Ffuf: Difference between revisions

From HackOps
Jump to navigation Jump to search
← Older editNewer edit →
VisualWikitext
Line 4: Line 4:
It is widely used in web application testing, especially during active reconnaissance and content discovery phases.
It is widely used in web application testing, especially during active reconnaissance and content discovery phases.


== <span id="options"></span>Common Options ==
== <span id="general"></span>Common Options ==
{| class="wikitable"
! Command !! Description !! Usage
|-
| [[#ex-V|<code>-V</code>]] || Show version information || <code>ffuf -V</code>
|-
| [[#ex-ac|<code>-ac</code>]] || Automatically calibrate filtering options || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -ac</code>
|-
| [[#ex-acc|<code>-acc "STRING"</code>]] || Custom auto-calibration string (can be used multiple times) – implies <code>-ac</code> || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -acc "Welcome"</code>
|-
| [[#ex-c|<code>-c</code>]] || Colorize output || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -c</code>
|-
| [[#ex-config|<code>-config [FILE]</code>]] || Load configuration from file || <code>ffuf -config ~/.ffufrc</code>
|-
| [[#ex-s|<code>-s</code>]] || Silent mode (suppress extra info) || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -s</code>
|-
| [[#ex-sa|<code>-sa</code>]] || Stop on all error cases (implies <code>-sf</code> and <code>-se</code>) || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -sa</code>
|-
| [[#ex-se|<code>-se</code>]] || Stop on spurious errors || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -se</code>
|-
| [[#ex-sf|<code>-sf</code>]] || Stop when &gt; 95 % of responses are 403 || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -sf</code>
|-
| [[#ex-v|<code>-v</code>]] || Verbose output (print full URL & redirect) || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -v</code>
|}


=== Target & Wordlist ===
== <span id="input"></span>Input Options ==
{| class="wikitable"
{| class="wikitable"
! Command !! Description !! Usage
! Command !! Description !! Usage
|-
|-
| [[#ex-u|<code>-u [URL]</code>]] || Target URL with the keyword FUZZ where payloads will be injected || <code>ffuf -u https://target.com/FUZZ</code>
| [[#ex-D|<code>-D</code>]] || DirSearch wordlist compatibility mode (use with <code>-e</code>) || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -D -e php,html</code>
|-
| [[#ex-e|<code>-e [EXT]</code>]] || Comma-separated list of extensions (extends <code>FUZZ</code>) || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -e php,txt</code>
|-
| [[#ex-ic|<code>-ic</code>]] || Ignore wordlist comments || <code>ffuf -u https://target.com/FUZZ -w dict.txt -ic</code>
|-
|-
| [[#ex-w|<code>-w [FILE]</code>]] || Wordlist file to use for fuzzing || <code>ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt</code>
| [[#ex-input-cmd|<code>--input-cmd</code>]] || Use command output as input (requires <code>--input-num</code>) || <code>ffuf --input-cmd "seq 1 100" --input-num 100 -u https://target.com/id=FUZZ</code>
|-
|-
| [[#ex-input-cmd|<code>--input-cmd</code>]] || Use the output of a command as input || <code>ffuf -u https://target.com/FUZZ --input-cmd "seq 1 100"</code>
| [[#ex-input-num|<code>--input-num [NUM]</code>]] || Number of inputs to test with <code>--input-cmd</code> || <code>ffuf --input-cmd "cat users.txt" --input-num 50 -u https://target.com/FUZZ</code>
|-
|-
| [[#ex-input-num|<code>--input-num</code>]] || Fuzz with a range of numbers || <code>ffuf -u https://target.com/user?id=FUZZ --input-num 1-100</code>
| [[#ex-input-shell|<code>--input-shell [SHELL]</code>]] || Shell used for <code>--input-cmd</code> || <code>ffuf --input-shell /bin/zsh --input-cmd "printf '%s\n' {A..Z}" --input-num 26 -u https://target.com/FUZZ</code>
|-
| [[#ex-mode|<code>-mode [TYPE]</code>]] || Multi-wordlist mode: <code>clusterbomb</code> / <code>pitchfork</code> || <code>ffuf -w users.txt:USER -w pass.txt:PASS -mode pitchfork -u https://target.com/login?u=USER&p=PASS</code>
|-
| [[#ex-request|<code>-request [FILE]</code>]] || Use raw HTTP request from file || <code>ffuf -request raw.txt -w dict.txt -u FUZZ</code>
|-
| [[#ex-request-proto|<code>-request-proto [PROTO]</code>]] || Protocol when using raw request (http/https) || <code>ffuf -request raw.txt -request-proto http -w dict.txt</code>
|}
|}


