|
|
Line 125: |
Line 125: |
| | [[#ex-maxtime-job|<code>-maxtime-job [SEC]</code>]] || Maximum time per job || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime-job 60</code> | | | [[#ex-maxtime-job|<code>-maxtime-job [SEC]</code>]] || Maximum time per job || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime-job 60</code> |
| |} | | |} |
|
| |
| == <span id="input"></span>Input Options ==
| |
| {| class="wikitable"
| |
| ! Command !! Description !! Usage
| |
| |-
| |
| | [[#ex-D|<code>-D</code>]] || DirSearch wordlist compatibility mode, use with -e || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -D -e php,html</code>
| |
| |-
| |
| | [[#ex-e|<code>-e [EXT]</code>]] || Comma-separated list of extensions to append || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -e php,txt</code>
| |
| |-
| |
| | [[#ex-ic|<code>-ic</code>]] || Ignore comment lines in wordlist || <code>ffuf -u https://target.com/FUZZ -w dict.txt -ic</code>
| |
| |-
| |
| | [[#ex-input-cmd|<code>--input-cmd</code>]] || Use output from a command as input || <code>ffuf --input-cmd "seq 1 100" --input-num 100 -u https://target.com/id=FUZZ</code>
| |
| |-
| |
| | [[#ex-input-num|<code>--input-num [NUM]</code>]] || Number of values from input-cmd || <code>ffuf --input-cmd "cat users.txt" --input-num 50 -u https://target.com/FUZZ</code>
| |
| |-
| |
| | [[#ex-input-shell|<code>--input-shell [SHELL]</code>]] || Shell used to run input-cmd || <code>ffuf --input-shell /bin/zsh --input-cmd "printf '%s\n' {A..Z}" --input-num 26 -u https://target.com/FUZZ</code>
| |
| |-
| |
| | [[#ex-mode|<code>-mode [TYPE]</code>]] || Multi-wordlist mode: clusterbomb or pitchfork || <code>ffuf -w users.txt:USER -w pass.txt:PASS -mode pitchfork -u https://target.com/login?u=USER&p=PASS</code>
| |
| |-
| |
| | [[#ex-request|<code>-request [FILE]</code>]] || Use raw HTTP request from file || <code>ffuf -request raw.txt -w dict.txt -u FUZZ</code>
| |
| |-
| |
| | [[#ex-request-proto|<code>-request-proto [PROTO]</code>]] || Protocol to use with raw request || <code>ffuf -request raw.txt -request-proto http -w dict.txt</code>
| |
| |}
| |
|
| |
| == <span id="headers"></span>Headers, Cookies & Methods ==
| |
| {| class="wikitable"
| |
| ! Command !! Description !! Usage
| |
| |-
| |
| | [[#ex-b|<code>-b "COOKIE=VALUE"</code>]] || Send cookies with request || <code>ffuf -u https://target.com/dashboard -b "SESSION=FUZZ" -w tokens.txt</code>
| |
| |-
| |
| | [[#ex-ignore-body|<code>-ignore-body</code>]] || Skip response body content || <code>ffuf -u https://target.com/FUZZ -w list.txt -ignore-body</code>
| |
| |-
| |
| | [[#ex-r|<code>-r</code>]] || Follow HTTP redirects || <code>ffuf -u https://target.com/FUZZ -w list.txt -r</code>
| |
| |-
| |
| | [[#ex-recursion|<code>-recursion</code>]] || Recursively scan directories (FUZZ must be at end) || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -recursion</code>
| |
| |-
| |
| | [[#ex-recursion-depth|<code>-recursion-depth [N]</code>]] || Max recursion depth for scanning || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -recursion -recursion-depth 2</code>
| |
| |-
| |
| | [[#ex-recursion-strategy|<code>-recursion-strategy [STR]</code>]] || Recursion strategy: default or greedy || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -recursion-strategy greedy</code>
| |
| |-
| |
| | [[#ex-replay-proxy|<code>-replay-proxy [URL]</code>]] || Proxy to replay matched requests || <code>ffuf -u https://target.com/FUZZ -w list.txt -replay-proxy http://127.0.0.1:8081</code>
