Latest revision as of 23:29, 29 May 2025

FFUF[edit | edit source]

FFUF (Fuzz Faster U Fool) is a fast and flexible web fuzzer used for discovering hidden files, directories, subdomains, GET and POST parameters, and more. It is widely used in web application testing, especially during active reconnaissance and content discovery phases.

Common Options[edit | edit source]

Target & Wordlist[edit | edit source]

These two options are required to run ffuf. You must provide a target URL with the keyword FUZZ (`-u`) and a wordlist file (`-w`) for fuzzing to begin.

Command	Description	Usage
`-u [URL]`	Target URL with the keyword FUZZ where payloads will be injected	`ffuf -u https://target.com/FUZZ`
`-w [FILE]`	Wordlist file to use for fuzzing	`ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt`

Input Options[edit | edit source]

Command	Description	Usage
`-D`	DirSearch wordlist compatibility mode, use with -e	`ffuf -u https://target.com/FUZZ -w dirs.txt -D -e php,html`
`-e [EXT]`	Comma-separated list of extensions to append	`ffuf -u https://target.com/FUZZ -w dirs.txt -e php,txt`
`-ic`	Ignore comment lines in wordlist	`ffuf -u https://target.com/FUZZ -w dict.txt -ic`
`--input-cmd`	Use output from a command as input	`ffuf --input-cmd "seq 1 100" --input-num 100 -u https://target.com/id=FUZZ`
`--input-num [NUM]`	Number of values from input-cmd	`ffuf --input-cmd "cat users.txt" --input-num 50 -u https://target.com/FUZZ`
`--input-shell [SHELL]`	Shell used to run input-cmd	`ffuf --input-shell /bin/zsh --input-cmd "printf '%s\n' {A..Z}" --input-num 26 -u https://target.com/FUZZ`
`-mode [TYPE]`	Multi-wordlist mode: clusterbomb or pitchfork	`ffuf -w users.txt:USER -w pass.txt:PASS -mode pitchfork -u https://target.com/login?u=USER&p=PASS`
`-request [FILE]`	Use raw HTTP request from file	`ffuf -request raw.txt -w dict.txt -u FUZZ`
`-request-proto [PROTO]`	Protocol to use with raw request	`ffuf -request raw.txt -request-proto http -w dict.txt`

Filtering & Matching[edit | edit source]

Command	Description	Usage
`-fc [CODE]`	Filter out responses with the given HTTP status code	`ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404`
`-mc [CODE]`	Only show responses with specific HTTP status codes	`ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200`
`-fw [WORDS]`	Filter responses by word count	`ffuf -u https://target.com/FUZZ -w wordlist.txt -fw 0`
`-ml [LINES]`	Match only responses with specific number of lines	`ffuf -u https://target.com/FUZZ -w wordlist.txt -ml 10`
`-fs [BYTES]`	Filter by response size	`ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 1234`
`--filter-regex`	Filter responses based on regular expression in the body	`ffuf -u https://target.com/FUZZ -w wordlist.txt --filter-regex "Not Found"`
`-mr [REGEX]`	Match responses with regex in body	`ffuf -u https://target.com/FUZZ -w list.txt -mr "^Admin"`
`-ms [BYTES]`	Match responses by exact size	`ffuf -u https://target.com/FUZZ -w list.txt -ms 1024`
`-mw [WORDS]`	Match responses by word count	`ffuf -u https://target.com/FUZZ -w list.txt -mw 50`
`-fl [LINES]`	Filter out by number of lines	`ffuf -u https://target.com/FUZZ -w list.txt -fl 0`
`-fr [REGEX]`	Filter responses using regex	`ffuf -u https://target.com/FUZZ -w list.txt -fr "Not Found"`

Headers, Cookies & Methods[edit | edit source]

