Revision as of 01:05, 27 May 2025

FFUF

FFUF (Fuzz Faster U Fool) is a fast and flexible web fuzzer used for discovering hidden files, directories, subdomains, GET and POST parameters, and more. It is widely used in web application testing, especially during active reconnaissance and content discovery phases.

Common Options

Target & Wordlist

Command	Description	Usage
`-u [URL]`	Target URL with the keyword FUZZ where payloads will be injected	`ffuf -u https://target.com/FUZZ`
`-w [FILE]`	Wordlist file to use for fuzzing	`ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt`

Input Options

Command	Description	Usage
`-D`	DirSearch wordlist compatibility mode, use with -e	`ffuf -u https://target.com/FUZZ -w dirs.txt -D -e php,html`
`-e [EXT]`	Comma-separated list of extensions to append	`ffuf -u https://target.com/FUZZ -w dirs.txt -e php,txt`
`-ic`	Ignore comment lines in wordlist	`ffuf -u https://target.com/FUZZ -w dict.txt -ic`
`--input-cmd`	Use output from a command as input	`ffuf --input-cmd "seq 1 100" --input-num 100 -u https://target.com/id=FUZZ`
`--input-num [NUM]`	Number of values from input-cmd	`ffuf --input-cmd "cat users.txt" --input-num 50 -u https://target.com/FUZZ`
`--input-shell [SHELL]`	Shell used to run input-cmd	`ffuf --input-shell /bin/zsh --input-cmd "printf '%s\n' {A..Z}" --input-num 26 -u https://target.com/FUZZ`
`-mode [TYPE]`	Multi-wordlist mode: clusterbomb or pitchfork	`ffuf -w users.txt:USER -w pass.txt:PASS -mode pitchfork -u https://target.com/login?u=USER&p=PASS`
`-request [FILE]`	Use raw HTTP request from file	`ffuf -request raw.txt -w dict.txt -u FUZZ`
`-request-proto [PROTO]`	Protocol to use with raw request	`ffuf -request raw.txt -request-proto http -w dict.txt`

Filtering & Matching

Command	Description	Usage
`-fc [CODE]`	Filter out responses with the given HTTP status code	`ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404`
`-mc [CODE]`	Only show responses with specific HTTP status codes	`ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200`
`-fw [WORDS]`	Filter responses by word count	`ffuf -u https://target.com/FUZZ -w wordlist.txt -fw 0`
`-ml [LINES]`	Match only responses with specific number of lines	`ffuf -u https://target.com/FUZZ -w wordlist.txt -ml 10`
`-fs [BYTES]`	Filter by response size	`ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 1234`
`--filter-regex`	Filter responses based on regular expression in the body	`ffuf -u https://target.com/FUZZ -w wordlist.txt --filter-regex "Not Found"`
`-mr [REGEX]`	Match responses with regex in body	`ffuf -u https://target.com/FUZZ -w list.txt -mr "^Admin"`
`-ms [BYTES]`	Match responses by exact size	`ffuf -u https://target.com/FUZZ -w list.txt -ms 1024`
`-mw [WORDS]`	Match responses by word count	`ffuf -u https://target.com/FUZZ -w list.txt -mw 50`
`-fl [LINES]`	Filter out by number of lines	`ffuf -u https://target.com/FUZZ -w list.txt -fl 0`
`-fr [REGEX]`	Filter responses using regex	`ffuf -u https://target.com/FUZZ -w list.txt -fr "Not Found"`

Headers, Cookies & Methods

Command	Description	Usage
`-H "Header: Value"`	Add custom HTTP headers to the request	`ffuf -u http://127.0.0.1/ -H "Host: FUZZ.target.com" -w subdomains.txt`
`-X [METHOD]`	HTTP method to use (e.g. GET, POST)	`ffuf -X POST -d "username=admin&password=FUZZ" -u https://target.com/login -w rockyou.txt`
`-d "DATA"`	Data to include in request body	`ffuf -X POST -d "q=FUZZ" -u https://target.com/search -w payloads.txt`
`-b "COOKIE=VALUE"`	Send cookies with request	`ffuf -u https://target.com/dashboard -b "SESSION=FUZZ" -w tokens.txt`
`-ignore-body`	Skip response body content	`ffuf -u https://target.com/FUZZ -w list.txt -ignore-body`
`-r`	Follow HTTP redirects	`ffuf -u https://target.com/FUZZ -w list.txt -r`
`-recursion`	Recursively scan directories (FUZZ must be at end)	`ffuf -u https://target.com/FUZZ -w dirs.txt -recursion`
`-recursion-depth [N]`	Max recursion depth for scanning	`ffuf -u https://target.com/FUZZ -w dirs.txt -recursion -recursion-depth 2`
`-recursion-strategy [STR]`	Recursion strategy: default or greedy	`ffuf -u https://target.com/FUZZ -w dirs.txt -recursion-strategy greedy`
`-replay-proxy [URL]`	Proxy to replay matched requests	`ffuf -u https://target.com/FUZZ -w list.txt -replay-proxy http://127.0.0.1:8081`
`-x [PROXY]`	Proxy URL to route requests through	`ffuf -u https://target.com/FUZZ -w list.txt -x socks5://127.0.0.1:9050`