| |
| |-
| |
| | [[#ex-x|<code>-x [PROXY]</code>]] || Proxy URL to route requests through || <code>ffuf -u https://target.com/FUZZ -w list.txt -x socks5://127.0.0.1:9050</code>
| |
| |}
| |
|
| |
| == <span id="filtering"></span>Filtering & Matching ==
| |
| {| class="wikitable"
| |
| ! Command !! Description !! Usage
| |
| |-
| |
| | [[#ex-mr|<code>-mr [REGEX]</code>]] || Match responses with regex in body || <code>ffuf -u https://target.com/FUZZ -w list.txt -mr "^Admin"</code>
| |
| |-
| |
| | [[#ex-ms|<code>-ms [BYTES]</code>]] || Match responses by size || <code>ffuf -u https://target.com/FUZZ -w list.txt -ms 1024</code>
| |
| |-
| |
| | [[#ex-mw|<code>-mw [WORDS]</code>]] || Match responses by word count || <code>ffuf -u https://target.com/FUZZ -w list.txt -mw 50</code>
| |
| |-
| |
| | [[#ex-fl|<code>-fl [LINES]</code>]] || Filter out by number of lines || <code>ffuf -u https://target.com/FUZZ -w list.txt -fl 0</code>
| |
| |-
| |
| | [[#ex-fr|<code>-fr [REGEX]</code>]] || Filter responses using regex || <code>ffuf -u https://target.com/FUZZ -w list.txt -fr "Not Found"</code>
| |
| |}
| |
|
| |
| == <span id="performance"></span>Performance ==
| |
| {| class="wikitable"
| |
| ! Command !! Description !! Usage
| |
| |-
| |
| | [[#ex-rate|<code>-rate [NUM]</code>]] || Max requests per second || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -rate 200</code>
| |
| |-
| |
| | [[#ex-maxtime|<code>-maxtime [SEC]</code>]] || Maximum total run time in seconds || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime 300</code>
| |
| |-
| |
| | [[#ex-maxtime-job|<code>-maxtime-job [SEC]</code>]] || Maximum time per job || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime-job 60</code>
| |
| |}
| |
|
| |
| == <span id="output"></span>Output & Format ==
| |
| {| class="wikitable"
| |
| ! Command !! Description !! Usage
| |
| |-
| |
| | [[#ex-debug-log|<code>-debug-log [FILE]</code>]] || Write internal log to file || <code>ffuf -u https://target.com/FUZZ -w list.txt -debug-log ffuf.log</code>
| |
| |-
| |
| | [[#ex-od|<code>-od [DIR]</code>]] || Output directory for matched results || <code>ffuf -u https://target.com/FUZZ -w list.txt -od ./matched</code>
| |
| |-
| |
| | [[#ex-or-out|<code>-or</code>]] || Don't write output file if no results || <code>ffuf -u https://target.com/FUZZ -w list.txt -o results.json -or</code>
| |
| |}
| |
|
| |
| == <span id="input"></span>Input Options ==
| |
| {| class="wikitable"
| |
| ! Command !! Description !! Usage
| |
| |-
| |
| | [[#ex-D|<code>-D</code>]] || DirSearch wordlist compatibility mode, use with -e || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -D -e php,html</code>
| |
| |-
| |
| | [[#ex-e|<code>-e [EXT]</code>]] || Comma-separated list of extensions to append || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -e php,txt</code>
| |
| |-
| |
| | [[#ex-ic|<code>-ic</code>]] || Ignore comment lines in wordlist || <code>ffuf -u https://target.com/FUZZ -w dict.txt -ic</code>
| |
| |-
| |
| | [[#ex-input-cmd|<code>--input-cmd</code>]] || Use output from a command as input || <code>ffuf --input-cmd "seq 1 100" --input-num 100 -u https://target.com/id=FUZZ</code>
| |
| |-
| |
| | [[#ex-input-num|<code>--input-num [NUM]</code>]] || Number of values from input-cmd || <code>ffuf --input-cmd "cat users.txt" --input-num 50 -u https://target.com/FUZZ</code>
| |
| |-
| |