Command	Description	Usage
`-H "Header: Value"`	Add custom HTTP headers to the request	`ffuf -u http://127.0.0.1/ -H "Host: FUZZ.target.com" -w subdomains.txt`
`-X [METHOD]`	HTTP method to use (e.g. GET, POST)	`ffuf -X POST -d "username=admin&password=FUZZ" -u https://target.com/login -w rockyou.txt`
`-d "DATA"`	Data to include in request body	`ffuf -X POST -d "q=FUZZ" -u https://target.com/search -w payloads.txt`
`-b "COOKIE=VALUE"`	Send cookies with request	`ffuf -u https://target.com/dashboard -b "SESSION=FUZZ" -w tokens.txt`
`-ignore-body`	Skip response body content	`ffuf -u https://target.com/FUZZ -w list.txt -ignore-body`
`-r`	Follow HTTP redirects	`ffuf -u https://target.com/FUZZ -w list.txt -r`
`-recursion`	Recursively scan directories (FUZZ must be at end)	`ffuf -u https://target.com/FUZZ -w dirs.txt -recursion`
`-recursion-depth [N]`	Max recursion depth for scanning	`ffuf -u https://target.com/FUZZ -w dirs.txt -recursion -recursion-depth 2`
`-recursion-strategy [STR]`	Recursion strategy: default or greedy	`ffuf -u https://target.com/FUZZ -w dirs.txt -recursion-strategy greedy`
`-replay-proxy [URL]`	Proxy to replay matched requests	`ffuf -u https://target.com/FUZZ -w list.txt -replay-proxy http://127.0.0.1:8081`
`-x [PROXY]`	Proxy URL to route requests through	`ffuf -u https://target.com/FUZZ -w list.txt -x socks5://127.0.0.1:9050`

Output & Format[edit | edit source]

Command	Description	Usage
`-o [FILE]`	Write output to file	`ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.txt`
`-of [FORMAT]`	Output file format (json, html, csv, etc.)	`ffuf -u https://target.com/FUZZ -w wordlist.txt -of json -o output.json`
`-or`	Don't create output file if no results	`ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.txt -or`
`-debug-log [FILE]`	Write internal log to file	`ffuf -u https://target.com/FUZZ -w list.txt -debug-log ffuf.log`
`-od [DIR]`	Output directory for matched results	`ffuf -u https://target.com/FUZZ -w list.txt -od ./matched`

Performance[edit | edit source]

Command	Description	Usage
`-t [NUM]`	Number of concurrent threads	`ffuf -u https://target.com/FUZZ -w wordlist.txt -t 100`
`-p [SECONDS]`	Delay between each request	`ffuf -u https://target.com/FUZZ -w wordlist.txt -p 0.5`
`-rate [NUM]`	Max requests per second	`ffuf -u https://target.com/FUZZ -w wordlist.txt -rate 200`
`--timeout [SEC]`	Set timeout for individual requests	`ffuf -u https://target.com/FUZZ -w wordlist.txt --timeout 5`
`-maxtime [SEC]`	Maximum total run time in seconds	`ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime 300`
`-s`	Silent mode. Suppresses banner, progress bar, and stats output	`ffuf -u https://target.com/FUZZ -w wordlist.txt -s`
`-maxtime-job [SEC]`	Maximum time per job	`ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime-job 60`

Status Codes[edit | edit source]

HTTP status codes returned during fuzzing give insight into how the server responds to various inputs. Understanding these codes helps identify valid endpoints, error states, redirects, and more.

Status Code	Description
200	OK – The request was successful. Often indicates a valid page or endpoint.
204	No Content – The server processed the request but returned no content. Often used to detect hidden but functional endpoints.
301	Moved Permanently – The resource has been permanently moved to a new URL. May indicate URL redirection behavior.
302	Found – The resource temporarily resides under a different URL. Can be used to detect login redirects or session handling.
307	Temporary Redirect – Similar to 302 but the method is preserved. Indicates temporary redirection.
401	Unauthorized – Authentication is required. Useful for identifying protected areas.
403	Forbidden – Access is denied. Often reveals restricted endpoints that exist but are off-limits.
404	Not Found – The requested resource does not exist. A common baseline for filtering invalid responses.
405	Method Not Allowed – The method (e.g., POST, GET) is not allowed for the requested resource.
500	Internal Server Error – The server encountered an unexpected condition. May indicate exploitable flaws.
502	Bad Gateway – The server received an invalid response from the upstream server.
503	Service Unavailable – The server is currently unavailable. May suggest rate limiting or maintenance.
504	Gateway Timeout – The upstream server failed to send a request in time. May indicate backend issues.

