Ffuf: Difference between revisions

From HackOps
Latest revision as of 23:29, 29 May 2025

FFUF

FFUF (Fuzz Faster U Fool) is a fast and flexible web fuzzer written in Go, used for discovering hidden files, directories, virtual hosts and subdomains, GET and POST parameters, and more. It is widely used in web application testing, especially during active reconnaissance and content discovery phases. Because it uses Go's flag parser, every option works with one or two leading dashes: -input-cmd and --input-cmd are the same flag.

Common Options

Target & Wordlist

ffuf needs a target and a source of payloads. The target URL is given with -u and must contain the keyword FUZZ (or a custom keyword bound with -w, see below) at the position where each payload is inserted; payloads normally come from a wordlist given with -w. The only exceptions are -request, which takes the URL from a raw request file, and --input-cmd, which generates payloads from a command instead of a wordlist.

| Command | Description | Usage |
|---|---|---|
| -u [URL] | Target URL containing the keyword FUZZ where payloads will be injected | ffuf -u https://target.com/FUZZ |
| -w [FILE] | Wordlist file to use for fuzzing. A custom keyword can be bound with FILE:KEYWORD, e.g. -w users.txt:USER | ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt |

Input Options

| Command | Description | Usage |
|---|---|---|
| -D | DirSearch wordlist compatibility mode: replaces %EXT% in each wordlist entry with the extensions given by -e (no leading dot needed in that case) | ffuf -u https://target.com/FUZZ -w dirs.txt -D -e php,html |
| -e [EXT] | Comma-separated list of extensions appended to every FUZZ payload. The extension is appended literally, so include the leading dot or you will request adminphp instead of admin.php | ffuf -u https://target.com/FUZZ -w dirs.txt -e .php,.txt |
| -ic | Ignore comment lines (starting with #) in the wordlist | ffuf -u https://target.com/FUZZ -w dict.txt -ic |
| --input-cmd [CMD] | Run a command once per payload and use its whole stdout as the payload; the iteration counter is exposed in the FFUF_NUM environment variable. Used instead of -w | ffuf --input-cmd 'echo $FFUF_NUM' --input-num 100 -u 'https://target.com/item?id=FUZZ' |
| --input-num [NUM] | How many times to run --input-cmd (default 100). It is a count, not a range | ffuf --input-cmd 'echo $FFUF_NUM' --input-num 1000 -u https://target.com/FUZZ |
| --input-shell [SHELL] | Shell used to run --input-cmd | ffuf --input-shell /bin/zsh --input-cmd 'echo $FFUF_NUM' --input-num 50 -u https://target.com/FUZZ |
| -mode [TYPE] | Multi-wordlist mode: clusterbomb (every combination), pitchfork (entries paired by position) or sniper | ffuf -w users.txt:USER -w pass.txt:PASS -mode pitchfork -u 'https://target.com/login?u=USER&p=PASS' |
| -request [FILE] | Use a raw HTTP request (for example saved from Burp) as the template; place FUZZ inside the file. -u is not needed | ffuf -request raw.txt -request-proto https -w dict.txt |
| -request-proto [PROTO] | Protocol (http or https) to use with -request; defaults to https | ffuf -request raw.txt -request-proto http -w dict.txt |

Filtering & Matching

Matchers (-m*) decide which responses are candidates for display; filters (-f*) then remove candidates. A response is printed when at least one matcher accepts it and no filter rejects it. Each option takes a comma-separated list and accepts ranges, for example -mc 200-299,401 or -fs 0-100. If you set no matcher, ffuf applies its default status matcher, 200-299,301,302,307,401,403,405,500, which is why 404 responses are hidden even without -fc 404.

Word and line counts are computed by splitting the body on spaces and newlines, so an empty body is reported as Words: 1, Lines: 1 (as the 301 result in the examples further down shows). A filter of -fw 0 therefore hides nothing; to hide empty bodies use -fs 0.

| Command | Description | Usage |
|---|---|---|
| -mc [CODE] | Match HTTP status codes, or all for everything | ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301 |
| -fc [CODE] | Filter out responses with the given HTTP status codes | ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 403,404 |
| -ms [BYTES] | Match responses by body size | ffuf -u https://target.com/FUZZ -w list.txt -ms 1024 |
| -fs [BYTES] | Filter out responses by body size (the usual fix for a catch-all page that answers 200 to everything) | ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 1234 |
| -mw [WORDS] | Match responses by word count | ffuf -u https://target.com/FUZZ -w list.txt -mw 50 |
| -fw [WORDS] | Filter out responses by word count | ffuf -u https://target.com/FUZZ -w wordlist.txt -fw 23 |
| -ml [LINES] | Match responses by line count | ffuf -u https://target.com/FUZZ -w wordlist.txt -ml 10 |
| -fl [LINES] | Filter out responses by line count | ffuf -u https://target.com/FUZZ -w list.txt -fl 4 |
| -mr [REGEX] | Match responses whose headers or body match the regular expression | ffuf -u https://target.com/FUZZ -w list.txt -mr "^Admin" |
| -fr [REGEX] | Filter out responses whose headers or body match the regular expression. This is the only spelling; ffuf has no --filter-regex flag | ffuf -u https://target.com/FUZZ -w list.txt -fr "Not Found" |

Headers, Cookies & Methods

| Command | Description | Usage |
|---|---|---|
| -H "Header: Value" | Add a custom HTTP header (repeatable). Putting FUZZ in the Host header turns ffuf into a virtual-host scanner | ffuf -u http://127.0.0.1/ -H "Host: FUZZ.target.com" -w subdomains.txt |
| -X [METHOD] | HTTP method to use (GET, POST, PUT, ...) | ffuf -X POST -d "username=admin&password=FUZZ" -u https://target.com/login -w rockyou.txt |
| -d "DATA" | Request body. Unless you set Content-Type yourself, ffuf sends it as application/x-www-form-urlencoded | ffuf -X POST -d "q=FUZZ" -u https://target.com/search -w payloads.txt |
| -b "COOKIE=VALUE" | Cookie data to send with each request | ffuf -u https://target.com/dashboard -b "SESSION=FUZZ" -w tokens.txt |
| -ignore-body | Do not fetch the response body. Faster, but size, word and line matchers and filters then have nothing to work on | ffuf -u https://target.com/FUZZ -w list.txt -ignore-body |
| -r | Follow HTTP redirects. The status reported is then that of the final response, so 301/302 results disappear | ffuf -u https://target.com/FUZZ -w list.txt -r |
| -recursion | Recurse into directories that are found; the URL must end in FUZZ | ffuf -u https://target.com/FUZZ -w dirs.txt -recursion |
| -recursion-depth [N] | Maximum recursion depth | ffuf -u https://target.com/FUZZ -w dirs.txt -recursion -recursion-depth 2 |
| -recursion-strategy [STR] | default recurses only into results that redirect (typical for directories); greedy recurses into every match | ffuf -u https://target.com/FUZZ -w dirs.txt -recursion -recursion-strategy greedy |
| -replay-proxy [URL] | Replay only the matched requests through this proxy, for example into Burp for manual follow-up | ffuf -u https://target.com/FUZZ -w list.txt -replay-proxy http://127.0.0.1:8081 |
| -x [PROXY] | Send every request through an HTTP or SOCKS5 proxy | ffuf -u https://target.com/FUZZ -w list.txt -x socks5://127.0.0.1:9050 |

Output & Format

| Command | Description | Usage |
|---|---|---|
| -o [FILE] | Write results to a file. The format defaults to json, so results.txt will contain JSON unless -of is given | ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.txt |
| -of [FORMAT] | Output file format: json, ejson, html, md, csv, ecsv, or all (writes every format, using the -o value as prefix) | ffuf -u https://target.com/FUZZ -w wordlist.txt -of json -o output.json |
| -or | Do not create the output file when there were no results | ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.txt -or |
| -debug-log [FILE] | Write ffuf's internal debug log to a file | ffuf -u https://target.com/FUZZ -w list.txt -debug-log ffuf.log |
| -od [DIR] | Directory in which to save the full request and response of every match, one file per result | ffuf -u https://target.com/FUZZ -w list.txt -od ./matched |

Performance

| Command | Description | Usage |
|---|---|---|
| -t [NUM] | Number of concurrent threads (default 40) | ffuf -u https://target.com/FUZZ -w wordlist.txt -t 100 |
| -p [SECONDS] | Delay between requests, either fixed or a random range such as 0.1-2.0 | ffuf -u https://target.com/FUZZ -w wordlist.txt -p 0.5 |
| -rate [NUM] | Maximum requests per second (0 means unlimited) | ffuf -u https://target.com/FUZZ -w wordlist.txt -rate 200 |
| --timeout [SEC] | Per-request timeout in seconds (default 10) | ffuf -u https://target.com/FUZZ -w wordlist.txt --timeout 5 |
| -maxtime [SEC] | Maximum total run time in seconds | ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime 300 |
| -maxtime-job [SEC] | Maximum run time per job; relevant with -recursion, where each discovered directory becomes a job | ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime-job 60 |
| -s | Silent mode: suppresses banner, progress and statistics and prints only the matches, which makes the output pipeable | ffuf -u https://target.com/FUZZ -w wordlist.txt -s |

Status Codes

HTTP status codes returned during fuzzing show how the server reacts to each payload. Reading them correctly is what separates findings from noise: the code (and size) the server returns for unknown paths is the baseline to filter, and deviations from that baseline are the results.

| Status Code | Description |
|---|---|
| 200 | OK. The request succeeded and usually indicates a valid page or endpoint. A catch-all page that answers 200 to everything (a soft 404) must be filtered by size or word count first. |
| 204 | No Content. The request was processed but returned no body. Often an API endpoint that exists and accepted the request. |
| 301 | Moved Permanently. Typically a directory requested without its trailing slash; the Location header names the real path. |
| 302 | Found. Temporary redirect, commonly to a login page. Useful for spotting authentication boundaries and session handling. |
| 307 | Temporary Redirect. Like 302, but the request method and body are preserved. |
| 401 | Unauthorized. Authentication is required. Marks protected areas worth returning to with credentials. |
| 403 | Forbidden. The resource exists but access is denied. Often reveals restricted paths; a sudden blanket 403 for every payload usually means a WAF or rate limit has kicked in. |
| 404 | Not Found. The resource does not exist. The normal baseline; it is excluded by ffuf's default matcher. |
| 405 | Method Not Allowed. The path exists but not for this method; retry with -X POST or another method. |
| 500 | Internal Server Error. The server hit an unexpected condition. Worth investigating: the payload may have reached code that does not handle it. |
| 502 | Bad Gateway. A proxy or load balancer received an invalid response from the backend. |
| 503 | Service Unavailable. Often rate limiting or maintenance; slow down with -p or -rate before continuing. |
| 504 | Gateway Timeout. The backend did not respond to the proxy in time. May indicate backend issues or a payload that triggers slow processing. |

Examples

Target URL

ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt
# Output:
# admin            [Status: 301, Size: 0, Words: 1, Lines: 1]
# login            [Status: 200, Size: 1024, Words: 132, Lines: 15]

ffuf prints the payload that was substituted for FUZZ, not the full path. Add -v to see the complete URL and, for 3xx responses, the redirect target.

Wordlist Option

ffuf -u https://target.com/FUZZ -w wordlist.txt
# Output:
# secret           [Status: 403, Size: 512, Words: 22, Lines: 4]

A 403 is a finding in its own right: the path exists but is denied at this level. When a URL has several positions to fuzz, bind a keyword other than FUZZ with -w wordlist.txt:DIR.

Input from Command

ffuf -u https://target.com/FUZZ --input-cmd 'echo $FFUF_NUM' --input-num 100
# Output:
# 12               [Status: 200, Size: 900, Words: 100, Lines: 10]

The command runs once per payload with the iteration counter in the FFUF_NUM environment variable, and its whole stdout becomes that payload. Passing "seq 1 100" here would send all hundred numbers as one payload on every request, which is the common mistake with this option.

Fuzz Numeric Range

seq 1 100 > ids.txt
ffuf -u 'https://target.com/user?id=FUZZ' -w ids.txt
# Output:
# 42               [Status: 200, Size: 1500, Words: 150, Lines: 20]

--input-num is not a range; it only sets how many times --input-cmd is executed. For a plain numeric range a generated wordlist, as above, is simpler. Quote the URL so that the shell does not treat ? and & as glob or control characters.
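A payload generator for --input-cmd, covering both the "Input from Command" and "Fuzz Numeric Range" examples above. This is an added example and not code from ffuf or from this page. ffuf runs the command once per payload with the counter in FFUF_NUM and takes the command's entire stdout as the payload, so the script prints exactly one value and no newline. The report endpoint, the account URL, the start date and the first account number are assumptions made for the demonstration; the Luhn check digit is the standard ISO/IEC 7812 algorithm.

```python
"""gen_payload.py: payload generator for ffuf's --input-cmd.

ffuf runs this command once per payload, exporting the iteration counter in
FFUF_NUM, and uses the entire stdout as that payload. Assumed invocations:

  ffuf -u 'https://target.com/report?day=FUZZ' --input-cmd 'python3 gen_payload.py day' --input-num 366
  ffuf -u 'https://target.com/account/FUZZ' --input-cmd 'python3 gen_payload.py account' --input-num 1000
"""
import os
import sys
from datetime import date, timedelta

BASE_DAY = date(2024, 1, 1)   # assumed first day of the period to enumerate
BASE_ACCOUNT = 100000         # assumed first six-digit account number


def day_payload(n: int) -> str:
    """The n-th day after BASE_DAY in ISO 8601 form, e.g. 2024-01-01."""
    return (BASE_DAY + timedelta(days=n)).isoformat()


def luhn_check_digit(number: str) -> str:
    """Check digit that makes number + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 0:                     # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def account_payload(n: int) -> str:
    """Sequential account number with its Luhn check digit appended.

    Identifiers with a check digit are the classic case for --input-cmd: a
    plain numeric wordlist would spend nine requests out of ten on values the
    application rejects before doing anything interesting.
    """
    body = str(BASE_ACCOUNT + n)
    return body + luhn_check_digit(body)


GENERATORS = {"day": day_payload, "account": account_payload}


def payload(kind: str, env=os.environ) -> str:
    """Build the payload for the counter ffuf placed in FFUF_NUM (0 when run by hand)."""
    n = int(env.get("FFUF_NUM", "0"))
    if n < 0:
        raise ValueError("FFUF_NUM is never negative")
    return GENERATORS[kind](n)


if __name__ == "__main__":
    kind = sys.argv[1] if len(sys.argv) > 1 else "day"
    sys.stdout.write(payload(kind))   # no trailing newline: stdout replaces FUZZ verbatim
```

Try it by hand with FFUF_NUM=59 python3 gen_payload.py day before handing it to ffuf; whatever the command prints, including any stray newline or warning on stdout, ends up in the request.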

Filter by Status Code

ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404
# Output:
# Responses with status 404 are hidden

The default matcher already excludes 404, so this flag only adds something when the target answers with another code for unknown paths, for example -fc 403 on a host that returns 403 for everything it does not know.

Match Specific Status Code

ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200
# Output:
# dashboard        [Status: 200, Size: 2048, Words: 250, Lines: 25]

Setting -mc replaces the default matcher, so 301, 302, 401 and 403 results are no longer shown. Use -mc 200,301,302,401,403, or -mc all together with -fc 404, if you still want them.

Filter by Word Count

ffuf -u https://target.com/FUZZ -w wordlist.txt -fw 23
# Output:
# Responses whose body has exactly 23 words (here: the catch-all page) are hidden

Take the value from a first run against a few random names and note the word count of the page they all return. Every response has at least one word, so -fw 0 hides nothing.

Match by Line Count

ffuf -u https://target.com/FUZZ -w wordlist.txt -ml 10
# Output:
# help             [Status: 200, Size: 850, Words: 90, Lines: 10]

Filter by Size

ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 1234
# Output:
# Responses with a 1234-byte body are hidden; a page of exactly that size,
# such as a soft-404 template, never appears in the results

Filter by Regex

ffuf -u https://target.com/FUZZ -w wordlist.txt -fr "Not Found"
# Output:
# Responses whose headers or body match "Not Found" are hidden

The option is -fr; ffuf has no --filter-regex flag. The keyword FUZZ may appear in the pattern and is replaced by the current payload before matching, which lets you hide pages that merely echo the payload back.
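The matcher and filter options in the table and the examples above interact in a fixed way, and the word and line counts they operate on are not what most people expect. The following Python model is an added example, not code from ffuf or from this page: it reproduces the decision rule (a response is shown when at least one matcher accepts it and no filter rejects it), ffuf's counting of size, words and lines, and range specifications such as 200-299, then runs it over a constructed set of responses to show why -fs hides a soft-404 template while -fw 0 hides nothing. Regular expressions are checked against the body only here; ffuf also scans the response headers.

```python
"""Model of ffuf's matcher/filter decision and its size/word/line counting.

Added example, not code from ffuf or from the HackOps page. The sample
responses are constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from functools import partial
from typing import List, Optional, Tuple

# Status matcher ffuf 2.x applies when no -mc is given
DEFAULT_MC = "200-299,301,302,307,401,403,405,500"


@dataclass
class Response:
    status: int
    body: bytes

    @property
    def size(self) -> int:
        return len(self.body)

    @property
    def words(self) -> int:
        # Go's strings.Split(body, " ") yields one element for an empty body,
        # so the minimum word count is 1, never 0.
        return len(self.body.decode("utf-8", "replace").split(" "))

    @property
    def lines(self) -> int:
        return len(self.body.decode("utf-8", "replace").split("\n"))


def parse_spec(spec: str) -> List[Tuple[int, int]]:
    """'200-299,403' -> [(200, 299), (403, 403)]; 'all' covers every value."""
    if spec == "all":
        return [(0, 1 << 62)]
    out = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        out.append((int(lo), int(hi or lo)))
    return out


def in_spec(value: int, spec: str) -> bool:
    return any(lo <= value <= hi for lo, hi in parse_spec(spec))


@dataclass
class Rules:
    """One -m*/-f* value each; None means the flag was not given."""
    mc: str = DEFAULT_MC
    ms: Optional[str] = None
    mw: Optional[str] = None
    ml: Optional[str] = None
    mr: Optional[str] = None
    fc: Optional[str] = None
    fs: Optional[str] = None
    fw: Optional[str] = None
    fl: Optional[str] = None
    fr: Optional[str] = None


def _hits(specs) -> bool:
    """True when any (spec, predicate) pair with a given spec fires."""
    return any(spec is not None and pred(spec) for spec, pred in specs)


def is_shown(resp: Response, rules: Rules) -> bool:
    body = resp.body.decode("utf-8", "replace")
    status = partial(in_spec, resp.status)
    size = partial(in_spec, resp.size)
    words = partial(in_spec, resp.words)
    lines = partial(in_spec, resp.lines)
    regex = lambda pattern: re.search(pattern, body) is not None
    matchers = [(rules.mc, status), (rules.ms, size), (rules.mw, words),
                (rules.ml, lines), (rules.mr, regex)]
    filters = [(rules.fc, status), (rules.fs, size), (rules.fw, words),
               (rules.fl, lines), (rules.fr, regex)]
    # Default "or" modes: at least one matcher must accept the response ...
    if not _hits(matchers):
        return False
    # ... and any single filter is enough to drop it.
    return not _hits(filters)


# Constructed responses standing in for one content-discovery run
SAMPLES = {
    "admin":   Response(301, b""),
    "login":   Response(200, b"<html>\n<form>...</form>\n</html>"),
    "zzz":     Response(200, b"<html>\n<h1>Not Found</h1>\n</html>"),  # soft 404
    "qwerty":  Response(200, b"<html>\n<h1>Not Found</h1>\n</html>"),  # soft 404
    "secret":  Response(403, b"Forbidden"),
    "missing": Response(404, b"nope"),
}


def run(rules: Rules) -> List[str]:
    """Payloads ffuf would print for SAMPLES under the given rules, sorted."""
    return sorted(name for name, resp in SAMPLES.items() if is_shown(resp, rules))


if __name__ == "__main__":
    soft404 = SAMPLES["zzz"].size
    print("defaults:               ", run(Rules()))
    print("-fw 0 (changes nothing):", run(Rules(fw="0")))
    print(f"-fs {soft404}:                 ", run(Rules(fs=str(soft404))))
    print("-mc all -fr 'Not Found':", run(Rules(mc="all", fr="Not Found")))
```

Whether the default status matcher stays active once you add another matcher such as -mr has changed between ffuf releases; check ffuf -h for your version before relying on it.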

Output to File

ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.txt
# Output:
# Results written to results.txt (in JSON, the default format)

Specify Output Format

ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.json -of json
# Output:
# Results written in JSON format to results.json

Use -of csv or -of md for a spreadsheet or a report, and -of all to write every format at once; the -o value then serves as the filename prefix.
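Once results are in a file, the JSON output is the easiest to post-process. The script below is an added example, not part of ffuf or of this page: it loads a results document, summarises status codes, lists redirect targets and detects a soft-404 cluster (several 200 responses with identical size, word and line counts), from which it derives the -fs value for the next run. The embedded document is constructed for the demonstration; its field names (input, position, status, length, words, lines, content-type, redirectlocation, url) are the ones ffuf writes with -of json.

```python
"""Triage a ffuf JSON results file and derive a soft-404 filter.

Added example, not code from ffuf or from the HackOps page.
"""
import json
from collections import Counter
from typing import Dict, List

# Constructed stand-in for a file written with `-o results.json -of json`.
SAMPLE_JSON = """{
  "commandline": "ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.json -of json",
  "time": "2025-05-29T23:29:00+00:00",
  "results": [
    {"input": {"FUZZ": "admin"},  "position": 3,  "status": 301, "length": 0,    "words": 1,   "lines": 1,
     "content-type": "", "redirectlocation": "https://target.com/admin/", "url": "https://target.com/admin"},
    {"input": {"FUZZ": "login"},  "position": 7,  "status": 200, "length": 1024, "words": 132, "lines": 15,
     "content-type": "text/html", "redirectlocation": "", "url": "https://target.com/login"},
    {"input": {"FUZZ": "zzz"},    "position": 11, "status": 200, "length": 3417, "words": 410, "lines": 61,
     "content-type": "text/html", "redirectlocation": "", "url": "https://target.com/zzz"},
    {"input": {"FUZZ": "qwerty"}, "position": 12, "status": 200, "length": 3417, "words": 410, "lines": 61,
     "content-type": "text/html", "redirectlocation": "", "url": "https://target.com/qwerty"},
    {"input": {"FUZZ": "asdf"},   "position": 13, "status": 200, "length": 3417, "words": 410, "lines": 61,
     "content-type": "text/html", "redirectlocation": "", "url": "https://target.com/asdf"},
    {"input": {"FUZZ": "about"},  "position": 20, "status": 200, "length": 2210, "words": 301, "lines": 44,
     "content-type": "text/html", "redirectlocation": "", "url": "https://target.com/about"},
    {"input": {"FUZZ": "secret"}, "position": 31, "status": 403, "length": 512,  "words": 22,  "lines": 4,
     "content-type": "text/html", "redirectlocation": "", "url": "https://target.com/secret"}
  ]
}"""


def load_results(text: str) -> List[dict]:
    """Return the results array of a ffuf JSON document."""
    return json.loads(text)["results"]


def by_status(results: List[dict]) -> Dict[int, int]:
    """Number of results per HTTP status code."""
    return dict(Counter(r["status"] for r in results))


def redirects(results: List[dict]) -> Dict[str, str]:
    """Payload -> Location header for every redirecting result."""
    return {r["input"]["FUZZ"]: r["redirectlocation"]
            for r in results if r["redirectlocation"]}


def soft404_filter(results: List[dict], status: int = 200, min_hits: int = 3) -> str:
    """Suggest a -fs flag when several responses of `status` share one body shape.

    A catch-all page returns the same template for every unknown path, so an
    identical (length, words, lines) triple across unrelated payloads is the
    fingerprint of a soft 404. Returns '' when no cluster is large enough.
    """
    shapes = Counter((r["length"], r["words"], r["lines"])
                     for r in results if r["status"] == status)
    if not shapes:
        return ""
    (length, _words, _lines), hits = shapes.most_common(1)[0]
    return f"-fs {length}" if hits >= min_hits else ""


def triage(text: str) -> dict:
    """Bundle the three views for one results document."""
    results = load_results(text)
    return {"status": by_status(results),
            "redirects": redirects(results),
            "suggested_filter": soft404_filter(results)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_JSON).items():
        print(f"{key}: {value}")
```

Matching on the full (length, words, lines) triple rather than on size alone avoids flagging two genuinely different pages that happen to have the same byte count; the suggested flag still uses only -fs because that is the cheapest filter to apply on the rerun.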

Skip Empty Output File

ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.json -or
# Output:
# results.json is created only if at least one result matched

-or has nothing to do with redirects. The redirect target of a 3xx response is shown with -v, which prints each match with its full URL and the Location it points to.

Custom Header Fuzzing

ffuf -u http://127.0.0.1/ -H "Host: FUZZ.target.com" -w subdomains.txt
# Output:
# admin            [Status: 200, Size: 5120, Words: 500, Lines: 30]

Every virtual host that is not configured is answered with the default site, usually at an identical size, so send a few bogus names first and filter that size with -fs before reading the results.

Use POST Method

ffuf -X POST -d "username=admin&password=FUZZ" -u https://target.com/login -w rockyou.txt
# Output:
# letmein          [Status: 302, Size: 0, Words: 1, Lines: 1]

A failed login usually re-renders the form with status 200 and a constant size, while a success redirects; add -fc 200 or -fs with the size of the failure page so that only the success shows. Check the lockout policy and the scope of the engagement before running a large list against a login form.

POST Data with FUZZ

ffuf -X POST -d "q=FUZZ" -u https://target.com/search -w payloads.txt
# Output:
# admin            [Status: 200, Size: 4096, Words: 300, Lines: 40]

With -d, ffuf sends the body as application/x-www-form-urlencoded unless you set the header yourself; for a JSON API add -H "Content-Type: application/json" and put FUZZ inside the JSON document.

Threads for Speed

ffuf -u https://target.com/FUZZ -w wordlist.txt -t 100
# Output:
# Faster scan due to higher concurrency (the default is 40 threads)

More threads also mean more noise and a higher chance of tripping a rate limit or WAF, which can turn every response into a 403 or 429 and poison the results. -rate is the safer way to control throughput.

Delay Between Requests

ffuf -u https://target.com/FUZZ -w wordlist.txt -p 0.5
# Output:
# Slower scan with a 0.5 s pause between requests (useful to avoid rate limits)

A range such as -p 0.1-2.0 picks a random delay for each request.

Set Request Timeout

ffuf -u https://target.com/FUZZ -w wordlist.txt --timeout 5
# Output:
# Requests taking longer than 5 seconds are aborted and counted as errors (the default is 10 seconds)

See Also