ Options]]''


== See Also ==
* [[dirb]]
* [[gobuster]]
* [[wfuzz]]
* [[burpsuite]]
* [[httpx]]