Examples[edit | edit source]

Target URL[edit | edit source]

ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt
# Output:
# /admin           [Status: 301, Size: 0, Words: 1, Lines: 1]
# /login           [Status: 200, Size: 1024, Words: 132, Lines: 15]

@@ Line 4: / Line 4: @@
 It is widely used in web application testing, especially during active reconnaissance and content discovery phases.
-== <span id="general"></span>Common Options ==
+== <span id="options"></span>Common Options ==
+=== Target & Wordlist ===
+These two options are required to run ffuf.
+You must provide a target URL with the keyword FUZZ (`-u`) and a wordlist file (`-w`) for fuzzing to begin.
 {| class="wikitable"
 ! Command !! Description !! Usage
 |-
-| [[#ex-V|<code>-V</code>]] || Show version information || <code>ffuf -V</code>
+| [[#ex-u|<code>-u [URL]</code>]] || Target URL with the keyword FUZZ where payloads will be injected || <code>ffuf -u https://target.com/FUZZ</code>
+|-
+| [[#ex-w|<code>-w [FILE]</code>]] || Wordlist file to use for fuzzing || <code>ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt</code>
+|}
+=== Input Options ===
+{| class="wikitable"
+! Command !! Description !! Usage
 |-
-| [[#ex-ac|<code>-ac</code>]] || Automatically calibrate filtering options || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -ac</code>
+| [[#ex-D|<code>-D</code>]] || DirSearch wordlist compatibility mode, use with -e || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -D -e php,html</code>
 |-
-| [[#ex-acc|<code>-acc "STRING"</code>]] || Custom auto-calibration string (can be used multiple times) – implies <code>-ac</code> || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -acc "Welcome"</code>
+| [[#ex-e|<code>-e [EXT]</code>]] || Comma-separated list of extensions to append || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -e php,txt</code>
 |-
-| [[#ex-c|<code>-c</code>]] || Colorize output || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -c</code>
+| [[#ex-ic|<code>-ic</code>]] || Ignore comment lines in wordlist || <code>ffuf -u https://target.com/FUZZ -w dict.txt -ic</code>
 |-
-| [[#ex-config|<code>-config [FILE]</code>]] || Load configuration from file || <code>ffuf -config ~/.ffufrc</code>
+| [[#ex-input-cmd|<code>--input-cmd</code>]] || Use output from a command as input || <code>ffuf --input-cmd "seq 1 100" --input-num 100 -u https://target.com/id=FUZZ</code>
 |-
-| [[#ex-s|<code>-s</code>]] || Silent mode (suppress extra info) || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -s</code>
+| [[#ex-input-num|<code>--input-num [NUM]</code>]] || Number of values from input-cmd || <code>ffuf --input-cmd "cat users.txt" --input-num 50 -u https://target.com/FUZZ</code>
 |-
-| [[#ex-sa|<code>-sa</code>]] || Stop on all error cases (implies <code>-sf</code> and <code>-se</code>) || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -sa</code>
+| [[#ex-input-shell|<code>--input-shell [SHELL]</code>]] || Shell used to run input-cmd || <code>ffuf --input-shell /bin/zsh --input-cmd "printf '%s\n' {A..Z}" --input-num 26 -u https://target.com/FUZZ</code>
 |-
-| [[#ex-se|<code>-se</code>]] || Stop on spurious errors || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -se</code>
+| [[#ex-mode|<code>-mode [TYPE]</code>]] || Multi-wordlist mode: clusterbomb or pitchfork || <code>ffuf -w users.txt:USER -w pass.txt:PASS -mode pitchfork -u https://target.com/login?u=USER&p=PASS</code>
 |-
-| [[#ex-sf|<code>-sf</code>]] || Stop when &gt; 95 % of responses are 403 || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -sf</code>
+| [[#ex-request|<code>-request [FILE]</code>]] || Use raw HTTP request from file || <code>ffuf -request raw.txt -w dict.txt -u FUZZ</code>
 |-
-| [[#ex-v|<code>-v</code>]] || Verbose output (print full URL & redirect) || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -v</code>
+| [[#ex-request-proto|<code>-request-proto [PROTO]</code>]] || Protocol to use with raw request || <code>ffuf -request raw.txt -request-proto http -w dict.txt</code>
 |}
-== <span id="input"></span>Input Options ==
+=== Filtering & Matching ===