| | [[#ex-input-shell|<code>--input-shell [SHELL]</code>]] || Shell used to run input-cmd || <code>ffuf --input-shell /bin/zsh --input-cmd "printf '%s\n' {A..Z}" --input-num 26 -u https://target.com/FUZZ</code>
| |
| |-
| |
| | [[#ex-mode|<code>-mode [TYPE]</code>]] || Multi-wordlist mode: clusterbomb or pitchfork || <code>ffuf -w users.txt:USER -w pass.txt:PASS -mode pitchfork -u https://target.com/login?u=USER&p=PASS</code>
| |
| |-
| |
| | [[#ex-request|<code>-request [FILE]</code>]] || Use raw HTTP request from file || <code>ffuf -request raw.txt -w dict.txt -u FUZZ</code>
| |
| |-
| |
| | [[#ex-request-proto|<code>-request-proto [PROTO]</code>]] || Protocol to use with raw request || <code>ffuf -request raw.txt -request-proto http -w dict.txt</code>
| |
| |}
| |
|
| |
| == <span id="headers"></span>Headers, Cookies & Methods ==
| |
| {| class="wikitable"
| |
| ! Command !! Description !! Usage
| |
| |-
| |
| | [[#ex-b|<code>-b "COOKIE=VALUE"</code>]] || Send cookies with request || <code>ffuf -u https://target.com/dashboard -b "SESSION=FUZZ" -w tokens.txt</code>
| |
| |-
| |
| | [[#ex-ignore-body|<code>-ignore-body</code>]] || Skip response body content || <code>ffuf -u https://target.com/FUZZ -w list.txt -ignore-body</code>
| |
| |-
| |
| | [[#ex-r|<code>-r</code>]] || Follow HTTP redirects || <code>ffuf -u https://target.com/FUZZ -w list.txt -r</code>
| |
| |-
| |
| | [[#ex-recursion|<code>-recursion</code>]] || Recursively scan directories (FUZZ must be at end) || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -recursion</code>
| |
| |-
| |
| | [[#ex-recursion-depth|<code>-recursion-depth [N]</code>]] || Max recursion depth for scanning || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -recursion -recursion-depth 2</code>
| |
| |-
| |
| | [[#ex-recursion-strategy|<code>-recursion-strategy [STR]</code>]] || Recursion strategy: default or greedy || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -recursion-strategy greedy</code>
| |
| |-
| |
| | [[#ex-replay-proxy|<code>-replay-proxy [URL]</code>]] || Proxy to replay matched requests || <code>ffuf -u https://target.com/FUZZ -w list.txt -replay-proxy http://127.0.0.1:8081</code>
| |
| |-
| |
| | [[#ex-x|<code>-x [PROXY]</code>]] || Proxy URL to route requests through || <code>ffuf -u https://target.com/FUZZ -w list.txt -x socks5://127.0.0.1:9050</code>
| |
| |}
| |
|
| |
| == <span id="filtering"></span>Filtering & Matching ==
| |
| {| class="wikitable"
| |
| ! Command !! Description !! Usage
| |
| |-
| |
| | [[#ex-mr|<code>-mr [REGEX]</code>]] || Match responses with regex in body || <code>ffuf -u https://target.com/FUZZ -w list.txt -mr "^Admin"</code>
| |
| |-
| |
| | [[#ex-ms|<code>-ms [BYTES]</code>]] || Match responses by size || <code>ffuf -u https://target.com/FUZZ -w list.txt -ms 1024</code>
| |
| |-
| |
| | [[#ex-mw|<code>-mw [WORDS]</code>]] || Match responses by word count || <code>ffuf -u https://target.com/FUZZ -w list.txt -mw 50</code>
| |
| |-
| |
| | [[#ex-fl|<code>-fl [LINES]</code>]] || Filter out by number of lines || <code>ffuf -u https://target.com/FUZZ -w list.txt -fl 0</code>
| |
| |-
| |
| | [[#ex-fr|<code>-fr [REGEX]</code>]] || Filter responses using regex || <code>ffuf -u https://target.com/FUZZ -w list.txt -fr "Not Found"</code>
| |
| |}
| |
|
| |
| == <span id="performance"></span>Performance ==
| |
| {| class="wikitable"
| |
| ! Command !! Description !! Usage
| |
| |-
| |