=== Filtering & Matching ===
== <span id="headers"></span>Headers, Cookies & Methods ==
{| class="wikitable"
{| class="wikitable"
! Command !! Description !! Usage
! Command !! Description !! Usage
|-
|-
| [[#ex-fc|<code>-fc [CODE]</code>]] || Filter out responses with the given HTTP status code || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404</code>
| [[#ex-b|<code>-b "COOKIE=VALUE"</code>]] || Add cookie header || <code>ffuf -u https://target.com/dashboard -b "SESSION=FUZZ" -w tokens.txt</code>
|-
|-
| [[#ex-mc|<code>-mc [CODE]</code>]] || Only show responses with specific HTTP status codes || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200</code>
| [[#ex-ignore-body|<code>-ignore-body</code>]] || Do not fetch response body || <code>ffuf -u https://target.com/FUZZ -w list.txt -ignore-body</code>
|-
|-
| [[#ex-fw|<code>-fw [WORDS]</code>]] || Filter responses by word count || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -fw 0</code>
| [[#ex-r|<code>-r</code>]] || Follow redirects || <code>ffuf -u https://target.com/FUZZ -w list.txt -r</code>
|-
|-
| [[#ex-ml|<code>-ml [LINES]</code>]] || Match only responses with specific number of lines || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -ml 10</code>
| [[#ex-recursion|<code>-recursion</code>]] || Recursive scan (URL must end in <code>FUZZ</code>) || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -recursion</code>
|-
|-
| [[#ex-fs|<code>-fs [BYTES]</code>]] || Filter by response size || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 1234</code>
| [[#ex-recursion-depth|<code>-recursion-depth [N]</code>]] || Maximum recursion depth || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -recursion -recursion-depth 2</code>
|-
|-
| [[#ex-filter-regex|<code>--filter-regex</code>]] || Filter responses based on regular expression in the body || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt --filter-regex "Not Found"</code>
| [[#ex-recursion-strategy|<code>-recursion-strategy [STR]</code>]] || Recursion strategy: <code>default</code> / <code>greedy</code> || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -recursion-strategy greedy</code>
|-
| [[#ex-replay-proxy|<code>-replay-proxy [URL]</code>]] || Replay matched requests through proxy || <code>ffuf -u https://target.com/FUZZ -w list.txt -replay-proxy http://127.0.0.1:8081</code>
|-
| [[#ex-x|<code>-x [PROXY]</code>]] || Send requests via proxy (HTTP/SOCKS5) || <code>ffuf -u https://target.com/FUZZ -w list.txt -x socks5://127.0.0.1:9050</code>
|}
|}