 {| class="wikitable"
 ! Command !! Description !! Usage
 |-
-| [[#ex-D|<code>-D</code>]] || DirSearch wordlist compatibility mode (use with <code>-e</code>) || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -D -e php,html</code>
+| [[#ex-fc|<code>-fc [CODE]</code>]] || Filter out responses with the given HTTP status code || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404</code>
 |-
-| [[#ex-e|<code>-e [EXT]</code>]] || Comma-separated list of extensions (extends <code>FUZZ</code>) || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -e php,txt</code>
+| [[#ex-mc|<code>-mc [CODE]</code>]] || Only show responses with specific HTTP status codes || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200</code>
 |-
-| [[#ex-ic|<code>-ic</code>]] || Ignore wordlist comments || <code>ffuf -u https://target.com/FUZZ -w dict.txt -ic</code>
+| [[#ex-fw|<code>-fw [WORDS]</code>]] || Filter responses by word count || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -fw 0</code>
 |-
-| [[#ex-input-cmd|<code>--input-cmd</code>]] || Use command output as input (requires <code>--input-num</code>) || <code>ffuf --input-cmd "seq 1 100" --input-num 100 -u https://target.com/id=FUZZ</code>
+| [[#ex-ml|<code>-ml [LINES]</code>]] || Match only responses with specific number of lines || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -ml 10</code>
 |-
-| [[#ex-input-num|<code>--input-num [NUM]</code>]] || Number of inputs to test with <code>--input-cmd</code> || <code>ffuf --input-cmd "cat users.txt" --input-num 50 -u https://target.com/FUZZ</code>
+| [[#ex-fs|<code>-fs [BYTES]</code>]] || Filter by response size || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 1234</code>
 |-
-| [[#ex-input-shell|<code>--input-shell [SHELL]</code>]] || Shell used for <code>--input-cmd</code> || <code>ffuf --input-shell /bin/zsh --input-cmd "printf '%s\n' {A..Z}" --input-num 26 -u https://target.com/FUZZ</code>
+| [[#ex-filter-regex|<code>--filter-regex</code>]] || Filter responses based on regular expression in the body || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt --filter-regex "Not Found"</code>
 |-
-| [[#ex-mode|<code>-mode [TYPE]</code>]] || Multi-wordlist mode: <code>clusterbomb</code> / <code>pitchfork</code> || <code>ffuf -w users.txt:USER -w pass.txt:PASS -mode pitchfork -u https://target.com/login?u=USER&p=PASS</code>
+| [[#ex-mr|<code>-mr [REGEX]</code>]] || Match responses with regex in body || <code>ffuf -u https://target.com/FUZZ -w list.txt -mr "^Admin"</code>
 |-
-| [[#ex-request|<code>-request [FILE]</code>]] || Use raw HTTP request from file || <code>ffuf -request raw.txt -w dict.txt -u FUZZ</code>
+| [[#ex-ms|<code>-ms [BYTES]</code>]] || Match responses by exact size || <code>ffuf -u https://target.com/FUZZ -w list.txt -ms 1024</code>
+|-
+| [[#ex-mw|<code>-mw [WORDS]</code>]] || Match responses by word count || <code>ffuf -u https://target.com/FUZZ -w list.txt -mw 50</code>
+|-
+| [[#ex-fl|<code>-fl [LINES]</code>]] || Filter out by number of lines || <code>ffuf -u https://target.com/FUZZ -w list.txt -fl 0</code>
 |-
-| [[#ex-request-proto|<code>-request-proto [PROTO]</code>]] || Protocol when using raw request (http/https) || <code>ffuf -request raw.txt -request-proto http -w dict.txt</code>
+| [[#ex-fr|<code>-fr [REGEX]</code>]] || Filter responses using regex || <code>ffuf -u https://target.com/FUZZ -w list.txt -fr "Not Found"</code>
 |}
-== <span id="headers"></span>Headers, Cookies & Methods ==
+=== Headers, Cookies & Methods ===
 {| class="wikitable"
 ! Command !! Description !! Usage
 |-
-| [[#ex-b|<code>-b "COOKIE=VALUE"</code>]] || Add cookie header || <code>ffuf -u https://target.com/dashboard -b "SESSION=FUZZ" -w tokens.txt</code>
+| [[#ex-H|<code>-H "Header: Value"</code>]] || Add custom HTTP headers to the request || <code>ffuf -u http://127.0.0.1/ -H "Host: FUZZ.target.com" -w subdomains.txt</code>
 |-
-| [[#ex-ignore-body|<code>-ignore-body</code>]] || Do not fetch response body || <code>ffuf -u https://target.com/FUZZ -w list.txt -ignore-body</code>