| | [[#ex-rate|<code>-rate [NUM]</code>]] || Max requests per second || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -rate 200</code>
| |
| |-
| |
| | [[#ex-maxtime|<code>-maxtime [SEC]</code>]] || Maximum total run time in seconds || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime 300</code>
| |
| |-
| |
| | [[#ex-maxtime-job|<code>-maxtime-job [SEC]</code>]] || Maximum time per job || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime-job 60</code>
| |
| |}
| |
|
| |
| == <span id="output"></span>Output & Format ==
| |
| {| class="wikitable"
| |
| ! Command !! Description !! Usage
| |
| |-
| |
| | [[#ex-debug-log|<code>-debug-log [FILE]</code>]] || Write internal log to file || <code>ffuf -u https://target.com/FUZZ -w list.txt -debug-log ffuf.log</code>
| |
| |-
| |
| | [[#ex-od|<code>-od [DIR]</code>]] || Output directory for matched results || <code>ffuf -u https://target.com/FUZZ -w list.txt -od ./matched</code>
| |
| |-
| |
| | [[#ex-or-out|<code>-or</code>]] || Don't write output file if no results || <code>ffuf -u https://target.com/FUZZ -w list.txt -o results.json -or</code>
| |
| |}
| |
|
| |
| == <span id="input"></span>Input Options ==
| |
| {| class="wikitable"
| |
| ! Command !! Description !! Usage
| |
| |-
| |
| | [[#ex-D|<code>-D</code>]] || DirSearch wordlist compatibility mode (use with <code>-e</code>) || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -D -e php,html</code>
| |
| |-
| |
| | [[#ex-e|<code>-e [EXT]</code>]] || Comma-separated list of extensions (extends <code>FUZZ</code>) || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -e php,txt</code>
| |
| |-
| |
| | [[#ex-ic|<code>-ic</code>]] || Ignore wordlist comments || <code>ffuf -u https://target.com/FUZZ -w dict.txt -ic</code>
| |
| |-
| |
| | [[#ex-input-cmd|<code>--input-cmd</code>]] || Use command output as input (requires <code>--input-num</code>) || <code>ffuf --input-cmd "seq 1 100" --input-num 100 -u https://target.com/id=FUZZ</code>
| |
| |-
| |
| | [[#ex-input-num|<code>--input-num [NUM]</code>]] || Number of inputs to test with <code>--input-cmd</code> || <code>ffuf --input-cmd "cat users.txt" --input-num 50 -u https://target.com/FUZZ</code>
| |
| |-
| |
| | [[#ex-input-shell|<code>--input-shell [SHELL]</code>]] || Shell used for <code>--input-cmd</code> || <code>ffuf --input-shell /bin/zsh --input-cmd "printf '%s\n' {A..Z}" --input-num 26 -u https://target.com/FUZZ</code>
| |
| |-
| |
| | [[#ex-mode|<code>-mode [TYPE]</code>]] || Multi-wordlist mode: <code>clusterbomb</code> / <code>pitchfork</code> || <code>ffuf -w users.txt:USER -w pass.txt:PASS -mode pitchfork -u https://target.com/login?u=USER&p=PASS</code>
| |
| |-
| |
| | [[#ex-request|<code>-request [FILE]</code>]] || Use raw HTTP request from file || <code>ffuf -request raw.txt -w dict.txt -u FUZZ</code>
| |
| |-
| |
| | [[#ex-request-proto|<code>-request-proto [PROTO]</code>]] || Protocol when using raw request (http/https) || <code>ffuf -request raw.txt -request-proto http -w dict.txt</code>
| |
| |}
| |
|
| |
| == <span id="headers"></span>Headers, Cookies & Methods ==
| |
| {| class="wikitable"
| |
| ! Command !! Description !! Usage
| |
| |-
| |
| | [[#ex-b|<code>-b "COOKIE=VALUE"</code>]] || Add cookie header || <code>ffuf -u https://target.com/dashboard -b "SESSION=FUZZ" -w tokens.txt</code>
| |
| |-
| |
| | [[#ex-ignore-body|<code>-ignore-body</code>]] || Do not fetch response body || <code>ffuf -u https://target.com/FUZZ -w list.txt -ignore-body</code>
| |
| |-
| |