=== Output & Format ===
== <span id="filtering"></span>Filtering & Matching ==
{| class="wikitable"
{| class="wikitable"
! Command !! Description !! Usage
! Command !! Description !! Usage
|-
|-
| [[#ex-o|<code>-o [FILE]</code>]] || Save output to file || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.txt</code>
| [[#ex-mr|<code>-mr [REGEX]</code>]] || Match body using regular expression || <code>ffuf -u https://target.com/FUZZ -w list.txt -mr "^Admin"</code>
|-
| [[#ex-ms|<code>-ms [BYTES]</code>]] || Match exact response size || <code>ffuf -u https://target.com/FUZZ -w list.txt -ms 1024</code>
|-
| [[#ex-mw|<code>-mw [WORDS]</code>]] || Match by word count || <code>ffuf -u https://target.com/FUZZ -w list.txt -mw 50</code>
|-
|-
| [[#ex-of|<code>-of [FORMAT]</code>]] || Specify output format (json, html, csv, etc.) || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -of json -o output.json</code>
| [[#ex-fl|<code>-fl [LINES]</code>]] || Filter by line count || <code>ffuf -u https://target.com/FUZZ -w list.txt -fl 0</code>
|-
|-
| [[#ex-or|<code>-or</code>]] || Show redirect location in results || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -or</code>
| [[#ex-fr|<code>-fr [REGEX]</code>]] || Filter responses matching regex || <code>ffuf -u https://target.com/FUZZ -w list.txt -fr "Not&nbsp;Found"</code>
|}
|}


=== Headers & Methods ===
== <span id="performance"></span>Performance ==
{| class="wikitable"
{| class="wikitable"
! Command !! Description !! Usage
! Command !! Description !! Usage
|-
|-
| [[#ex-H|<code>-H "Header: Value"</code>]] || Add custom HTTP headers to the request || <code>ffuf -u http://127.0.0.1/ -H "Host: FUZZ.target.com" -w subdomains.txt</code>
| [[#ex-rate|<code>-rate [NUM]</code>]] || Limit requests per second || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -rate 200</code>
|-
|-
| [[#ex-X|<code>-X [METHOD]</code>]] || HTTP method to use (e.g. GET, POST) || <code>ffuf -X POST -d "username=admin&password=FUZZ" -u https://target.com/login -w rockyou.txt</code>
| [[#ex-maxtime|<code>-maxtime [SEC]</code>]] || Max total runtime || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime 300</code>
|-
|-
| [[#ex-d|<code>-d "DATA"</code>]] || Data to include in request body (use FUZZ inside the string) || <code>ffuf -X POST -d "q=FUZZ" -u https://target.com/search -w payloads.txt</code>
| [[#ex-maxtime-job|<code>-maxtime-job [SEC]</code>]] || Max runtime per job || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime-job 60</code>
|}
|}


=== Performance ===
== <span id="output"></span>Output & Format ==
{| class="wikitable"
{| class="wikitable"
! Command !! Description !! Usage
! Command !! Description !! Usage
|-
|-
| [[#ex-t|<code>-t [NUM]</code>]] || Number of concurrent threads || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -t 100</code>
| [[#ex-debug-log|<code>-debug-log [FILE]</code>]] || Write debug log to file || <code>ffuf -u https://target.com/FUZZ -w list.txt -debug-log ffuf.log</code>
|-
|-
| [[#ex-p|<code>-p [SECONDS]</code>]] || Delay between each request || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -p 0.5</code>
| [[#ex-od|<code>-od [DIR]</code>]] || Directory to store matched results || <code>ffuf -u https://target.com/FUZZ -w list.txt -od ./matched</code>
|-
|-
| [[#ex-timeout|<code>--timeout</code>]] || Set timeout for individual requests || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt --timeout 5</code>
| [[#ex-or-out|<code>-or</code>]] || Skip creating output file when no results || <code>ffuf -u https://target.com/FUZZ -w list.txt -o results.json -or</code>
|}
|}


Revision as of 01:01, 27 May 2025

FFUF

FFUF (Fuzz Faster U Fool) is a fast and flexible web fuzzer used for discovering hidden files, directories, subdomains, GET and POST parameters, and more. It is widely used in web application testing, especially during active reconnaissance and content discovery phases.