+| [[#ex-X|<code>-X [METHOD]</code>]] || HTTP method to use (e.g. GET, POST) || <code>ffuf -X POST -d "username=admin&password=FUZZ" -u https://target.com/login -w rockyou.txt</code>
 |-
-| [[#ex-r|<code>-r</code>]] || Follow redirects || <code>ffuf -u https://target.com/FUZZ -w list.txt -r</code>
+| [[#ex-d|<code>-d "DATA"</code>]] || Data to include in request body || <code>ffuf -X POST -d "q=FUZZ" -u https://target.com/search -w payloads.txt</code>
 |-
-| [[#ex-recursion|<code>-recursion</code>]] || Recursive scan (URL must end in <code>FUZZ</code>) || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -recursion</code>
+| [[#ex-b|<code>-b "COOKIE=VALUE"</code>]] || Send cookies with request || <code>ffuf -u https://target.com/dashboard -b "SESSION=FUZZ" -w tokens.txt</code>
 |-
-| [[#ex-recursion-depth|<code>-recursion-depth [N]</code>]] || Maximum recursion depth || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -recursion -recursion-depth 2</code>
+| [[#ex-ignore-body|<code>-ignore-body</code>]] || Skip response body content || <code>ffuf -u https://target.com/FUZZ -w list.txt -ignore-body</code>
 |-
-| [[#ex-recursion-strategy|<code>-recursion-strategy [STR]</code>]] || Recursion strategy: <code>default</code> / <code>greedy</code> || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -recursion-strategy greedy</code>
+| [[#ex-r|<code>-r</code>]] || Follow HTTP redirects || <code>ffuf -u https://target.com/FUZZ -w list.txt -r</code>
 |-
-| [[#ex-replay-proxy|<code>-replay-proxy [URL]</code>]] || Replay matched requests through proxy || <code>ffuf -u https://target.com/FUZZ -w list.txt -replay-proxy http://127.0.0.1:8081</code>
+| [[#ex-recursion|<code>-recursion</code>]] || Recursively scan directories (FUZZ must be at end) || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -recursion</code>
 |-
-| [[#ex-x|<code>-x [PROXY]</code>]] || Send requests via proxy (HTTP/SOCKS5) || <code>ffuf -u https://target.com/FUZZ -w list.txt -x socks5://127.0.0.1:9050</code>
+| [[#ex-recursion-depth|<code>-recursion-depth [N]</code>]] || Max recursion depth for scanning || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -recursion -recursion-depth 2</code>
+|-
+| [[#ex-recursion-strategy|<code>-recursion-strategy [STR]</code>]] || Recursion strategy: default or greedy || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -recursion-strategy greedy</code>
+|-
+| [[#ex-replay-proxy|<code>-replay-proxy [URL]</code>]] || Proxy to replay matched requests || <code>ffuf -u https://target.com/FUZZ -w list.txt -replay-proxy http://127.0.0.1:8081</code>
+|-
+| [[#ex-x|<code>-x [PROXY]</code>]] || Proxy URL to route requests through || <code>ffuf -u https://target.com/FUZZ -w list.txt -x socks5://127.0.0.1:9050</code>
 |}
-== <span id="filtering"></span>Filtering & Matching ==
+=== Output & Format ===
 {| class="wikitable"
 ! Command !! Description !! Usage
 |-
-| [[#ex-mr|<code>-mr [REGEX]</code>]] || Match body using regular expression || <code>ffuf -u https://target.com/FUZZ -w list.txt -mr "^Admin"</code>
+| [[#ex-o|<code>-o [FILE]</code>]] || Write output to file || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.txt</code>
 |-
-| [[#ex-ms|<code>-ms [BYTES]</code>]] || Match exact response size || <code>ffuf -u https://target.com/FUZZ -w list.txt -ms 1024</code>
+| [[#ex-of|<code>-of [FORMAT]</code>]] || Output file format (json, html, csv, etc.) || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -of json -o output.json</code>
 |-
-| [[#ex-mw|<code>-mw [WORDS]</code>]] || Match by word count || <code>ffuf -u https://target.com/FUZZ -w list.txt -mw 50</code>
+| [[#ex-or|<code>-or</code>]] || Don't create output file if no results || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.txt -or</code>
 |-
-| [[#ex-fl|<code>-fl [LINES]</code>]] || Filter by line count || <code>ffuf -u https://target.com/FUZZ -w list.txt -fl 0</code>
+| [[#ex-debug-log|<code>-debug-log [FILE]</code>]] || Write internal log to file || <code>ffuf -u https://target.com/FUZZ -w list.txt -debug-log ffuf.log</code>
 |-
-| [[#ex-fr|<code>-fr [REGEX]</code>]] || Filter responses matching regex || <code>ffuf -u https://target.com/FUZZ -w list.txt -fr "Not&nbsp;Found"</code>