| | [[#ex-r|<code>-r</code>]] || Follow redirects || <code>ffuf -u https://target.com/FUZZ -w list.txt -r</code>
| |
| |-
| |
| | [[#ex-recursion|<code>-recursion</code>]] || Recursive scan (URL must end in <code>FUZZ</code>) || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -recursion</code>
| |
| |-
| |
| | [[#ex-recursion-depth|<code>-recursion-depth [N]</code>]] || Maximum recursion depth || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -recursion -recursion-depth 2</code>
| |
| |-
| |
| | [[#ex-recursion-strategy|<code>-recursion-strategy [STR]</code>]] || Recursion strategy: <code>default</code> / <code>greedy</code> || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -recursion-strategy greedy</code>
| |
| |-
| |
| | [[#ex-replay-proxy|<code>-replay-proxy [URL]</code>]] || Replay matched requests through proxy || <code>ffuf -u https://target.com/FUZZ -w list.txt -replay-proxy http://127.0.0.1:8081</code>
| |
| |-
| |
| | [[#ex-x|<code>-x [PROXY]</code>]] || Send requests via proxy (HTTP/SOCKS5) || <code>ffuf -u https://target.com/FUZZ -w list.txt -x socks5://127.0.0.1:9050</code>
| |
| |}
| |
|
| |
| == <span id="filtering"></span>Filtering & Matching ==
| |
| {| class="wikitable"
| |
| ! Command !! Description !! Usage
| |
| |-
| |
| | [[#ex-mr|<code>-mr [REGEX]</code>]] || Match body using regular expression || <code>ffuf -u https://target.com/FUZZ -w list.txt -mr "^Admin"</code>
| |
| |-
| |
| | [[#ex-ms|<code>-ms [BYTES]</code>]] || Match exact response size || <code>ffuf -u https://target.com/FUZZ -w list.txt -ms 1024</code>
| |
| |-
| |
| | [[#ex-mw|<code>-mw [WORDS]</code>]] || Match by word count || <code>ffuf -u https://target.com/FUZZ -w list.txt -mw 50</code>
| |
| |-
| |
| | [[#ex-fl|<code>-fl [LINES]</code>]] || Filter by line count || <code>ffuf -u https://target.com/FUZZ -w list.txt -fl 0</code>
| |
| |-
| |
| | [[#ex-fr|<code>-fr [REGEX]</code>]] || Filter responses matching regex || <code>ffuf -u https://target.com/FUZZ -w list.txt -fr "Not Found"</code>
| |
| |}
| |
|
| |
| == <span id="performance"></span>Performance ==
| |
| {| class="wikitable"
| |
| ! Command !! Description !! Usage
| |
| |-
| |
| | [[#ex-rate|<code>-rate [NUM]</code>]] || Limit requests per second || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -rate 200</code>
| |
| |-
| |
| | [[#ex-maxtime|<code>-maxtime [SEC]</code>]] || Max total runtime || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime 300</code>
| |
| |-
| |
| | [[#ex-maxtime-job|<code>-maxtime-job [SEC]</code>]] || Max runtime per job || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime-job 60</code>
| |
| |}
| |
|
| |
| == <span id="output"></span>Output & Format ==
| |
| {| class="wikitable"
| |
| ! Command !! Description !! Usage
| |
| |-
| |
| | [[#ex-debug-log|<code>-debug-log [FILE]</code>]] || Write debug log to file || <code>ffuf -u https://target.com/FUZZ -w list.txt -debug-log ffuf.log</code>
| |
| |-
| |
| | [[#ex-od|<code>-od [DIR]</code>]] || Directory to store matched results || <code>ffuf -u https://target.com/FUZZ -w list.txt -od ./matched</code>
| |
| |-
| |
| | [[#ex-or-out|<code>-or</code>]] || Skip creating output file when no results || <code>ffuf -u https://target.com/FUZZ -w list.txt -o results.json -or</code>
| |
| |}
| |
|
| |
| == Examples == | | == Examples == |
|
| |
|
FFUF
FFUF (Fuzz Faster U Fool) is a fast and flexible web fuzzer used for discovering hidden files, directories, subdomains, GET and POST parameters, and more.
