Ffuf
FFUF
FFUF (Fuzz Faster U Fool) is a fast and flexible web fuzzer used for discovering hidden files, directories, subdomains, GET and POST parameters, and more. It is widely used in web application testing, especially during active reconnaissance and content discovery phases.
Common Options
| Command | Description | Usage |
|---|---|---|
-V |
Show version information | ffuf -V
|
-ac |
Automatically calibrate filtering options | ffuf -u https://target.com/FUZZ -w wordlist.txt -ac
|
-acc "STRING" |
Custom auto-calibration string (can be used multiple times) – implies -ac |
ffuf -u https://target.com/FUZZ -w wordlist.txt -acc "Welcome"
|
-c |
Colorize output | ffuf -u https://target.com/FUZZ -w wordlist.txt -c
|
-config [FILE] |
Load configuration from file | ffuf -config ~/.ffufrc
|
-s |
Silent mode (suppress extra info) | ffuf -u https://target.com/FUZZ -w wordlist.txt -s
|
-sa |
Stop on all error cases (implies -sf and -se) |
ffuf -u https://target.com/FUZZ -w wordlist.txt -sa
|
-se |
Stop on spurious errors | ffuf -u https://target.com/FUZZ -w wordlist.txt -se
|
-sf |
Stop when > 95 % of responses are 403 | ffuf -u https://target.com/FUZZ -w wordlist.txt -sf
|
-v |
Verbose output (print full URL & redirect) | ffuf -u https://target.com/FUZZ -w wordlist.txt -v
|
Input Options
| Command | Description | Usage |
|---|---|---|
-D |
DirSearch wordlist compatibility mode (use with -e) |
ffuf -u https://target.com/FUZZ -w dirs.txt -D -e php,html
|
-e [EXT] |
Comma-separated list of extensions (extends FUZZ) |
ffuf -u https://target.com/FUZZ -w dirs.txt -e php,txt
|
-ic |
Ignore wordlist comments | ffuf -u https://target.com/FUZZ -w dict.txt -ic
|
--input-cmd |
Use command output as input (requires --input-num) |
ffuf --input-cmd "seq 1 100" --input-num 100 -u https://target.com/id=FUZZ
|
--input-num [NUM] |
Number of inputs to test with --input-cmd |
ffuf --input-cmd "cat users.txt" --input-num 50 -u https://target.com/FUZZ
|
--input-shell [SHELL] |
Shell used for --input-cmd |
ffuf --input-shell /bin/zsh --input-cmd "printf '%s\n' {A..Z}" --input-num 26 -u https://target.com/FUZZ
|
-mode [TYPE] |
Multi-wordlist mode: clusterbomb / pitchfork |
ffuf -w users.txt:USER -w pass.txt:PASS -mode pitchfork -u https://target.com/login?u=USER&p=PASS
|
-request [FILE] |
Use raw HTTP request from file | ffuf -request raw.txt -w dict.txt -u FUZZ
|
-request-proto [PROTO] |
Protocol when using raw request (http/https) | ffuf -request raw.txt -request-proto http -w dict.txt
|
Headers, Cookies & Methods
| Command | Description | Usage |
|---|---|---|
-b "COOKIE=VALUE" |
Add cookie header | ffuf -u https://target.com/dashboard -b "SESSION=FUZZ" -w tokens.txt
|
-ignore-body |
Do not fetch response body | ffuf -u https://target.com/FUZZ -w list.txt -ignore-body
|
-r |
Follow redirects | ffuf -u https://target.com/FUZZ -w list.txt -r
|
-recursion |
Recursive scan (URL must end in FUZZ) |
ffuf -u https://target.com/FUZZ -w dirs.txt -recursion
|
-recursion-depth [N] |
Maximum recursion depth | ffuf -u https://target.com/FUZZ -w dirs.txt -recursion -recursion-depth 2
|
-recursion-strategy [STR] |
Recursion strategy: default / greedy |
ffuf -u https://target.com/FUZZ -w dirs.txt -recursion-strategy greedy
|
-replay-proxy [URL] |
Replay matched requests through proxy | ffuf -u https://target.com/FUZZ -w list.txt -replay-proxy http://127.0.0.1:8081
|
-x [PROXY] |
Send requests via proxy (HTTP/SOCKS5) | ffuf -u https://target.com/FUZZ -w list.txt -x socks5://127.0.0.1:9050
|
Filtering & Matching
| Command | Description | Usage |
|---|---|---|
-mr [REGEX] |
Match body using regular expression | ffuf -u https://target.com/FUZZ -w list.txt -mr "^Admin"
|
-ms [BYTES] |
Match exact response size | ffuf -u https://target.com/FUZZ -w list.txt -ms 1024
|
-mw [WORDS] |
