= FFUF =

'''FFUF''' (Fuzz Faster U Fool) is a fast and flexible web fuzzer used for discovering hidden files, directories, subdomains, GET and POST parameters, and more. It is widely used in web application testing, especially during the active reconnaissance and content discovery phases.

== <span id="options"></span>Common Options ==

=== Target & Wordlist ===

These two options are required to run ffuf. You must provide a target URL containing the keyword FUZZ (<code>-u</code>) and a wordlist file (<code>-w</code>) before fuzzing can begin.

{| class="wikitable"
! Command !! Description !! Usage
|-
| [[#ex-u|<code>-u [URL]</code>]] || Target URL containing the keyword FUZZ, where each payload is injected || <code>ffuf -u https://target.com/FUZZ</code>
|-
| [[#ex-w|<code>-w [FILE]</code>]] || Wordlist file to use for fuzzing || <code>ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt</code>
|}

=== Input Options ===

{| class="wikitable"
! Command !! Description !! Usage
|-
| [[#ex-D|<code>-D</code>]] || DirSearch wordlist compatibility mode (replaces <code>%EXT%</code> in the wordlist); use together with <code>-e</code> || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -D -e php,html</code>
|-
| [[#ex-e|<code>-e [EXT]</code>]] || Comma-separated list of extensions to append to each word || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -e php,txt</code>
|-
| [[#ex-ic|<code>-ic</code>]] || Ignore comment lines in the wordlist || <code>ffuf -u https://target.com/FUZZ -w dict.txt -ic</code>
|-
| [[#ex-input-cmd|<code>-input-cmd [CMD]</code>]] || Generate each payload by running a command; ffuf sets the counter in the <code>FFUF_NUM</code> environment variable and uses the command's stdout as the payload || <code>ffuf -input-cmd 'echo $FFUF_NUM' -input-num 100 -u 'https://target.com/?id=FUZZ'</code>
|-
| [[#ex-input-num|<code>-input-num [NUM]</code>]] || Number of times to run <code>-input-cmd</code> (how many payloads to generate) || <code>ffuf -input-cmd 'echo $FFUF_NUM' -input-num 50 -u https://target.com/FUZZ</code>
|-
| [[#ex-input-shell|<code>-input-shell [SHELL]</code>]] || Shell used to run <code>-input-cmd</code> || <code>ffuf -input-shell /bin/zsh -input-cmd 'echo $FFUF_NUM' -input-num 26 -u https://target.com/FUZZ</code>
|-
| [[#ex-mode|<code>-mode [TYPE]</code>]] || Multi-wordlist mode: <code>clusterbomb</code> (every combination) or <code>pitchfork</code> (line-by-line pairing) || <code>ffuf -w users.txt:USER -w pass.txt:PASS -mode pitchfork -u 'https://target.com/login?u=USER&p=PASS'</code>
|-
| [[#ex-request|<code>-request [FILE]</code>]] || Use a raw HTTP request from a file (the FUZZ keyword goes inside the file) || <code>ffuf -request raw.txt -w dict.txt</code>
|-
| [[#ex-request-proto|<code>-request-proto [PROTO]</code>]] || Protocol to use with the raw request (http or https) || <code>ffuf -request raw.txt -request-proto http -w dict.txt</code>
|}

=== Filtering & Matching ===

{| class="wikitable"
! Command !! Description !! Usage
|-
| [[#ex-fc|<code>-fc [CODE]</code>]] || Filter out responses with the given HTTP status codes || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404</code>
|-
| [[#ex-mc|<code>-mc [CODE]</code>]] || Only show responses with the given HTTP status codes || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200</code>
|-
| [[#ex-fw|<code>-fw [WORDS]</code>]] || Filter out responses with the given word count || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -fw 0</code>
|-
| [[#ex-ml|<code>-ml [LINES]</code>]] || Only show responses with the given number of lines || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -ml 10</code>
|-
| [[#ex-fs|<code>-fs [BYTES]</code>]] || Filter out responses with the given size in bytes || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 1234</code>
|-
| [[#ex-filter-regex|<code>--filter-regex [REGEX]</code>]] || Filter out responses whose body matches the regular expression || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt --filter-regex "Not Found"</code>
|-
| [[#ex-mr|<code>-mr [REGEX]</code>]] || Only show responses whose body matches the regular expression || <code>ffuf -u https://target.com/FUZZ -w list.txt -mr "^Admin"</code>
|-
| [[#ex-ms|<code>-ms [BYTES]</code>]] || Only show responses with the given size in bytes || <code>ffuf -u https://target.com/FUZZ -w list.txt -ms 1024</code>
|-
| [[#ex-mw|<code>-mw [WORDS]</code>]] || Only show responses with the given word count || <code>ffuf -u https://target.com/FUZZ -w list.txt -mw 50</code>
|-
| [[#ex-fl|<code>-fl [LINES]</code>]] || Filter out responses with the given number of lines || <code>ffuf -u https://target.com/FUZZ -w list.txt -fl 0</code>
|-
| [[#ex-fr|<code>-fr [REGEX]</code>]] || Filter out responses whose body matches the regular expression || <code>ffuf -u https://target.com/FUZZ -w list.txt -fr "Not Found"</code>
|}

=== Headers, Cookies & Methods ===

{| class="wikitable"
! Command !! Description !! Usage
|-
| [[#ex-H|<code>-H "Header: Value"</code>]] || Add a custom HTTP header to the request (may be repeated) || <code>ffuf -u http://127.0.0.1/ -H "Host: FUZZ.target.com" -w subdomains.txt</code>
|-
| [[#ex-X|<code>-X [METHOD]</code>]] || HTTP method to use (e.g. GET, POST) || <code>ffuf -X POST -d "username=admin&password=FUZZ" -u https://target.com/login -w rockyou.txt</code>
|-
| [[#ex-d|<code>-d "DATA"</code>]] || Data to send in the request body || <code>ffuf -X POST -d "q=FUZZ" -u https://target.com/search -w payloads.txt</code>
|-
| [[#ex-b|<code>-b "COOKIE=VALUE"</code>]] || Send cookies with the request || <code>ffuf -u https://target.com/dashboard -b "SESSION=FUZZ" -w tokens.txt</code>
|-
| [[#ex-ignore-body|<code>-ignore-body</code>]] || Do not fetch the response body || <code>ffuf -u https://target.com/FUZZ -w list.txt -ignore-body</code>
|-
| [[#ex-r|<code>-r</code>]] || Follow HTTP redirects || <code>ffuf -u https://target.com/FUZZ -w list.txt -r</code>
|-
| [[#ex-recursion|<code>-recursion</code>]] || Recursively scan discovered directories (FUZZ must be the last path segment) || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -recursion</code>
|-
| [[#ex-recursion-depth|<code>-recursion-depth [N]</code>]] || Maximum recursion depth || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -recursion -recursion-depth 2</code>
|-
| [[#ex-recursion-strategy|<code>-recursion-strategy [STR]</code>]] || Recursion strategy: <code>default</code> (recurse into redirects only) or <code>greedy</code> (recurse into every match) || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -recursion -recursion-strategy greedy</code>
|-
| [[#ex-replay-proxy|<code>-replay-proxy [URL]</code>]] || Proxy through which matched requests are replayed (for example Burp); unmatched traffic is sent directly || <code>ffuf -u https://target.com/FUZZ -w list.txt -replay-proxy http://127.0.0.1:8081</code>
|-
| [[#ex-x|<code>-x [PROXY]</code>]] || Proxy URL to route all requests through (http or socks5) || <code>ffuf -u https://target.com/FUZZ -w list.txt -x socks5://127.0.0.1:9050</code>
|}

=== Output & Format ===

{| class="wikitable"
! Command !! Description !! Usage
|-
| [[#ex-o|<code>-o [FILE]</code>]] || Write output to a file || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.txt</code>
|-
| [[#ex-of|<code>-of [FORMAT]</code>]] || Output file format (json, ejson, html, md, csv, ecsv, or all) || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -of json -o output.json</code>
|-
| [[#ex-or|<code>-or</code>]] || Do not create the output file if there are no results || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.txt -or</code>
|-
| [[#ex-debug-log|<code>-debug-log [FILE]</code>]] || Write ffuf's internal log to a file || <code>ffuf -u https://target.com/FUZZ -w list.txt -debug-log ffuf.log</code>
|-
| [[#ex-od|<code>-od [DIR]</code>]] || Directory in which to store the matched responses || <code>ffuf -u https://target.com/FUZZ -w list.txt -od ./matched</code>
|}

=== Performance ===

{| class="wikitable"
! Command !! Description !! Usage
|-
| [[#ex-t|<code>-t [NUM]</code>]] || Number of concurrent threads || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -t 100</code>
|-
| [[#ex-p|<code>-p [SECONDS]</code>]] || Delay between requests in seconds; a range such as <code>0.1-2.0</code> gives a random delay || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -p 0.5</code>
|-
| [[#ex-rate|<code>-rate [NUM]</code>]] || Maximum requests per second || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -rate 200</code>
|-
| [[#ex-timeout|<code>-timeout [SEC]</code>]] || Timeout for each individual request || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -timeout 5</code>
|-
| [[#ex-maxtime|<code>-maxtime [SEC]</code>]] || Maximum total run time in seconds || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime 300</code>
|-
| [[#ex-s|<code>-s</code>]] || Silent mode: suppresses the banner, progress bar, and statistics || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -s</code>
|-
| [[#ex-maxtime-job|<code>-maxtime-job [SEC]</code>]] || Maximum run time per job in seconds (relevant with recursion, where each directory is a job) || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime-job 60</code>
|}

=== Status Codes ===

HTTP status codes returned during fuzzing give insight into how the server responds to various inputs. Understanding these codes helps identify valid endpoints, error states, redirects, and more.

{| class="wikitable"
! Status Code !! Description
|-
| 200 || OK – The request was successful. Often indicates a valid page or endpoint.
|-
| 204 || No Content – The server processed the request but returned no content. Often used to detect hidden but functional endpoints.
|-
| 301 || Moved Permanently – The resource has been permanently moved to a new URL. May indicate URL redirection behavior.
|-
| 302 || Found – The resource temporarily resides under a different URL. Can be used to detect login redirects or session handling.
|-
| 307 || Temporary Redirect – Similar to 302, but the request method is preserved. Indicates temporary redirection.
|-
| 401 || Unauthorized – Authentication is required. Useful for identifying protected areas.
|-
| 403 || Forbidden – Access is denied. Often reveals restricted endpoints that exist but are off-limits.
|-
| 404 || Not Found – The requested resource does not exist. A common baseline for filtering invalid responses.
|-
| 405 || Method Not Allowed – The method (e.g., POST, GET) is not allowed for the requested resource.
|-
| 500 || Internal Server Error – The server encountered an unexpected condition. May indicate exploitable flaws.
|-
| 502 || Bad Gateway – The server received an invalid response from the upstream server.
|-
| 503 || Service Unavailable – The server is currently unavailable. May suggest rate limiting or maintenance.
|-
| 504 || Gateway Timeout – The upstream server did not respond in time. May indicate backend issues.
|}

== Examples ==

=== <span id="ex-u"></span>Target URL ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt
# Output:
# /admin [Status: 301, Size: 0, Words: 1, Lines: 1]
# /login [Status: 200, Size: 1024, Words: 132, Lines: 15]
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-w"></span>Wordlist Option ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w wordlist.txt
# Output:
# /secret [Status: 403, Size: 512, Words: 22, Lines: 4]
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-input-cmd"></span>Input from Command ===
<syntaxhighlight lang="bash">
# ffuf runs the command once per payload with FFUF_NUM set to the current counter
ffuf -u https://target.com/FUZZ -input-cmd 'echo $FFUF_NUM' -input-num 100
# Output:
# /12 [Status: 200, Size: 900, Words: 100, Lines: 10]
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-input-num"></span>Fuzz Numeric Range ===
<syntaxhighlight lang="bash">
# -input-num sets how many payloads -input-cmd generates (here 0..99)
ffuf -u 'https://target.com/user?id=FUZZ' -input-cmd 'echo $FFUF_NUM' -input-num 100
# Output:
# user?id=42 [Status: 200, Size: 1500, Words: 150, Lines: 20]
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-fc"></span>Filter by Status Code ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404
# Output:
# All 404 responses are hidden
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-mc"></span>Match Specific Status Code ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200
# Output:
# /dashboard [Status: 200, Size: 2048, Words: 250, Lines: 25]
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-fw"></span>Filter by Word Count ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w wordlist.txt -fw 0
# Output:
# Only responses with more than 0 words are shown
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-ml"></span>Match by Line Count ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w wordlist.txt -ml 10
# Output:
# /help [Status: 200, Size: 850, Words: 90, Lines: 10]
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-fs"></span>Filter by Size ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 1234
# Output:
# Responses of exactly 1234 bytes (typically the generic "not found" page) are hidden
# /about [Status: 200, Size: 2048, Words: 140, Lines: 12]
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-filter-regex"></span>Filter by Regex ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w wordlist.txt --filter-regex "Not Found"
# Output:
# Only responses that do not contain "Not Found" in the body are shown
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-o"></span>Output to File ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.txt
# Output:
# Results saved to results.txt
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-of"></span>Specify Output Format ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.json -of json
# Output:
# Results saved in JSON format to results.json
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-or"></span>Skip Empty Output File ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.txt -or
# Output:
# results.txt is only created if at least one response matched
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-H"></span>Custom Header Fuzzing ===
<syntaxhighlight lang="bash">
ffuf -u http://127.0.0.1/ -H "Host: FUZZ.target.com" -w subdomains.txt
# Output:
# Host: admin.target.com [Status: 200, Size: 5120, Words: 500, Lines: 30]
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-X"></span>Use POST Method ===
<syntaxhighlight lang="bash">
ffuf -X POST -d "username=admin&password=FUZZ" -u https://target.com/login -w rockyou.txt
# Output:
# Password guess "letmein" returns Status: 302 (Login success redirect)
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-d"></span>POST Data with FUZZ ===
<syntaxhighlight lang="bash">
ffuf -X POST -d "q=FUZZ" -u https://target.com/search -w payloads.txt
# Output:
# Payload "admin" produces search results page (Status: 200)
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-t"></span>Threads for Speed ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w wordlist.txt -t 100
# Output:
# Much faster scan due to increased concurrency
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-p"></span>Delay Between Requests ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w wordlist.txt -p 0.5
# Output:
# Slower scan with a 0.5s delay between requests (useful to avoid rate limits)
</syntaxhighlight>
''[[#options|↑ Options]]''

=== <span id="ex-timeout"></span>Set Request Timeout ===
<syntaxhighlight lang="bash">
ffuf -u https://target.com/FUZZ -w wordlist.txt -timeout 5
# Output:
# Requests that take more than 5 seconds are abandoned
</syntaxhighlight>
''[[#options|↑ Options]]''

== See Also ==

* [[dirb]]
* [[gobuster]]
* [[wfuzz]]
* [[burpsuite]]
* [[httpx]]
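Added example for the Filtering & Matching, Output & Format and Status Codes sections above. It is not code from this page or from the ffuf project: it replays the matcher and filter logic of <code>-mc/-fc</code>, <code>-ms/-fs</code>, <code>-mw/-fw</code> and <code>-ml/-fl</code> over a JSON report written with <code>-of json</code>, so that a run can be re-filtered without re-sending requests, and it picks out the most common response shape, which is usually the server's generic "not found" page and therefore the value to hand to <code>-fs</code>. The sample report is constructed, and the field names (<code>results</code>, <code>input</code>, <code>status</code>, <code>length</code>, <code>words</code>, <code>lines</code>, <code>url</code>, <code>redirectlocation</code>) are an assumption about ffuf's JSON layout to check against a real report.

```python
"""Post-filter an ffuf JSON report (-of json) with the same matcher/filter
semantics as -mc/-fc, -ms/-fs, -mw/-fw and -ml/-fl, then summarise by status.

Added example; this is not code from the ffuf project or from the wiki page.
SAMPLE_FFUF_JSON is constructed to mirror the layout ffuf writes with
`-of json`; the field names are an assumption about that format.
"""
import json
from collections import Counter

# Constructed sample report: five probes against a fictional host.
SAMPLE_FFUF_JSON = json.dumps({
    "commandline": "ffuf -u https://target.example/FUZZ -w common.txt -of json -o out.json",
    "results": [
        {"input": {"FUZZ": "admin"}, "position": 0, "status": 301, "length": 0,
         "words": 1, "lines": 1, "url": "https://target.example/admin",
         "redirectlocation": "/admin/"},
        {"input": {"FUZZ": "login"}, "position": 1, "status": 200, "length": 1024,
         "words": 132, "lines": 15, "url": "https://target.example/login",
         "redirectlocation": ""},
        {"input": {"FUZZ": "zzz"}, "position": 2, "status": 404, "length": 1234,
         "words": 140, "lines": 12, "url": "https://target.example/zzz",
         "redirectlocation": ""},
        {"input": {"FUZZ": "help"}, "position": 3, "status": 200, "length": 1234,
         "words": 140, "lines": 12, "url": "https://target.example/help",
         "redirectlocation": ""},
        {"input": {"FUZZ": "backup"}, "position": 4, "status": 403, "length": 512,
         "words": 22, "lines": 4, "url": "https://target.example/backup",
         "redirectlocation": ""},
    ],
})

# Option letter -> report field: -mc/-fc (code), -ms/-fs (size),
# -mw/-fw (words), -ml/-fl (lines).
FIELDS = {"c": "status", "s": "length", "w": "words", "l": "lines"}


def parse_spec(spec):
    """Expand an ffuf-style value list such as "200,301" or "0-100" into a set of ints."""
    values = set()
    for part in str(spec).split(","):
        part = part.strip()
        if not part:
            continue
        lo, sep, hi = part.partition("-")
        if sep:
            values.update(range(int(lo), int(hi) + 1))
        else:
            values.add(int(part))
    return values


def keep(result, matchers, filters):
    """ffuf's default 'or' modes: a result is shown when it satisfies at least
    one matcher (or no matcher is given) and trips none of the filters."""
    def hits(rules):
        return any(result[FIELDS[k]] in parse_spec(v) for k, v in rules.items())
    return (hits(matchers) if matchers else True) and not hits(filters)


def post_filter(report_json, matchers=None, filters=None):
    """Return the results of a JSON report that survive the given rules.
    Regex rules (-mr/-fr) cannot be replayed here: the report carries no bodies."""
    report = json.loads(report_json)
    return [r for r in report["results"] if keep(r, matchers or {}, filters or {})]


def baseline_shape(report_json):
    """The most common (length, words, lines) triple. Responses sharing it are
    usually the server's generic 'not found' page, whatever status code it
    carries, so it is the value to hand to -fs/-fw/-fl."""
    report = json.loads(report_json)
    shapes = Counter((r["length"], r["words"], r["lines"]) for r in report["results"])
    return shapes.most_common(1)[0][0]


def summarise(results):
    """Count surviving results per HTTP status code."""
    return dict(Counter(r["status"] for r in results))


if __name__ == "__main__":
    size, _, _ = baseline_shape(SAMPLE_FFUF_JSON)
    shown = post_filter(SAMPLE_FFUF_JSON, matchers={"c": "200,301,403"}, filters={"s": size})
    for r in shown:
        print(r["status"], r["url"], r["redirectlocation"])
    print(summarise(shown))
```

In the sample, <code>/help</code> returns 200 but has exactly the same size, word and line counts as the 404 for <code>/zzz</code>; <code>baseline_shape</code> surfaces that triple, and filtering on it removes the soft-404 that a status-code match alone would have reported as a hit.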
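Added example taking the defender's view of the options above: every <code>-fc 404</code> a tester applies is a 404 the web server logged. This is not code from this page or the ffuf project. It reads constructed access-log lines and flags a client on two signals: ffuf's default User-Agent, which begins with "Fuzz Faster U Fool" unless changed with <code>-H "User-Agent: ..."</code>, and the behaviour a wordlist scan cannot hide, a burst of many distinct paths from one client answered mostly with 404/403. The thresholds are illustrative, and the sample log and its clients are constructed.

```python
"""Flag ffuf-style content discovery in web server access logs.

Added example for defenders; not code from the ffuf project or the wiki page.
SAMPLE_LOG is constructed (Common Log Format plus referer and user-agent) and
the thresholds are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def _line(ip, second, path, status, ua):
    """Build one constructed log line at 12:00:<second> on a fixed date."""
    return (f'{ip} - - [10/Mar/2024:12:00:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 153 "-" "{ua}"')


WORDS = ["admin", "backup", "config", "login", "old", "test", "tmp",
         "uploads", "api", "dev", "staging", "secret"]
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
FFUF_UA = "Fuzz Faster U Fool vX.Y"  # constructed; the real string carries the ffuf version

SAMPLE_LOG = (
    # client 1: ffuf with its default user-agent, 12 probes in 12 seconds
    [_line("203.0.113.5", i, f"/{w}", 200 if w == "login" else 404, FFUF_UA)
     for i, w in enumerate(WORDS)]
    # client 2: an ordinary browsing session
    + [_line("198.51.100.7", s, p, 200, BROWSER_UA)
       for s, p in ((3, "/"), (20, "/login"), (45, "/about"))]
    # client 3: the same scan behind a browser user-agent (-H "User-Agent: ...")
    + [_line("192.0.2.9", 30 + i, f"/{w}.php", 403 if w == "admin" else 404, BROWSER_UA)
       for i, w in enumerate(WORDS)]
)


def parse_log(lines):
    """Group (timestamp, path, status, user-agent) tuples by client IP."""
    per_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        per_ip[m["ip"]].append((ts, m["path"], int(m["status"]), m["ua"]))
    return per_ip


def analyse(lines, window_seconds=60, min_requests=10,
            min_error_ratio=0.5, min_distinct_paths=8):
    """Return {ip: [reasons]} for clients that look like a content-discovery scan."""
    alerts = {}
    for ip, events in parse_log(lines).items():
        events.sort()
        reasons = set()
        if any("Fuzz Faster U Fool" in ua for _, _, _, ua in events):
            reasons.add("ffuf default User-Agent")
        start = 0
        for end in range(len(events)):  # sliding window over time-sorted events
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            window = events[start:end + 1]
            if len(window) < min_requests:
                continue
            errors = sum(1 for _, _, status, _ in window if status in (403, 404))
            distinct = len({path for _, path, _, _ in window})
            if errors / len(window) >= min_error_ratio and distinct >= min_distinct_paths:
                reasons.add("burst of distinct paths with high 404/403 ratio")
                break
        if reasons:
            alerts[ip] = sorted(reasons)
    return alerts


if __name__ == "__main__":
    for ip, why in analyse(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(why))
```

The User-Agent check is cheap but trivially defeated by a single <code>-H</code> flag, which is why the behavioural rule is the one worth keeping: a client that hits many distinct paths and collects mostly 404s in a short window is running a wordlist whatever its headers say. Tune <code>min_requests</code> and the window to the site's normal traffic, and remember that <code>-p</code> and <code>-rate</code> let a scan spread itself thinly, so a longer window catches slower runs.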