+| [[#ex-od|<code>-od [DIR]</code>]] || Output directory for matched results || <code>ffuf -u https://target.com/FUZZ -w list.txt -od ./matched</code>
 |}
-== <span id="performance"></span>Performance ==
+=== Performance ===
 {| class="wikitable"
 ! Command !! Description !! Usage
 |-
-| [[#ex-rate|<code>-rate [NUM]</code>]] || Limit requests per second || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -rate 200</code>
+| [[#ex-t|<code>-t [NUM]</code>]] || Number of concurrent threads || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -t 100</code>
+|-
+| [[#ex-p|<code>-p [SECONDS]</code>]] || Delay between each request || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -p 0.5</code>
+|-
+| [[#ex-rate|<code>-rate [NUM]</code>]] || Max requests per second || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -rate 200</code>
+|-
+| [[#ex-timeout|<code>--timeout [SEC]</code>]] || Set timeout for individual requests || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt --timeout 5</code>
+|-
+| [[#ex-maxtime|<code>-maxtime [SEC]</code>]] || Maximum total run time in seconds || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime 300</code>
 |-
-| [[#ex-maxtime|<code>-maxtime [SEC]</code>]] || Max total runtime || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime 300</code>
+| [[#ex-s|<code>-s</code>]] || Silent mode. Suppresses banner, progress bar, and stats output || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -s</code>
 |-
-| [[#ex-maxtime-job|<code>-maxtime-job [SEC]</code>]] || Max runtime per job || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime-job 60</code>
+| [[#ex-maxtime-job|<code>-maxtime-job [SEC]</code>]] || Maximum time per job || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime-job 60</code>
 |}
-== <span id="output"></span>Output & Format ==
+=== Status Codes ===
+HTTP status codes returned during fuzzing give insight into how the server responds to various inputs. Understanding these codes helps identify valid endpoints, error states, redirects, and more.
 {| class="wikitable"
-! Command !! Description !! Usage
+! Status Code !! Description
+|-
+| 200 || OK – The request was successful. Often indicates a valid page or endpoint.
+|-
+| 204 || No Content – The server processed the request but returned no content. Often used to detect hidden but functional endpoints.
+|-
+| 301 || Moved Permanently – The resource has been permanently moved to a new URL. May indicate URL redirection behavior.
+|-
+| 302 || Found – The resource temporarily resides under a different URL. Can be used to detect login redirects or session handling.
+|-
+| 307 || Temporary Redirect – Similar to 302 but the method is preserved. Indicates temporary redirection.
+|-
+| 401 || Unauthorized – Authentication is required. Useful for identifying protected areas.
+|-
+| 403 || Forbidden – Access is denied. Often reveals restricted endpoints that exist but are off-limits.
+|-
+| 404 || Not Found – The requested resource does not exist. A common baseline for filtering invalid responses.
+|-
+| 405 || Method Not Allowed – The method (e.g., POST, GET) is not allowed for the requested resource.
+|-
+| 500 || Internal Server Error – The server encountered an unexpected condition. May indicate exploitable flaws.
 |-
-| [[#ex-debug-log|<code>-debug-log [FILE]</code>]] || Write debug log to file || <code>ffuf -u https://target.com/FUZZ -w list.txt -debug-log ffuf.log</code>
+| 502 || Bad Gateway – The server received an invalid response from the upstream server.
 |-
-| [[#ex-od|<code>-od [DIR]</code>]] || Directory to store matched results || <code>ffuf -u https://target.com/FUZZ -w list.txt -od ./matched</code>
+| 503 || Service Unavailable – The server is currently unavailable. May suggest rate limiting or maintenance.
 |-
-| [[#ex-or-out|<code>-or</code>]] || Skip creating output file when no results || <code>ffuf -u https://target.com/FUZZ -w list.txt -o results.json -or</code>
+| 504 || Gateway Timeout – The upstream server failed to send a request in time. May indicate backend issues.
 |}