Output & Format

Command	Description	Usage
`-o [FILE]`	Write output to file	`ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.txt`
`-of [FORMAT]`	Output file format (json, html, csv, etc.)	`ffuf -u https://target.com/FUZZ -w wordlist.txt -of json -o output.json`
`-or`	Don't create output file if no results	`ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.txt -or`
`-debug-log [FILE]`	Write internal log to file	`ffuf -u https://target.com/FUZZ -w list.txt -debug-log ffuf.log`
`-od [DIR]`	Output directory for matched results	`ffuf -u https://target.com/FUZZ -w list.txt -od ./matched`

Performance

Command	Description	Usage
`-t [NUM]`	Number of concurrent threads	`ffuf -u https://target.com/FUZZ -w wordlist.txt -t 100`
`-p [SECONDS]`	Delay between each request	`ffuf -u https://target.com/FUZZ -w wordlist.txt -p 0.5`
`-rate [NUM]`	Max requests per second	`ffuf -u https://target.com/FUZZ -w wordlist.txt -rate 200`
`--timeout [SEC]`	Set timeout for individual requests	`ffuf -u https://target.com/FUZZ -w wordlist.txt --timeout 5`
`-maxtime [SEC]`	Maximum total run time in seconds	`ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime 300`
`-maxtime-job [SEC]`	Maximum time per job	`ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime-job 60`

Input Options

Command	Description	Usage
`-D`	DirSearch wordlist compatibility mode, use with -e	`ffuf -u https://target.com/FUZZ -w dirs.txt -D -e php,html`
`-e [EXT]`	Comma-separated list of extensions to append	`ffuf -u https://target.com/FUZZ -w dirs.txt -e php,txt`
`-ic`	Ignore comment lines in wordlist	`ffuf -u https://target.com/FUZZ -w dict.txt -ic`
`--input-cmd`	Use output from a command as input	`ffuf --input-cmd "seq 1 100" --input-num 100 -u https://target.com/id=FUZZ`
`--input-num [NUM]`	Number of values from input-cmd	`ffuf --input-cmd "cat users.txt" --input-num 50 -u https://target.com/FUZZ`
`--input-shell [SHELL]`	Shell used to run input-cmd	`ffuf --input-shell /bin/zsh --input-cmd "printf '%s\n' {A..Z}" --input-num 26 -u https://target.com/FUZZ`
`-mode [TYPE]`	Multi-wordlist mode: clusterbomb or pitchfork	`ffuf -w users.txt:USER -w pass.txt:PASS -mode pitchfork -u https://target.com/login?u=USER&p=PASS`
`-request [FILE]`	Use raw HTTP request from file	`ffuf -request raw.txt -w dict.txt -u FUZZ`
`-request-proto [PROTO]`	Protocol to use with raw request	`ffuf -request raw.txt -request-proto http -w dict.txt`

Headers, Cookies & Methods

Command	Description	Usage
`-b "COOKIE=VALUE"`	Send cookies with request	`ffuf -u https://target.com/dashboard -b "SESSION=FUZZ" -w tokens.txt`
`-ignore-body`	Skip response body content	`ffuf -u https://target.com/FUZZ -w list.txt -ignore-body`
`-r`	Follow HTTP redirects	`ffuf -u https://target.com/FUZZ -w list.txt -r`
`-recursion`	Recursively scan directories (FUZZ must be at end)	`ffuf -u https://target.com/FUZZ -w dirs.txt -recursion`
`-recursion-depth [N]`	Max recursion depth for scanning	`ffuf -u https://target.com/FUZZ -w dirs.txt -recursion -recursion-depth 2`
`-recursion-strategy [STR]`	Recursion strategy: default or greedy	`ffuf -u https://target.com/FUZZ -w dirs.txt -recursion-strategy greedy`
`-replay-proxy [URL]`	Proxy to replay matched requests	`ffuf -u https://target.com/FUZZ -w list.txt -replay-proxy http://127.0.0.1:8081`
`-x [PROXY]`	Proxy URL to route requests through	`ffuf -u https://target.com/FUZZ -w list.txt -x socks5://127.0.0.1:9050`