It is widely used in web application testing, especially during active reconnaissance and content discovery phases.
Target URL
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt
# Output:
# /admin [Status: 301, Size: 0, Words: 1, Lines: 1]
# /login [Status: 200, Size: 1024, Words: 132, Lines: 15]
Wordlist Option
ffuf -u https://target.com/FUZZ -w wordlist.txt
# Output:
# /secret [Status: 403, Size: 512, Words: 22, Lines: 4]
Input from Command
ffuf -u https://target.com/FUZZ --input-cmd "seq 1 100"
# Output:
# /12 [Status: 200, Size: 900, Words: 100, Lines: 10]
Fuzz Numeric Range
ffuf -u https://target.com/user?id=FUZZ --input-num 1-100
# Output:
# user?id=42 [Status: 200, Size: 1500, Words: 150, Lines: 20]
Filter by Status Code
ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404
# Output:
# All 404 responses are hidden
Match Specific Status Code
ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200
# Output:
# /dashboard [Status: 200, Size: 2048, Words: 250, Lines: 25]
Filter by Word Count
ffuf -u https://target.com/FUZZ -w wordlist.txt -fw 0
# Output:
# Only responses with more than 0 words are shown
Match by Line Count
ffuf -u https://target.com/FUZZ -w wordlist.txt -ml 10
# Output:
# /help [Status: 200, Size: 850, Words: 90, Lines: 10]
Filter by Size
ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 1234
# Output:
# Responses whose size is exactly 1234 bytes are hidden (e.g. /about [Status: 200, Size: 1234, Words: 140, Lines: 12] would not be listed)
Filter by Regex
ffuf -u https://target.com/FUZZ -w wordlist.txt --filter-regex "Not Found"
# Output:
# Only responses that do not contain "Not Found" in the body are shown
Output to File
ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.txt
# Output:
# Results saved to results.txt
Specify Output Format
ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.json -of json
# Output:
# Results saved in JSON format to results.json
Show Redirect Location
ffuf -u https://target.com/FUZZ -w wordlist.txt -or
# Output:
# /old-page [Status: 301, Redirect: /new-page]
ffuf -u http://127.0.0.1/ -H "Host: FUZZ.target.com" -w subdomains.txt
# Output:
# Host: admin.target.com [Status: 200, Size: 5120, Words: 500, Lines: 30]
Use POST Method
ffuf -X POST -d "username=admin&password=FUZZ" -u https://target.com/login -w rockyou.txt
# Output:
# Password guess "letmein" returns Status: 302 (Login success redirect)
POST Data with FUZZ
ffuf -X POST -d "q=FUZZ" -u https://target.com/search -w payloads.txt
# Output:
# Payload "admin" produces search results page (Status: 200)
Threads for Speed
ffuf -u https://target.com/FUZZ -w wordlist.txt -t 100
# Output:
# Faster scan because 100 requests run concurrently; high concurrency can trigger rate limiting or WAF blocking on the target (see -rate and -p to throttle)
Delay Between Requests
ffuf -u https://target.com/FUZZ -w wordlist.txt -p 0.5
# Output:
# Slower scan with 0.5s delay between requests (useful to avoid rate limits)
Set Request Timeout
ffuf -u https://target.com/FUZZ -w wordlist.txt --timeout 5
# Output:
# Requests that take longer than 5 seconds are aborted and do not appear as matches
See Also