Common Options

Command Description Usage
-V Show version information ffuf -V
-ac Automatically calibrate filtering options ffuf -u https://target.com/FUZZ -w wordlist.txt -ac
-acc "STRING" Custom auto-calibration string (can be used multiple times) – implies -ac ffuf -u https://target.com/FUZZ -w wordlist.txt -acc "Welcome"
-c Colorize output ffuf -u https://target.com/FUZZ -w wordlist.txt -c
-config [FILE] Load configuration from file ffuf -config ~/.ffufrc
-s Silent mode (suppress extra info) ffuf -u https://target.com/FUZZ -w wordlist.txt -s
-sa Stop on all error cases (implies -sf and -se) ffuf -u https://target.com/FUZZ -w wordlist.txt -sa
-se Stop on spurious errors ffuf -u https://target.com/FUZZ -w wordlist.txt -se
-sf Stop when > 95 % of responses are 403 ffuf -u https://target.com/FUZZ -w wordlist.txt -sf
-v Verbose output (print full URL & redirect) ffuf -u https://target.com/FUZZ -w wordlist.txt -v

Input Options

Command Description Usage
-D DirSearch wordlist compatibility mode (use with -e) ffuf -u https://target.com/FUZZ -w dirs.txt -D -e php,html
-e [EXT] Comma-separated list of extensions (extends FUZZ) ffuf -u https://target.com/FUZZ -w dirs.txt -e php,txt
-ic Ignore wordlist comments ffuf -u https://target.com/FUZZ -w dict.txt -ic
--input-cmd Use command output as input (requires --input-num) ffuf --input-cmd "seq 1 100" --input-num 100 -u https://target.com/id=FUZZ
--input-num [NUM] Number of inputs to test with --input-cmd ffuf --input-cmd "cat users.txt" --input-num 50 -u https://target.com/FUZZ
--input-shell [SHELL] Shell used for --input-cmd ffuf --input-shell /bin/zsh --input-cmd "printf '%s\n' {A..Z}" --input-num 26 -u https://target.com/FUZZ
-mode [TYPE] Multi-wordlist mode: clusterbomb / pitchfork ffuf -w users.txt:USER -w pass.txt:PASS -mode pitchfork -u https://target.com/login?u=USER&p=PASS
-request [FILE] Use raw HTTP request from file ffuf -request raw.txt -w dict.txt -u FUZZ
-request-proto [PROTO] Protocol when using raw request (http/https) ffuf -request raw.txt -request-proto http -w dict.txt

Headers, Cookies & Methods

Command Description Usage
-b "COOKIE=VALUE" Add cookie header ffuf -u https://target.com/dashboard -b "SESSION=FUZZ" -w tokens.txt
-ignore-body Do not fetch response body ffuf -u https://target.com/FUZZ -w list.txt -ignore-body
-r Follow redirects ffuf -u https://target.com/FUZZ -w list.txt -r
-recursion Recursive scan (URL must end in FUZZ) ffuf -u https://target.com/FUZZ -w dirs.txt -recursion
-recursion-depth [N] Maximum recursion depth ffuf -u https://target.com/FUZZ -w dirs.txt -recursion -recursion-depth 2
-recursion-strategy [STR] Recursion strategy: default / greedy ffuf -u https://target.com/FUZZ -w dirs.txt -recursion-strategy greedy
-replay-proxy [URL] Replay matched requests through proxy ffuf -u https://target.com/FUZZ -w list.txt -replay-proxy http://127.0.0.1:8081
-x [PROXY] Send requests via proxy (HTTP/SOCKS5) ffuf -u https://target.com/FUZZ -w list.txt -x socks5://127.0.0.1:9050

Filtering & Matching

Command Description Usage
-mr [REGEX] Match body using regular expression ffuf -u https://target.com/FUZZ -w list.txt -mr "^Admin"
-ms [BYTES] Match exact response size ffuf -u https://target.com/FUZZ -w list.txt -ms 1024
-mw [WORDS] Match by word count ffuf -u https://target.com/FUZZ -w list.txt -mw 50
-fl [LINES] Filter by line count ffuf -u https://target.com/FUZZ -w list.txt -fl 0
-fr [REGEX] Filter responses matching regex ffuf -u https://target.com/FUZZ -w list.txt -fr "Not Found"

Performance

Command Description Usage
-rate [NUM] Limit requests per second ffuf -u https://target.com/FUZZ -w wordlist.txt -rate 200
-maxtime [SEC] Max total runtime ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime 300
-maxtime-job [SEC] Max runtime per job ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime-job 60