Filtering & Matching

Command	Description	Usage
`-mr [REGEX]`	Match responses with regex in body	`ffuf -u https://target.com/FUZZ -w list.txt -mr "^Admin"`
`-ms [BYTES]`	Match responses by size	`ffuf -u https://target.com/FUZZ -w list.txt -ms 1024`
`-mw [WORDS]`	Match responses by word count	`ffuf -u https://target.com/FUZZ -w list.txt -mw 50`
`-fl [LINES]`	Filter out by number of lines	`ffuf -u https://target.com/FUZZ -w list.txt -fl 0`
`-fr [REGEX]`	Filter responses using regex	`ffuf -u https://target.com/FUZZ -w list.txt -fr "Not Found"`

Performance

Command	Description	Usage
`-rate [NUM]`	Max requests per second	`ffuf -u https://target.com/FUZZ -w wordlist.txt -rate 200`
`-maxtime [SEC]`	Maximum total run time in seconds	`ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime 300`
`-maxtime-job [SEC]`	Maximum time per job	`ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime-job 60`

Output & Format

Command	Description	Usage
`-debug-log [FILE]`	Write internal log to file	`ffuf -u https://target.com/FUZZ -w list.txt -debug-log ffuf.log`
`-od [DIR]`	Output directory for matched results	`ffuf -u https://target.com/FUZZ -w list.txt -od ./matched`
`-or`	Don't write output file if no results	`ffuf -u https://target.com/FUZZ -w list.txt -o results.json -or`

Input Options

Command	Description	Usage
`-D`	DirSearch wordlist compatibility mode, use with -e	`ffuf -u https://target.com/FUZZ -w dirs.txt -D -e php,html`
`-e [EXT]`	Comma-separated list of extensions to append	`ffuf -u https://target.com/FUZZ -w dirs.txt -e php,txt`
`-ic`	Ignore comment lines in wordlist	`ffuf -u https://target.com/FUZZ -w dict.txt -ic`
`--input-cmd`	Use output from a command as input	`ffuf --input-cmd "seq 1 100" --input-num 100 -u https://target.com/id=FUZZ`
`--input-num [NUM]`	Number of values from input-cmd	`ffuf --input-cmd "cat users.txt" --input-num 50 -u https://target.com/FUZZ`
`--input-shell [SHELL]`	Shell used to run input-cmd	`ffuf --input-shell /bin/zsh --input-cmd "printf '%s\n' {A..Z}" --input-num 26 -u https://target.com/FUZZ`
`-mode [TYPE]`	Multi-wordlist mode: clusterbomb or pitchfork	`ffuf -w users.txt:USER -w pass.txt:PASS -mode pitchfork -u https://target.com/login?u=USER&p=PASS`
`-request [FILE]`	Use raw HTTP request from file	`ffuf -request raw.txt -w dict.txt -u FUZZ`
`-request-proto [PROTO]`	Protocol to use with raw request	`ffuf -request raw.txt -request-proto http -w dict.txt`

Headers, Cookies & Methods

Command	Description	Usage
`-b "COOKIE=VALUE"`	Send cookies with request	`ffuf -u https://target.com/dashboard -b "SESSION=FUZZ" -w tokens.txt`
`-ignore-body`	Skip response body content	`ffuf -u https://target.com/FUZZ -w list.txt -ignore-body`
`-r`	Follow HTTP redirects	`ffuf -u https://target.com/FUZZ -w list.txt -r`
`-recursion`	Recursively scan directories (FUZZ must be at end)	`ffuf -u https://target.com/FUZZ -w dirs.txt -recursion`
`-recursion-depth [N]`	Max recursion depth for scanning	`ffuf -u https://target.com/FUZZ -w dirs.txt -recursion -recursion-depth 2`
`-recursion-strategy [STR]`	Recursion strategy: default or greedy	`ffuf -u https://target.com/FUZZ -w dirs.txt -recursion-strategy greedy`
`-replay-proxy [URL]`	Proxy to replay matched requests	`ffuf -u https://target.com/FUZZ -w list.txt -replay-proxy http://127.0.0.1:8081`
`-x [PROXY]`	Proxy URL to route requests through	`ffuf -u https://target.com/FUZZ -w list.txt -x socks5://127.0.0.1:9050`