Match by word count | ffuf -u https://target.com/FUZZ -w list.txt -mw 50
|
-fl [LINES] |
Filter by line count | ffuf -u https://target.com/FUZZ -w list.txt -fl 0
|
-fr [REGEX] |
Filter responses matching regex | ffuf -u https://target.com/FUZZ -w list.txt -fr "Not Found"
|
Performance
| Command | Description | Usage |
|---|---|---|
-rate [NUM] |
Limit requests per second | ffuf -u https://target.com/FUZZ -w wordlist.txt -rate 200
|
-maxtime [SEC] |
Max total runtime | ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime 300
|
-maxtime-job [SEC] |
Max runtime per job | ffuf -u https://target.com/FUZZ -w wordlist.txt -maxtime-job 60
|
Output & Format
| Command | Description | Usage |
|---|---|---|
-debug-log [FILE] |
Write debug log to file | ffuf -u https://target.com/FUZZ -w list.txt -debug-log ffuf.log
|
-od [DIR] |
Directory to store matched results | ffuf -u https://target.com/FUZZ -w list.txt -od ./matched
|
-or |
Skip creating output file when no results | ffuf -u https://target.com/FUZZ -w list.txt -o results.json -or
|
Examples
Target URL
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt
# Output:
# /admin [Status: 301, Size: 0, Words: 1, Lines: 1]
# /login [Status: 200, Size: 1024, Words: 132, Lines: 15]Wordlist Option
ffuf -u https://target.com/FUZZ -w wordlist.txt
# Output:
# /secret [Status: 403, Size: 512, Words: 22, Lines: 4]Input from Command
ffuf -u https://target.com/FUZZ --input-cmd "seq 1 100"
# Output:
# /12 [Status: 200, Size: 900, Words: 100, Lines: 10]Fuzz Numeric Range
ffuf -u https://target.com/user?id=FUZZ --input-num 1-100
# Output:
# user?id=42 [Status: 200, Size: 1500, Words: 150, Lines: 20]Filter by Status Code
ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404
# Output:
# All 404 responses are hiddenMatch Specific Status Code
ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200
# Output:
# /dashboard [Status: 200, Size: 2048, Words: 250, Lines: 25]Filter by Word Count
ffuf -u https://target.com/FUZZ -w wordlist.txt -fw 0
# Output:
# Only responses with more than 0 words are shownMatch by Line Count
ffuf -u https://target.com/FUZZ -w wordlist.txt -ml 10
# Output:
# /help [Status: 200, Size: 850, Words: 90, Lines: 10]Filter by Size
ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 1234
# Output:
# /about [Status: 200, Size: 1234, Words: 140, Lines: 12]Filter by Regex
ffuf -u https://target.com/FUZZ -w wordlist.txt --filter-regex "Not Found"
# Output:
# Only responses that do not contain "Not Found" in the body are shownOutput to File
ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.txt
# Output:
# Results saved to results.txtSpecify Output Format
ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.json -of json
# Output:
# Results saved in JSON format to results.jsonShow Redirect Location
ffuf -u https://target.com/FUZZ -w wordlist.txt -or
# Output:
# /old-page [Status: 301, Redirect: /new-page]Custom Header Fuzzing
ffuf -u http://127.0.0.1/ -H "Host: FUZZ.target.com" -w subdomains.txt
# Output:
# Host: admin.target.com [Status: 200, Size: 5120, Words: 500, Lines: 30]Use POST Method
ffuf -X POST -d "username=admin&password=FUZZ" -u https://target.com/login -w rockyou.txt
# Output:
# Password guess "letmein" returns Status: 302 (Login success redirect)POST Data with FUZZ
ffuf -X POST -d "q=FUZZ" -u https://target.com/search -w payloads.txt
# Output:
# Payload "admin" produces search results page (Status: 200)Threads for Speed
ffuf -u https://target.com/FUZZ -w wordlist.txt -t 100
# Output:
# Much faster scan due to increased concurrencyDelay Between Requests
ffuf -u https://target.com/FUZZ -w wordlist.txt -p 0.5
# Output:
# Slower scan with 0.5s delay between requests (useful to avoid rate limits)Set Request Timeout
ffuf -u https://target.com/FUZZ -w wordlist.txt --timeout 5
# Output:
# Requests that take more than 5 seconds will be skipped