Ffuf: Difference between revisions

Latest revision as of 23:29, 29 May 2025

FFUF[edit | edit source]

Common Options[edit | edit source]

Target & Wordlist[edit | edit source]

Input Options[edit | edit source]

Filtering & Matching[edit | edit source]

Headers, Cookies & Methods[edit | edit source]

Output & Format[edit | edit source]

Performance[edit | edit source]

Status Codes[edit | edit source]

Examples[edit | edit source]

Target URL[edit | edit source]

Wordlist Option[edit | edit source]

Input from Command[edit | edit source]

Fuzz Numeric Range[edit | edit source]

Filter by Status Code[edit | edit source]

Match Specific Status Code[edit | edit source]

Filter by Word Count[edit | edit source]

Match by Line Count[edit | edit source]

Filter by Size[edit | edit source]

Filter by Regex[edit | edit source]

Output to File[edit | edit source]

Specify Output Format[edit | edit source]

Show Redirect Location[edit | edit source]

Custom Header Fuzzing[edit | edit source]

Use POST Method[edit | edit source]

POST Data with FUZZ[edit | edit source]

Threads for Speed[edit | edit source]

Delay Between Requests[edit | edit source]

Set Request Timeout[edit | edit source]

See Also[edit | edit source]

Navigation menu

Search