Filtering & Matching

Command	Description	Usage
`-mr [REGEX]`	Match responses with regex in body	`ffuf -u https://target.com/FUZZ -w list.txt -mr "^Admin"`
`-ms [BYTES]`	Match responses by size	`ffuf -u https://target.com/FUZZ -w list.txt -ms 1024`
`-mw [WORDS]`	Match responses by word count	`ffuf -u https://target.com/FUZZ -w list.txt -mw 50`
`-fl [LINES]`	Filter out by number of lines	`ffuf -u https://target.com/FUZZ -w list.txt -fl 0`
`-fr [REGEX]`	Filter responses using regex	`ffuf -u https://target.com/FUZZ -w list.txt -fr "Not Found"`

Performance

Command	Description	Usage
`-rate [NUM]`	Max requests per second	`ffuf -u https://target.com/FUZZ -w wordlist.txt -rate 200`
`-maxtime [SEC]`	Maximum total run time in seconds	`ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime 300`
`-maxtime-job [SEC]`	Maximum time per job	`ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime-job 60`

Output & Format

Command	Description	Usage
`-debug-log [FILE]`	Write internal log to file	`ffuf -u https://target.com/FUZZ -w list.txt -debug-log ffuf.log`
`-od [DIR]`	Output directory for matched results	`ffuf -u https://target.com/FUZZ -w list.txt -od ./matched`
`-or`	Don't write output file if no results	`ffuf -u https://target.com/FUZZ -w list.txt -o results.json -or`

Input Options

Command	Description	Usage
`-D`	DirSearch wordlist compatibility mode (use with `-e`)	`ffuf -u https://target.com/FUZZ -w dirs.txt -D -e php,html`
`-e [EXT]`	Comma-separated list of extensions (extends `FUZZ`)	`ffuf -u https://target.com/FUZZ -w dirs.txt -e php,txt`
`-ic`	Ignore wordlist comments	`ffuf -u https://target.com/FUZZ -w dict.txt -ic`
`--input-cmd`	Use command output as input (requires `--input-num`)	`ffuf --input-cmd "seq 1 100" --input-num 100 -u https://target.com/id=FUZZ`
`--input-num [NUM]`	Number of inputs to test with `--input-cmd`	`ffuf --input-cmd "cat users.txt" --input-num 50 -u https://target.com/FUZZ`
`--input-shell [SHELL]`	Shell used for `--input-cmd`	`ffuf --input-shell /bin/zsh --input-cmd "printf '%s\n' {A..Z}" --input-num 26 -u https://target.com/FUZZ`
`-mode [TYPE]`	Multi-wordlist mode: `clusterbomb` / `pitchfork`	`ffuf -w users.txt:USER -w pass.txt:PASS -mode pitchfork -u https://target.com/login?u=USER&p=PASS`
`-request [FILE]`	Use raw HTTP request from file	`ffuf -request raw.txt -w dict.txt -u FUZZ`
`-request-proto [PROTO]`	Protocol when using raw request (http/https)	`ffuf -request raw.txt -request-proto http -w dict.txt`

Headers, Cookies & Methods

Command	Description	Usage
`-b "COOKIE=VALUE"`	Add cookie header	`ffuf -u https://target.com/dashboard -b "SESSION=FUZZ" -w tokens.txt`
`-ignore-body`	Do not fetch response body	`ffuf -u https://target.com/FUZZ -w list.txt -ignore-body`
`-r`	Follow redirects	`ffuf -u https://target.com/FUZZ -w list.txt -r`
`-recursion`	Recursive scan (URL must end in `FUZZ`)	`ffuf -u https://target.com/FUZZ -w dirs.txt -recursion`
`-recursion-depth [N]`	Maximum recursion depth	`ffuf -u https://target.com/FUZZ -w dirs.txt -recursion -recursion-depth 2`
`-recursion-strategy [STR]`	Recursion strategy: `default` / `greedy`	`ffuf -u https://target.com/FUZZ -w dirs.txt -recursion-strategy greedy`
`-replay-proxy [URL]`	Replay matched requests through proxy	`ffuf -u https://target.com/FUZZ -w list.txt -replay-proxy http://127.0.0.1:8081`
`-x [PROXY]`	Send requests via proxy (HTTP/SOCKS5)	`ffuf -u https://target.com/FUZZ -w list.txt -x socks5://127.0.0.1:9050`