Output & Format

Command Description Usage
-debug-log [FILE] Write debug log to file ffuf -u https://target.com/FUZZ -w list.txt -debug-log ffuf.log
-od [DIR] Directory to store matched results ffuf -u https://target.com/FUZZ -w list.txt -od ./matched
-or Skip creating output file when no results ffuf -u https://target.com/FUZZ -w list.txt -o results.json -or

Examples

Target URL

ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt
# Output:
# /admin           [Status: 301, Size: 0, Words: 1, Lines: 1]
# /login           [Status: 200, Size: 1024, Words: 132, Lines: 15]

↑ Options

Wordlist Option

ffuf -u https://target.com/FUZZ -w wordlist.txt
# Output:
# /secret          [Status: 403, Size: 512, Words: 22, Lines: 4]

↑ Options

Input from Command

ffuf -u https://target.com/FUZZ --input-cmd "seq 1 100"
# Output:
# /12              [Status: 200, Size: 900, Words: 100, Lines: 10]

↑ Options

Fuzz Numeric Range

ffuf -u https://target.com/user?id=FUZZ --input-num 1-100
# Output:
# user?id=42       [Status: 200, Size: 1500, Words: 150, Lines: 20]

↑ Options

Filter by Status Code

ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404
# Output:
# All 404 responses are hidden

↑ Options

Match Specific Status Code

ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200
# Output:
# /dashboard       [Status: 200, Size: 2048, Words: 250, Lines: 25]

↑ Options

Filter by Word Count

ffuf -u https://target.com/FUZZ -w wordlist.txt -fw 0
# Output:
# Only responses with more than 0 words are shown

↑ Options

Match by Line Count

ffuf -u https://target.com/FUZZ -w wordlist.txt -ml 10
# Output:
# /help            [Status: 200, Size: 850, Words: 90, Lines: 10]

↑ Options

Filter by Size

ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 1234
# Output:
# /about           [Status: 200, Size: 1234, Words: 140, Lines: 12]

↑ Options

Filter by Regex

ffuf -u https://target.com/FUZZ -w wordlist.txt --filter-regex "Not Found"
# Output:
# Only responses that do not contain "Not Found" in the body are shown

↑ Options

Output to File

ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.txt
# Output:
# Results saved to results.txt

↑ Options

Specify Output Format

ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.json -of json
# Output:
# Results saved in JSON format to results.json

↑ Options

Show Redirect Location

ffuf -u https://target.com/FUZZ -w wordlist.txt -or
# Output:
# /old-page        [Status: 301, Redirect: /new-page]

↑ Options

Custom Header Fuzzing

ffuf -u http://127.0.0.1/ -H "Host: FUZZ.target.com" -w subdomains.txt
# Output:
# Host: admin.target.com   [Status: 200, Size: 5120, Words: 500, Lines: 30]

↑ Options

Use POST Method

ffuf -X POST -d "username=admin&password=FUZZ" -u https://target.com/login -w rockyou.txt
# Output:
# Password guess "letmein" returns Status: 302 (Login success redirect)

↑ Options

POST Data with FUZZ

ffuf -X POST -d "q=FUZZ" -u https://target.com/search -w payloads.txt
# Output:
# Payload "admin" produces search results page (Status: 200)

↑ Options

Threads for Speed

ffuf -u https://target.com/FUZZ -w wordlist.txt -t 100
# Output:
# Much faster scan due to increased concurrency

↑ Options

Delay Between Requests

ffuf -u https://target.com/FUZZ -w wordlist.txt -p 0.5
# Output:
# Slower scan with 0.5s delay between requests (useful to avoid rate limits)

↑ Options

Set Request Timeout

ffuf -u https://target.com/FUZZ -w wordlist.txt --timeout 5
# Output:
# Requests that take more than 5 seconds will be skipped

↑ Options


See Also

Retrieved from "https://hackops.wiki/index.php?title=Ffuf&oldid=109"