Ffuf: Difference between revisions

From HackOps
Created page with "= FFUF = '''FFUF''' (Fuzz Faster U Fool) is a fast and flexible web fuzzer used for discovering hidden files, directories, subdomains, GET and POST parameters, and more. It is widely used in web application testing, especially during active reconnaissance and content discovery phases. == <span id="options"></span>Common Options == === Target & Wordlist === {| class="wikitable" ! Option !! Description |- | -u [URL] || Target URL with the keyword FUZZ wher..."
 
Line 8: Line 8:
=== Target & Wordlist ===
=== Target & Wordlist ===
{| class="wikitable"
{| class="wikitable"
! Option !! Description
! Command !! Description !! Usage
|-
|-
| [[#ex-u| -u [URL] ]] || Target URL with the keyword FUZZ where payloads will be injected
| [[#ex-u|<code>-u [URL]</code>]] || Target URL with the keyword FUZZ where payloads will be injected || <code>ffuf -u https://target.com/FUZZ</code>
|-
|-
| [[#ex-w| -w [FILE] ]] || Wordlist file to use for fuzzing
| [[#ex-w|<code>-w [FILE]</code>]] || Wordlist file to use for fuzzing || <code>ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt</code>
|-
|-
| [[#ex-input-cmd| --input-cmd ]] || Use the output of a command as input (e.g. seq 1 100)
| [[#ex-input-cmd|<code>--input-cmd</code>]] || Use the output of a command as input || <code>ffuf -u https://target.com/FUZZ --input-cmd "seq 1 100"</code>
|-
|-
| [[#ex-input-num| --input-num ]] || Fuzz with a range of numbers (e.g. 1-100)
| [[#ex-input-num|<code>--input-num</code>]] || Fuzz with a range of numbers || <code>ffuf -u https://target.com/user?id=FUZZ --input-num 1-100</code>
|}
|}


=== Filtering & Matching ===
=== Filtering & Matching ===
{| class="wikitable"
{| class="wikitable"
! Option !! Description
! Command !! Description !! Usage
|-
|-
| [[#ex-fc| -fc [CODE] ]] || Filter out responses with the given HTTP status code
| [[#ex-fc|<code>-fc [CODE]</code>]] || Filter out responses with the given HTTP status code || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404</code>
|-
|-
| [[#ex-mc| -mc [CODE] ]] || Only show responses with specific HTTP status codes
| [[#ex-mc|<code>-mc [CODE]</code>]] || Only show responses with specific HTTP status codes || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200</code>
|-
|-
| [[#ex-fw| -fw [WORDS] ]] || Filter responses by word count
| [[#ex-fw|<code>-fw [WORDS]</code>]] || Filter responses by word count || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -fw 0</code>
|-
|-
| [[#ex-ml| -ml [LINES] ]] || Match only responses with specific number of lines
| [[#ex-ml|<code>-ml [LINES]</code>]] || Match only responses with specific number of lines || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -ml 10</code>
|-
|-
| [[#ex-fs| -fs [BYTES] ]] || Filter by response size
| [[#ex-fs|<code>-fs [BYTES]</code>]] || Filter by response size || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 1234</code>
|-
|-
| [[#ex-filter-regex| --filter-regex ]] || Filter responses based on regular expression in the body
| [[#ex-filter-regex|<code>--filter-regex</code>]] || Filter responses based on regular expression in the body || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt --filter-regex "Not Found"</code>
|}
|}


=== Output & Format ===
=== Output & Format ===
{| class="wikitable"
{| class="wikitable"
! Option !! Description
! Command !! Description !! Usage
|-
|-
| [[#ex-o| -o [FILE] ]] || Save output to file
| [[#ex-o|<code>-o [FILE]</code>]] || Save output to file || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.txt</code>
|-
|-
| [[#ex-of| -of [FORMAT] ]] || Specify output format (json, html, csv, etc.)
| [[#ex-of|<code>-of [FORMAT]</code>]] || Specify output format (json, html, csv, etc.) || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -of json -o output.json</code>
|-
|-
| [[#ex-or| -or ]] || Show redirect location in results
| [[#ex-or|<code>-or</code>]] || Show redirect location in results || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -or</code>
|}
|}


=== Headers & Methods ===
=== Headers & Methods ===
{| class="wikitable"
{| class="wikitable"
! Option !! Description
! Command !! Description !! Usage
|-
|-
| [[#ex-H| -H "Header: Value" ]] || Add custom HTTP headers to the request
| [[#ex-H|<code>-H "Header: Value"</code>]] || Add custom HTTP headers to the request || <code>ffuf -u http://127.0.0.1/ -H "Host: FUZZ.target.com" -w subdomains.txt</code>
|-
|-
| [[#ex-X| -X [METHOD] ]] || HTTP method to use (e.g. GET, POST)
| [[#ex-X|<code>-X [METHOD]</code>]] || HTTP method to use (e.g. GET, POST) || <code>ffuf -X POST -d "username=admin&password=FUZZ" -u https://target.com/login -w rockyou.txt</code>
|-
|-
| [[#ex-d| -d "DATA" ]] || Data to include in request body (use FUZZ inside the string)
| [[#ex-d|<code>-d "DATA"</code>]] || Data to include in request body (use FUZZ inside the string) || <code>ffuf -X POST -d "q=FUZZ" -u https://target.com/search -w payloads.txt</code>
|}
|}


=== Performance ===
=== Performance ===
{| class="wikitable"
{| class="wikitable"
! Option !! Description
! Command !! Description !! Usage
|-
|-
| [[#ex-t| -t [NUM] ]] || Number of concurrent threads
| [[#ex-t|<code>-t [NUM]</code>]] || Number of concurrent threads || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -t 100</code>
|-
|-
| [[#ex-p| -p [SECONDS] ]] || Delay between each request
| [[#ex-p|<code>-p [SECONDS]</code>]] || Delay between each request || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -p 0.5</code>
|-
|-
| [[#ex-timeout| --timeout ]] || Set timeout for individual requests
| [[#ex-timeout|<code>--timeout</code>]] || Set timeout for individual requests || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt --timeout 5</code>
|}
|}
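Review bot: three rows in the new Usage column use flags that do not match ffuf's own help output and should be checked against `ffuf -h` before this revision stands. `--filter-regex` is not a ffuf option (the regexp filter is `-fr`). The `-or` row describes showing the redirect location, but in ffuf `-or` means do not create the output file when there are no results. The `--input-num 1-100` usage passes a range where ffuf expects a count of inputs, used together with `--input-cmd`. The `-o` usage also writes to `results.txt` without `-of`, so the file will hold the default JSON format; naming it `results.json` or adding `-of` would avoid surprises.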



Revision as of 17:25, 26 May 2025

FFUF

FFUF (Fuzz Faster U Fool) is a fast and flexible web fuzzer used for discovering hidden files, directories, subdomains, GET and POST parameters, and more. It is widely used in web application testing, especially during active reconnaissance and content discovery phases.

Common Options

Target & Wordlist

{| class="wikitable"
! Command !! Description !! Usage
|-
| <code>-u [URL]</code> || Target URL with the keyword FUZZ where payloads will be injected || <code>ffuf -u https://target.com/FUZZ</code>
|-
| <code>-w [FILE]</code> || Wordlist file to use for fuzzing || <code>ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt</code>
|-
| <code>--input-cmd</code> || Use the output of a command as input || <code>ffuf -u https://target.com/FUZZ --input-cmd "seq 1 100"</code>
|-
| <code>--input-num</code> || Fuzz with a range of numbers || <code>ffuf -u https://target.com/user?id=FUZZ --input-num 1-100</code>
|}

Filtering & Matching

{| class="wikitable"
! Command !! Description !! Usage
|-
| <code>-fc [CODE]</code> || Filter out responses with the given HTTP status code || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404</code>
|-
| <code>-mc [CODE]</code> || Only show responses with specific HTTP status codes || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200</code>
|-
| <code>-fw [WORDS]</code> || Filter responses by word count || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -fw 0</code>
|-
| <code>-ml [LINES]</code> || Match only responses with specific number of lines || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -ml 10</code>
|-
| <code>-fs [BYTES]</code> || Filter by response size || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 1234</code>
|-
| <code>-fr</code> || Filter responses based on regular expression in the body || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -fr "Not Found"</code>
|}

Output & Format

{| class="wikitable"
! Command !! Description !! Usage
|-
| <code>-o [FILE]</code> || Save output to file || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.txt</code>
|-
| <code>-of [FORMAT]</code> || Specify output format (json, html, csv, etc.) || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -of json -o output.json</code>
|-
| <code>-or</code> || Show redirect location in results || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -or</code>
|}

Headers & Methods

{| class="wikitable"
! Command !! Description !! Usage
|-
| <code>-H "Header: Value"</code> || Add custom HTTP headers to the request || <code>ffuf -u http://127.0.0.1/ -H "Host: FUZZ.target.com" -w subdomains.txt</code>
|-
| <code>-X [METHOD]</code> || HTTP method to use (e.g. GET, POST) || <code>ffuf -X POST -d "username=admin&password=FUZZ" -u https://target.com/login -w rockyou.txt</code>
|-
| <code>-d "DATA"</code> || Data to include in request body (use FUZZ inside the string) || <code>ffuf -X POST -d "q=FUZZ" -u https://target.com/search -w payloads.txt</code>
|}

Performance

{| class="wikitable"
! Command !! Description !! Usage
|-
| <code>-t [NUM]</code> || Number of concurrent threads || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -t 100</code>
|-
| <code>-p [SECONDS]</code> || Delay between each request || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -p 0.5</code>
|-
| <code>--timeout</code> || Set timeout for individual requests || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt --timeout 5</code>
|}

Examples

Target URL

ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt
# Output:
# /admin           [Status: 301, Size: 0, Words: 1, Lines: 1]
# /login           [Status: 200, Size: 1024, Words: 132, Lines: 15]


Wordlist Option

ffuf -u https://target.com/FUZZ -w wordlist.txt
# Output:
# /secret          [Status: 403, Size: 512, Words: 22, Lines: 4]


Input from Command

ffuf -u https://target.com/FUZZ --input-cmd "seq 1 100"
# Output:
# /12              [Status: 200, Size: 900, Words: 100, Lines: 10]


Fuzz Numeric Range

ffuf -u https://target.com/user?id=FUZZ --input-num 1-100
# Output:
# user?id=42       [Status: 200, Size: 1500, Words: 150, Lines: 20]


Filter by Status Code

ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404
# Output:
# All 404 responses are hidden


Match Specific Status Code

ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200
# Output:
# /dashboard       [Status: 200, Size: 2048, Words: 250, Lines: 25]


Filter by Word Count

ffuf -u https://target.com/FUZZ -w wordlist.txt -fw 0
# Output:
# Only responses with more than 0 words are shown


Match by Line Count

ffuf -u https://target.com/FUZZ -w wordlist.txt -ml 10
# Output:
# /help            [Status: 200, Size: 850, Words: 90, Lines: 10]


Filter by Size

ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 1234
# Output:
# Responses with Size: 1234, such as /about, are hidden


Filter by Regex

ffuf -u https://target.com/FUZZ -w wordlist.txt -fr "Not Found"
# Output:
# Only responses that do not contain "Not Found" in the body are shown
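
The difference between the match options (-mc, -ml) and the filter options (-fc, -fs, -fw) in the examples above, as an added example that is not part of the original page or of ffuf itself: it parses result lines in the format these examples print and applies a simplified model of the two option families. The names parse, select and SAMPLE, and the sample values, are constructed for illustration.

```python
import re

# Result-line format as printed in this page's examples; newer ffuf builds
# append extra fields (e.g. Duration), which the optional group tolerates.
LINE_RE = re.compile(
    r"^(?P<input>\S+)\s+\[Status: (?P<status>\d+), Size: (?P<size>\d+), "
    r"Words: (?P<words>\d+), Lines: (?P<lines>\d+)(?:, [^\]]*)?\]$"
)

# Constructed sample in that format (illustrative values, not real scan output).
SAMPLE = """\
/admin           [Status: 301, Size: 0, Words: 1, Lines: 1]
/login           [Status: 200, Size: 1024, Words: 132, Lines: 15]
/secret          [Status: 403, Size: 512, Words: 22, Lines: 4]
/help            [Status: 200, Size: 850, Words: 90, Lines: 10]
/about           [Status: 200, Size: 1234, Words: 140, Lines: 12]
"""

def parse(text):
    """Turn result lines into dicts; lines that do not fit the format are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = {k: int(v) for k, v in m.groupdict().items() if k != "input"}
            row["input"] = m.group("input")
            rows.append(row)
    return rows

def select(rows, match=None, filters=None):
    """Return the inputs that stay visible. match/filters map a field
    (status, size, words, lines) to a set of values. Assumed model: a row must
    satisfy at least one matcher (if any are given) and no filter."""
    match, filters = match or {}, filters or {}
    shown = []
    for r in rows:
        matched = not match or any(r[f] in v for f, v in match.items())
        hidden = any(r[f] in v for f, v in filters.items())
        if matched and not hidden:
            shown.append(r["input"])
    return shown

if __name__ == "__main__":
    rows = parse(SAMPLE)
    print("-fs 1234 ->", select(rows, filters={"size": {1234}}))
    print("-mc 200  ->", select(rows, match={"status": {200}}))
```

A filter removes the rows that carry the given value, while a matcher keeps only those rows, so -fs 1234 hides /about and -mc 200 keeps it.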


Output to File

ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.txt
# Output:
# Results saved to results.txt


Specify Output Format

ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.json -of json
# Output:
# Results saved in JSON format to results.json


Show Redirect Location

ffuf -u https://target.com/FUZZ -w wordlist.txt -or
# Output:
# /old-page        [Status: 301, Redirect: /new-page]


Custom Header Fuzzing

ffuf -u http://127.0.0.1/ -H "Host: FUZZ.target.com" -w subdomains.txt
# Output:
# Host: admin.target.com   [Status: 200, Size: 5120, Words: 500, Lines: 30]


Use POST Method

ffuf -X POST -d "username=admin&password=FUZZ" -u https://target.com/login -w rockyou.txt
# Output:
# Password guess "letmein" returns Status: 302 (Login success redirect)


POST Data with FUZZ

ffuf -X POST -d "q=FUZZ" -u https://target.com/search -w payloads.txt
# Output:
# Payload "admin" produces search results page (Status: 200)


Threads for Speed

ffuf -u https://target.com/FUZZ -w wordlist.txt -t 100
# Output:
# Much faster scan due to increased concurrency


Delay Between Requests

ffuf -u https://target.com/FUZZ -w wordlist.txt -p 0.5
# Output:
# Slower scan with 0.5s delay between requests (useful to avoid rate limits)


Set Request Timeout

ffuf -u https://target.com/FUZZ -w wordlist.txt --timeout 5
# Output:
# Requests that take more than 5 seconds will be skipped



See Also