Filtering & Matching

Command	Description	Usage
`-mr [REGEX]`	Match body using regular expression	`ffuf -u https://target.com/FUZZ -w list.txt -mr "^Admin"`
`-ms [BYTES]`	Match exact response size	`ffuf -u https://target.com/FUZZ -w list.txt -ms 1024`
`-mw [WORDS]`	Match by word count	`ffuf -u https://target.com/FUZZ -w list.txt -mw 50`
`-fl [LINES]`	Filter by line count	`ffuf -u https://target.com/FUZZ -w list.txt -fl 0`
`-fr [REGEX]`	Filter responses matching regex	`ffuf -u https://target.com/FUZZ -w list.txt -fr "Not Found"`

Performance

Command	Description	Usage
`-rate [NUM]`	Limit requests per second	`ffuf -u https://target.com/FUZZ -w wordlist.txt -rate 200`
`-maxtime [SEC]`	Max total runtime	`ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime 300`
`-maxtime-job [SEC]`	Max runtime per job	`ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime-job 60`

Output & Format

Command	Description	Usage
`-debug-log [FILE]`	Write debug log to file	`ffuf -u https://target.com/FUZZ -w list.txt -debug-log ffuf.log`
`-od [DIR]`	Directory to store matched results	`ffuf -u https://target.com/FUZZ -w list.txt -od ./matched`
`-or`	Skip creating output file when no results	`ffuf -u https://target.com/FUZZ -w list.txt -o results.json -or`

Examples

Target URL

ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt
# Output:
# /admin           [Status: 301, Size: 0, Words: 1, Lines: 1]
# /login           [Status: 200, Size: 1024, Words: 132, Lines: 15]

@@ Line 4: / Line 4: @@
 It is widely used in web application testing, especially during active reconnaissance and content discovery phases.
-== <span id="general"></span>Common Options ==
+== <span id="options"></span>Common Options ==
+=== Target & Wordlist ===
 {| class="wikitable"
 ! Command !! Description !! Usage
 |-
-| [[#ex-V|<code>-V</code>]] || Show version information || <code>ffuf -V</code>
+| [[#ex-u|<code>-u [URL]</code>]] || Target URL with the keyword FUZZ where payloads will be injected || <code>ffuf -u https://target.com/FUZZ</code>
 |-
-| [[#ex-ac|<code>-ac</code>]] || Automatically calibrate filtering options || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -ac</code>
+| [[#ex-w|<code>-w [FILE]</code>]] || Wordlist file to use for fuzzing || <code>ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt</code>
+|}
+=== Input Options ===
+{| class="wikitable"
+! Command !! Description !! Usage
+|-
+| [[#ex-D|<code>-D</code>]] || DirSearch wordlist compatibility mode, use with -e || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -D -e php,html</code>
+|-
+| [[#ex-e|<code>-e [EXT]</code>]] || Comma-separated list of extensions to append || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -e php,txt</code>
+|-
+| [[#ex-ic|<code>-ic</code>]] || Ignore comment lines in wordlist || <code>ffuf -u https://target.com/FUZZ -w dict.txt -ic</code>
+|-
+| [[#ex-input-cmd|<code>--input-cmd</code>]] || Use output from a command as input || <code>ffuf --input-cmd "seq 1 100" --input-num 100 -u https://target.com/id=FUZZ</code>
+|-
+| [[#ex-input-num|<code>--input-num [NUM]</code>]] || Number of values from input-cmd || <code>ffuf --input-cmd "cat users.txt" --input-num 50 -u https://target.com/FUZZ</code>
+|-
+| [[#ex-input-shell|<code>--input-shell [SHELL]</code>]] || Shell used to run input-cmd || <code>ffuf --input-shell /bin/zsh --input-cmd "printf '%s\n' {A..Z}" --input-num 26 -u https://target.com/FUZZ</code>
+|-
+| [[#ex-mode|<code>-mode [TYPE]</code>]] || Multi-wordlist mode: clusterbomb or pitchfork || <code>ffuf -w users.txt:USER -w pass.txt:PASS -mode pitchfork -u https://target.com/login?u=USER&p=PASS</code>
+|-
+| [[#ex-request|<code>-request [FILE]</code>]] || Use raw HTTP request from file || <code>ffuf -request raw.txt -w dict.txt -u FUZZ</code>
+|-
+| [[#ex-request-proto|<code>-request-proto [PROTO]</code>]] || Protocol to use with raw request || <code>ffuf -request raw.txt -request-proto http -w dict.txt</code>
+|}
+=== Filtering & Matching ===
+{| class="wikitable"
+! Command !! Description !! Usage
+|-
+| [[#ex-fc|<code>-fc [CODE]</code>]] || Filter out responses with the given HTTP status code || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404</code>
+|-
+| [[#ex-mc|<code>-mc [CODE]</code>]] || Only show responses with specific HTTP status codes || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200</code>
+|-
+| [[#ex-fw|<code>-fw [WORDS]</code>]] || Filter responses by word count || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -fw 0</code>
+|-
+| [[#ex-ml|<code>-ml [LINES]</code>]] || Match only responses with specific number of lines || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -ml 10</code>
+|-
+| [[#ex-fs|<code>-fs [BYTES]</code>]] || Filter by response size || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 1234</code>
+|-
+| [[#ex-filter-regex|<code>--filter-regex</code>]] || Filter responses based on regular expression in the body || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt --filter-regex "Not Found"</code>
+|-
+| [[#ex-mr|<code>-mr [REGEX]</code>]] || Match responses with regex in body || <code>ffuf -u https://target.com/FUZZ -w list.txt -mr "^Admin"</code>
+|-
+| [[#ex-ms|<code>-ms [BYTES]</code>]] || Match responses by exact size || <code>ffuf -u https://target.com/FUZZ -w list.txt -ms 1024</code>
+|-
+| [[#ex-mw|<code>-mw [WORDS]</code>]] || Match responses by word count || <code>ffuf -u https://target.com/FUZZ -w list.txt -mw 50</code>
+|-
+| [[#ex-fl|<code>-fl [LINES]</code>]] || Filter out by number of lines || <code>ffuf -u https://target.com/FUZZ -w list.txt -fl 0</code>
+|-
+| [[#ex-fr|<code>-fr [REGEX]</code>]] || Filter responses using regex || <code>ffuf -u https://target.com/FUZZ -w list.txt -fr "Not Found"</code>
+|}
+=== Headers, Cookies & Methods ===
+{| class="wikitable"
+! Command !! Description !! Usage
+|-
+| [[#ex-H|<code>-H "Header: Value"</code>]] || Add custom HTTP headers to the request || <code>ffuf -u http://127.0.0.1/ -H "Host: FUZZ.target.com" -w subdomains.txt</code>
+|-
+| [[#ex-X|<code>-X [METHOD]</code>]] || HTTP method to use (e.g. GET, POST) || <code>ffuf -X POST -d "username=admin&password=FUZZ" -u https://target.com/login -w rockyou.txt</code>
+|-
+| [[#ex-d|<code>-d "DATA"</code>]] || Data to include in request body || <code>ffuf -X POST -d "q=FUZZ" -u https://target.com/search -w payloads.txt</code>
+|-
+| [[#ex-b|<code>-b "COOKIE=VALUE"</code>]] || Send cookies with request || <code>ffuf -u https://target.com/dashboard -b "SESSION=FUZZ" -w tokens.txt</code>
+|-
+| [[#ex-ignore-body|<code>-ignore-body</code>]] || Skip response body content || <code>ffuf -u https://target.com/FUZZ -w list.txt -ignore-body</code>
+|-
+| [[#ex-r|<code>-r</code>]] || Follow HTTP redirects || <code>ffuf -u https://target.com/FUZZ -w list.txt -r</code>
+|-
+| [[#ex-recursion|<code>-recursion</code>]] || Recursively scan directories (FUZZ must be at end) || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -recursion</code>
+|-
+| [[#ex-recursion-depth|<code>-recursion-depth [N]</code>]] || Max recursion depth for scanning || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -recursion -recursion-depth 2</code>
+|-
+| [[#ex-recursion-strategy|<code>-recursion-strategy [STR]</code>]] || Recursion strategy: default or greedy || <code>ffuf -u https://target.com/FUZZ -w dirs.txt -recursion-strategy greedy</code>
+|-
+| [[#ex-replay-proxy|<code>-replay-proxy [URL]</code>]] || Proxy to replay matched requests || <code>ffuf -u https://target.com/FUZZ -w list.txt -replay-proxy http://127.0.0.1:8081</code>
 |-
-| [[#ex-acc|<code>-acc "STRING"</code>]] || Custom auto-calibration string, implies -ac || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -acc "Welcome"</code>
+| [[#ex-x|<code>-x [PROXY]</code>]] || Proxy URL to route requests through || <code>ffuf -u https://target.com/FUZZ -w list.txt -x socks5://127.0.0.1:9050</code>
+|}
+=== Output & Format ===
+{| class="wikitable"
+! Command !! Description !! Usage
 |-
-| [[#ex-c|<code>-c</code>]] || Colorize output || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -c</code>
+| [[#ex-o|<code>-o [FILE]</code>]] || Write output to file || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.txt</code>
+|-
+| [[#ex-of|<code>-of [FORMAT]</code>]] || Output file format (json, html, csv, etc.) || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -of json -o output.json</code>
+|-
+| [[#ex-or|<code>-or</code>]] || Don't create output file if no results || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.txt -or</code>
+|-
+| [[#ex-debug-log|<code>-debug-log [FILE]</code>]] || Write internal log to file || <code>ffuf -u https://target.com/FUZZ -w list.txt -debug-log ffuf.log</code>
+|-
+| [[#ex-od|<code>-od [DIR]</code>]] || Output directory for matched results || <code>ffuf -u https://target.com/FUZZ -w list.txt -od ./matched</code>
+|}
+=== Performance ===
+{| class="wikitable"
+! Command !! Description !! Usage
 |-
-| [[#ex-config|<code>-config [FILE]</code>]] || Load configuration from file || <code>ffuf -config ~/.ffufrc</code>
+| [[#ex-t|<code>-t [NUM]</code>]] || Number of concurrent threads || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -t 100</code>
 |-
-| [[#ex-s|<code>-s</code>]] || Silent mode (suppress extra info) || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -s</code>
+| [[#ex-p|<code>-p [SECONDS]</code>]] || Delay between each request || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -p 0.5</code>
 |-
-| [[#ex-sa|<code>-sa</code>]] || Stop on all error cases || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -sa</code>
+| [[#ex-rate|<code>-rate [NUM]</code>]] || Max requests per second || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -rate 200</code>
 |-
-| [[#ex-se|<code>-se</code>]] || Stop on spurious errors || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -se</code>
+| [[#ex-timeout|<code>--timeout [SEC]</code>]] || Set timeout for individual requests || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt --timeout 5</code>
 |-
-| [[#ex-sf|<code>-sf</code>]] || Stop when more than 95% of responses are 403 || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -sf</code>
+| [[#ex-maxtime|<code>-maxtime [SEC]</code>]] || Maximum total run time in seconds || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime 300</code>
 |-
-| [[#ex-v|<code>-v</code>]] || Verbose output with full URL and redirects || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -v</code>
+| [[#ex-maxtime-job|<code>-maxtime-job [SEC]</code>]] || Maximum time per job || <code>ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime-job 60</code>
 |}

Ffuf: Difference between revisions

Revision as of 01:05, 27 May 2025

FFUF

Common Options

Target & Wordlist

Input Options

Filtering & Matching

Headers, Cookies & Methods

Output & Format

Performance

Input Options

Headers, Cookies & Methods

Filtering & Matching

Performance

Output & Format

Input Options

Headers, Cookies & Methods

Filtering & Matching

Performance

Output & Format

Input Options

Headers, Cookies & Methods

Filtering & Matching

Performance

Output & Format

Examples

Target URL

Wordlist Option

Input from Command

Fuzz Numeric Range

Filter by Status Code

Match Specific Status Code

Filter by Word Count

Match by Line Count

Filter by Size

Filter by Regex

Output to File

Specify Output Format

Show Redirect Location

Custom Header Fuzzing

Use POST Method

POST Data with FUZZ

Threads for Speed

Delay Between Requests

Set Request Timeout

See Also

Navigation menu

Search